Privacy Policy

Please read the following terms carefully.

INFORMATION ON DATA PROCESSING

The purpose of this Information on Data Processing is to provide detailed information on the controlling and processing of personal data by KELER Central Depository Ltd. and KELER CCP Central Counterparty Ltd. (hereinafter jointly: KELER Group). Please read the information carefully. For basic terms and applicable regulations related to personal data, please refer to this site.

The KELER Group is committed to compliance with the regulations applicable to personal data, in particular Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation, GDPR), and Act CXII of 2011 on Informational Self-Determination and Freedom of Information (Info Act).

For more information on the activity of the KELER Group, please refer to here and here.

 

Personal data in the KELER Group

I. KELER Group, as data processor

The services provided by the KELER Group are not based on the processing of personal data, KELER and KELER CCP do not provide retail services, their clients are legal entities, other organizations, and they maintain no legal relationship with private individuals. In certain cases, however, during the performance of their activities and in order to perform such activities, the KELER Group may become aware of the following personal data of private individuals in legal relationship with their clients:

  • first name and last name,
  • position,
  • user name,
  • phone number,
  • mobile number,
  • email address.

With respect to the private individuals in legal relationship with the clients, the KELER Group acts as data processor as part of its own activity, the client of the KELER Group is the data controller. Data processing by the KELER Group is in line with the method and scope stated in this Information on Data Processing, the internal regulatory documents, the form and individual contract concluded with the client. The client of the KELER Group is obliged to ensure that it controls personal data in line with the regulations, including, in particular, the legal basis and purpose of data processing and giving information to the parties involved.

Therefore, we recommend that you contact with questions related to personal data the client of the KELER Group (the data controller) primarily, that is the legal person (company), other organization that you have a legal relationship with.

 

II. Additional data processing in the KELER Group, outsourcing

In accordance with Section 343 (2) of Act CXX of 2001 on the Capital Market (Tpt.), the members of the KELER Group are entitled to give personal data to each other without separate authorization. KELER Group members outsource some activities involving personal data also to each other or to external service providers, in line with the provisions of Regulation (EU) 648/2012 of the European Parliament and of the Council of 4 July 2012 on OTC derivatives, central counterparties and trade repositories (EMIR), Regulation (EU) 909/2014 of the European Parliament and of the Council of 23 July 2014 on improving securities settlement in the European Union and on central securities depositories amending Directives 98/26/EC and 2014/65/EU and Regulation (EU) 236/2012 (CSDR), Act CCXXXVII of 2013 on Credit Institutions and Financial Enterprises (Hpt.), and Act CXXXVIII of 2007 on Investment Firms and Commodity Dealers, and on the Regulations Governing their Activities (Bszt.). For more information on outsourced activities, please refer to our General Business Rules.

 

III. KELER Group, as data controller

KELER Group members can control personal data based on the law (Section 343 of the Tpt.) in the case of transactions that they are counterparty to. The KELER Group has detailed data controlling and data processing records.

Data controlling by the KELER Group is primarily related to legal compliance or the basic operation of the company, as follows: 

1. Prevention and combating of money laundering and terrorist financing, customer due diligence, identification of the beneficial owner

In line with the customer due diligence requirement stated in Act LIII of 2017 on the Prevention and Combating of Money Laundering and Terrorist Financing (Pmt.), KELER Group members can take customer due diligence measures in order to identify the client and the beneficial owner and for their personal identification.

In that context, for the identification of the representatives, persons with right of disposition, authorized persons and beneficial owners of the partners for whom accounts are kept, the following personal data are controlled: 

  • first name and last name,
  • first name and last name at birth,
  • nationality,
  • place, date of birth,
  • residence, place of stay,
  • statement whether the person is a politically exposed person,
  • number, type, validity date of document used for personal identification [such document can be: identity card (valid jointly with card evidencing residence), passport, card-format driving licence],
  • mother’s name at birth.

Based on the Pmt., the KELER Group is authorized to control the personal data stored in line with the above, on paper and electronically, for eight years from the date of the termination of the business relationship or from the date of execution of the business order, this period of eight years can be extended at the request of the supervisory body, the financial intelligence unit, the investigating authority, the prosecutor’s office and the court to the period stated in the request, but not more than ten years from the date of termination of the business relationship or the date of execution of the business order.

2. Personal data of the contact persons of clients (business partners)

In order to provide services, to fulfil the contract, the KELER Group controls the following personal data of contact persons designated by clients and other contractual partners:

The contact person’s:

  • first name and last name,
  • position,
  • user name,
  • phone number,
  • mobile number,
  • email address.

The contact persons of clients consent to the processing of their data by completing the form attached to the contract.

The KELER Group processes the data stored on paper and electronically for ten years from the date the partner is no longer an account holder client (in line with the provisions of EMIR and CSDR).

The personal data of the contact persons of clients are processed in the following context:

  • Data processing to facilitate keeping contact with clients. 
  • Data processing for the purpose of invoicing.
  • Data processing related to representation.
  • Data processing to give information on the insolvency of system participants without delay.
  • Data processing for the purpose of setting user rights in IT systems.
  • Data processing related to securities transfer and teller deliveries in and out.

3. Data processing for security purposes

The premises of the KELER Group are protected by video surveillance and access control systems (hereinafter: system), in line with the opportunity stated in the provisions of Act CXXXIII of 2005 on Security Services and the Activities of Private Investigators (Szvtv.). The KELER Group acts with due regard to the principles of necessity and proportionality when the system elements are installed and operated. KELER operates the electronic surveillance system within the KELER Group. Based on Section 31 (3) of the Szvtv., KELER retains video recordings on the system servers for no more than 30 days if the recordings are not used. KELER stores recordings in a closed IT system located in a locked area subject to separate penetration control and access control. The video recordings made by the system can be viewed by the KELER Security Management colleagues, the Data Protection Officer of the KELER Group (hereinafter: Data Protection Officer), and the colleagues of the competent authority in the case of proceedings by the authority. In the case of proceedings, request by authorities, the recordings can be forwarded subject to consent by the Data Protection Officer and only if any security incident is suspected. Security guards continuously check live recordings, and thus the functionality of the system.

Rules on viewing recordings, possible purposes of using recordings:

  • Only the KELER Chief Security Officer or the colleagues of KELER Security Management are entitled to view recordings, in justified cases and in a documented manner.
  • The purpose of using recordings is to ensure the confidentiality, availability and integrity of the data and valuables managed by KELER and KELER CCP, the organizations operating a nationally vital system element of the financial sector. 

You can request that the recordings made of you are not deleted, where justified. You are also entitled to contact the Data Protection Officer if you believe that that operation of the electronic surveillance system is an affront to your human dignity.

The data processing rules related to the system apply to the access control system also, as in this case data on access and movement are considered personal data that the KELER Group retains for 24 hours after you leave.

4. Data processing related to the use of the websites of KELER and KELER CCP

The websites of the KELER Group (www.keler.hu; www.kelerkszf.hu) use anonymous user identifiers (cookies) related to the use of certain services in order to improve the quality of use of such services and make use simple for users. The cookie is a series of signs capable of identifying individual computers and store profile information that service providers store on the computer of the user. The series of signs itself is not capable of identifying personally the user, it can identify the computer only.

If you would not like to have cookies on your computer, please disable cookies in your browser. However, in this case it is possible that you cannot access certain services or access such services differently than with cookies enabled.

5. Data processing related to registration on the websites of KELER and KELER CCP

Visitors of the KELER Group websites (www.keler.hu; www.kelerkszf.hu) can register for notifications in English or Hungarian languages (KELER news, KELER CCP news, KELER Group Media news, Corporate action database update, Corporate action reminder, etc.).

Based on consent by the parties registering for the service, the KELER Group processes the following personal data provided on its website:

  • first and last name,
  • user name,
  • email address,

provided by the registering party.

Please read this information carefully upon registration, and mark the appropriate field to indicate your consent.

The KELER Group deletes data immediately when the registration is cancelled. You can cancel registration as described in the advice earlier sent, by clicking the registration cancellation function stated in the advice.

6. Processing the personal data of job applicants

Based on the consent of job applicants, the KELER Group manages the personal data stated in resumes and attached documents (motivation letter, reference and other documents) received directly or through the contracted selection and recruitment partner. Consent is given by submitting the application. In order to give advance information to applicants, the KELER Group highlights the electronic availability of this Information in all job postings.

If you wish to apply for a job posted by the KELER Group, please provide only the personal data relevant to the position (e.g. education, experience) and avoid providing information that are not necessarily required to assess whether you are fit for the position (e.g. age, address, religion).

The purpose of data processing is to perform the selection process and to inform applicants on the result of the selection processes.

If the KELER Group involves third parties in any phase of the selection process, the applicant is informed accordingly in advance and related consent is requested.

The KELER Group processes the above personal data until the posted position is filled, and the data will be deleted immediately when decision is made on filling the position. Should any reason justifying further data processing arise during the selection process (e.g. possibility of later cooperation), the KELER Group informs the applicant and requests consent by the applicant for further data processing for a fixed period.

7. Data processing for business development

The KELER Group processes the data of potential business partners related to business development, for the purpose of making contact later, based on consent expressed by handing over business cards or in similar manners. In such cases, at the time the first contact is made, the KELER Group makes verbal reference to this Information or sends it (as attachment or link) to give written information on data processing details. If no business cooperation is entered into, the KELER Group deletes data after eight years, but the party concerned can request immediate cancellation of its data at any time at: keler@keler.hu and kelerccp@kelerkszf.hu.

8. Voice recording

In line with the provisions of the Hpt. and the Bszt., the KELER Group records communication on the phone related to complaint management via phone, and retains the voice recording for 5 years. The party making the complaint is informed accordingly at the beginning of the phone conversation.

9. Data processing by the KELER Group as employer

As employers, KELER and KELER CCP process the personal data of employees (and third parties working based on other legal relationships), and, as appropriate, the personal data of the relatives of employees. The persons involved are informed separately on data processing by the employer.

 


Who can know the personal data processed by the KELER Group?

All KELER Group employees are bound by secrecy. The KELER Group places strong emphasis on ensuring with internal regulation and strict IT rights management that the data it controls and processes are known only to the employees to the job of whom the data concerned is related to, in the case of personal data, for example:

  • personal data of job applicants can be known to the HR Department and the colleagues and heads of the units posting the position,
  • data related to security purposes can be known to the colleagues of KELER Security Management and the Chief Security Officer,
  • data related to business development can be known to the colleagues and managers responsible for business development.

There are jobs at the KELER Group that promote compliance with regulations (Legal and Compliance, Internal Audit, Data Protection Officer). In order to perform work, the colleagues and managers of these units need to know the data processed or controlled by the KELER Group related to certain tasks.

 


To whom can the KELER Group forward personal data?

Data can be forwarded to meet the requirements of regulations, for example, in the following typical cases:

  • responding to requests by authorities or reporting to administrative or investigating authorities,
  • reporting suspected money laundering to the Finance Intelligence Unit of the National Tax and Customs Office (NAV),
  • in order to fulfil a contract, to the party involved (e.g. in the case of cross-border transactions or nominated ordering clients).

The KELER Group can forward to its partners performing outsourced activities the personal data related to the subject of the outsourcing. In certain cases, KELER and KELER CCP can forward personal data to the cooperating law firms*, for example in order to finalize a contract or related to a legal dispute. In this case, the law firm is required to manage the transferred data in line with the contract for legal services and the applicable regulations (in particular the secrecy stated in Act LXXVIII of 2017 on the Profession of Lawyer).

In other cases not regulated by law, when the need to transfer data to third parties arises, data is transferred subject to the written consent of the parties concerned, after prior information is given on the legal basis of data forwarding and the transferee. For example: filling a position at the KELER Group requires a test related to which KELER or KELER CCP wish to involve a third party service provider.

(*KELER Legal Department acts as the counsellor of KELER and KELER CCP.)

 


Security of data at the KELER Group

By law the systems of the KELER Group are considered system elements of vital national interest in the financial sector. Accordingly, the security environment is standard and operates in line with strict legal and regulatory requirements*, and is subject to ongoing and regular external and internal control and supervision.

(*E.g. Act L of 2013 on the Information Security of State and Local Municipality Organizations, Act CLXVI of 2012 on the Identification, Designation and Protection of Systems and Facilities of Vital Importance and related regulations, regulations of the financial sector and documents of the supervisors.)

Consequently, the KELER Group places great emphasis on the security of personal data it processes or controls, that is to say, to avoid violation of data security resulting in adventitious or unlawful destruction, loss, change, unauthorized communication of data or unauthorized access to data (data protection incident).

However, should a data protection incident nevertheless occur, the KELER Group has internal regulation that determines the method of incident investigation, involvement of the Data Protection Officer, informing the parties concerned and the National Data Protection and Information Security Authority (Authority), and the method of documenting and managing incidents without any delay.

Related to outsourced activities, the KELER Group cooperates with partners that guarantee the security of the personal data they come to possess. The provision of appropriate guarantees related to the security of data is a priority aspect when partners performing outsourced activities are selected.

The KELER Group manages physical documents containing personal data subject to strict security requirements. It is not possible to recover the destructed physical documents.

The KELER Group provides data protection training to employees to ensure data protection awareness, to facilitate the prevention and proper management of data protection incidents of IT or non-IT nature.

 


What can you do if you have questions or wish to make a complaint related to the processing of your personal data?

Rights of the persons involved in data processing under the GDPR:

  1. Right of information, access;
  2. Right of rectification;
  3. Right of erasure;
  4. Right to restriction of processing;
  5. Right to data portability;
  6. Right to object.

1. Right of information and access of the data subject

In addition to the information included in this Privacy Policy, at the request of the data subject, the Controller provides information on whether or not the data of the person are being processed. If yes, in addition to ensuring access, the Controller informs the data subject on the category of the data processed, the purpose of data processing, the recipients of personal data or the category of recipients, the data storing period or the criteria used to determine the storing period, the exercising of the rights of the data subject, the right to submit a complaint to the Nemzeti Adatvédelmi és Információszabadság Hatóság (NAIH), the source of data, and the fact of automated decision making, including profiling also. In case of data transfer outside the European Union or the European Economic Area, the data subject is informed on the appropriate guarantees provided related to the data transfer.

KELER informs the data subject on the measures taken by KELER or on the justification why measures are not taken by sending a response in no more than one month to the address stated in the request submitted.

2. Right to rectification

The data subject has the right to request the rectification of inaccurate personal data concerning him or her. If it is necessary to rectify the personal data controlled by the Controller, the data subject can request (in mail or email) the rectification of data by stating the correct data.

The data subject is required to report to the Controller in writing (in mail or email) any change to its personal data controlled by the Controller immediately but not later than 5 days after the change. The data subject assumes liability for damages due to failure to report or reporting with delay the change.

Taking into account the purposes of the processing, the data subject has the right to have incomplete personal data completed, including by means of providing a supplementary statement.

KELER informs the data subject without undue delay, no later than one month, in a response letter sent to the address stated in the request submitted on the measures taken or on the justification why measures are not taken.

3. Right to erasure

The data subject has the right to obtain from the Controller the erasure of personal data concerning him or her without undue delay and the Controller is required to erase personal data of the data subject without undue delay in the cases stated in the GDPR (Article 17).

Where the Controller has made the personal data public, that is to say it has forwarded personal data to third parties, in case the right to erasure of the data subject is exercised, the Controller takes reasonable steps to inform controllers that received the personal data forwarded that the data subject has requested the erasure by such controllers of any links to, or copy or replication of those personal data.

The data subject can request KELER in writing to erase its personal data.

KELER rejects the request to erase if KELER is required by law to continue to store the personal data. If there is no such requirement related to the personal data requested to be erased, KELER informs the data subject without undue delay, no later than one month, in a response letter sent to the address stated in the request submitted on the measures taken or on the justification why measures are not taken.

4. Right to restriction of processing

The data subject has the right to obtain from the Controller restriction of processing if

  • the data subject contests the accuracy of personal data;
  • the processing is unlawful and the data subject opposes the erasure of the personal data;
  • the Controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
  • the data subject has objected to processing.

The data subject can request KELER to restrict processing in writing. Where processing has been restricted, KELER can only store personal data for the periods stated in Article 18 of the GDPR, other controlling activity can be undertaken subject to the consent of the person requesting restriction due to the establishment, exercise or defence of legal claims or for the protection of public interest. The Controller informs in advance the person requesting restriction on terminating the restriction.

5. Right to data portability

The data subject has the right to receive the personal data concerning him or her, which he or she has provided to the Controller, in a structured, commonly used and machine-readable format and has the right to transmit those data to another controller without hindrance from the Controller if:

  • processing is based on consent or contract stated in Article 20 of the GDPR; and
  • processing is carried out by automated means.

6. Right to object

The data subject has the right to object, on grounds related to his or her particular situation, at any time to processing of personal data concerning him or her, including profiling. In this case personal data can no longer be processed for this purpose unless the Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

Where personal data are processed for direct marketing purposes, the data subject has the right to object at any time to the processing of personal data concerning him or her for such marketing which includes profiling to the extent that it is related to such direct marketing.

Where the data subject objects to processing for direct marketing purposes, the Controller can no longer process personal data.

Please be informed that if processing is based on consent (phone number, email address), you can revoke your consent to processing any time, however, it does not affect the lawfulness of processing based on consent before revocation of consent. You can revoke your consent by sending a statement to this effect in mail or email.

The Controller provides information on the measures taken related to the request received on the exercise of the rights stated in Point 1-6. without undue delay, but no later than one month, in writing, using plain language, in the electronic or mail channel selected by the data subject, which deadline can be extended with two more months if justified, taking into account the complexity of the request and the number of requests.

In order to protect your rights, the KELER Group appointed a Data Protection Officer. The appointed Data Protection Officer of the KELER Group is András Kertész, email address: adatvedelmitisztviselo@keler.hu.

In line with the details provided in this document, you have the right to request any member of the KELER Group to let you know the personal data processed related to you, the correction of such data, and the deletion of data, except for the data that are mandatory to be managed.

If you believe that your rights related to your personal data are violated by the KELER Group, you can lodge a complaint as follows, in line with the KELER Group Complaint Management Procedure:

  • In writing, to the mailing address of KELER or KELER CCP (KELER Ltd., KELER CCP Ltd., 1074 Budapest, Rákóczi út 70-72., phone: + 36 1 483 6100) or fax (+36 1 483 6194), at any time.
  • In email, to email address keler@keler.hu, or to the business email addresses of the colleagues of KELER and KELER CCP, at any time.
  • Related to data protection incidents regarding business applications: on the phone or in email, to KELER Service Desk (phone: +36 1 483 6120; email: servicedesk@keler.hu), between 07:00 and 20:00 from Monday to Friday.
  • At the Client Service of KELER (KELER Ltd., 1074 Budapest, Rákóczi út 70-72.), during the opening hours of Client Service (between 09:00 and 15:00 from Monday to Friday), orally or in writing by entering the complaint in the register of complaints located at Client Service.

If your rights related to the processing of personal data are violated, you have the right to contact the Authority (address: 1125 Budapest, Szilágyi Erzsébet Fasor 22/c; phone: +36 (1) 391-1400; email: ugyfelszolgalat@naih.hu; website: https://www.naih.hu), or go to court. Anyone can report to the Authority the violation of rules related to personal data processing or direct threat thereof. Details on further legal remedies are contained in Act V of 2013 on the Civil Code (Ptk.) and the rules of civil proceedings if the case is referred to the court, and in the Info Act if the data protection authority (Authority) is contacted.

You are recommended to lodge a complaint before starting any other proceedings. We make sure that your complaint is investigated with the greatest care, with the involvement of the Data Protection Officer, is responded to within one month, and we will do our best to solve the issue to your satisfaction. We also recommend that you contact primarily the legal person with whom you have a direct legal relationship with questions and complaints related to data processing in the legal relationship.