Privacy and data management policy

The Privacy and Data Management Policy of Cedit 2000 Kft (“Data Protection Policy”) defines the rules concerning the protection of personal data. The Data Protection Policy reflects the provisions of the GDPR and the data protection legislation of the country.

Cedit 2000 Kft takes the protection of personal data very seriously, and handles the data with due care and responsibility in the course of its business activities.

The Data Protection Policy of Cedit 2000 Kft. is valid in conjunction with the Act CXII of 2011 on the right to information self-determination and freedom of information.


This Data Prrotection Policy covers Cedit 2000 Kft. and its employees, as well as the handling of all personal data that is subject to the GDPR and the national data protection laws of the EU Member States.

Definitions / Abbreviations

Data subject

An identified or identifiable natural person; the natural person is identifiable when, directly or indirectly, in particular on the basis of an identifier such as name, number, location, online username or one or more factors relating to the physical, physiological, genetic, mental, economic, cultural or social identity identifiable

Data Manager

A natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data

Data Processor

A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller

Personal Data

Any information relating to an identified or identifiable natural person

Special category of personal data

Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or labor union membership, as well as genetic and biometric data for the unique identification of natural persons, health data and personal data concerning the sexual life or sexual orientation of natural persons.

Member State data protection legislation

Data protection legislation adopted in the Member States in accordance with the GDPR

Data Handling

Any operation or set of operations on personal data or files, whether automated or non-automated, such as collecting, recording, organizing, segmenting, storing, transforming or altering, querying, inspecting, using, communicating, transmitting, distributing or otherwise making available, harmonizing or connecting, restricting, deleting or destructing.

Anonymized information

Any information which can not be related to an identified or identifiable natural person, including data anonymised in such a way that the data subject is not or can no longer be identified.

Third person

Any legal entity or natural person who is not an employee of the Company, except for those involved.


A voluntary, specific and clear statement – based on adequate information – of the data subject, by which the data subject indicates, by means of a statement or an act unequivocally expressing his or her consent, that he or she consents to the processing of personal data concerning him or her.


The General Data Protection Regulation (GDPR) – (EU) 2016/679 – is the regulation on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (Data Protection Directive)



  1. Procedure and tasks

The following provisions describe the procedures to be followed by Cedit 2000 Kft during the processing of personal data.

1.1 General obligation

Cedit 2000 Kft applies appropriate technical and organizational measures against misuse of personal data, loss or damage to personal data, and to ensure that the data is handled in accordance with the provisions of the GDPR and the national data protection legislation of the relevant EU Member States. The data protection regulations apply to the processing of the personal data of Cedit 2000 Kft’s business partners, employees, family members, job applicants and other natural persons whose personal data is managed by Cedit 2000 Kft.         

1.2 Principles of personal data protection

Cedit 2000 Kft respects the principles set by the GDPR in relation to data management.

The list of relevant principles is as follows:

  • Principle of lawfulness – there must be at least one legal basis for starting the processing of personal data;
  • Principle of purpose – personal data can only be processed for pre-defined purposes;
  • Principle of data saving: – data is processed only when necessary, any relevant personal data can only be processed for lawful purposes
  • Principle of accuracy and transparency – open and transparent data management towards the data subject;
  • Principles of integrity and confidentiality, the application of the „what we need to know” principle – the application of the necessary technical and organizational measures to ensure that access is restricted by preventing unauthorized or illegal data processing;
  • Principle of accuracy – accurate and up-to-date personal data must be processed;
  • Controlled change management system – modification of the personal data management system or introduction of a new method based on the opinion of the data controller, followed by a possible data management impact assessment;

1.3 Legal bases and data management purposes

The processing of personal data must be based on legal basis; such may include consent to the processing, fulfillment of a legal obligation, contract obligation, legitimate interest, public interest or protection of the interests of the data subject. Cedit 2000 Kft carries out its activities with full consideration of these legal bases and purposes.

1.4 Transfer of personal data

Cedit 2000 Kft may only make personal data available to third parties under defined conditions. Personal data may only be transferred to a third party acting as a data processor under a data management contract. Under the relevant contracts, personal data may also be transferred to a third party acting as a contractual data processor or joint data processor.

If correction or deletion of personal data is necessary, or if there are circumstances restricting the processing of data, Cedit 2000 Kft will notify the third parties to whom it has transferred the personal data, unless this would be unsolvable or would involve a disproportionate effort. Upon special request, Cedit 2000 Kft. shall notify the data subject of the third parties to whom the personal data has been transferred.

Cedit 2000 Kft may also transfer personal data to third parties or international organizations outside the EEA or the European Union.

1.5 Rights of data subjects

Cedit 2000 Kft takes the necessary steps that data subjects may exercise their rights granted to them by GDPR. In relation to the processing of their personal data, the rights of data subjects include the right to access personal data, the right to restrict data processing, the right to modify data, the portability and deletion of data, the right to object to data processing and the right not to be subject to scope of the decision based on automated data processing only.

Cedit 2000 Kft ensures proper communication and cooperation in order to process all requests in a timely manner. Cedit 2000 Kft will do its best to respond to the data subject within 30 days at the latest.

1.6 Tasks required for data managers and all employees

All data holders and employees Within Cedit 2000 Kft., are obliged to handle the data in accordance with the first guidelines of Cedit 2000 Kft, the GDPR and the data protection legislation of the Member States.

1.7 Reporting a privacy or data management related incident

If there is a risk of a data protection incident or an attempt to do so, Cedit 2000 Kft. will notify the supervisory authority and / or the parties concerned, and its employees will fulfill this obligation within 72 hours of the incident.

1.8 Deletion of personal data

Cedit 2000 Kft handles personal data only for the necessary time. Personal data must be deleted or anonymised in the following cases:

  • Termination of the purpose of data processing, without any other/replacing legitimate purpose;
  • Personal data are no longer required for the purpose for which they were collected or otherwise processed;
  • The data subject withdraws his or her consent and there is no other legal basis for the processing;
  • The data subject objects to the data processing and there is no other legal basis to override the objection;
  • Unlawful processing of personal data.

Cedit 2000 Kft. pays the appropriate attention on complying with the necessary data protection measures when deleting or anonymizing data.