AETRCONTROL Ltd. (6 Kén Str. Budapest, H-1097) provides and distributes a self-developed system for tachograph and driver card evaluation. During our business activity, we handle some of the data on the commission of other companies as data processors, when we perform purely technical tasks related to data management, according to the instructions of the data handler. In such cases, we do not possess independent decision-making or data disposal rights. As direct data handlers, we commit ourselves to comply with the expectations determined by the current regulation and the current Hungarian and EU legislation, whenever we process data.
AETRCONTROL Ltd. is committed to protecting the personal information of its customers and partners, while holding it of utmost importance to honour the information self-determination rights of its clients. AETRCONTROL Ltd. handles personal data confidentially, taking all safety, technical and organizational measures to guarantee the security of data.
Data handling during the activities of AETRCONTROL Ltd. is based on voluntary contribution. In certain cases though, the processing and storing of supplied data is made obligatory by legislation. We would like to remind clients supplying AETRCONTROL Ltd. with data that if they do not provide their own personal data, it is the obligation of the data provider to acquire the permission of the subject.
The range of data processed: the name of the driver and the employing company (if any), the date of birth, place of birth, license number, ID number, home address, mobile phone number (if any), Android identifier, card identifier, email address (if any), password and username, preferred language, signature image, tachograph and card data, scanned image of analog tachograph disks, driving and vehicle events, GPS coordinates, tax number, VAT number (if any), company payment data, company contacts (if any) and their contact information (name, position, landline and mobile phone number, email address).
The purpose of the data management:
- Declaration, extension, and management of foreign postings and supporting documents for declaration.
- To support compliance with legislation on driving, rest and working time of drivers,
- collecting basic payroll data,
- to ensure ex-post verifiability for the 5 years following the year in question, as required by law,
- meeting statutory obligations,
- optimising operations, monitoring the use of subscribed services, minimising possible errors and infringements, improving the quality of service.
Storage and use of positioning data (GPS coordinates): The AETRControl IMI declaration of posting system collects GPS coordinates in the following cases:
- To determine the current country.
- If the parking search function is used, the system continuously collects the current coordinates and shares them with the AETRControl server to determine the optimal parking place.
The collection of location data stops when the application is closed.
The legal basis for data handling: the legal requirements, as well as the subject’s voluntary contribution. Furthermore, Article 6 of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and paragraph 13/A § (3) of Act CVIII of 2001 on certain aspects of information society services.
The deadline for deletion of the data: five years after the termination of the contract.
AETRCONTROL Ltd. will delete all received e-mails along with the name of the sender, their e-mail address, the date, time and other, personal data supplied in the message no later than five years after the date of disclosure.
AETRCONTROL Ltd. records clients’ incoming phone calls.
The purpose of data management: validation of the rights of the customer and the data controller, ensuring ex-post verification.
The legal basis for data handling: the subject’s voluntary contribution.
The range of data processed: identity number, voice recording of the conversation between the client and the administrator, the client’s name and phone number, other personal information provided during the conversation, the administrator’s name, the date and duration of the call.
The duration of data handling: five years.
Data management methods not listed in this guide will be described when new data is recorded. Hereby we inform our clients that the court, the prosecutor, the investigating authority, the National Data Protection and Freedom of Information Authority, or other bodies acting on the authority of the law, may contact the data controller for providing information, communicating or handing over data, or providing documents. AETRCONTROL Ltd. hands over personal information to a third party (other than the constitutor) in case of legal obligation only, and even then to the extent only that is indispensable to achieve the purpose of the inquiry.
THE SECURITY OF DATA MANAGEMENT
The computer and data storage systems of AETRCONTROL Ltd. can be found at our headquarters, in a server park that is protected in all respects.
AETRCONTROL Ltd. selects and operates the IT tools used to handle personal data in the provision of the service so that the data is:
a) accessible to those entitled (data availability);
b) secured for credibility and authentication (credibility of data management);
c) justifiable for uniformity (data integrity);
d) protected against unauthorized access (data confidentiality).
AETRCONTROL Ltd. protects data by taking appropriate measures particularly against unauthorized access, changing, forwarding, disclosure, deletion or destruction, as well as from chance annihilation, damage, and from becoming inaccessible due to changes in the applied technology.
In order to protect data files in its various, electronically managed records, AETRCONTROL Ltd. uses appropriate technical solutions to ensure that stored data can never be directly linked or assigned to the subject.
With regard to the current state of technology, AETRCONTROL Ltd. ensures the security of data management by taking such technical and organizational measures which provide a level of protection that meets the risks associated with data management.
During its data management, AETRCONTROL Ltd. will keep client’s data in:
a) secrecy: we protect information so that only those can access it who are authorized;
b) integrity: we protect the accuracy and completeness of the information and the method of processing;
c) availability: we make sure that whenever an authorized user needs it, she/he can access the desired information, and that the necessary tools are available.
The IT system and network of AETRCONTROL Ltd. are both protected against computer-supported fraud, espionage, sabotage and vandalism, as well as against computer viruses, hacking and denial-of-service (DoS) attacks. The operator provides security through server-level and application-level security procedures.
The system of AETRCONTROL Ltd. communicates via http through TLS protocol, using authenticated certificates and public-key encryption. Such data communication is secure and protected. Hereby we inform users that electronic messages openly transmitted via the Internet (e-mails) are vulnerable to network threats leading to fraudulent activity, contract dispute, or the disclosure or modification of the information. In order to remedy such threats, the data controller will take all reasonable precautionary measures. She/he monitors the systems so that all security discrepancies can be recorded, which will serve as evidence in case of any security incident. System monitoring also allows for the verification of the effectiveness of the precautions used.
DATA CONTROLLER DETAILS AND CONTACT INFORMATION
Name: AETRCONTROL Ltd.
Headquarters: 6 Kén Str, Budapest, H-1097
Company registration number: 01-09-684783
Name of the court of registration: Metropolitan Court of Registration
Tax number: 11949332-2-43
Phone number: +36 (20) 410-0035
The client can ask for information about the management of her/his data, request the rectification of his/her personal information, or – with the exception of mandatory data handling – request their deletion or lockup as indicated at data recording, or by contacting the data controller (see above).
Right to Information:
At the request of the client, AETRCONTROL Ltd. as data controller will provide information about the data it manages, their source, the purpose of data management and its legal basis, the duration, the name and address of the data handler and his/her activities related to data management, the circumstances and effects of a potential privacy incident and the measures taken to remedy them, and, in the case of data transmission, its legal basis and recipient. The data controller will provide the information within the shortest possible time from the submission of the application, but no more than 25 days, in an understandable and written form, at the request of the person concerned. The information is free of charge, unless the enquirer has already submitted a request to the data controller related to the same range of data in the current year. If so, AETRCONTROL Ltd. may set a cost reimbursement.
Right to Rectification:
AETRCONTROL Ltd. will rectify personal information if it does not match reality, and the correct personal information is available.
Locking and Marking:
AETRCONTROL Ltd. will lock personal information at the client’s request, or if it is presumable based on available data that deletion would violate the subject’s interests. Locked personal information can exclusively be handled until the purpose of data management persists which excluded the deletion of personal information. AETRCONTROL Ltd. marks the personal information it handles if the client debates their correctness and accuracy, but the incorrectness and inaccuracy of the personal information cannot be determined unequivocally.
Right to Erasure:
AETRCONTROL Ltd. will delete personal information if its management is illicit, the client requests it, the data handled is incomplete or incorrect and this condition cannot be legally remedied (provided that erasure is not excluded by law), the purpose of data management has ceased, the statutory deadline for data storage has expired, or it has been decreed by the court or the National Data Protection and Freedom of Information Authority.
Rules of Procedure:
The data controller has 25 days for the deletion, locking and rectification of personal information. If the data controller does not comply with the client’s request for deletion, locking or rectification, he/she will state the reasons for rejection in written or – with the consent of the subject – electronic form within 25 days.
AETRCONTROL Ltd. will inform the subject and all parties whom it had previously forwarded the data for data management purposes about the rectification, locking, marking or deletion. Notice will not be provided, however, if the data does not prejudice the legitimate interests of the subject with regard to the purpose of data management.
Right to Protest:
The client may object to his/her personal information being handled, if:
a) the management and conveyance of personal information is necessary exclusively to fulfil the legal obligation of the data controller or to enforce the legitimate interest of the data controller, data receiver or a third party, unless data management is prescribed by law;
b) the usage or conveyance of personal information takes place with the purpose of direct business acquisition, public opinion research or scientific research;
c) there is any other case specified by law.
AETRCONTROL Ltd. will review the objection within the shortest possible time, but no more than 15 days after the submission of the application, make a decision on its merits, and inform the applicant about the decision in writing. If the data controller ascertains the subject’s objection is valid, data management – including further data collection and transfer – will be ceased, the data will be locked, and all parties to whom the personal information affected by the objection had previously been forwarded, and those who are obliged to take action to enforce the right to protest will be informed about the objection as well as about the measures taken in its basis. If the subject does not agree with the data controller’s decision, he/she can go to court within 30 days of its notification. AETRCONTROL Ltd. cannot delete the subject’s data if the data management has been decreed by law. However, the data cannot be conveyed to the data receiver if the data controller has agreed with the objection, or if the court has found the objection as justified.
Restitution and Grievance Fee:
AETRCONTROL Ltd. will reimburse any damage caused to others by illicit handling of the client’s data or by violating the requirements of data security. When the subject’s personal rights have been violated, he/she may demand a grievance fee (as per Civil Code 2:52. §). The data controller is also responsible toward the client for damages caused by the data processor. The data controller is absolved from responsibility if the damage has been caused by an unavoidable event outside the scope of data management. The data controller will not reimburse the damage and a grievance fee cannot be demanded if the damage or the violation of personal rights has occurred due to the subject’s intentional or grossly negligent behaviour.
Right of Access to Court:
If his/her rights have been violated, the client may go to court. The court will proceed with the case out of turn.
The court competent for the data controller’s headquarters is the General Court of Budapest (27 Markó Str. Budapest, H-1055), but the subject can also choose to go to the competent court of his/her residence.
Data Protection Authority Procedures:
Complaints may be submitted to the National Data Protection and Freedom of Information Authority.
Name: National Data Protection and Freedom of Information Authority
Headquarters: 22/C Szilágyi Erzsébet Alley Budapest, H-1125
Mailing address: 1530 Budapest, Pf. 5.
Phone number: +36 (1) 391-1400
Fax number: +36 (1) 391-1410