INFORMATION ON DATA PROCESSING
The purpose of this Information on Data Processing is to provide detailed information on the controlling and processing of personal data by KELER Central Depository Ltd. and KELER CCP Central Counterparty Ltd. (hereinafter jointly: KELER Group). Please read the information carefully. For basic terms and applicable regulations related to personal data, please refer to
this site.
The KELER Group is committed to compliance with the regulations applicable to personal data, in particular Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation, GDPR), and Act CXII of 2011 on Informational Self-Determination and Freedom of Information (Info Act).
Personal data in the KELER Group
I. KELER Group, as data processor
The services provided by the KELER Group are not based on the processing of personal data, KELER and KELER CCP do not provide retail services, their clients are legal entities, other organizations, and they maintain no legal relationship with private individuals. In certain cases, however, during the performance of their activities and in order to perform such activities, the KELER Group may become aware of the following personal data of private individuals in legal relationship with their clients:
- first name and last name,
- position,
- user name,
- phone number,
- mobile number,
- e-mail address.
With respect to the private individuals in legal relationship with the clients, the KELER Group acts as data processor as part of its own activity, the client of the KELER Group is the data controller. Data processing by the KELER Group is in line with the method and scope stated in this Information on Data Processing, the internal regulatory documents, the form and individual contract concluded with the client. The client of the KELER Group is obliged to ensure that it controls personal data in line with the regulations, including, in particular, the legal basis and purpose of data processing and giving information to the parties involved.
Therefore, we recommend that you contact with questions related to personal data the client of the KELER Group (the data controller) primarily, that is the legal person (company), other organization that you have a legal relationship with.
II. Additional data processing in the KELER Group, outsourcing
In accordance with Section 343 (2) of Act CXX of 2001 on the Capital Market (Tpt.), the members of the KELER Group are entitled to give personal data to each other without separate authorization. KELER Group members outsource some activities involving personal data also to each other or to external service providers, in line with the provisions of Regulation (EU) 648/2012 of the European Parliament and of the Council of 4 July 2012 on OTC derivatives, central counterparties and trade repositories (EMIR), Regulation (EU) 909/2014 of the European Parliament and of the Council of 23 July 2014 on improving securities settlement in the European Union and on central securities depositories amending Directives 98/26/EC and 2014/65/EU and Regulation (EU) 236/2012 (CSDR), Act CCXXXVII of 2013 on Credit Institutions and Financial Enterprises (Hpt.), and Act CXXXVIII of 2007 on Investment Firms and Commodity Dealers, and on the Regulations Governing their Activities (Bszt.). For more information on outsourced activities, please refer to our General Business Rules.
III. KELER Group, as data controller
KELER Group members can control personal data based on the law (Section 343 of the Tpt.) in the case of transactions that they are counterparty to. The KELER Group has detailed data controlling and data processing records.
Data controlling by the KELER Group is primarily related to legal compliance or the basic operation of the company, as follows:
1. Prevention and combating of money laundering and terrorist financing, customer due diligence, identification of the beneficial owner
In line with the customer due diligence requirement stated in Act LIII of 2017 on the Prevention and Combating of Money Laundering and Terrorist Financing (Pmt.), KELER Group members can take customer due diligence measures in order to identify the client and the beneficial owner and for their personal identification.
In that context, for the identification of the representatives, persons with right of disposition, authorized persons and beneficial owners of the partners for whom accounts are kept, the following personal data are controlled:
- first name and last name,
- first name and last name at birth,
- nationality,
- place, date of birth,
- residence, place of stay,
- statement whether the person is a politically exposed person,
- number, type, validity date of document used for personal identification [such document can be: identity card (valid jointly with card evidencing residence), passport, card-format driving licence],
- mother’s name at birth.
Based on the Pmt., the KELER Group is authorized to control the personal data stored in line with the above, on paper and electronically, for eight years from the date of the termination of the business relationship or from the date of execution of the business order, this period of eight years can be extended at the request of the supervisory body, the financial intelligence unit, the investigating authority, the prosecutor’s office and the court to the period stated in the request, but not more than ten years from the date of termination of the business relationship or the date of execution of the business order.
2. Personal data of the contact persons of clients (business partners)
In order to provide services, to fulfil the contract, the KELER Group controls the following personal data of contact persons designated by clients and other contractual partners:
The contact person’s:
- first name and last name,
- user name,
- phone number,
- mobile number,
- email address.
The contact persons of clients consent to the processing of their data by completing the form attached to the contract.
The KELER Group processes the data stored on paper and electronically for ten years from the date the partner is no longer an account holder client (in line with the provisions of EMIR and CSDR).
The personal data of the contact persons of clients are processed in the following context:
- Data processing to facilitate keeping contact with clients.
- Data processing for the purpose of invoicing.
- Data processing related to representation.
- Data processing to give information on the insolvency of system participants without delay.
- Data processing for the purpose of setting user rights in IT systems.
- Data processing related to securities transfer and teller deliveries in and out.
3. Data processing for security purposes
The premises of the KELER Group are protected by video surveillance and access control systems (hereinafter: system), in line with the opportunity stated in the provisions of Act CXXXIII of 2005 on Security Services and the Activities of Private Investigators (Szvtv.). The KELER Group acts with due regard to the principles of necessity and proportionality when the system elements are installed and operated. KELER operates the electronic surveillance system within the KELER Group. Based on Section 31 (3) of the Szvtv., KELER retains video recordings on the system servers for no more than 30 days if the recordings are not used. KELER stores recordings in a closed IT system located in a locked area subject to separate penetration control and access control. The video recordings made by the system can be viewed by the KELER Security Management colleagues, the Data Protection Officer of the KELER Group (hereinafter: Data Protection Officer), and the colleagues of the competent authority in the case of proceedings by the authority. In the case of proceedings, request by authorities, the recordings can be forwarded subject to consent by the Data Protection Officer and only if any security incident is suspected. Security guards continuously check live recordings, and thus the functionality of the system.
Rules on viewing recordings, possible purposes of using recordings:
- Only the KELER Chief Security Officer or the colleagues of KELER Security Management are entitled to view recordings, in justified cases and in a documented manner.
- The purpose of using recordings is to ensure the confidentiality, availability and integrity of the data and valuables managed by KELER and KELER CCP, the organizations operating a nationally vital system element of the financial sector.
You can request that the recordings made of you are not deleted, where justified. You are also entitled to contact the Data Protection Officer if you believe that that operation of the electronic surveillance system is an affront to your human dignity.
The data processing rules related to the system apply to the access control system also, as in this case data on access and movement are considered personal data that the KELER Group retains for 24 hours after you leave.
4. Data processing related to the use of the websites of KELER and KELER CCP
The websites of the KELER Group (
english.keler.hu;
english.kelerkszf.hu) use anonymous user identifiers (cookies) related to the use of certain services in order to improve the quality of use of such services and make use simple for users. The cookie is a series of signs capable of identifying individual computers and store profile information that service providers store on the computer of the user. The series of signs itself is not capable of identifying personally the user, it can identify the computer only.
If you would not like to have cookies on your computer, please disable cookies in your browser. However, in this case it is possible that you cannot access certain services or access such services differently than with cookies enabled.
5. Data processing related to registration on the websites of KELER and KELER CCP
Visitors of the KELER Group websites (
english.keler.hu;
english.kelerkszf.hu) can register for notifications in English or Hungarian languages (KELER news, KELER CCP news, KELER Group Media news, Corporate action database update, Corporate action reminder, etc.).
Based on consent by the parties registering for the service, the KELER Group processes the following personal data provided on its website:
- First and last name,
- user name,
- e-mail address,
provided by the registering party.
Please read this information carefully upon registration, and mark the appropriate field to indicate your consent.
The KELER Group deletes data immediately when the registration is cancelled. You can cancel registration as described in the advice earlier sent, by clicking the registration cancellation function stated in the advice.
6. Processing the personal data of job applicants
Based on the consent of job applicants, the KELER Group manages the personal data stated in resumes and attached documents (motivation letter, reference and other documents) received directly or through the contracted selection and recruitment partner. Consent is given by submitting the application. In order to give advance information to applicants, the KELER Group highlights the electronic availability of this Information in all job postings.
If you wish to apply for a job posted by the KELER Group, please provide only the personal data relevant to the position (e.g. education, experience) and avoid providing information that are not necessarily required to assess whether you are fit for the position (e.g. age, address, religion).
The purpose of data processing is to perform the selection process and to inform applicants on the result of the selection processes.
If the KELER Group involves third parties in any phase of the selection process, the applicant is informed accordingly in advance and related consent is requested.
The KELER Group processes the above personal data until the posted position is filled, and the data will be deleted immediately when decision is made on filling the position. Should any reason justifying further data processing arise during the selection process (e.g. possibility of later cooperation), the KELER Group informs the applicant and requests consent by the applicant for further data processing for a fixed period.
7. Data processing for business development
The KELER Group processes the data of potential business partners related to business development, for the purpose of making contact later, based on consent expressed by handing over business cards or in similar manners. In such cases, at the time the first contact is made, the KELER Group makes verbal reference to this Information or sends it (as attachment or link) to give written information on data processing details. If no business cooperation is entered into, the KELER Group deletes data after eight years, but the party concerned can request immediate cancellation of its data at any time at:
and
.
8. Voice recording
In line with the provisions of the Hpt. and the Bszt., the KELER Group records communication on the phone related to complaint management via phone, and retains the voice recording for 5 years. The party making the complaint is informed accordingly at the beginning of the phone conversation.
9. Data processing by the KELER Group as employer
As employers, KELER and KELER CCP process the personal data of employees (and third parties working based on other legal relationships), and, as appropriate, the personal data of the relatives of employees. The persons involved are informed separately on data processing by the employer.
Who can know the personal data processed by the KELER Group?
All KELER Group employees are bound by secrecy. The KELER Group places strong emphasis on ensuring with internal regulation and strict IT rights management that the data it controls and processes are known only to the employees to the job of whom the data concerned is related to, in the case of personal data, for example:
- personal data of job applicants can be known to the HR Department and the colleagues and heads of the units posting the position,
- data related to security purposes can be known to the colleagues of KELER Security Management and the Chief Security Officer,
- data related to business development can be known to the colleagues and managers responsible for business development.
There are jobs at the KELER Group that promote compliance with regulations (Legal and Compliance, Internal Audit, Data Protection Officer). In order to perform work, the colleagues and managers of these units need to know the data processed or controlled by the KELER Group related to certain tasks.
To whom can the KELER Group forward personal data?
Data can be forwarded to meet the requirements of regulations, for example, in the following typical cases:
- responding to requests by authorities or reporting to administrative or investigating authorities,
- reporting suspected money laundering to the Finance Intelligence Unit of the National Tax and Customs Office (NAV),
- in order to fulfil a contract, to the party involved (e.g. in the case of cross-border transactions or nominated ordering clients).
The KELER Group can forward to its partners performing outsourced activities the personal data related to the subject of the outsourcing. In certain cases, KELER and KELER CCP can forward personal data to the cooperating law firms*, for example in order to finalize a contract or related to a legal dispute. In this case, the law firm is required to manage the transferred data in line with the contract for legal services and the applicable regulations (in particular the secrecy stated in Act LXXVIII of 2017 on the Profession of Lawyer).
In other cases not regulated by law, when the need to transfer data to third parties arises, data is transferred subject to the written consent of the parties concerned, after prior information is given on the legal basis of data forwarding and the transferee. For example: filling a position at the KELER Group requires a test related to which KELER or KELER CCP wish to involve a third party service provider.
(*Kapolyi Law Firm is the legal representative of KELER and KELER CCP, based on the contract for legal services executed with the companies.)
Security of data at the KELER Group
By law the systems of the KELER Group are considered system elements of vital national interest in the financial sector. Accordingly, the security environment is standard and operates in line with strict legal and regulatory requirements*, and is subject to ongoing and regular external and internal control and supervision.
(*E.g. Act L of 2013 on the Information Security of State and Local Municipality Organizations, Act CLXVI of 2012 on the Identification, Designation and Protection of Systems and Facilities of Vital Importance and related regulations, regulations of the financial sector and documents of the supervisors.)
Consequently, the KELER Group places great emphasis on the security of personal data it processes or controls, that is to say, to avoid violation of data security resulting in adventitious or unlawful destruction, loss, change, unauthorized communication of data or unauthorized access to data (data protection incident).
However, should a data protection incident nevertheless occur, the KELER Group has internal regulation that determines the method of incident investigation, involvement of the Data Protection Officer, informing the parties concerned and the National Data Protection and Information Security Authority (Authority), and the method of documenting and managing incidents without any delay.
Related to outsourced activities, the KELER Group cooperates with partners that guarantee the security of the personal data they come to possess. The provision of appropriate guarantees related to the security of data is a priority aspect when partners performing outsourced activities are selected.
The KELER Group manages physical documents containing personal data subject to strict security requirements. It is not possible to recover the destructed physical documents.
The KELER Group provides data protection training to employees to ensure data protection awareness, to facilitate the prevention and proper management of data protection incidents of IT or non-IT nature.
What can you do if you have questions or wish to make a complaint related to the processing of your personal data?
In order to protect your rights, the KELER Group appointed a Data Protection Officer. The appointed Data Protection Officer of the KELER Group is András Kertész, e-mail address:
.
In line with the details provided in this document, you have the right to request any member of the KELER Group to let you know the personal data processed related to you, the correction of such data, and the deletion of data, except for the data that are mandatory to be managed.
- In writing, to the mailing address of KELER or KELER CCP (KELER Ltd., KELER CCP Ltd., 1074 Budapest, Rákóczi út 70-72., phone: + 36 1 483 6100) or fax (+36 1 483 6194), at any time.
- In e-mail, to e-mail address
, or to the business e-mail addresses of the colleagues of KELER and KELER CCP, at any time.
- Related to data protection incidents regarding business applications: on the phone or in e-mail, to KELER Service Desk (phone: +36 1 483 6120; e-mail:
), between 07:00 and 20:00 from Monday to Friday.
- At the Client Service of KELER (KELER Ltd., 1074 Budapest, Rákóczi út 70-72.), during the opening hours of Client Service (between 09:00 and 15:00 from Monday to Friday), orally or in writing by entering the complaint in the register of complaints located at Client Service.
If your rights related to the processing of personal data are violated, you have the right to contact the Authority (address: 1125 Budapest, Szilágyi Erzsébet Fasor 22/c; phone: +36 (1) 391-1400; e-mail:
; website:
https://www.naih.hu), or go to court. Anyone can report to the Authority the violation of rules related to personal data processing or direct threat thereof. Details on further legal remedies are contained in Act V of 2013 on the Civil Code (Ptk.) and the rules of civil proceedings if the case is referred to the court, and in the Info Act if the data protection authority (Authority) is contacted.
You are recommended to lodge a complaint before starting any other proceedings. We make sure that your complaint is investigated with the greatest care, with the involvement of the Data Protection Officer, is responded to within thirty days, and we will do our best to solve the issue to your satisfaction. We also recommend that you contact primarily the legal person with whom you have a direct legal relationship with questions and complaints related to data processing in the legal relationship.