General Information on Data Processing of the State Audit Office of Hungary
The State Audit Office of Hungary (hereinafter: SAO) processes personal data acquired or recorded during its activities in accordance with Regulation (EU) 2016/679 of the European Parliament and Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter: GDPR), as well as the provisions of Act CXII of 2011 on the Right to Informational Self-determination and on the Freedom of Information (hereinafter: Information Act). As the data controller, the SAO informs data subjects about the general information regarding the processing of personal data through the publication of this notice.
I. Identity of the controller and data protection officer
| | Controller | Data protection officer |
| --- | --- | --- |
| Name: | State Audit Office of Hungary | dr. Szabolcs Csernyák |
| Represented by: | dr. László Windisch, President | – |
| Postal address: | 1364 Budapest 4. P.O. Box 54 | 1364 Budapest 4. P.O. Box 54 |
| E-mail: | szamvevoszek@asz.hu | adatvedelem@asz.hu |
| Phone: | +36-1-484-9100 | +36-1-398-9339 |
| Website: | www.asz.hu | |
| Headquarters: | H-1052 Budapest, Apáczai Csere János street 10. | |
II. The SAO’s data processing principles:
The SAO, as a data controller, carries out its processing in compliance with the principles set out in Article 5 of the GDPR. At every stage of data processing, it must comply with the data processing principles set out in the GDPR, the technical and organisational measures to be taken in relation to the risks posed by the processing, and the requirements set out in relation to data quality (in particular the principles of lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, and accountability). Subject to the principle of accountability under the GDPR, the controller shall carry out all its processing operations from the design of the processing, through the start of the processing, to the erasure of the personal data processed, in such a way that it can demonstrate at any time its compliance with data protection requirements. The data controller shall plan and implement personal data processing operations in a way that ensures the protection of data subjects’ privacy when applying the provisions of the GDPR, the Information Act, and internal regulations. Personal data processed by the data controller can only be used for a lawful purpose as defined in the GDPR, based on a legal basis, such as statutory provisions or consent, and its use for private purposes is prohibited. Data processing is only lawful if at least one of the legal bases set out in Article 6(1) of the GDPR is met. The process is fair and transparent if the data subject is provided with easily accessible and comprehensible information about how their data is collected, used, who has access to it, and how or by whom it is processed. Personal data may be processed for clearly defined legitimate purposes. Personal data should not be processed in a way incompatible with those purposes. Processing must be justified having regard to the purposes and limited to the minimum necessary. 
Data processing must be accurate, and any inaccurate data must be rectified without delay, meaning that all reasonable measures must be taken to ensure that inaccurate personal data is either erased or corrected in relation to the purpose of the processing. Data must be stored in a way that permits identification of data subjects only to the extent necessary to achieve the purpose. During data processing, appropriate technical or organisational measures shall be applied to ensure the security of personal data, including protection against unauthorised or unlawful processing, accidental loss, destruction, or damage.
Data security measures:
The SAO ensures data security and takes all technical and organisational measures necessary to enforce the GDPR, the Information Act and other data and confidentiality protection rules. The data is protected against unauthorised access, alteration, transmission, disclosure, erasure, or destruction, as well as accidental loss and damage. The data controller, and if applicable, the data processor engaged for a specific data processing operation, is responsible for ensuring the security of personal data. They are also required to implement the technical and organisational measures and establish procedural rules necessary to enforce data protection. The SAO, as the data controller, shall protect personal data with appropriate measures, considering the principles of data minimisation, accuracy, storage limitation, integrity, confidentiality, and accountability under the GDPR, particularly against unauthorised access, alteration, transmission, disclosure, erasure, or destruction, as well as accidental loss, damage, and inaccessibility due to changes in the applied technology. These technical and organisational measures for the protection of personal data for data security purposes are primarily laid down in the IT Security Regulations of the State Audit Office of Hungary.
General principles regarding the duration of data processing:
In the case of data processed by the SAO, the data processing times given in this notice shall be understood to refer to the data processed in the structural databases. In the archive system defined in Act LXVI of 1995 on Public Records, Public Archives and the Protection of Private Archives, data erased from the databases may be retrievable, but these data are kept in a closed form by the SAO until the time of their destruction or transfer to archives as defined by law.
III. The information notice covers the processing of data that may involve natural persons who have contact with the SAO. This includes the following:
- Customer service (SAO call-centre) data processing in connection with telephone reporting
- Cookie management on the asz.hu website
- Access to the building, operation of access gates
- Operation of security cameras
- Data processed in the performance of the public auditing task of the SAO
- Data processing in the SAO’s internal whistleblowing system
- Data processed in relation to complaints, public interest reports, and notifications or other documents sent to the SAO in accordance with legal obligations
- Data processed during SAO events
- Contact details and data processed in the course of communication activities
- Data processed in the SAO’s job applications and recruitment process
- Data processing related to contracts ensuring the operational conditions of the SAO
- Data processing related to requests for access to public interest and publicly available data, as well as the further use of data belonging to the national data assets
1. Customer service (SAO call-centre) data processing in connection with telephone reporting
The State Audit Office of Hungary operates a central telephone customer service line at +36-1-484-9100 (hereinafter: SAO call centre). The SAO call centre uses a recorded voice message system that requires the consent of the notifier as part of the SAO’s reporting systems, specifically in relation to telephone complaints/public interest reports and internal whistleblowing (hereinafter collectively referred to as: reports). At the SAO call centre, voice recordings are made automatically in relation to the submission of reports, without the involvement of a SAO employee in the telephone conversation. For individuals who do not wish to submit a report via the SAO call centre but rather wish to inquire about the SAO’s press relations or contact us for other inquiries, we also provide the opportunity to do so, with the automatic recording of the relevant voice message.
2. Cookie management on the asz.hu website
For more information on cookie management, please visit this link.
3. Access to the building, operation of access gates
The tasks related to the physical protection and guarding of the premises of the State Audit Office of Hungary are carried out by the Emergency Police pursuant to Government Decree 160/1996 (XI. 5.) on the Protection of Protected Persons and Designated Facilities, according to which the buildings of the State Audit Office of Hungary in Apáczai Csere János Street and Lónyay Street („the central buildings of the SAO”) are designated as facilities and valuables for the purpose of facility security measures. The SAO, as the data controller, is responsible for the operation of access gates at the SAO’s headquarters and premises. The data processed shall consist of the electronic access cards and personal data stored in the computer system of the access control system operated at the SAO on the basis of the relevant Presidential Decree. The purpose of data processing is to protect the SAO’s facilities and premises, to prevent incidents, mitigate their consequences, to assist in investigations, to detect violations, to prevent unlawful acts and to protect property.
4. Operation of security cameras
The tasks related to the physical protection and guarding of the premises of the State Audit Office of Hungary are carried out by the Emergency Police pursuant to Government Decree 160/1996 (XI. 5.) on the Protection of Protected Persons and Designated Facilities, according to which the buildings of the State Audit Office of Hungary in Apáczai Csere János Street and Lónyay Street („the central buildings of the SAO”) are designated as facilities and valuables for the purpose of facility security measures. In the central buildings of the SAO, the Emergency Police operates a security camera system, for which a data management information notice is published on the police website.
The SAO operates an electronic camera surveillance system for image recording at its headquarters and at its premises in the capital, in accordance with the relevant data processing information.
5. Data processed in the performance of the public auditing task of the SAO
- Purpose of data processing and scope of data processed:
The SAO, as the data controller, acts in relation to data processing in connection with its audits by applying the data processing and data protection rules set out in Article 27 of Act LXVI of 2011 on the State Audit Office of Hungary (hereinafter: SAO Act), so the following provisions of the Act shall apply in particular to the processing of data and information obtained during the audit: the person performing the audit (hereinafter referred to as the auditor) may inspect, copy or extract data from documents and data files of data registration systems managed by IT tools during the audit, even if they contain classified data or other secrets protected by law. Information obtained during the audit about the audited organisation or its employee or officer (hereinafter together referred to as the auditee) may not be used for any purpose other than the preparation of the report, unless otherwise provided by law. The auditor is obligated to preserve the classified information or other secrets protected by law that come to their knowledge, may not disclose them to third parties without special authorisation and may not use them outside their duties (Article 27 (1) and (5) of the SAO Act). The State Audit Office of Hungary and the auditor carrying out the audit on its behalf may process sensitive data and criminal personal data during the audit, but, with the exception of health data and criminal personal data, they have only a right of access. [Article 27 (3) of the SAO Act]
- Legal basis for data processing:
The legal basis for the processing of data by the SAO in connection with audits is the performance of the SAO’s tasks carried out in the public interest pursuant to Article 6(1)(e) of the GDPR.
- Data retention period:
The SAO may handle personal data obtained in the course of its inspections for five years from the start of data processing. Health data and criminal personal data for three years from the start of data processing, but not longer than until the final conclusion of disciplinary proceedings or the conclusion of criminal proceedings by a final court decision or a final non-conclusive order, or until the decision of the prosecution or investigative authority terminating the proceedings is taken. [Article 27 (8) of the SAO Act].
- Data transfer:
The SAO may transfer personal data obtained in the course of its audits for the purpose of initiating criminal or disciplinary proceedings, executing a request from an investigative authority or conducting legal proceedings. Health data and criminal personal data only for the purpose of initiating criminal proceedings or executing a request from a court, prosecutor’s office or investigative authority. [Article 27 (7) of the SAO Act].
- Use of a data processor:
The SAO, as data controller, does not use a data processor for the processing of the data in question.
6. Data processing in the SAO’s internal whistleblowing system
The State Audit Office of Hungary processes personal data within its internal whistleblowing system to allow its employees and other eligible individuals to report events that violate organisational integrity. It also addresses unlawful or suspected unlawful acts or omissions, as well as other abuses, in accordance with the Act XXV of 2023 on Complaints, Notifications of Public Interest and Rules on the Notification of Abuse („Whistleblower Act”), based on the relevant presidential measure of the SAO. In doing so, it ensures the necessary protection for whistleblowers and other involved parties in accordance with the Whistleblower Act and relevant data protection legal regulations.
7. Data processed in relation to complaints, public interest reports, and notifications or other documents sent to the SAO in accordance with legal obligations
- Purpose of data processing and scope of data processed:
The SAO, as the data controller, acts in relation to complaints and public interest reports by applying the data processing and data protection rules set out in the Whistleblower Act and Article 27 of the SAO Act; thus, in particular, the processing of data and information in its possession is subject to the provisions of Article 27 of the SAO Act. The SAO may process notifications of public interest received, as well as information and other documents sent to it under statutory obligation, and the non-sensitive personal, health and criminal personal data they contain. [Article 27 (6) of the SAO Act]
- Legal basis for data processing:
The legal basis for data processing related to SAO audits is the execution of the SAO’s tasks in the public interest, as defined in Article 6(1)(e) of the GDPR.
- Data retention period:
The State Audit Office of Hungary may process personal data obtained in connection with public interest reports, information and other documents sent to it based on statutory obligations, for a period of five years from the start of data processing. Health data and criminal personal data may be processed for a period of three years from the start of data processing, but no longer than until the final completion of the disciplinary procedure or the conclusion of the criminal proceedings with a final conclusive decision or a final non-conclusive order by a court, or until the decision of the prosecution or investigative authority to terminate the proceedings, which is not subject to further legal remedies. [Article 27 (8) of the SAO Act].
- Data transfer:
The SAO may transfer personal data obtained in connection with notifications of public interest, information notices or other documents sent to it under a statutory obligation for the purpose of initiating criminal or disciplinary proceedings, fulfilling a request from an investigative authority or conducting legal proceedings, and may transfer health data and criminal personal data only for the purpose of initiating criminal proceedings or fulfilling data requests from a court, prosecutor’s office or an investigative authority. [Article 27 (7) of the SAO Act].
- Use of a data processor:
The SAO, as the data controller, does not use a data processor for the processing of the data in question.
8. Data processed during SAO events
- Purpose of data processing and scope of data processed:
The purpose of data processing is the registration necessary for the organisation of events, the identification of attendees and the contact with participants.
- Legal basis for data processing:
Pursuant to Article 6(1)(a) of the GDPR, the SAO shall process data on the basis of the unambiguous consent of the participants to the SAO given during registration.
- Data retention period:
For the period specified in the detailed information provided during registration. For data also used for communication purposes, up to five years after the event.
- Data transfer:
In this scope of data processing, no transfer of personal data handled takes place.
- Use of a data processor:
The SAO, as the data controller, does not use a data processor for the processing of the data in question.
9. Contact details and data processed in the course of communication activities
- Purpose of data processing and scope of data processed:
The purpose of data processing is to maintain the SAO’s communication relations, including relations with the press, in the context of the performance of its tasks and to ensure its continuous operation. Scope of the data processed: identification data necessary for maintaining contact, in particular name, e-mail address, telephone number, position, organisation.
- Legal basis for data processing:
The SAO performs data processing in accordance with the execution of its public tasks as defined in the law, based on Article 6(1)(e) of the GDPR, for the purpose of carrying out its tasks in the public interest. For other tasks, data processing is carried out based on contact lists for information purposes in accordance with Article 6(1)(a) of the GDPR (with the consent of the data subject).
- Data retention period:
The duration of the relationship and the provision of new data by the partner organisation. To ensure the accuracy of the data, the State Audit Office of Hungary continuously reviews its contact databases and erases outdated information.
- Data transfer:
In this scope of data processing, no transfer of personal data processed will take place.
- Use of a data processor:
The SAO, as the data controller, does not use a data processor for the processing of the data in question.
10. Data processed in the SAO’s job applications and recruitment process
- Purpose of data processing and scope of data processed:
The State Audit Office of Hungary registers and manages the data submitted as part of the recruitment procedure, the purpose of which is to establish an employment relationship.
- Legal basis for data processing:
The SAO processes data on the basis of the consent of the participants in the recruitment procedure and in the call for and evaluation of applications, in accordance with Article 6(1)(a) of the GDPR.
- Data retention period:
The recruitment procedure lasts until the presentation and submission of the documents required for establishing an employment relationship, followed by the signing of the auditor’s public service contract, the employment contract, and the basic registry of public service officials by the employer and the participant in the recruitment process. After the recruitment procedure, the data are processed and recorded by the SAO as part of the basic registry of public service officials and as part of the personnel file, in accordance with the SAO’s Data Protection and Data Security Rules, which the participant in the recruitment procedure is informed of at the time of the employment relationship. If the establishment of a legal relationship fails during the recruitment procedure, the personal data transmitted electronically to the SAO will be erased. The data subject will be informed of the erasure. If the data subject withdraws their consent to data processing, the SAO, as data controller, will process the personal data of the data subject until the data subject’s consent to data processing is withdrawn, and will take immediate action to erase the data if the consent is withdrawn.
- Data transfer:
There is no transfer of data between the SAO as data controller and any other natural or legal person, unless authorised by law.
- Use of a data processor:
The SAO, as the data controller, does not use a data processor for the processing of the data in question.
11. Data processing related to contracts ensuring the operational conditions of the SAO
- Purpose of data processing and scope of data processed:
The SAO, as a data controller, in the context of the preparation, conclusion, execution and registration of contracts with natural and non-natural persons, necessarily carries out processing of personal data relating to the data of certain natural persons as data subjects. The purpose of data processing is to provide the resources and infrastructure necessary for the effective performance and exercise of the functions and powers of the SAO, to prepare and conclude contracts relating to the use of public funds, the management of public assets, and the procurement of goods, works, services, the sale of property, the use of property, the transfer of property or rights of pecuniary value in connection with public tasks performed by the SAO and the provision of its operating conditions, as well as to keep records of transfers from the Treasury.
- Legal basis for data processing:
The legal basis for the processing is Article 6(1)(e) of the GDPR; the processing is necessary for the exercise of official authority vested in the SAO or for the performance of the SAO’s tasks carried out in the public interest.
- Data retention period:
The SAO, as the data controller, shall in all cases act in accordance with the retention periods set out in the Records Management Rules of the State Audit Office of Hungary. Accordingly, the SAO shall keep the accounting records and documents which directly and indirectly support its accounting for a period of 8 years, as specified in its filing plan.
- Data transfer:
The SAO forwards personal data related to contracts concerning the provision of operating conditions to the Hungarian State Treasury (Central address: H-1054 Budapest, Hold u. 4.).
- Use of a data processor:
The SAO, as the data controller, does not use a data processor for the processing of the data in question.
12. Data processing related to requests for access to public interest and publicly available data, as well as the further use of data belonging to the national data assets
The SAO processes the name and contact details of the applicant in relation to requests for access to data of public interest pursuant to Article 29 (1b) of the Information Act.
The following data subject rights are outlined in the notice:
Right to information and access.
Right to rectification.
Right to erasure (right to be forgotten).
Right to restriction of processing.
Right to object.
Right to withdraw consent.
Legal remedy, judicial or administrative enforcement related to data processing.
According to Articles 15-20 of the GDPR, the data subject is entitled to exercise these rights concerning the personal data processed by the SAO:
- have access to personal data;
- request the rectification of personal data;
- request the erasure of personal data;
- request the restriction of the personal data processing;
- object to the processing of personal data;
- if the processing of personal data is based on their consent, withdraw their consent at any time.
At the request of the data subject, the SAO shall provide information about the personal data processed by it, the purposes, legal basis and duration of the processing, the name, address (registered office) and activities of the data processor in relation to the processing, and who is receiving or has received the data and for what purposes. On the basis of their right of self-determination in relation to the freedom of information, the data subject has the right to withdraw their consent to the processing, to request the erasure, blocking, rectification, correction or restriction of their personal data at any time.
Fees for information and requests of the data subject: The information and measures related to the application of data subjects’ rights under the GDPR should, as a general rule, be provided by the controller free of charge. If the data subject’s request is clearly unfounded or excessive, in particular because of its repetitive nature, the controller may charge a reasonable fee, taking into account the administrative costs of providing the information requested or of taking the action requested, or refuse to act on the request (the burden of proving that the request is clearly unfounded or excessive lies with the controller). The data subject shall have the following rights in relation to the processing.
Right to information and access
The data subject is entitled to request the data controller to provide their personal data and information related to their processing. The data subject has the right to receive feedback from the data controller regarding whether their personal data is being processed, and if such processing is ongoing, they are entitled to access their personal data as well as the following information: the purposes of the processing, the recipients or categories of recipients to whom or which the personal data have been or will be disclosed, including in particular recipients in third countries or international organisations, where applicable, the envisaged period of storage of the personal data or, if this is not possible, the criteria for determining that period, the data subject’s right to request the controller to rectify, erase or restrict the processing of personal data concerning them and to object to the processing of such personal data, the right to lodge a complaint with a supervisory authority if the data have not been collected from the data subject, any available information on their source, the fact of automated decision-making, including profiling. [right of access as required by Article 15 of the GDPR]
Right to rectification
The data subject has the right under the GDPR to rectify inaccurate personal data about them. [Article 16 of the GDPR]
Right to erasure („right to be forgotten”)
The data subject may request the erasure of the processed data in writing, on the basis of a request for the exercise of the right to erasure. [Article 17 of the GDPR accordingly]
The controller shall refuse to comply with a request for erasure where it is legally obliged to process the data. In accordance with Article 17(3)(b) of the GDPR, the right to erasure („right to be forgotten”) shall not be applied to the SAO as a data controller in relation to the performance of tasks defined in the SAO Act, as long as the data processing is carried out in the performance of a legal obligation under Union or national law applicable to the data controller, or in the public interest or for the exercise of public authority vested in the data controller (such as, in particular, tasks related to official duties, public service record-keeping, and public audits).
The right to restriction of data processing
The data subject may request in writing that their personal data be marked (blocked) by the SAO for the purpose of restricting further processing of the data, if one of the following conditions is met:
- the data subject contests the accuracy of the personal data, in which case the restriction applies for the period of time necessary to allow the controller to verify the accuracy of the personal data;
- the processing is unlawful and the data subject opposes the erasure of the data and instead requests the restriction of their use;
- the controller no longer needs the personal data for the purposes of processing, but the data subject requires them for the establishment, exercise or defence of legal claims; or
- the data subject has objected to the processing in accordance with Article 21(1) of the GDPR, in which case the restriction shall apply for a period of time until it is determined whether the legitimate grounds of the controller override the legitimate grounds of the data subject.
If the data processing is restricted, such personal data may be processed, except for storage, only with the consent of the data subject or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or of an important public interest of the Union or of a Member State. [as required by Article 18 of the GDPR]
Under the right to object, the data subject may object in writing to processing based on Article 6(1)(e) of the GDPR on grounds relating to their particular situation. In such a case, the controller may no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims. [as required by Article 21 of the GDPR]
Right of withdrawal of consent
In the case of processing based on Article 6(1)(a) of the GDPR, the data subject may withdraw their consent to processing at any time in writing, via the contact details provided in the information on processing, during the period of processing. In the event of withdrawal of consent, the processing of the SAO’s data prior to the withdrawal remains lawful. The SAO will erase the personal data without undue delay after receipt of the withdrawal and will notify the person who has given their consent by sending a letter to the contact details provided by them. If the request is sent to the SAO by electronic means, the SAO’s reply will also be sent by electronic means, where possible. If you request a reply by any other means, please indicate this in your declaration.
Legal remedies, judicial and administrative enforcement in relation to data processing
In the event of unlawful processing, the data subject may initiate a lawsuit against the SAO as data controller. The court has jurisdiction to rule on the action. The action may also be brought before the court of the place of residence of the data subject, at the data subject’s choice.
(A list of the courts and their contact details can be found at the following link: http://birosag.hu/torvenyszekek.)
Without prejudice to other administrative or judicial remedies, all data subjects have the right to lodge a complaint with the data protection authority if they consider that the processing of personal data relating to them infringes the GDPR or the Information Act.
Contact details of the HNADPFI:
Hungarian National Authority for Data Protection and Freedom of Information
Address: H-1055 Budapest, Falk Miksa street 9-11.
postal address: H-1363 Budapest, P.O. Box 9.
e-mail: ugyfelszolgalat@naih.hu
phone: +36 (1) 391-1400
fax: +36 (1) 391-1410
website: www.naih.hu
If you wish to exercise your data subjects’ rights in relation to the processing (except for lodging a complaint with the National Authority for Data Protection and Freedom of Information and for recourse to the courts), please send an e-mail to the e-mail address of the controller or the data protection officer of the controller as stated in this privacy notice.
If you have a complaint about our use of your personal data, please send it, including details of the complaint, by e-mail to the e-mail address of the controller or the data protection officer of the controller as set out in this privacy notice. All complaints received will be investigated and responded to within 1 month.