GLS General Logistics Systems Hungary Kft. (hereinafter: GLS Hungary or GLS, Controller) is classed as a postal service provider under Act CLIX of 2012 on Postal Services.
The purpose of this Data Processing Notice is that prior to starting the data processing, the Controller should inform visitors clearly and in detail about all facts relating to the processing of their personal data, the rights and legal remedies relating to the data processing. In the course of the data processing, our essential goal is to protect personal data.
1. THE CONTROLLER AND ITS CONTACT INFORMATION
Name: GLS General Logistics Hungary Kft.
Registered office : 2351 Alsónémedi, GLS Európa utca 2.
E-mail address: firstname.lastname@example.org
Address for correspondence: 2351 Alsónémedi, GLS Európa utca 2.
Data Protection Officer: dr. Rita Katona
Email address: email@example.com
Data processing: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Controller: a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law. The controller’s identity is stated in point 1. If in the case of a specific data processing purpose other persons besides GLS Hungary are deemed to be controllers, such persons are indicated at the specific data processing purpose.
Processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. The data processors used by the controller are included in Annex 3.
Recipient: pursuant to this Privacy Notice the Recipient refers to the person in line with the Postal Act to whom the parcel is send by the sender
Parcel: means a letter or parcel with a weight of up to 40 kg, featuring at least an address on the mail itself, on its packaging or in a list attached to it, or any other letter or parcel identified as mail by law; such mail may be items of correspondence, official documents, mail written in Braille, parcels and mail containing books, catalogues and press publications, and any other mail which is not excluded from the scope of postal services in accordance with a government decree issued under statutory authority.
Postal service: means the service covering the acceptance, collection if necessary, processing, transport and delivery of parcels, or any of these activities. Postal service means any of these activities with the parcels if it is provided in the framework of a complex service which has a part that are excluded from the postal service.
Client: means the same person as the sender.
Data subject: an identified or identifiable natural person who visits or registers on the website.
Third party: a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
Personal data: any information relating to the data subject; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
3. MAIN LEGAL REGULATIONS APPLICABLE TO DATA PROCESSING AND THEIR ABBREVIATIONS
- REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter: GDPR or Regulation)
- Act V of 2013 on the Civil Code (hereinafter: Hungarian Civil Code)
- Act CLV of 1997 on Consumer Protection (hereinafter: Consumer Protection Act)
- Act CLIX of 2012 on Postal Services (hereinafter: Postal Act)
- Act CXII of 2011 on Informational Self-Determination and Freedom of Information (hereinafter: Information Act)
- Act C of 2000 on Accounting (hereinafter: Accounting Act)
- Government Decree 335/2012 (XII.4.) on the provision of postal services and on the detailed rules of postal services relating to official documents, and on the general contractual terms of postal services and on consignments that are excluded from the postal service or that may only be carried subject to conditions (hereinafter: Government Decree)
4. PRINCIPLES OF DATA PROCESSING AND ENFORCEMENT THEREOF
4.1. Lawfulness, fairness, transparency
Controller performs the data processing operations indicated in this Notice in a lawful and fair manner, in a manner which is transparent for the Data Subject.
4.2. Purpose limitation
The Controller only uses the personal data for the purposes stated in this Notice and only transfers it in order to achieve such purposes, in accordance with the provisions of this Notice and legal regulations in force, applicable to the processing of personal data. The processed personal data can only be accessed by the persons concerned in the achievement of the purposes.
It is the User’s responsibility and obligation to obtain the data subject’s consent in advance whenever he or she indicates personal data which is not his or hers. Responsibility for the truthfulness of data falls on the User.
4.3. Data minimisation
The Controller only asks the Data Subject to provide personal data which, considering the purpose of the data processing, is appropriate, relevant and absolutely necessary in respect of the specific data processing, without which it would not be able to provide its service or would not be able to provide it according to its commitments.
The Data Subjects are responsible for the truthfulness, accuracy and up-to-date nature of data entered on the website. Moreover, it is also the Data Subject’s responsibility and obligation to obtain the data subject’s consent in advance whenever he or she indicates personal data which is not his or hers.
If the Data Subject notifies the Controller, in accordance with this Notice, that his or her data does not correspond to reality, the Controller shall arrange for the erasure or rectification of this data, in accordance with this Policy.
4.5. Storage limitation
The Controller ensures that personal data is stored in such form as only allows the identification of the Data Subject for the time required to achieve the purposes of personal data processing. Thus, the Controller defines the duration of data storage in accordance with this principle.
4.6. Integrity and confidentiality (data security)
GLS is committed to the protection of its customers’, partners and employees’ personal data and attaches special importance to respecting its customers’ right to informational self-determination.
GLS processes personal data confidentially and takes every security, informational security, technical and organisational measure to guarantee the security of data.
Every employee of GLS has undertaken in writing to maintain the confidentiality of data. GLS Hungary, as well as the person (organisation) performing the postal agency activity, is obliged – provided that the statutory conditions are met and there is a request to this effect – to hand over or present any postal consignment, textual message or communication to the organisations authorised by a separate statutory instrument to examine the contents thereof, and shall also make possible the monitoring and storing of these, as well as any other kind of intervention in respect of the consignment or textual message.
The Controller takes every measure required to ensure that the data is processed in a secure and intact manner, as well as to build and operate the data processing systems required for this, and to protect personal data from abuse and data loss.
The Controller ensures that no unauthorised person can access, disclose, transfer or alter or erase the data processed. The Controller stores the data that contains personal data on a secure server, which is not publicly accessible. GLS Hungary only uses data made available by the customers (recipient data) to carry out the services ordered.
The Controller also requires its employees participating in the data processing activity and any data processors it may use to undertake the above commitment.
4.7. Data transfer and participants
The personal data shall be provided, processed or transferred to a third party in compliance with the undermentioned regulations.
GLS does not sell or lease any personal data to third parties. However, there are certain circumstances when GLS may share personal data without further notice.
- With GLS subsidiaries and GLS subcontractors for the purpose of parcel dispatch from sender to recipient.
- With subcontractors employed lawfully by the Service Provider or with postal contributors (processors) for fulfilling the contract between the Sender and the Service Provider.
- With processors employed lawfully by the Controller. The list of the processors can be found in Annex 3. GLS cooperates with its partners under a data protection agreement and subject to strict control.
Furthermore, GLS only provides information to third parties based on authorisation under the law (e.g. inquiries of authorities based on law).
5. THE LEGAL BASIS OF DATA PROCESSING
The Controller is entitled to perform its data processing activity based on the following legal bases.
In its logistical activity relating to postal services, i.e. collecting, processing, transporting, and delivering parcels, GLS Hungary shall process data on the following bases:
- consent of the data subjects, which is expressed in the fact that they provide their personal data to GLS or transmit it to the sender so that it should be processed for one or more specific purposes (hereinafter referred to as ‘Consent’) this is based on Point (1) a) Article 6 of GDPR;
- processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (hereinafter referred to as ‘Performance of a Contract’); this is based on Point (1) b) Article 6 of GDPR;
- processing is necessary for compliance with a legal obligation to which the controller is subject (hereinafter referred to as ‘Compliance with legal obligation’); this is based on Point (1) c) Article 6 of GDPR;
- processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, (hereinafter referred to as ‘Legitimate interest of the Controller’); this is based on Point (1) f) Article 6 of GDPR.
The legal basis of a specific data processing activity is contained in the information indicated for that specific data processing activity.
6. DATA PROCESSING ACTIVITIES
6.1. DATA PROCESSING RELATED TO WEBSITES
GLS essentially differentiates between the use of the public and restricted pages of the GLS website.
The User is responsible for the truthfulness and authenticity of the data entered on the Website. If the User indicates another person’s personal data on or through the Website, he or she shall be obliged to obtain the required consent from the data subject or to possess it otherwise on another legal basis.
6.1.1. Personal data that is available / may be entered on public pages and its processing
Anyone can access the public pages, enter or search for data through it. On some parts of the public pages, personal data may be entered, while no such data is included on other parts.
Public pages containing personal data
• Damage claims form
• Reporting parcel tracking
• Reporting a COD complaint
Public pages containing no personal data
• GLS ParcelShop finder
• GLS ParcelLocker finder
• Track & Trace function (parcel tracking)
6.1.2. Personal data that is available / may be entered on restricted pages and its processing
Restricted pages function as part of the performance of the contract made between GLS and its customer, and may be accessed only after entering a unique username and password.
6.2. POSTAL SERVICE-RELATED DATA PROCESSING, WHICH IS PART OF GLS’S GBC AND GLS PARCELSHOP’S GBC
The data processing in this section contains the Data Controller’s data processing related to postal service, the detailed rules of which are contained in Annex 1. Annex 1 forms part of the Data Controller’s General Business Conditions.
6.2.1. DATA CONTROLLERS, DATA PROCESSORS, RESPONSIBILITY FOR DATA PROCESSING
The Service Provider qualifies as a data controller in respect of the fulfilment or provision of the postal service. The postal service contract is concluded between the Service Provider and the Sender.
In the case of a contractual relationship between the Recipient and the Sender (including, but not limited to, web store orders, distance sales agreements), the Sender also qualifies as a data controller. This data processing is governed by the contract between the Sender and the Recipient.
The data necessary for the delivery of postal consignments (parcel delivery) are provided by the Sender to the Service Provider within the framework of the postal service contract. The Sender is responsible for the legality of the transmission of such data and for the accuracy and correctness of the data transmitted. The Sender is obliged to cooperate with the Service Provider in connection with the data processing, in particular in connection with the correction, restriction and deletion of the data transmitted by the Sender or the management of any data protection incidents. If the Data Subject directly contacts the Service Provider for correction, deletion or restriction of any data, but the incorrect / inaccurate data was not generated in the Service Provider’s systems or scope of activity but is clearly attributable to incorrect / inaccurate data forwarded to the Service Provider by the Sender, the Sender shall be obliged to take all necessary measures to correct, delete or restrict the data. Failure to do so or breaching this obligation shall be the responsibility of the Sender.
The Service Provider shall be solely responsible for the data processing performed in the framework of the postal service.
The data processor shall only be liable for any damage caused by the data processing if it has failed to comply with the obligations specifically imposed on data processors under the GDPR, or if the Service Provider’s lawful instructions have been disregarded or acted against.
6.2.2. DATA PROCESSING RELATED TO PARCEL DELIVERY
Data processing related to parcel delivery may differ depending on the service(s) ordered by the Sender from the Data Controller. The exact description of the services is set out in the Data Controller’s General Business Conditions.
Data processing related to Home delivery (door-to-door delivery) is a basic service provided by the Data Controller
The additional services indicated in Annex 1 are the additional services available to the Client (sender), therefore the data processing related thereto shall be performed only if the Client (the sender) has ordered this additional service. For additional services, only the additional data processing that results from the nature of the additional service is indicated, and not the data processing defined as part of the basic service. That is, in such a case, the data processing rules specified for the Home Delivery and the specific additional service in question shall be applied together.
6.2.3. OTHER DATA PROCESSING RELATED TO CONTRACTS CONCLUDED WITH OR TO BE CONCLUDED WITH CLIENTS
These data processing activities include data processing beyond the use of the above parcel delivery services.
This section and the appendix do not contain any data processing using systems and software managed by the Clients related to the data recorded therein; the Data Controller shall provide information about this separately for the particular system or software.
6.2.4. DATA PROCESSING RELATED TO CUSTOMER SERVICE
The data processing tasks of the Customer Service can be divided into two main groups.
(1) On the one hand, Data Controller is obliged under paragraph (3) of Section 57 of the Postal Act to operate at least one central customer service with opening hours as specified in paragraph (2) of Section 17/B of the Consumer Protection Act and accessible by telephone, and also ensure that complainants are able to submit their complaints verbally, in writing and via the internet. The detailed rules for Customer Support and the filing of complaints are contained in the General Business Conditions.
(2) In addition, the Customer Service is responsible for providing information on the activities of the Data Controller to both its contractual partners (Clients, Senders) and recipients as well as other stakeholders.
Data Controller has an obligation to investigate complaints based on the Consumer Protection Act as a general rule on the one hand, and, on the other hand, based on the Postal Act as a special regulation. Under paragraph (1) of Section 57 f the Postal Act, the provisions in Section 17/A-17/C on complaint management and customer service of the Consumer Protection Act can only be applied to complaints filed against the Data Controller in so far as it is allowed by the provisions in paragraph 57 of the Postal Act.
6.2.5. DATA PROCESSING RELATED TO FILING DAMAGE CLAIMS, DAMAGE CLAIM ADMINISTRATION
The detailed rules regarding the enforcement of damage claims (right holders, deadlines, method of enforcing the claim) are set out in the General Business Conditions. The data processing rules are set out in Annex 1.
6.2.6. DATA PROCESSING RELATED TO THE PARCELSHOP ACTIVITY
The data processing activity of the GLS ParcelShops is described in Annex 1.
In respect of the GLS ParcelShops, in addition to the data processing specified for this activity, the rules on further processing laid down in Annex 1 shall apply mutatis mutandis where this is justified by the nature of the service.
For the purposes of the GLS ParcelShops, GLS shall be considered as data controller and the ParcelShop Operator as data processor.
6.3. DATA PROCESSING ACTIVITIES THAT ARE NOT PART OF THE GLS GENERAL BUSINESS CONDITIONS/ GLS PARCELSHOP GENERAL BUSINESS CONDITIONS
These data processing activities are detailed in Annex 2.
6.3.1. DATA PROCESSING FOR MARKETING PURPOSES
6.3.2. DATA PROCESSING RELATED TO RECRUITMENT AND SELECTION
This section contains the detailed rules for processing the data of applicants applying directly to the Data Controller for employment.
Data Controller will keep the job applications submitted to it as specified in Annex 2 even if there are no job vacancies available at the moment, or if the Data Subject was not hired for the advertised job. In this case, the Data Controller shall store the data of the Data Subject in a separate database, so that if a job becomes vacant that the Data Subject may be able to fill based on his / her education, qualifications, professional experience, the Data Controller may contact him / her.
The Data subject shall have the right to delete his or her personal data in accordance with the provisions of Section 7 in connection with the inclusion or deletion of such data in the Data Controller’s database.
6.3.3. DATA PROCESSING THROUGH CAMERAS
6.3.4. DATA PROCESSING RELATED TO ACCESS TO THE DATA CONTROLLER’S BUILDINGS
7. RIGHTS OF THE DATA SUBJECT
This section details the rights of Data Subjects and their possibilities of enforcing them.
The Data Controller draws the attention of the Data Subjects to the fact that for the purposes of this Section they may only exercise the rights provided by the applicable legal provisions. That is, where the exercise of that right is subject to a specific legal basis or condition, the Data Subject may only exercise that right if the Data Controller manages that particular personal data on that particular legal basis or the request is in compliance with the conditions set out therein.
7.1. RIGHT OF ACCESS BY THE DATA SUBJECT (RIGHT TO BE INFORMED)
Data Subjects have a right to receive information from the Controller whether their personal data is being processed. If data is being processed, the Data Subject may request information from the Controller about the following:
a) purposes of the data processing;
b) the categories of personal data concerned;
c) the recipients or categories of recipient to whom the personal data has been or will be disclosed, in particular recipients in third countries or international organisations;
d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
f) the right to lodge a complaint with a supervisory authority;
g) where the personal data is not collected from the data subject, any available information as to their source;
h) information about the existence of automated decision-making, including profiling, and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
The Controller shall provide a copy of the personal data undergoing processing free of charge once per year to the Data Subject. For any further copies requested by the Data Subject, the Controller may request reimbursement of costs (in the case of paper-based information: HUF 10/sheet). If the data subject has submitted the request electronically, the controller shall provide this data – unless otherwise instructed by the Data Subject – in electronic form to the Data Subject.
7.2. RIGHT TO RECTIFICATION
The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
7.3. RIGHT TO ERASURE, RIGHT TO BE FORGOTTEN
The Data Subject may request the Controller to erase his or her personal data in the following cases:
a) the personal data is no longer necessary in relation to the purposes for which they were collected or otherwise processed;
b) if the processing is based on the Data Subject’s consent, the Data Subject withdraws this consent, provided that the data processing has no other legal basis;
c) the data subject objects to the data processing, if the rules of erasure exist in respect of this objection;
d) the personal data has been unlawfully processed;
e) the personal data has to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
f) the personal data has been collected in relation to the offer of information society services referred to in Article 8(1) of the Decree.
The Controller is not obliged to erase the personal data if the data processing is required:
a) for exercising the right of freedom of expression and information;
b) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
c) on the basis of public interest concerning public health;
d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes insofar as the right referred to in paragraph (1) is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
e) for the establishment, exercise or defence of legal claims.
7.4. RIGHT TO RESTRICTION OF PROCESSING
The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:
(1) the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
(2) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
(3) the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
(4) the data subject has objected to processing; in this case, the restriction applies pending the verification whether the legitimate grounds of the controller override those of the data subject.
7.5. RIGHT TO DATA PORTABILITY
The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to the Controller, in a structured, commonly used and machine-readable format and shall have the right to transmit the data to another controller without hindrance from the Controller, provided that
(1) the legal basis of processing is the performance of a contract signed with the Data Subject or the data subject’s consent, and
(2) the processing is carried out by automated means.
7.6. RIGHT TO OBJECT
7.6.1. Objection in connection with the following legal bases of data processing
If the legal basis for data processing is
(1) the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, or
(2) the enforcement of legitimate interests pursued by the controller or by a third party,
the Data Subject has a right to object to the data processing.
In this case, the controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or which concern the establishment, exercise or defence of legal claims.
7.6.2. Objection to data processing for direct marketing purposes
Where personal data is processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.
In this case, the controller may no longer process the personal data concerning the Data Subject.
7.7. RIGHT TO WITHDRAWAL OF CONSENT
Where processing is based on consent of the Data Subject, the Data Subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of any processing that was conducted based on the consent prior to its withdrawal.
The withdrawal must be sent to the Controller’s e-mail address indicated in point 1.
7.8. SUBMITTING A COMPLAINT
Request for information, rectification, restriction of processing, erasure related to the personal data, or objection to processing may be filed any time using the following contact information:
in writing: 2351 Alsónémedi, GLS Európa utca 2.
by e-mail: to the e-mail address firstname.lastname@example.org
in person: at GLS Hungary, Alsónémedi, GLS Európa utca 2.
Filling a complaint
If the Data Subject considers that the processing of personal data relating to him or her infringes this Privacy Notice or the regulation of GDPR, the Data Subject shall have the right to lodge a complaint.
This compliant should be lodged with the Controller or the Supervisory Authority.
Complaints shall be filled to the following addresses of the Controller:
in writing: 2351 Alsónémedi, GLS Európa utca 2.
by e-mail: to the e-mail address email@example.com
in person: at GLS Hungary, Alsónémedi, GLS Európa utca 2.
The Controller starts the investigation of the complaint when the complaint is filled to the abovementioned addresses.
Complaints shall be filled to the following addresses of the Supervisory Authority:
Hungarian National Authority for Data Protection and Freedom of Information
(magyarul: Nemzeti Adatvédelmi és Információszabadság Hatóság)
Address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c,
Postal address: 1530 Budapest, Pf.: 5.
The data subject may take action in court against the data controller if his or her rights are violated. The court – following the inquiry – shall consider the case as a matter of urgency. The case falls within the jurisdiction of regional courts (contact information of the Metropolitan Court of Budapest: H-1055 Budapest, Markó u. 27., 1363 Pf.: 16.). The legal action – at the data subject’s choice – can be brought before the regional court with competence according to the data subject’s domicile or place of residence. You can contact the regional court with competence according to your domicile or place of residence on the website http://birosag.hu/ugyfelkapcsolati-portal/birosag-kereso.
If the amendment concerns a Section which is also part of the GLS General Business Conditions, the Data Controller shall, 15 days prior to the date of entry into force of the amendments, publish the amendment at https://gls-group.eu/EU/en/dataprotection/glshungary and send it to NMHH.
If the amendment concerns a Section which is not part of the GLS General Business Conditions, the Data Controller shall, 15 days prior to the date of entry into force of the amendments, publish the amendment at https://gls-group.eu/EU/en/dataprotection/glshungary.
Last updated on: 18 October 2019.