Acting within the scope of my duties as set out in Sections 24 (3) and 30 (6) of Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information, I hereby establish the data protection and data security regime of the Verőce Mayor's Office (hereinafter: institution), as an institutional data controller, as follows:

I.

GENERAL PROVISIONS

1. Scope of the regulations

1.1. The personal scope of the regulations extends to the employees of the Verőce Mayor's Office and to employees in a legal relationship with the institution.

1.2. The scope of the regulations covers all administrative and file management procedures at the institution, regardless of the data management method.

2. Interpretative provisions

Data: the form of appearance of information, i.e. the uninterpreted but interpretable form of communication of facts and ideas;

Personal data: data relating to the data subject – in particular the name, identification number and one or more specific physical, physiological, mental, economic, cultural or social characteristics of the data subject – and any inferences relating to the data subject that can be drawn from the data;

Special data:

a) personal data relating to racial origin, nationality, political opinion or party affiliation, religious or other ideological beliefs, membership of an interest-representative organization, and sexual life,

b) personal data relating to health status, pathological addiction, and criminal personal data;

Public interest data: information or knowledge recorded in any way or form, which is managed by a body or person performing a state or local institutional task or other public task specified by law and is related to its activities or generated in connection with the performance of its public task, and which does not fall under the concept of personal data, regardless of the method of processing, its independent or collective nature, in particular data relating to competence, jurisdiction, organizational structure, professional activity, its evaluation including its effectiveness, the types of data held and the laws governing its operation, as well as management and concluded contracts;

Public data in the public interest: all data not falling within the concept of public interest data, the disclosure, accessibility or accessibility of which is ordered by law in the public interest;

Contribution: the voluntary and definite declaration of the data subject's will, based on adequate information and by which she gives her unambiguous consent to the processing of personal data concerning her, in full or in relation to certain operations;

Data controller: the natural or legal person or organisation without legal personality who, alone or jointly with others, determines the purposes of the processing of data, makes and implements decisions relating to the processing of data (including the means used), or has them implemented by a data processor entrusted by him/her;

Data management: any operation or set of operations performed on data, regardless of the method used, including in particular collection, recording, recording, organisation, storage, alteration, use, consultation, transmission, disclosure, alignment or combination, blocking, erasure and destruction, as well as preventing further use of data, taking photographs, sound or image recordings and recording physical characteristics suitable for identifying a person (e.g. fingerprints or palm prints, DNA samples, iris images);

Data transmission: making the data accessible to a specific third party;

Disclosure: making the data accessible to anyone;

Data deletion: making data unrecognizable in such a way that its recovery is no longer possible;

Data destruction: complete physical destruction of the data medium containing the data;

Data processing: performing technical tasks related to data processing operations, regardless of the method and means used to perform the operations and the place of application, provided that the technical task is performed on the data;

Data processor: the natural or legal person, or an organization without legal personality, who processes data based on a contract concluded with the data controller - including a contract concluded based on the provisions of the law;

Data set: the set of data managed in a register;

Third person: a natural or legal person or an organization without legal personality who is not the same as the data subject, the data controller or the data processor;

Trade secret any fact, information, solution or data related to economic activity, the disclosure of which, the acquisition or use of which by unauthorized persons would harm or endanger the legitimate financial, economic or market interests of the right holder – not including the Hungarian state – and in order to keep it secret, the right holder has taken the necessary measures.

Administrator: A person authorized to set up users and permissions for a given program.

3. General provisions

3.1. All officers and employees are required to comply with the provisions of the data protection policy. The Registrar monitors the enforcement of the policy, as well as the provisions of data protection laws and other regulations, through the internal auditor and the data protection officer.

3.2. The President is personally responsible for ensuring the protection of personal data processed at the institution, which includes the following:

a. Data generated and managed by the given organizational unit during the performance of the task.

b. Data received from another body or organizational unit.

c. Data for which they have been granted access or use rights.

d. All data that is not directly necessary to perform their duties, but that they have become aware of through various information channels during their work.

3.3. The president is personally responsible for ensuring the disclosure of public interest data at the institution. Requests for access to public interest data must be submitted to the president or the registrar, and the president is responsible for fulfilling them.

3.4. The institution may process personal data if:

1. the data subject consents to it, or

2. it is ordered by law or – based on the authorization of law, within the scope specified therein – by a decree of a local institution for a purpose based on public interest.
   

3.5. In order to protect data files managed electronically in various registers, it must be ensured through appropriate technical solutions that the data stored in the registers cannot be directly linked and assigned to the data subject, unless permitted by law.

3.6. When processing personal data files, the right to the protection of personal data and the personal rights of the data subject may not be violated by other interests related to data processing, including the disclosure of data of public interest, unless an exception is made by law.

3.7. Personal data may only be processed for specific purposes, in order to exercise rights and fulfill obligations. Data processing must comply with the purpose of data processing at all stages, and the collection and processing of data must be fair and lawful.

3.8. Only personal data that is essential for the purpose of data processing and suitable for achieving the purpose may be processed. Personal data may only be processed to the extent and for the period necessary to achieve the purpose.

3.9. Data processing operations must be designed and implemented in such a way as to ensure the protection of the privacy of data subjects in accordance with the applicable laws.

3.10. The data controller:

1. The data controller may only use the classified data that has come to his knowledge for the performance of his duties, may not disclose it to unauthorized persons, and may not release any information without the permission of his manager. The data controller is obliged to deny all forms of data access and use to unauthorized data requesters or applicants. The data controller is personally liable for the handling of data that has come to his knowledge.
   

2. is obliged to keep the business secret that he has come to know in the course of his work - taking into account the provisions of Section 81 of the Civil Code - and essential information about the employer and its activities. In addition, he may not disclose to an unauthorized person any data that he has come to know in connection with the performance of his job, the disclosure of which would have adverse consequences for the employer or another person. Confidentiality does not extend to the disclosure of data of public interest and the obligation to provide data and information specified in a separate law regarding data that is public in the public interest.

3.11. Anyone who detects unlawful data processing is obliged to call on the data controller to cease the unlawful data processing, and is obliged to inform the immediate manager and the data protection officer about the detection of unlawful conduct, the person who processes the data and the scope of the processed data. The immediate manager is obliged to inform the president about the detection of unlawful data processing, and is also obliged to take all necessary measures to eliminate the unlawfulness and mitigate and prevent damage resulting from the unlawful data processing.

II.

DATA PROTECTION ORGANIZATION

1. The president

It performs the tasks assigned to its competence by law, including:

• Publishes the privacy and data security policy.

• Appoints the institution's data protection officer.

• Decides on the identity of data maintainers outside the organization and the contract for data maintenance.

• It checks data management and data protection, as well as IT records, through the internal auditor, directors, department heads, and the data protection officer.
  

2. The data protection officer

2.1. It contributes and provides assistance in making decisions related to data management and in ensuring the rights of data subjects.

2.2. It monitors compliance with the provisions of data processing legislation, internal data protection and data security policies, and data security requirements.

2.3. It investigates the reports received and, if unauthorized data processing is detected, calls on the data controller or data processor to terminate it.

2.4. Prepares and continuously updates the internal data protection and data security policy.

2.5. It provides training on data protection.

2.6. Upon request, it provides opinions on board and committee proposals from a data protection perspective.

2.7. It provides opinions on requests for data provision upon request.

2.8. It compiles a record of the rejection of requests for public interest data and the reasons for the rejections, and then informs the National Data Protection and Freedom of Information Authority of the contents thereof by January 31st of each year.

2.9. Performs data protection tasks as determined by the president from time to time.

3. The data controller

3.1. He/she manages the data related to his/her job, may only manage other data in case of substitution, and keeps the records.

3.2. Provides data to a person or organization authorized by law.

3.3. It keeps the data and data provision records.

3.4. It preserves the information it has obtained.

3.5. She ensures that unauthorized persons cannot access the data in the register she keeps, and ensures that the register is stored securely.

3.6. Complies with the provisions on data management, data protection and data security.

3.7. Immediately informs IT specialists of any malfunction of IT equipment or any problems with the manageability of the data file.

3.8. The data controller is obliged to inform his/her direct manager and the data protection officer of any event in which he/she has been asked or instructed to engage in unlawful data processing, or has experienced any other unauthorized data access or data processing in his/her own system.

III.

REGISTRATION AND DATA PROCEDURE

1. Records management

1.1. Data can be recorded electronically or manually. Important data files cannot be stored on the computers' own storage; they are stored exclusively on the network.

1.2. Data access rights determine which data controllers have access (read) and which data controllers have modification (enter, change, delete) rights to the recorded data.

1.3. The access rights for records kept on the computer are set by the administrator of the given program. The administrator is required to keep an up-to-date record of the access rights of the data controllers.

1.4. The president, the data protection officer, has the right to inspect the register of access rights.

2. Data provision procedure

2.1. Data provision can be done upon request and ex officio.

2.2. The data provision on request may be made orally, in writing or electronically. In the case of an oral data request, the data provision is made via a data provision request form, which is filled in by the applicant (Annex 1).

2.3. Requests for data provision must be filed and recorded manually or electronically in the form specified in Annex 2.

2.4. Personal data may only be provided if the legal requirements are met.

2.5. When requesting data necessary to enforce his or her rights or legitimate interests, the applicant is obliged to prove the fact or event that provides the basis for the purpose of data use, which exists or existed between him or her and the data subject.

2.6. Each department may only fulfill a request for personal data if the requested data falls within its control.

2.7. Requests for information concerning data of public interest and data made public in the public interest must be submitted to the President.

2.8. In the event of a conflict between personal and public interest data, the fundamental right to the protection of personal data and the fundamental right to access public interest data must be interpreted in relation to each other, and the hierarchy of these two fundamental rights must always be established with regard to the subject matter of the issue under consideration.

2.9. If there is any doubt regarding the legality, feasibility or other related circumstances of the data request, each data controller is obliged to seek the opinion of the data protection officer.

2.10. After examining the request, the data protection officer will decide on its feasibility within 3 days, or provide assistance in clarifying doubtful circumstances.

2.11. Requests for access to data of public interest must be fulfilled within 15 days, in a comprehensible form with the necessary details. In the case of significant volume or a large number of data, the processing deadline may be extended by 15 days once. The refusal of the request must be communicated within 8 days, with reasons.

2.12. Prior to the execution of the application, the applicant must be informed of the amount of the reimbursement to be paid based on Annex 3 within 8 days of receipt of the application.

2.13. The applicant may withdraw their application at any time until the data provision is completed.

2.14. From the data provision register, each department prepares a summary report on rejected requests and the reasons for the rejection for the data protection officer by January 15th of each year. The data protection officer compiles the report forwarded by the departments and informs the National Authority for Data Protection and Freedom of Information by January 31st.

2.15. The data access procedure is governed by the rules of the data provision procedure, mutatis mutandis.

2.16. The rules applicable to documents shall apply to the procedure for inspection of image and audio material. The amount of compensation for costs incurred in connection with the provision of data shall be determined in accordance with Annex 3.

IV.

DATA PROTECTION AND DATA SECURITY

1. Infrastructure-related security measures

1.1. Other persons may enter or remain in the premises or work area where data files are managed and stored only in the presence of the administrator or the competent manager managing the given data file.

1.2. Customers may only be in the area designated for customer reception, with the constant presence of an administrator. These rooms must be kept locked during the absence of the authorized person.

1.3. The room used to store server machines may only be entered or stayed in the presence of an IT specialist or the head IT specialist. No one may be in the server room in the absence of the IT specialist or the head IT specialist.

1.4. The administrator managing the data file must log out of the programs he or she uses during his or her absence, thus preventing unauthorized data access.

Computers in office premises must be placed and used in such a way that the information displayed on the screen is not visible to unauthorized persons (e.g. customers, etc.). During work breaks, the computer must be reset so that the information and documents are not visible.

1.5..The data controller is obliged to keep its own passwords secret and may not pass them on to a third party under any circumstances. Any act committed with the data controller's password is the responsibility of the data controller. If the data controller notices that its password has become known to an unauthorized person, it is obliged to change its password immediately and report this fact to the data protection officer.

1.6. The receipt of keys to rooms and data storage cabinets is authenticated by the signature of the recipient in the key register. The key register is kept up to date by the caretaker.

1.7. The right holder may not transfer the keys to the premises and devices used to manage and store data files to another person, even temporarily.

1.8. Copies of keys to premises and data storage devices may only be made in justified cases, with the written permission of the department head. The fact of key copying and the details of the person authorized to use the copy must be entered in the key register.

1.9. The administrator shall put the alarm in the rooms equipped with an alarm into operation at the end of the day's work. The operability of the alarm devices must be checked monthly. The fact and the result of the check are recorded in the key register book and authenticated by their signature.

1.10. Alarm systems should be equipped with a personal authorization (code) if possible to ensure traceability. The authorization register is kept up to date by the caretaker.

1.11. The institution must have fire extinguishers in a state of readiness and in a number that meet fire safety regulations, with particular regard to computer rooms. The server room must also be equipped with separate fire safety equipment. The fire safety officer is responsible for ensuring that the fire safety equipment is provided and that it is operational.

1.12. At the institution, all computing and IT-related equipment must be turned off at the end of the day's work, and the power supply must be disconnected. Server machines may only be turned off when necessary, and users must be notified in advance.

1.13. Security measures related to the infrastructure must be updated in the event of personnel changes.

2. Security measures related to hardware assets

2.1. The use of computer equipment is primarily authorized by its operator, and in his/her absence, by the employees of the organizational unit or by IT specialists. Only IT specialists are authorized to manage servers, and are responsible for their operation and operational security.

2.2. Only IT specialists are authorized to install hardware and software elements into the system, unless it is performed by the distribution company.

2.3. During working hours, a member of the IT team must be available at all times to ensure that any malfunctions in the IT system can be resolved.

2.4 In the event of a malfunction in the IT system – the data controller notifies the IT specialists by indicating the error and symptoms. The IT specialists immediately begin troubleshooting and eliminating the malfunction. They report the failure of servers and services not operated by us to the service provider.

2.5. The maintenance of hardware devices, with the exception of multifunction machines and desktop printers, and the repair of malfunctions are carried out continuously by IT specialists. If the repair is not possible on site, the faulty device must be sent to a specialist service center.

3. Software-related security measures

3.1. Software installation may only be performed by IT specialists in the entire IT system.

3.2. Data files stored on servers must be backed up regularly. Backups and their storage are handled by IT specialists.

3.3. Data maintenance is carried out continuously by the data manager. The data manager of the relevant data file is responsible for keeping the data file he manages up to date.

3.4. IT specialists provide assistance to data controllers in the management and use of computer programs and software, if required.

4. Protection measures related to data carriers and documents

4.1. Copies of data files may only be made for purposes necessary for the performance of the task within the framework of data security.

4.2. Copies of documents may only be made in connection with the performance of duties and only in the justified number of copies. Defective, unused copies must be destroyed.

4.3. The retention period and archiving of paper-based (manual) data carriers are carried out according to the archiving plan.

4.4. Only the president, the administrator, the internal auditor, and the data protection officer have the right to inspect documents (files). Inspection and copying of documents by external persons is carried out in accordance with applicable laws.

4.5. After release or disposal of digital data media, they must be erased using a process that results in the destruction of the data before being used again. When disposed of, computer data media cannot be thrown away; they are continuously collected by the IT department, and as they are hazardous materials, IT specialists ensure their removal.

4.6. The transfer of data carriers (documents) or certain data between organizational units is based on the permission of the relevant director/head of department. Only the transfer of data necessary for the performance of the duties may be permitted. The receipt of the data (documents, data carriers) must be confirmed by signature.

4.7. All stamps used at the institution must be registered – before being issued – with the name and position of the person authorized to use them indicated, and receipt must be confirmed by signature. Stamp purchases are authorized by the competent director/head of department, and the tasks related to the purchase and registration procedure are performed by the guardianship.

4.8. Stamps must be kept in a closed place at all times and may not be left in the open or unattended, even temporarily. Stamps may only be used by authorized personnel.

4.9. The stamp may not be transferred to another person who is not authorized to use it, even temporarily. The person authorized to use the stamp shall be fully liable for any violation of this and any resulting damages.

V.

SPECIAL RULES FOR THE HANDLING OF DOCUMENTS RELATED TO BOARD AND COMMITTEE MEETINGS (HEREIN: BOARD MEETINGS)

1. The minutes of board meetings, committees, and board resolutions must be handled and recorded in a uniform manner. The minutes of closed meetings must be handled separately, in a closed place, but must be recorded together with the minutes of open meetings. The minutes must be recorded together with the proposals.

2. The IT department and the president are responsible for keeping up-to-date records of board minutes and resolutions.

3. The procedure for inspecting committee and board minutes – and providing data from them – is carried out in accordance with the data provision rules of the institution's SZMSZ.

4. Only local institutional representatives may be provided with information or be permitted to exercise their right of access to the minutes of closed meetings and to the parts of the minutes concerned with the agenda items discussed at the closed meeting. Non-representative members of committees shall only have the right of access to the minutes of closed meetings and to the proposals of the committee in which they are members. These provisions do not apply to data of public interest and data made public in the public interest. However, the possibility of obtaining data of public interest and data made public in the public interest must be ensured even in the case of closed meetings.

5. The agenda – proposals, minutes – of closed meetings may be delivered exclusively to local representatives, and the proposals of closed meetings of committees may be delivered exclusively to the committee members concerned.

6. Submissions and minutes to be delivered to the media - written and electronic press -, the library, or other external persons or bodies may not contain personal data.

7. The provisions of the document management regulations shall apply to the management of documents related to board meetings.

8. Board submissions are delivered on paper and via the internet, and access rights are defined on a personal basis.

VI.

FINAL PROVISIONS

1. The tasks and rights specified in the data protection policy must be included in the job descriptions.

2. These regulations come into force on December 1, 2017.