Please read this legal notice carefully before using the website. By using the website and checking the checkboxes within the individual menu items, you acknowledge and accept its contents – without any further request for consent!

This data protection notice was prepared taking into account the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 – on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Regulation 95/46/EC (General Data Protection Regulation, GDPR).

On 25 May 2018, Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter: GDPR) became applicable uniformly in all Member States of the European Union, including Hungary. “General Data Protection Regulation” or “GDPR”). The GDPR is considered the primary legislation for the protection of personal data. When processing personal data, our group acts in accordance with the provisions of the GDPR, Act CXII of 2011 on the Right to Information Self-Determination and Freedom of Information, and Act V of 2013 on the Civil Code. The primary objective of the new legislation is to facilitate the more effective enforcement of rights related to the processing of personal data, the transparency of the entire process of data processing, and the prevention of misuse of personal data, data theft and other incidents.

1. Introduction
Acting on behalf of the data controllers listed below (hereinafter: “Data Controller(s)”), ​​I, Mihály Kádár, CEO, undertake that all data processing related to the activities of the data controllers complies with the requirements set out in this information and in the applicable laws.

Data Controller’s details and contact information

Company name: TSPC Technical Supervision and Planning Consulting Hungary Kft.

Abbreviated name: TSPC Kft.
Registered office: 9022 Győr, Dunakapu tér 7.
Company registration number: 08-09-025358
Name of the court of registration: Győr Court of Registration
Tax number: 24084794-2-08
Phone number: +36 1 800 9191
Website: http://www.tspcgroup.hu
E-mail: info@tspcgroup.hu

Company name: TSPC Mérnökiroda Korlátolt Felelfösségű Társaság
Abbreviated name: TSPC Mérnökiroda Kft.
Registered office: 9022 Győr, Dunakapu tér 7.
Company registration number: 08-09-025291
Name of the court of registration: Győr Court of Registration
Tax number: 24655460-2-08
Phone number: +36 1 800 9191
Website: http://www.tspcgroup.hu
E-mail: info@tspcgroup.hu

Company name: Kádár Consulting Limited Liability Company
Abbreviated name: Kádár Consulting Kft.
Registered office: 9011 Győr, Ezerjó út 10.
Company registration number: 08-09-035469
Name of the court of registration: Győr Court of Appeals
Tax number: 32199202-2-08
Phone number: +36 1 800 9191
Website: http://www.tspcgroup.hu
E-mail: info@tspcgroup.hu

Company name: TSPC BIM Limited Liability Company
Abbreviated name: TSPC BIM Kft.
Registered office: 9022 Győr, Dunakapu tér 7.
Company registration number: 08-09-028050
Name of the court of registration: Győr Court of Appeals
Tax number: 25548659-2-08
Phone number: +36 1 800 9191
Website: http://www.tspcgroup.hu
E-mail: info@tspcgroup.hu

Company name: TSPC Slovakia s.r.o
Registered office: 94501 Slovak Republic, Komárno, Dunajské nábrezie 4726
Organization identification number: 51 86 1291
Phone number: +36 1 800 9191
Website: http://www.tspcgroup.hu
E-mail: info@tspcgroup.hu

Company name: TSPC d.o.o.
Registered office: 10000 Zagreb, Crnomrec – 63.

Tax number: HR56735821062

Company name: TSPC Asia Ltd.
Registered office: Unit 1010, Miramar Tower,132 Nathan road, TsimShaTsui, Kowloon, Hong Kong
Organizational Identification Number: 1970672
Telephone Number: +36 1 800 9191
Website: http://www.tspcgroup.hu
Email: info@tspcgroup.hu

The data controller implements appropriate technical and organizational measures to guarantee an appropriate level of data security and to ensure the integrity of the data.It ensures the confidentiality of data, data integrity, access to data by authorized persons, availability, enforcement of the rights of website visitors (hereinafter: “Users”), ​​and information on legal remedies.

The data controller does not perform profiling, does not analyze the behavior, interests, or personal preferences of service users (hereinafter: users).

The data protection guidelines arising in connection with the data processing of the Data Controller’s service available at www.tspcgroup.hu (hereinafter: “website”) are continuously available on the website.

The data controller reserves the right to change this information, which it continuously updates on its website. Please write to us if you have any questions related to this notice so that we can answer them as soon as possible.

Our data processing principles are in line with the applicable data protection legislation, in particular the following:

• Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Regulation (EC) No 95/46 (General Data Protection Regulation, GDPR)
• Act CXII of 2011 on the right to informational self-determination and freedom of information (Infotv.)
• 2013. Act V of 2011 – on the Civil Code (Ptk.)

The data controller processes the data provided by Users during contact in accordance with the principles of purpose limitation and data economy exclusively in the manner and to the extent necessary for maintaining contact with Users, in accordance with the legal conditions.

Personal data is stored electronically on a server provided by the hosting service provider for the data controller. The data controller has access to this data, and it is not passed on to third parties without the user’s specific consent.

We would like to draw the attention of data providers to the fact that if they do not provide their own personal data, the data provider is obliged to obtain the consent of the data subject.

We inform Users that the Data Controller does not intend to collect data from children under the age of 16, therefore we call on parents/guardians of children under the age of 16 to monitor and control how their child uses our website, in order to ensure that they do not share personal data with our company without your prior permission!

The data controller informs the User that, pursuant to Article 7 of the GDPR, he/she has the right to withdraw his/her consent at any time, however, the withdrawal does not affect the lawfulness of data processing based on consent prior to withdrawal.

2. Data processing

2.1 Contact directly via the website

On the website, under the Contact menu item, there is a possibility to contact the data controller directly, during which the user of the website can send a message to the data controller.

Scope of personal data subject to data processing and purpose of data processing:

• name (surname and first name)
• email address
• telephone number

The processing of the provided personal data is necessary to identify the user, to contact him/her, and to handle the case.

Legal basis for data processing: Voluntary consent of the data subject, GDPR Article 6 (1) a)

Duration of data processing: The data controller will retain the provided personal data for two years after handling the case initiated by the user – in the absence of the user’s request for its deletion.

Deletion of data: Within 3 working days after receiving the user’s request for deletion of the personal data required for contact, otherwise after 2 years after handling the case.

2.2 Career – management of data provided when applying for job offers directly via the website and uploaded CVs

On the website, under the Career menu item, it is possible to apply directly for individual job offers.

(1) The Data Controller is looking for employees for vacant or newly created positions on its website or through advertisements. Recruitment takes place through advertisements appearing on the Data Controller’s online platforms.(2) The Data Controller receives so-called flying CVs both by e-mail and by post outside the recruitment period.

(3) For so-called flying CVs, a data management and data protection information sheet is sent to the applicant’s provided e-mail address by return mail, in which the data subject agrees or refuses to retain the CV for 6 months. In the case of a CV that the Data Controller does not wish to retain, the sender is notified in a reply letter of the fact of its return.

Scope of personal data subject to data processing and purpose of data processing:

• name (surname and first name)
• email address
• telephone number
• cover letter
• professional CV with personal data included (at least: surname and first name, date of birth, place, mother’s name, address, qualification data, photo)
• portfolio

Purpose of data processing: Data processing is necessary for the assessment of the application and the establishment of an employment relationship with the selected candidate.

Legal basis for data processing: The voluntary consent of the data subject, Article 6(1)(a) GDPR

Duration of data processing: Until the purpose of data processing is achieved, in principle

• In the case of unsuccessful applicants, up to 6 months after the completion of the recruitment process if the[CG1] applicant has given their express consent.
• In the case of an applicant selected for a given job, the CV is part of the personal file, and it is kept until the purpose of data processing is achieved, in principle, after the termination of the employment relationship or the final conclusion of the labor lawsuit, until the statute of limitations for tax assessment, in the case of deferred tax, the deferred tax is due for five years from the last day of the calendar year (Act CL of 2017 on the Taxation System, Section 78 (3)-(4)); and data management lasts for the period specified in the legislation on pension payments in relation to entitlements arising from employment, and may not be discarded under Act LXVI of 1995 on Public Documents, Public Archives and the Protection of Private Archives.

Deletion of data:

• The personal data of unsuccessful applicants will be deleted 6 months after the completion of the recruitment process. If the data subject withdraws his/her consent to data processing during this period or requests deletion from the data controller, the data controller shall take action for deletion within 2 working days of receipt of the declaration.
• In the case of successful applicants, the data related to the establishment of the employment relationship shall be retained until the expiry of the right to assess the tax after the termination of the employment relationship or the final conclusion of the labor lawsuit, or for five years from the last day of the calendar year in which the deferred tax is due, or before the expiry of the period specified in the legislation on pension payments. Act LXVI of 1995 on public documents, public archives and the protection of private archival material Data in documents subject to the Act cannot be deleted.

2.3 Logging of the www.tspcgroup.hu server

When visiting the www.tspcgroup.hu website, the web server does not record user data, so no personal data is processed in this regard.

2.4 Cookie management

The data controller places a small data package, a short text file (so-called “cookie”) on the user’s computer.

Upon first visit to the Data Controller’s website, a caption will pop up at the bottom of the screen stating that the data controller uses the cookies that can be found here.

The purpose of the cookie is to ensure the highest possible operation of the given site, to provide personalized services, and to enhance the user experience. Cookies do not connect to the User’s system and do not damage the User’s files. The user can delete the permanent cookie from his/her computer or set his/her browser to prohibit the use of cookies. By prohibiting the use of cookies, the user acknowledges that the operation of the given site is not complete without cookies.In accordance with the relevant EU legislation, functional cookies, analytical cookies and other cookies related to third parties are only placed through our site if you have allowed this by clicking the appropriate button.

After you have chosen to allow or not allow the use of cookies, the cookie information message disappears, but may appear from time to time. If you wish to make these settings again before the time expires, please delete your browser’s cookies, you can find help in this on the help page of the given browser.

Data recorded technically during the operation of the systems: the data of the User’s logging in computer, which are generated during the use of the Service and which are recorded by the Data Controller’s system as an automatic result of technical processes. The data recorded automatically is automatically logged by the system upon entry or exit without any separate declaration or action by the User.

2.4.1 Types of cookies

2.4.1.1 Session cookies (temporary cookies) are essential for navigating the website, for the operation of essential website functions and for accessing protected content. These cookies do not collect information about users that can be used to identify the user, for marketing purposes or to remember which other websites they have visited. After you close the website, these cookies are automatically deleted and the session is closed.

2.4.1.2 Functional cookies (permanent cookies) detect the device you used to access our website, remember your previous user choices (such as your chosen language, region, whether you have logged in during a previous session, changes you have made to text size, font or other customizable elements of the website), in order to offer you better and more personalized features.

These cookies do not track your activity on other websites and we do not use them to send you advertisements through other websites.

2.4.1.3 Analytical cookies help us evaluate the performance of our website and improve your user experience based on experience.

2.4.1.4 Third-party cookies may also display interesting information, useful content and spectacular videos on our pages. These typically come from Facebook and YouTube pages. Such content on the website may contain various cookies from third parties, in exactly the same way as when you visit or use the video sharing site Facebook or YouTube.

2.4.2 You can find information about cookie settings for the most popular browsers at the following links:
Google Chrome; Firefox; Microsoft Internet Explorer 8; Microsoft Internet Explorer 9; Microsoft Internet Explorer 10; Microsoft Internet Explorer 11;

There are also browsers that allow you to restrict cookies by setting security levels.

Further information on cookies:

European Interactive Digital Advertising Alliance website: http://www.youronlinechoices.com/hu/
General information: http://hu.wikipedia.org/wiki/HTTP-cookie

2.5 Customer correspondence

Scope of personal data subject to data processing and purpose of data processing:

• name (first and last name)
• address
• email address
• telephone number
• name of contact person

The processing of the provided personal data is necessary to identify the user, contact him/her, and handle the case.

Legal basis for data processing: Voluntary consent of the data subject, GDPR Article 6 (1) a)

Duration of data processing: In the case of a question related to the service, the data controller will retain the case for two years after handling it – unless the user initiates its deletion.

Deletion of data: The data controller will delete the provided personal data within 3 working days of receiving the user’s request for deletion of personal data, otherwise 2 years after handling the case.

2.6 Data processing related to photos on the website

Scope of personal data subject to data processing and purpose of data processing:

• Photographs taken of employees of the Data Controller under the About Us menu
• Photographs taken at events or interviews under the News menu

The purpose of data processing is to introduce the company’s employees to prospective partners, or in the case of photos taken at events, to present the life of the company through the photos.

Legal basis for data processing: Voluntary consent of the data subject, GDPR Article 6 (1) a)

Duration of data processing: Until the data subject withdraws their consent or receives a request for deletion.

Deletion of data: Within 2 working days after the withdrawal of the data subject’s consent or receipt of the request for deletion.

3. Data transfer, data processing

The data controller may use a data processor to ensure the continuous and proper functioning of the website.

The data controller is entitled and obliged to transfer all personal data at its disposal and regularly stored by it to the competent authorities, which data transfer obliges it to by law or a final official decision. The data controller cannot be held liable for such data transfer and the consequences arising therefrom.

If the data controller transfers the operation or utilization of the service located on the www.tspcgroup.hu page in part or in whole to a third party, the personal data it processes may be transferred to this third party in full for further processing without requesting separate consent. However, this data transfer may not put the User in a more disadvantageous position than the data management and data security rules specified in the current text of this Privacy Policy.

Name of the data processors used:

4. Rights of the data subjects:

a) right to information (GDPR Article 12)

The data controller shall take appropriate measures to ensure that the data subject is provided with all information referred to in Articles 13 and 14 of the GDPR and in Articles 15–22 concerning the processing of personal data. and provide each information pursuant to Article 34 in a concise, transparent, intelligible and easily accessible form, in clear and plain language, and free of charge. The right to information may be exercised through the contact details indicated in point 1 (in writing or by other means, including, where appropriate, by electronic means). At the request of the data subject, information may also be provided orally, provided that the identity of the data subject has been verified by other means.

b) Right of access to personal data (Article 15 of the GDPR)

The data subject shall have the right to obtain from the controller information as to whether or not personal data concerning him or her are being processed and, where such processing is taking place, access to the personal data and the following information:

a) the purposes of the processing;

b) the categories of personal data concerned;

(c) the recipients or categories of recipients to whom the personal data have been or will be disclosed, including in particular recipients in third countries or international organisations;

(d) where applicable, the envisaged period for which the personal data will be stored;

(e) the right of the data subject to obtain from the controller rectification, erasure or restriction of processing of personal data concerning him or her and to object to the processing of such personal data;

(f) the right to lodge a complaint with a supervisory authority;

(g) where the data were not collected from the data subject, all available information on their source;

(h) the fact of automated decision-making referred to in Article 22(1) and (4) of the GDPR, including profiling, and at least in such cases, intelligible information on the logic involved and the significance and the foreseeable consequences of such processing for the data subject.

Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards for the transfer pursuant to Article 46.

The Controller shall provide the data subject with a copy of the personal data subject to processing. For any further copies requested by the data subject, the Controller may charge a reasonable fee based on the administrative costs. If the data subject has submitted the request electronically, the Employer shall provide the information in a commonly used electronic format, unless the data subject otherwise requests.

The Data Controller shall inform the data subject within one month of receipt of the request.

c) Right to rectification (Article 16 GDPR)

The data subject shall have the right to obtain from the controller, at his or her request, the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to request the completion of incomplete personal data, including by means of a supplementary statement.

d) right to erasure (‘right to be forgotten’) (Article 17 GDPR)

The data subject shall have the right to obtain from the controller, at his or her request, the erasure of personal data concerning him or her without undue delay where one of the following grounds applies:

a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

b) the data subject withdraws his or her consent to the processing pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) and there is no other legal basis for the processing;

c) the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);

d) the personal data have been processed unlawfully;

(e) the personal data must be erased for compliance with a legal obligation under Union or Member State law to which the controller is subject;(f) the personal data were collected in connection with the provision of information society services referred to in Article 8(1).

The data shall not be erased if the processing is necessary for any of the following reasons:

a) to exercise the right to freedom of expression and information;

b) to comply with an obligation to which the controller is subject under Union or Member State law, or to carry out a task carried out in the public interest or in the exercise of official authority vested in the controller;

(c) on grounds of public interest in the field of public health;

(d) for archiving purposes in the public interest, scientific and historical research purposes or statistical purposes, where the right to erasure would likely render such processing impossible or seriously jeopardise such processing; or

(e) for the establishment, exercise or defence of legal claims.

e) right to restriction of processing (Article 18 GDPR)

The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:

a) the data subject contests the accuracy of the personal data, in which case the restriction shall apply for a period enabling the controller to verify the accuracy of the personal data;

b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;

c) the controller no longer needs the personal data for the purposes of the processing, but the data subject requires them for the establishment, exercise or defence of legal claims; or

d) the data subject has objected to processing pursuant to Article 21(1); in which case the restriction shall apply for a period of time until it is established whether the legitimate grounds of the controller override those of the data subject.

If processing is restricted on one of the above grounds, such personal data may be processed, with the exception of storage, only with the consent of the data subject, or for the establishment, exercise or defence of legal claims, or for the protection of the rights of another natural or legal person, or for important public interest reasons of the Union or of a Member State.

The controller shall inform the data subject in advance of the lifting of the restriction on processing.

f) right to data portability (Article 20 GDPR)

The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and shall have the right to transmit those data to another controller without hindrance from the controller to whom the personal data have been provided, where:

a) the processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) or on a contract pursuant to point (b) of Article 6(1); and

b) the processing is carried out by automated means.

In exercising the right to data portability, the data subject shall have the right to request the direct transmission of the personal data between controllers, where technically feasible.

The exercise of the right to data portability shall be without prejudice to the right to erasure (to be forgotten) as provided for in Article 17. This right shall not apply where the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

This right shall not adversely affect the rights and freedoms of others.

g) Right to object (Article 21 GDPR)

The data subject shall have the right, on grounds relating to his or her particular situation, to object at any time to processing of personal data concerning him or her which is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, or which is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, including profiling based on those provisions. In this case, the data controller may no longer process the personal data unless the data controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such purposes, including profiling, where this is related to direct marketing.

If the data subject objects to the processing of personal data for direct marketing purposes, the personal data shall no longer be processed for such purposes.

Where the personal data are processed for scientific and historical research purposes or for statistical purposes, the data subject shall have the right to object, on grounds relating to his or her particular situation, to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

​h) Automated decision-making in individual cases, including profiling (Article 22 GDPR)​

The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

Paragraph 1 shall not apply where the decision:

a) is necessary for entering into, or the performance of, a contract between the data subject and the controller;

b) is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or

c) is based on the data subject’s explicit consent.

Procedural rules for taking measures to exercise the data subject’s rights:

Article 12 GDPR: The controller shall inform the data subject without undue delay and in any event not later than one month from the date of receipt of the request of the action taken on a request pursuant to Articles 15 to 22. Where necessary, taking into account the complexity of the request and the number of requests, this period may be extended by a further two months.

The controller shall inform the data subject of any extension of the period, stating the reasons for the delay, within one month from the date of receipt of the request. Where the data subject has submitted the request electronically, the information shall be provided by electronic means, unless the data subject otherwise requests.

If the controller does not take action on the data subject’s request, it shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and of the right to lodge a complaint with a supervisory authority and to seek a judicial remedy.

The controller shall provide the information referred to in Articles 13 and 14 and the information and action referred to in Articles 15 to 22 and 34 free of charge. Where the data subject’s request is manifestly unfounded or excessive, in particular because of its repetitive nature, the controller may charge a reasonable fee, taking into account the administrative costs of providing the requested information or taking the action requested, or may refuse to take action on the request.

The burden of proof that the request is manifestly unfounded or excessive shall be on the controller.

Article 19 GDPR: The controller shall inform any recipient to whom the personal data have been disclosed of the rectification, erasure or restriction of processing carried out by the controller, unless this proves impossible or involves a disproportionate effort. Upon request by the data subject, the controller shall inform the data subject of those recipients.

Article 15(3) GDPR: The controller shall provide the data subject with a copy of the personal data which are the subject of the processing. For further copies requested by the data subject, the controller may charge a reasonable fee based on the administrative costs. If the data subject has submitted the request electronically, the information shall be provided in a commonly used electronic format, unless the data subject requests otherwise.

6. Legal remedies

6.1 Procedure before a supervisory authority (right to lodge a complaint – Article 14(3) and Article 77 GDPR)

(1) Without prejudice to other administrative or judicial remedies, each data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or the place of the alleged infringement, if the data subject considers that the processing of personal data concerning him or her infringes this Regulation.(2) The supervisory authority to which the complaint has been lodged shall inform the customer of the progress of the complaint and its outcome, including the right of the customer to seek a judicial remedy pursuant to Article 78.

(3) Without prejudice to other administrative or non-judicial remedies, every natural and legal person shall have the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning him or her.

(4) Without prejudice to other administrative or non-judicial remedies, every data subject shall have the right to an effective judicial remedy where the supervisory authority competent pursuant to Article 55 or 56 does not deal with the complaint or does not inform the data subject within three months of the progress of the complaint or its outcome pursuant to Article 77.

(5) Proceedings against the supervisory authority shall be brought before the courts of the Member State in which the supervisory authority is established.

(6) Where proceedings are brought against a decision of the supervisory authority in relation to which the Board has previously issued an opinion or taken a decision within the framework of the consistency mechanism, the supervisory authority shall be obliged to send that opinion or decision to the court.

The Authority’s investigation shall not be considered an administrative procedure.

The Authority’s investigation shall be free of charge, and the costs of the investigation shall be advanced and borne by the Authority.

The Authority shall take a decision within two months of receipt of the notification.

Name: National Data Protection and Freedom of Information Authority
Registered office: 1125 Budapest, Szilágyi Erzsébet fasor 22/c
Postal address: 1530 Budapest, Pf.: 5.
Telephone: +36 (1) 391-1400
URL: https://naih.hu
Email: ugyfelszolgalat@naih.hu

6.2 Judicial redress (Article 12(3) and Article 79 of the GDPR)

(1) Without prejudice to any administrative or non-judicial remedies available to you, including the right to lodge a complaint with a supervisory authority pursuant to Article 77, each data subject shall have the right to an effective judicial remedy where, in the opinion of the data subject, his or her rights under this Regulation have been infringed as a result of the processing of personal data concerning him or her not being in accordance with this Regulation. rights.

(2) Proceedings against a controller or processor shall be brought before the courts of the Member State in which the controller or processor is established. Such proceedings may also be brought before the courts of the Member State in which the data subject has his or her habitual residence, unless the controller or processor is a public authority of a Member State.

(3) The court shall hear the case as a matter of urgency. The data subject may also, at his or her choice, bring proceedings before the court competent for his or her place of residence or residence.

6.3 Compensation and damages (Article 82 GDPR, Sections 2:52 and 2:53 of the Civil Code)

(1) Any person who has suffered material or non-material damage as a result of an infringement of the GDPR shall be entitled to compensation from the controller or processor for the damage suffered.

(2) Each controller involved in the processing shall be liable for any damage caused by the processing in breach of this Regulation. The processor shall be liable for damage caused by the processing only if it has failed to comply with the obligations laid down in this Regulation expressly incumbent on the processor or if it has disregarded or acted contrary to the lawful instructions of the controller.

(3) The controller or processor shall be exempt from liability if it proves that it is not in any way responsible for the event giving rise to the damage.

(4) Where several controllers or processors or both controllers and processors are involved in the same processing and are liable for damage caused by the processing pursuant to paragraphs (2) and (3), each controller or processor shall be jointly and severally liable for the full damage in order to ensure that the data subject receives effective compensation.(5) Where a controller or processor has paid full compensation for the damage suffered in accordance with paragraph (4), it shall be entitled to recover from the other controllers or processors involved in the same processing the part of the compensation corresponding to the degree of their liability for the damage under the conditions laid down in paragraph (2).

(6) Judicial proceedings for the enforcement of the right to compensation shall be brought before the court which has jurisdiction under the law of the Member State referred to in Article 79(2).

If the controller causes damage to another person by unlawful processing of the data subject’s data or by breaching the requirements of data security, it shall be obliged to compensate him.

If the controller infringes the data subject’s right to privacy by unlawful processing of the data subject’s data or by breaching the requirements of data security, the data subject may claim damages from the controller.

The data controller shall be exempt from liability for the damage caused and from the obligation to pay damages if it proves that the damage or the infringement of the personal rights of the data subject was caused by an unavoidable cause outside the scope of data processing.

No compensation shall be required and no damages may be claimed to the extent that the damage or the infringement of the personal rights caused by the infringement resulted from the intentional or grossly negligent conduct of the data subject.

 
Update cookies preferences