GDPR – European Union Data Protection Regulation

ANY Security Printing Company PLC, as well as all other members of the ANY corporate group, are committed to processing the data of any of the Company’s visitors, employees and customers in accordance with the highest standards and in compliance with the provisions of the GDPR. We strive to achieve this aim both as controllers and processors.

As a Security Printing Company, the protection of personal data at our Company is not only an external particularity of corporate operations, but one of the most important, crucial elements of our activities and services.

During our work, we provide for information security in accordance with the highest available technical standards. To this end, we carry out our controlling and processing activities through processes that are devised and operated in accordance with the ISO 27001 information security standard, and regularly certified. Our internal policies and data protection incorporated into our processes ensure, as a whole, that our employees and partners proceed at all times in a conscious manner, complying with data protection requirements.

We ensure, in accordance with the rules of transparent operation, that all data subjects may exercise their rights pertaining to information requests, as well as the right to the reparation and restriction of their data processed by us. Data subjects may request the erasure of their data and may exercise the right to object. Upon request, we provide for data portability. During our own controlling activities, as well as processing activities carried out for our partners, we always have an appropriate legal basis and proceed in accordance with the applicable data management purposes and deadlines.

Our Company keeps up-to-date records of all data management. If necessary, we will carry out a risk analysis prior to the commencement of data management. On the basis of the results thereof, we will opt for the best solution available in order to mitigate risks arising from the number of data subjects and the nature of data that is processed.

The present data protection information concerns the users of the website any.hu and the services available thereat, as data subjects. The purpose of the data protection information is that ANY Biztonsági Nyomda Nyrt. (1102 Budapest, Halom utca 5., Tel: +361 431 1200, Fax: +361 431 1220, E-mail: info@any.hu, hereinafter: ‘Controller’) may inform the data subjects regarding the processing of the data received.

As the data subject may decide freely whether to use the service, the data and information required for the use of such service are freely given.

The controller, the scope of the data processed, the purpose of processing

The controller is ANY Biztonsági Nyomda Nyrt., 1102 Budapest, Halom utca 5, Tel: +361 431 1200, Fax: +361 431 1220, e-mail: info@any.hu.

When visiting the any.hu pages, registration or providing your personal data is not necessary and there is no option to do this.

When you choose to visit our website, data such as the IP address (the internet protocol address of your computer), the date, the visited sites and other technical data are logged as well. All this happens on an anonymous basis, therefore such data may not be linked with you, neither now nor in the future. We do not analyse data; they serve exclusively statistical purposes. After the statistical analysis – which we use to check the number of visitors to our website and to ensure the appropriately prompt functioning of our sites – we erase the data. In case you would like to know more, you may request detailed information in writing via any of the contacts specified at the end of the present Policy, to which we will by all means respond.

Method and duration of data management

Data management is carried out by the Controller through its own IT system, on servers it owns or leases. In addition, data may be temporarily stored on other computers of the Controller as well. The duration of the processing of visitor data lasts until the log files are processed, the latter being stored for up to a year.

Data protection

In order to avoid the unauthorized use of the processed personal data and related misuse, the Controller applies extensive technical and operational security measures. Our security processes are regularly reviewed and developed in line with technological advancement.

Access to own data

The data subject may get information about his/her stored personal data at dpo@any.hu and may also request information via any of the Controller’s contacts according to relevant law.

Data transfer, further recipients

We do not transfer the data of data subjects to third parties, either within the European Economic Area or outside thereof.

Automated decision-making

Our system does not automatically create a profile, provide a quote or determine a discount based on the visitor data of the data subject.

Removal, correction and limitation

Since we do not process personal data, the removal, correction or limitation is not possible in practice. If you have any questions, please write to the dpo@any.hu e-mail address.

Data Protection Officer

At the ANY Biztonsági Nyomda corporate group, a group-level data protection officer (Corporate Level DPO) is appointed. His tasks include providing information to clients and ensuring uniform compliance with the provisions of the GDPR on a group level. Contact details of the data protection officer: Dr. Mihály Iszály, e-mail: dpo@any.hu.

Enforcement of rights

You may lodge a complaint with us, the controller, with respect to data management or any element thereof, via a complaint addressed to the data protection officer, to which we will reply as soon as practicable (contact information). Should you wish to indicate your problems to other bodies, you may turn to your respective national data protection authority within the European Union, or the Hungarian National Authority for Data Protection and Freedom of Information (postal address: 1530 Budapest, Pf.: 5., address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c, Phone: +36 (1) 391-1400, Fax: +36 (1) 391-1410, E-mail: ugyfelszolgalat@naih.hu).

ACCESS DATA CONTROL

OBJECTIVE OF DATA CONTROL: PROVISION OF SECURITY LEVEL AND PROTECTION

IDENTIFICATION OF LEGITIMATE INTERESTS

Objective of data control and controlled data

The data controller is ANY Security Printing Company Plc, the largest security printing company in the region. The operation of the access control systems and processes documented electronically and on paper is done for the purpose of the enforcement of legitimate (altogether: defence) interests. The controlled data do not include special personal data. Data include document identification number, date of expiry, name and time of access.

The legitimate interest and the specification and delimitation thereof

As a security printing company, the protection of persons, property and data is in the data controller’s legitimate interest. Applied data control does not violate any legal regulations. Besides employees, access control occurs in relation with maintenance contractors, suppliers and customer partners on a daily basis, so it is related to specific events. The site of access is the whole of the operational areas of the printing company, therefore it is physically limited. This test only concerns such access with regard to the implementation of the defence objective above. In the course of its operation, the Printing Company continuously processes a large amount of personal data, which data are also stored in the systems of the printing company for the time of processing. The Printing Company shall provide risk-proportionate protection. We ensure physically regulated access to business information and personal data by controlling access. The data recorded during access control may ensure the detection and handling of any future incidents affecting the activities of the Printing Company, and if necessary, proving what has happened. It is a social interest to have a document system and a secure production of deeds and securities helping the operations of the state and the national economy and protected with appropriate guarantees. The Printing Company is a system element of these subsystems, the integrity and undisturbed operation of which should be protected in the interests of the society. The legal background referred to and determining data controller’s work is the following:

  • Act No. CXXXIII of 2005 on the rules of security service and private investigator activities
  • Act No. CXXXVIII of 2007 on investment enterprises and commodity exchange service providers and the rules of the activities that can be carried out by them
  • Act No. LXXXVIII of 2014 on insurance activities
  • Act No. CXX of 2001 on the capital market
  • Act No. LXXXIII of 2014 on the unified framework of electronic cards issuance and related to it, decree No. 5/2018. (II. 23.) BM of the Minister of the Interior
  • Government Decree No. 86/1996 (VI.14.) on the protection of security documents

INVESTIGATION OF THE NECESSITY OF DATA CONTROL

Why is data control necessary to attain the objective?

Data control is necessary to enforce the interest because it may only be guaranteed through identifying the persons entering that only authorised persons can get to the area of the Printing Company or such persons who do so in the interest of the Printing Company. The recording of minimum identification data is necessary because in case of any subsequently identified incidents, this helps with exploring the events, making it possible to conduct investigations and reconstructing events.

Is there an alternative solution to attain the objective?

There is at present no alternative solution to attain the defence objectives – at least no other than identifying persons entering, and recording and temporarily storing the absolutely necessary data. This means that there is no such solution that could be economically implemented and is widespread on the market and is accepted in general practice which would have a smaller effect on the data subject’s rights and freedoms.

What disadvantages does the data controller have to suffer if data control is not performed?

If the measures investigated are not taken, the data controller cannot ensure the security level required by law and security printing company standards.

IDENTIFICATION OF THE INTERESTS AND RIGHTS EXISTING ON THE PART OF DATA SUBJECTS

Data controller’s relation with data subjects

Data subjects are the persons entering data controller’s operational area. Data subjects have varied relations with data controller, for example, they are customers, staff members of professional organisations or staff members of suppliers. The legal relation may be direct or indirect.

Data subjects’ reasonable expectations, interests, fundamental rights or freedoms

Data control concerns the right to informational self-determination of data subjects. In certain cases, this right may be restricted in a necessary and proportionate way. Data control has no other effect on the individual’s interests and freedoms. The data subject reasonably expects his/her data to be used only for the purpose of granting access and identification and only for the purpose, in the manner and for the time made known to him/her, and all his/her rights required in GDPR to be guaranteed in relation to this.

Favourable and unfavourable effects of data control on the data subject

Data control has no direct advantage for data subject but indirectly provides for him/her the circumstances of doing work and secure stay. Data control causes no disadvantage for data subject although presumably does not coincide with data subject’s own intentions. At the same time, it does not cause any detectable violation of interests, disadvantages, sufferings or vulnerability nor does it have any reflection on data subject’s life. This is supported by the fact that the operation of access control systems is generally accepted.

GUARANTEES IMPLEMENTED IN THE COURSE OF DATA CONTROL

Manner and duration of data control and data accessibility

The manner of data control is paper-based logging or data storage in an electronic access control system. Only staff members involved in the execution of security measures have access to the data, and only in the manner and to the extent absolutely necessary for performing work. The keeping of documents in a locked place, the management of keys and physical access are regulated, and the electronic systems provide differentiated authorisations. The control of any personal data handled is restricted to the shortest possible period taking legal statutes and different interests into account. Security Policy (policies) sets (set) forth the period for all the data for which they should be stored.

Measures taken for the secure preservation of data

Data control is performed in a closed system, on paper or in an IT system. Both the place of storage and access to it are protected and logged. In addition to the above, in case of an electronic registration system, data controller stores data in a database protected with a password and/or encrypted pursuant to IT security standards and regulations in order to guarantee the confidentiality, integrity and availability of such data. This is regulated in data controller’s own Information Security Policy.

Automatic decision making

There is no automatic decision-making in the processes applied.

Implementation of information provision

Information is provided in advance or upon the first access, at the start of data control at the latest, in a controllable way.

RESULT OF LEGITIMATE INTEREST TEST

(legitimate interest, necessity, proportionateness)

It is concluded that the legitimate interest forming the base of data control does exist. The measures introduced and the data control implemented by them are indispensable and minimally necessary to attain the objective and have no feasible alternative. With regard to the fact that the personal data controlled are only held and used for the objective and for the period necessary to attain the objective, and they may only be accessed by a narrow range of people for whom such access is absolutely necessary, data controller ensures the secure preservation of personal data and takes into account the interests, rights and reasonable expectations of data subjects. Therefore the restriction of data subject’s right to informational self-determination is proportionate in order to achieve the intended goal.

The further security measures implemented by data controller guarantee that data subject is not exposed to any other risks due to data control. Data subject is provided information about data control in advance and becomes aware of both the circumstances of data control and any rights applicable to him/her.

On the basis of the above considerations, it can be concluded that data control is necessary and proportionate, causes no unjustified intrusion into data subject’s private sphere, and data controller’s legitimate interest can serve as the legal base of data control.

DATA PROCESSING OF SECURITY CAMERA SYSTEMS

PURPOSE OF DATA PROCESSING: ENSURING SECURITY LEVEL, PROVISION OF PROTECTION

IDENTIFICATION OF LEGITIMATE INTEREST

The purpose of data processing, the processed data

The data controller is ANY Security Printing Plc., the largest security printing company of the region. For the purpose of asserting a legitimate (in summary: protection) interest, the operating areas of the Printing Company and the boundaries thereof are monitored by camera, and the recordings are stored for a limited period. The processed data do not include sensitive personal data. The recordings show the movement of people, no voice recording is made. The system does not include a recognition feature.

The legitimate interest and its specific definition, limitation

It is in the legitimate interest of the data controller to ensure personal and property protection, as well as data protection arising from its security printing activity. This data processing is not against the law. In addition to the workers entering the protected area, maintenance staff, suppliers and customer partners also enter on a daily basis, therefore the recording is related to specific and frequent events. The location of the monitoring activities is all the operating areas of the Printing Company. These are physically limited and monitoring is performed within the boundaries, including the plane of the wall or fence. Public areas are not monitored. At the boundaries adequate information is provided. In the course of its operation, the Printing Company continuously processes large amounts of personal data, which data are stored on the systems of the printing company for the time of processing. The Printing Company is obliged to ensure their protection by taking measures proportionate to the risks involved. By monitoring the physical boundaries and the operating areas, we intend to improve physical control over the access to business information and personal data, and the guarantees thereof. The data gathered during the recording allow the subsequent investigation and management of any incident affecting the activity of the printing company, and provide evidence of the happenings, if necessary. It is in the interest of society to ensure the production of a document system, secure documents and securities protected by appropriate guarantees, supporting the functioning of the state and the national economy. The Printing Company is an element of these subsystems, and its integrity and smooth operation is to be protected in the interest of society. The legal background referred to above, governing the work of the data controller, is as follows:

  • Act No. CXXXIII of 2005 on the rules of personal and property protection and the activities of private investigators
  • Act No. CXXXVIII of 2007 on investment firms and commodity exchange service providers, and on the rules governing their activities
  • Act No. LXXXVIII of 2014 on insurance activities (hereinafter referred to as: the Insurance Act)
  • Act No. CXX of 2001 on the capital market
  • Act No. LXXXIII of 2014 on the uniform electronic card-issuing framework and related Decree No. 5/2018. (II. 23.) BM of the Minister of the Interior
  • Gov. Decree No. 86/1996 (VI.14.) on the protection of security documents

ASSESSMENT OF THE NECESSITY OF DATA PROCESSING

Why do we need data processing to achieve the purpose?

Data processing is needed to achieve the purpose, as after an incident the reconstruction of the actual movement of persons and vehicles on the area of the Printing Company can be guaranteed only by video recording. As monitoring is open and everyone is informed about it, this awareness is a significant deterrent to inappropriate behaviour. In addition, security guards need it for detecting persons moving on or entering the area, and for supporting the entry process, for example for the remote and safe viewing of persons entering on foot, or vehicles and their drivers.

Is there an alternative solution to achieve the purpose?

Currently no alternative solution – other than making and temporarily storing video recordings – is available for achieving the protection purposes. This means that there is no economically feasible, market-based and socially accepted solution that would have less impact on the rights and freedoms of the data subject than the current solution.

What are the disadvantages for the data controller if there is no data processing?

If the tested measures are not taken, the data controller is unable to ensure the level of protection required by law and the security printing standards.

IDENTIFICATION OF THE INTERESTS AND RIGHTS OF THE DATA SUBJECTS

Relationship between the data controller and the data subjects

The data subjects are persons entering the operating area of the data controller, or appearing at the boundaries thereof. The data subjects are in various relationships with the data controller, for example: customers, employees of professional organizations, employees of suppliers. The relationship can be either direct or indirect.

The reasonable expectations, interests, fundamental rights or freedoms of the data subject

Data processing affects the right of the data subject to informational self-determination. This right may be restricted in certain cases in a necessary and proportionate manner. Data processing has no other effect on the interests and freedoms of the individual. It is a reasonable expectation of the data subject that his or her data – his or her stay and movement on the area – should be processed only in a regulated manner for the reconstruction of events, for monitoring movement, and for supporting the entry process, and only in the manner and for the period communicated to him or her, and that all rights related to this, as provided by the GDPR, should be granted to him or her.

The advantages and disadvantages of data processing for the data subject

Data processing has no direct advantages for the data subject, however, indirectly provides him or her with safe working conditions and a safe environment to stay in. Data processing has no disadvantage for the data subject, although it is probably not in line with his or her intentions. Data processing causes no demonstrable other harm, detriment, suffering, or vulnerability either, and has no effect on the life of the data subject. This is supported by the fact that the operation of security camera monitoring systems is generally accepted.

SAFEGUARDS APPLIED DURING DATA PROCESSING

Means, period of data processing, accessibility to data

The means of data processing is real-time image display and storage for a limited period on a closed-circuit security camera monitoring system available to anyone. Access to the data is limited to those involved in the implementation of security measures, in the manner and to the extent absolutely needed for their work. Logging into the system and physical access to the system elements is controlled, the electronic systems provide differentiated privileges. The storage of recordings is limited to the absolutely necessary period, taking into account the various interests involved. The Security Policy(ies) specifies(y) a retention period for each recording and purpose.

Measures taken to keep the data safe

Data are processed (recordings are stored, viewed) in a closed, IT-protected system isolated from other systems. The storage area and access to it is physically protected and logged. In order to protect the confidentiality, integrity and availability of personal data, the data controller stores the data on a password protected and/or encrypted device in accordance with the IT security standards and procedures. This is governed by the own Information Security Policy of the data controller.

Automated decision-making

No automated decision-making is involved in the applied processes.

Provision of information

Information is provided in advance or at the boundary of the monitored area, at the normal points of entry at the latest.

RESULT OF THE BALANCE TEST

(legitimate interest, necessity, proportionality)

We conclude that we have a legitimate interest in data processing. The introduced measures and the data processing implemented by them are absolutely and minimally necessary for achieving the purpose, they have no real alternative. In view of the fact that the processed personal data are stored and used only for the purpose and for the period necessary for achieving the purpose, and access is limited to those who absolutely need it for their work, the data controller has ensured that personal data are kept safe, and has also taken into consideration the interests, rights and reasonable expectations of the data subject, therefore the restriction of the right of the data subject to self-determination in order to achieve the desired purpose is proportionate.

The additional security measures implemented by the data controller ensure that the data subject is not exposed to other risks as a result of data processing. The data subject is informed in advance of the data processing, the context of data processing and his or her rights.

On the basis of the above balance test it can be concluded that data processing is necessary and proportionate, it causes no undue interference with the privacy of the data subject, the legitimate interest of the data controller may serve as a legal basis for data processing.

DATA PROCESSING OF SECURITY CAMERA SYSTEMS

PURPOSE OF DATA PROCESSING: QUALITY ASSURANCE

IDENTIFICATION OF LEGITIMATE INTEREST

The purpose of data processing, the processed data

The data controller is ANY Security Printing Plc., the largest security printing company of the region. For the purpose of asserting a legitimate interest (quality assurance), camera recordings are made and processed on all operating areas of the Printing Company in order to ensure the verifiability and traceability of compliance with the legislation applicable to the printing company, the internal legal norms and the defined process. The processed data do not include sensitive personal data. The recordings show the movement of people, the performance of the individual work phases, and the time and date thereof, no voice recording is made. The system does not include a person recognition feature.

The legitimate interest and its specific definition, limitation

It is in the legitimate interest of the data controller to monitor the security printing work processes, to ensure the reconstructability of certain technological errors, and regulatory and security printing compliance, including the continuous and predictable operation of the document systems, guaranteeing a continuous supply of documents. In addition to the workers entering and working on the monitored area, maintenance staff, suppliers and customer partners also enter on a daily basis, therefore the recording is related to specific and frequent events. The location of the monitoring activities is all the operating areas of the Printing Company. These are physically identifiable and limited areas. Public areas are not monitored. At the boundaries of the monitored areas adequate information is provided. By making work processes reviewable, we wish to ensure the reconstructability of certain events in time, as required in the event of any quality non-compliance, defect or incident. It is in the interest of society to ensure the production of a document system, secure documents and securities protected by appropriate guarantees, supporting the functioning of the state and the national economy. The Printing Company is an element of these subsystems, and its integrity and smooth operation is to be protected in the interest of society. This data processing is not against the law.

The legal background referred to above, governing the work of the data controller, is as follows:

  • Act No. CXXXIII of 2005 on the rules of personal and property protection and the activities of private investigators
  • Act No. CXXXVIII of 2007 on investment firms and commodity exchange service providers, and on the rules governing their activities
  • Act No. LXXXVIII of 2014 on insurance activities (hereinafter referred to as: the Insurance Act)
  • Act No. CXX of 2001 on the capital market
  • Act No. LXXXIII of 2014 on the uniform electronic card-issuing framework and related Decree No. 5/2018. (II. 23.) BM of the Minister of the Interior
  • Gov. Decree No. 86/1996 (VI.14.) on the protection of security documents
  • Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR)
  • Act No. CXII of 2011 on the right of informational self-determination and the freedom of information

ASSESSMENT OF THE NECESSITY OF DATA PROCESSING

Why do we need data processing to achieve the purpose?

Data processing is needed to achieve the purpose, as it can be guaranteed only by a video recording that the subsequent investigation of certain events, any analysis, quality improvement, or re-regulation will be well-founded. The subsequent investigation of certain mechanical or manual operations, the documentation of movements and the physical movement of materials within the area is only possible on the basis of time and date stamped visual documentation.

Is there an alternative solution to achieve the purpose?

Currently no alternative solution – other than making and temporarily storing time stamped video recordings – is available for providing visual documentation. This means that there is no economically feasible, market-based and socially accepted solution that would at the same level have less impact on the rights and freedoms of the data subject than the current solution.

What are the disadvantages for the data controller if there is no data processing?

If the tested measures are not taken, the data controller is unable to ensure compliance with certain itemized critical quality requirements for the security of the processed data and the document systems, for the production of secure documents, and for continuous quality improvement.

IDENTIFICATION OF THE INTERESTS AND RIGHTS OF THE DATA SUBJECTS

Relationship between the data controller and the data subjects

The data subjects are persons entering the operating area, within that the production area of the data controller. The data subjects are in various relationships with the data controller, for example: customers, employees of professional organizations, employees of suppliers. The relationship can be either direct or indirect.

The reasonable expectations, interests, fundamental rights or freedoms of the data subject

Data processing affects the right of the data subject to informational self-determination. This right may be restricted in certain cases in a necessary and proportionate manner. Data processing has no other effect on the interests and freedoms of the individual. It is a reasonable expectation of the data subject that his or her data – his or her stay, movement, work or collaboration on the areas of the Printing Company and the duration thereof – should be processed only in a regulated manner for the reconstruction, investigation of events, correlations related to production, and only in the manner and for the period communicated to him or her, and that all rights related to this, as provided by the GDPR, should be granted to him or her. Changing rooms, social rooms, medical facilities are not monitored by camera.

The advantages and disadvantages of data processing for the data subject

Data processing has no direct advantages for the data subject, however, indirectly provides him or her with safe working conditions and a safe environment to stay in. Data processing has no disadvantage for the data subject, although it is probably not in line with his or her intentions. Data processing causes no demonstrable other harm, detriment, suffering, or vulnerability either, and has no effect on the life of the data subject. This is supported by the fact that the operation of camera monitoring systems is generally accepted.

SAFEGUARDS APPLIED DURING DATA PROCESSING

Means, period of data processing, accessibility to data

The means of data processing is real-time image display and storage for a limited period with time stamping on a closed-circuit camera monitoring system available to anyone. Access to the data is limited to those involved in the implementation of internal audit and quality improvement measures, in the manner and to the extent absolutely needed for their work. Logging into the system and physical access to the system elements is controlled, the electronic systems provide differentiated privileges. The storage of recordings is limited to the absolutely necessary period (subjective retention period), taking into account the various interests involved. If the data are not used for other lawful purposes, they are deleted after 5 years (objective retention period).

Measures taken to keep the data safe

Data are processed in a closed, IT-protected system isolated from other systems. The storage area and access to it are physically protected and logged. In addition to the above, in the case of an electronic filing system, in order to protect the confidentiality, integrity and availability of personal data, the data controller stores the data in a password-protected and/or encrypted database in accordance with the IT security standards and procedures. This is governed by the data controller's own Information Security Policy.

Automated decision-making

No automated decision-making is involved in the applied processes.

Provision of information

Information is provided in advance or at the boundary of the monitored area, at the normal points of entry at the latest.

RESULT OF THE BALANCE TEST

(legitimate interest, necessity, proportionality)

We conclude that we have a legitimate interest in data processing. The introduced measures and the data processing implemented by them are absolutely and minimally necessary for achieving the purpose; they have no real alternative. In view of the fact that the processed personal data are stored and used only for the purpose and for the period necessary for achieving the purpose, and access is limited to those who absolutely need it for their work, the data controller has ensured that personal data are kept safe, and has also taken into consideration the interests, rights and reasonable expectations of the data subject; therefore, the restriction of the right of the data subject to self-determination in order to achieve the desired purpose is proportionate.

The additional security measures implemented by the data controller ensure that the data subject is not exposed to other risks as a result of data processing. The data subject is informed in advance of the data processing, the context of data processing and his or her rights.

On the basis of the above balance test it can be concluded that data processing is necessary and proportionate, that it causes no undue interference with the privacy of the data subject, and that the legitimate interest of the data controller may serve as a legal basis for data processing.

DATA PROCESSING OF OFFICIAL CERTIFICATES OF CRIMINAL RECORD

PURPOSE OF PROCESSING: CHECK REQUIRED FOR EMPLOYMENT TO COMPLY WITH SECURITY AND SECURITY PRINTING CRITERIA

IDENTIFICATION OF THE LEGITIMATE INTEREST

The purpose of data processing, the processed data

The data controller is ANY Security Printing Plc., the largest security printing company of the region. For the purpose of asserting a legitimate (in summary: protection) interest, the filling of certain positions at the Printing Company is subject to the possession of an official certificate of criminal record. The processed data include sensitive personal data (criminal personal data).

The legitimate interest and its specific definition, limitation

It is in the legitimate interest of the data controller to ensure personal and property protection, as well as data protection arising from its security printing activity. This data processing is not against the law. In the course of its operation, the Printing Company continuously processes large amounts of personal data, which data are stored on the systems of the printing company for the time of processing. The Printing Company is obliged to ensure their protection by taking measures proportionate to the risks involved. For some products, as it follows from the requirements of international and national certification bodies, and the national legislation on document security as well, trustworthy staff shall be employed. One of the means provided by law for ensuring this is the official certificate of criminal record.

The legal background referred to above, governing the work of the data controller, is as follows:

  • Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR)
  • Act No. CXII of 2011 on the right of informational self-determination and the freedom of information
  • Act No. CXXXIII of 2005 on the rules of personal and property protection and the activities of private investigators
  • Act No. CXXXVIII of 2007 on investment firms and commodity exchange service providers, and on the rules governing their activities
  • Act No. LXXXVIII of 2014 on insurance activities (hereinafter referred to as: the Insurance Act)
  • Act No. CXX of 2001 on the capital market
  • Act No. LXXXIII of 2014 on the uniform electronic card-issuing framework and related Decree No. 5/2018. (II. 23.) BM of the Minister of the Interior
  • Gov. Decree No. 86/1996 (VI.14.) on the protection of security documents

In view of its activities, it is in the interest of the Printing Company to comply with the above regulations, as well as to comply with the NATO, VISA and AQAP requirements.

ASSESSMENT OF THE NECESSITY OF DATA PROCESSING

Why do we need data processing to achieve the purpose?

Data processing is needed to achieve the purpose, as the official certificate of criminal record is the only means available to the data controller to obtain information about the criminal status of the data subject employee or candidate.

Is there an alternative solution to achieve the purpose?

There is no alternative solution. National security inspection, required by the Printing Company for certain positions (as provided by law), is a more thorough inspection, but it should not be extended to general cases, as it would not comply with the principle of data minimization.

What are the disadvantages for the data controller if there is no data processing?

If the possession of an official certificate of criminal record is not checked for certain positions where it would be justified, the risks that the Printing Company is required to reduce under the above laws and professional rules increase, and most of them are risks related to the processing of personal data. The regulatory environment governing security printing activities, the document security systems, and the international standards require the screening of the data subjects (those taking part in the work). Without this, the Printing Company would not be able to carry out its core business.

IDENTIFICATION OF THE INTERESTS AND RIGHTS OF THE DATA SUBJECTS

Relationship between the data controller and the data subjects

The data subjects are candidates applying for a position at the data controller, and after hiring they are employees. The relationship is direct.

The reasonable expectations, interests, fundamental rights or freedoms of the data subject

Data processing affects the right of the data subject to informational self-determination. With regard to the offered position, the data subject is free to decide whether or not he or she wishes to fill a position subject to an official certificate of criminal record. It is a reasonable expectation of the data subject that his or her data – criminal status – should be processed only in a regulated manner and only in the manner and for the period communicated to him or her, and that all rights related to this, as provided by the GDPR, should be granted to him or her. The data subject can learn about the entire process of data processing in the Human Resources Policy.

The advantages and disadvantages of data processing for the data subject

Data processing has no direct advantages for the data subject; however, it provides him or her with the opportunity to fill the position, and provides other data subjects with a safer, more successful work environment by maintaining a high level of trust within the teams. Data processing has no disadvantage for the data subject, and as he or she needs to apply for the issue of an official certificate of criminal record himself or herself, it is also in line with his or her intentions. Data processing causes no other demonstrable harm, detriment, suffering, or vulnerability either, and has no effect on the life of the data subject. This is supported by the fact that for certain positions it is common to require the presentation of an official certificate of criminal record, and that is why this institution exists in the national legislation.

SAFEGUARDS APPLIED DURING DATA PROCESSING

Means, period of data processing, accessibility to data

The means of data processing is detailed in the Human Resources Policy. In essence, upon the issue of an official certificate of criminal record applied for by the data subject, it is enough to present the valid certificate, and only the fact of presentation is recorded by the data controller, with the number of the document.

Measures taken to keep the data safe

The data are processed in a closed system, according to the rules of secure records management (Data Management Policy and Archive Policy); personal files are stored in a safe, with controlled and highly restricted access. The certificate is presented to, and in the case of a candidate the interview is conducted by, the administrator in private.

Automated decision-making

No automated decision-making is involved in the applied processes. The use and interpretation of the data is as detailed in the Human Resources Policy.

Provision of information

Information is provided in advance in the recruitment process, in a certified manner.

RESULT OF THE BALANCE TEST

(legitimate interest, necessity, proportionality)

We conclude that we have a legitimate interest in data processing. The introduced measures and the data processing implemented by them are absolutely and minimally necessary for achieving the purpose; they have no real alternative. In view of the fact that the processed personal data are stored and used only for the purpose and for the period necessary for achieving the purpose, and access is limited to those who absolutely need it for their work, the data controller has ensured that personal data are kept safe, and has also taken into consideration the interests, rights and reasonable expectations of the data subject; therefore, the restriction of the right of the data subject to self-determination in order to achieve the desired purpose is proportionate.

The additional security measures implemented by the data controller ensure that the data subject is not exposed to other risks as a result of data processing. The data subject is informed in advance of the data processing, the context of data processing and his or her rights.

On the basis of the above balance test it can be concluded that data processing is necessary and proportionate, that it causes no undue interference with the privacy of the data subject, and that the legitimate interest of the data controller may serve as a legal basis for data processing.

Data Protection Information