The data protection policy provides the framework conditions necessary to ensure the adequate level of data protection provided by Regulation no. 679 of April 27, 2016, on the protection of individuals concerning the processing of personal data and on the free movement of such data.
We inform you that our responsibility in our relationship with you also involves the way we process and take care of personal data. Thus, starting with May 25, 2018, we comply with the European standards in force regarding the processing of personal data and the free movement of these data stipulated in Regulation (EU) 2016/679 of the European Parliament and the Council.
The requirements regarding the processing of personal data are complied with by Rise English following the security provisions regarding the processing of personal data provided in Regulation 679/2016 (hereinafter referred to as “GDPR”).
Both when establishing the means of processing and during the processing itself, Rise English applies the appropriate organizational measures to guarantee and prove that the processing is done in compliance with the applicable legal provisions.
We have taken all necessary measures to ensure that, by default, only the personal data strictly necessary for each specific purpose of the processing are processed.
The operator of your personal data
The operator of your personal data is Rise English.
Categories of personal data processed
Rise English will process the data legally, correctly and transparently, the purposes for which we will use this data being well determined, more precisely for the preparation and provision of the services you request from us.
Contact information, such as your name, job title, mailing address, including home address, if you provided it to us, business address, telephone number, mobile phone number and fax number;
Rise English does not engage in the processing of the personal data of third parties in working relationships with clients.
Legal bases for the processing of personal data
Any operation of processing your personal data will be carried out based on one of the following legal grounds:
The processing is necessary for concluding or executing a contract to which you are a party;
The processing is necessary to comply with a legal obligation of the operator;
The processing is performed based on your consent;
Processing is necessary in order to protect the vital interests of you or another individual;
Processing is necessary for the legitimate interests of Rise English or a third party (e.g. when processing is necessary for the performance of a contract to which your organization is a party) unless your interests or fundamental rights and freedoms prevail over those interests;
In the case of special categories of data, the processing will be done if, in addition to a general legal basis for data processing, one of the following specific processing conditions is met:
The consent of the data subject was obtained;
We have a legal obligation to process these categories of data;
Processing is necessary to establish, exercise or defend a right in court.
The purpose of processing personal data
We may use your personal data for the following purposes (“Allowed Purposes”):
Management and administration of the contractual relationship with our clients;
Compliance with our legal obligations (such as obligations to combat money laundering and terrorist financing, reporting obligations to the tax authorities);
Managing security and access to our premises, managing the use of IT systems used by iC Consulting (e.g. website, data management platforms, communication systems used), including the prevention and detection of security threats, fraud or other unauthorized or malicious activities;
Analyzing and improving our services and communications to you;
For any purpose related to and/or auxiliary to any of the above, or for any other purpose for which your personal data have been provided to us, in compliance with applicable law.
The purpose of the data protection policy
As part of its social responsibility, Rise English is committed to complying with national and international data protection laws. It is based on accepted European and global data protection principles. Ensuring data protection is the foundation of reliable business relationships.
In order to comply with our legal obligations for the security and confidentiality of our data, when you exercise one of the rights you enjoy as a data subject, we may ask you to prove your identity by providing us with a copy of an identification document or any other information necessary to verify that the request comes from the relevant data subject.
The data protection policy provides the framework conditions necessary to ensure the adequate level of data protection provided by Regulation no. 679 of April 27, 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
Scope and policy change
This personal data protection policy applies to everyone at Rise English and their employees. The data protection policy extends to all processing of personal data.
Anonymized data, where available, used e.g. for statistical evaluations or other studies, are not subject to this data protection policy.
The policy is reviewed annually and the latest version approved by the CEO will be immediately available to both employees and customers and business partners.
Principles for the processing of personal data
Fairness and legality
When processing personal data, the individual rights of data subjects must be protected. Personal data must be collected and processed legally and correctly.
Restriction to a certain purpose
Personal data may be processed only for the purpose defined before the data collection and communicated to the data subject. Subsequent changes to the scope are possible only to a limited extent and require a solid rationale.
The data subject must be informed about how his data are treated. In general, personal data must be collected directly from the person concerned. When data is collected, the data subject must either already know or be informed about:
The data controller identity (the company that collects the data)
The purpose of data processing
Third parties or categories of third parties to whom the data may be transmitted
Data reduction and data minimization
Before processing personal data, you must determine whether, and to what extent the processing of personal data is necessary to achieve the purpose for which it is performed.
Where the purpose allows and where the costs involved are proportionate to the objective, anonymous data should be used. Personal data may not be collected in advance and stored for potential future purposes unless required or permitted by national law.
Personal data that is no longer needed after the expiration of the legal or business process must be deleted. There may be situations in which the legal interests oblige to keep these data for predefined terms. In this case, the data must remain in the files until the expiration of the legal obligations.
Accuracy and timeliness of data
The personal data collected must be correct, complete and, if necessary, updated. Permanent steps must be taken to ensure that inaccurate or incomplete data is deleted, corrected, supplemented or updated.
Confidentiality and data security
Within Rise English, personal data is considered confidential information and is protected by appropriate organizational and technical measures to prevent unauthorized access, illegal processing or distribution, and accidental loss, alteration or destruction.
Reliability of data processing
The collection, processing and use of personal data is permitted on the basis of the following legal grounds. This also applies if the purpose of the collection, processing and use of personal data must be changed from the original purpose.
Data about clients and partners
Data processing for a contractual relationship
The personal data of potential customers, existing customers and partners can be processed in order to conclude, execute and finalize a contract. It also includes consulting services for the partner if this is related to the contractual purpose. Prior to a contract, during the initiation phase of the contract, personal data may be processed to prepare offers or other documents that meet the prospect's requirements related to the conclusion of the contract. People can be contacted during the contract preparation process using the personal information they have provided. Any restrictions requested by potential customers must be observed.
Data processing for advertising purposes
If the data subject contacts Rise English to request information (e.g. to receive informational materials about a product or service), data processing to respond to this request is permitted.
Advertising actions are subject to additional legal requirements. Personal data may be processed for advertising, market research and public opinion purposes, provided that such processing is carried out under the purpose for which the data were initially collected. The data subject must be informed of the use of his data for advertising purposes. If the data is collected only for advertising purposes, disclosure from the data subject is voluntary. The data subject must be informed that the provision of personal data for processing for advertising purposes is voluntary and that consent must be obtained from the data subject to process said data for advertising purposes. When consent is given, the data subject should be able to choose between the available forms, such as pre-printed forms, the transmission of consent by e-mail and telephone.
If the data subject refuses to use his data for advertising purposes, his data can no longer be used for these purposes and must be blocked for use for these purposes.
Consent for data processing
The data may be processed with the consent of the data subject. Before giving their consent, the data subject must be informed about this data protection policy. Declaration of approval – the consent must be obtained in writing or in electronic format and kept for documentation purposes.
In certain circumstances, such as telephone conversations, consent may be given orally. Consent must be documented.
Data processing based on a legitimate interest
Personal data may also be processed based on a legitimate interest of Rise English. Legitimate interests are generally of a legal nature (e.g. collection of outstanding debts) or of a commercial nature (e.g. avoidance of breaches of contract). Personal data may not be processed for the purpose of a legitimate interest if, in individual cases, there is evidence that the interests of the data subject require protection and that they have priority. Before processing the data, it is necessary to determine if there is such a situation.
Processing of sensitive data
Highly sensitive personal data can only be processed if the law requires it or the data subject has given his or her express consent. This data may also be processed only if it is mandatory for the fulfillment, exercise or defense of the legal claims regarding the data subject. If there is an intention to process sensitive data, the person responsible for the protection of personal data must be informed in advance.
Automatic individual decisions
The automatic processing of personal data, which is used to assess certain aspects, cannot be the only basis for decisions that have negative legal consequences or that could significantly affect the data subject. The data subject must be informed of the facts and results of the automated individual decisions and has the opportunity to respond. To avoid erroneous decisions, a test and a plausibility check must be done by an employee.
User and internet data
If personal data is collected, processed and used on websites or in applications, the data subjects must be informed about this in an Information Note and, if applicable, information about cookies. The information note and any information about cookies must be integrated so that it is easy to identify, directly accessible and constantly available to the data subjects.
If usage profiles (tracking) are created to evaluate the use of websites and applications, the data subjects must always be properly informed in the information note.
If the sites or applications can access personal data in an area limited to registered users, the identification and authentication of the data subject must provide sufficient protection during access.
Data processing for the employment relationship
In employment relationships, personal data may be processed if necessary to initiate, perform and close the employment contract. When initiating an employment relationship, the personal data of the applicants can be processed. When the candidate is rejected, his/her data must be deleted (according to the required retention period), unless the applicant has agreed that his/her data will remain in the file for a future selection process.
In the existing employment relationship, the purpose of the data processing must always correlate with the purpose of the employment contract, unless one of the following circumstances for authorized data processing applies.
If during the application procedure it is necessary to collect information about an applicant from a third party, the corresponding legal requirements must also be observed.
Data processing based on a legitimate interest
Personal data may also be processed if it is necessary to support a legitimate interest of Rise English. Legitimate interests are generally of a legal nature (for example, filing, enforcing or defending against legal complaints, recovering claims, etc.).
Control measures that require the processing of employee data can only be taken if there is a legal obligation to do so or there is a legitimate reason. Even if there is a legitimate reason, the proportionality of the control measure must always be examined. The company’s justified interests in enforcing control measures (for example, compliance with the company’s legal provisions and internal rules and regulations) must be weighed against any employee’s interests that must be protected so that control measures are appropriate.
Processing of sensitive data
Sensitive personal data can only be processed under certain conditions. These are data on racial and ethnic origin, political beliefs, religious or philosophical beliefs, as well as on the health and sexual orientation of the data subject or data relating to the criminal record. Such data may be processed when there are legal obligations or when we have the express consent of the data subject.
If, at some point, personal data are processed automatically as part of employment relationships and certain specific personal data are evaluated automatically (for example, in the selection of staff or in the evaluation of competency profiles) this automatic processing cannot be the only basis for decisions that could have a negative impact on that employee. To avoid erroneous decisions, the automated process must be assisted by a natural person who evaluates the content of the situation and this evaluation is the basis of the decision. The data subject must also be informed of the facts and results of the automated individual decisions and of the possibility to respond.
Telecommunications and internet
Telephone equipment, e-mail addresses, intranets and the internet together with internal applications are provided by the company primarily for work-related tasks. They are a tool and a resource of the company. They can be used within the applicable legal regulations and internal company policies. In the case of authorized use for personal purposes, the provisions of the internal regulations and procedures and the specific legislation on telecommunications shall be taken into account. There will be no general monitoring of telephone and e-mail communications or intranet/internet usage. To protect against attacks on IT infrastructure or individual users, protection measures can be implemented for connections to the Rise English network that block technically harmful content or analyze attack patterns. For security reasons, the use of telephone equipment, e-mail addresses, intranets/internet and internal applications may be monitored for a temporary period.
Transmission of personal data
The transmission of personal data to recipients outside or inside Rise English is subject to the authorization requirements for the processing of personal data in accordance with this policy. The data beneficiary must use the data only for the defined purposes.
If the data is transmitted to a recipient outside the company in a third country, this country must agree to maintain a level of personal data protection equivalent to this data protection policy and in accordance with the provisions of EU GDPR 679/2016.
If the data is transmitted by a third party to Rise English, we must ensure that the data is used only for its intended purpose.
Processing of contract data
The processing of data by a service provider that is committed to processing personal data means that it will comply with Regulation 679/2016 and this Policy without assuming responsibility for related business processes. In these cases, an agreement on the processing of personal data must be concluded.
The provider can process personal data only according to the customer’s instructions. At the conclusion of the agreement, the following requirements must be met and the department placing the order must ensure that they are met:
1. The supplier must be chosen on the basis of its capacity to ensure the necessary technical and organizational protection measures.
2. The processing order must be sent in writing. The instructions regarding the data processing and the responsibilities of the client and the supplier must be documented.
3. The contractual standards for the protection of personal data provided by the person responsible for the protection of personal data in the company must be taken into account.
4. Before starting the data processing, the customer must trust that the provider will comply with its obligations. A provider may document compliance with data security requirements, in particular by submitting an appropriate certification. Depending on the risk of data processing, the revisions of the certifications must be repeated regularly during the contract.
5. In the case of cross-border processing of contract data, the requirements of Regulation 679/2016 and of the relevant national legislation on the disclosure of personal data abroad must be met. In particular, personal data from the European Economic Area (EEA) may be processed in a third country outside the EEA only if the provider can prove that he has a data protection standard equivalent to this data protection policy. The appropriate tools can be:
a. Agreement on EU standard contractual clauses for processing data from contracts in third countries with the supplier and any subcontractors.
b. The supplier’s participation in an EU-accredited certification system to ensure a sufficient level of data protection.
c. Recognition of the mandatory corporate rules of the provider, in order to create an adequate level of data protection, by the supervisory authorities responsible for data protection.
The rights of the data subject
Each data subject has the rights below and their assertion must be processed immediately by the person responsible for the protection of personal data and cannot constitute a disadvantage for the data subject.
Art. 1. The data subject may request information on what personal data concerning him have been stored, how the data have been collected and for what purpose. If there are additional rights to view the employer’s documents (for example, the personnel file) in the case of employment relationships in accordance with the relevant employment laws, they will not be affected.
Art. 2. If the personal data are transmitted to third parties, information must be provided about the identity of the recipient or the categories of recipients.
Art. 3. If the personal data are incorrect or incomplete, the data subject may request their correction or their completion.
Art. 4. The data subject may object to the processing of his data for advertising or market or opinion research purposes. Data must be locked for these types of uses.
Art. 5. The data subject may request the deletion of his data if the processing of these data has no legal basis or if the legal basis has ceased to apply. The same applies if the purpose of the data processing has expired or has ceased to be applicable for other reasons. Attention will be paid to storage periods and possible conflicts of interest.
Art. 6. The data subject has the right to oppose the processing of his data and this must be taken into account if the protection of his interests has priority over the interest of the data controller following a specific personal situation. This does not apply if there is a legal provision requiring the data to be processed.
Personal data is considered confidential. Any unauthorized collection, processing or use of this data by employees is prohibited. Any data processing performed by an employee who has not been authorized to perform it, as part of his legitimate duties, is unauthorized. The “need to know” principle applies. Employees may have access to personal data only as appropriate for the type and purpose of the work in question. This requires careful breakdown and separation, as well as the implementation of roles and responsibilities. Employees are prohibited from using personal data for private or commercial purposes, disclosing it to unauthorized persons or making it available in any other way. Heads of departments and the Human Resources department must inform their employees at the beginning of the employment relationship about the obligation to protect the confidentiality of personal data and information. This obligation remains in force even after the end of the employment period.
Personal data must be protected against unauthorized access and illegal processing or disclosure, as well as accidental loss, alteration or destruction. This applies whether the data is processed electronically or on paper. Before the introduction of new data processing methods, especially new information systems, technical and organizational measures for the protection of personal data must be defined and implemented. These measures must be based on the state of the art, the risks of processing and the need to protect the data (determined in the information classification process).
In particular cases, the responsible department may consult with the information security officer. Technical and organizational measures for the protection of personal data are part of the company’s information security management and must be continuously adapted to technical developments and organizational changes.
Data protection control
Compliance with personal data protection policy and applicable data protection laws is regularly verified through data protection audits and other controls. The performance of these controls is the responsibility of the Personal Data Protection Officer.
Upon request, the results of the data protection checks shall be made available to the supervisory authority responsible for data protection. The authority responsible for data protection may carry out its own controls, in accordance with national legislation.
Data protection incidents
All employees must immediately inform the head of the department or the data protection officer of cases of breaches of this Data Protection Policy or other regulations regarding the protection of personal data (data protection incidents).
In cases of:
Improper transmission of personal data to third parties,
Inadequate access by third parties to personal data or
Loss of personal data
the reports required by the company through the procedures for reporting and managing information security incidents must be made immediately, so that all reporting obligations can be complied with in accordance with national legislation.
Responsibilities and sanctions
The executive functions (heads of departments) in the group are responsible for data processing in their area of responsibility. Therefore, they are obliged to ensure that the legal requirements for data protection and those contained in the personal data protection policy are met. The management staff is responsible for ensuring the organizational, technical and human resources measures so that any data processing is carried out in accordance with data protection. Compliance with these requirements is the responsibility of each relevant employee. If the Supervisory Authority carries out a data protection control, the Personal Data Protection Officer must be informed immediately.
The person responsible for personal data protection is the contact person displayed on the site for data protection relations. This person can perform checks and must familiarize employees with the content of data protection policies. Relevant management is required to support the Data Protection Officer in his/her efforts.
The departments responsible for business processes and projects must inform the Person in charge of the protection of personal data in a timely manner regarding a new processing of personal data. For the processing of data that may present special risks for the individual rights of the data subjects, the Data Protection Officer must be informed before starting the processing. This is especially true for extremely sensitive personal data.
Improper processing of personal data or other violations of data protection laws are subject to the sanctions provided by internal regulations, EU Regulation no. 679/2016 and the legislation in force.
Responsible for personal data protection
The person responsible for personal data protection, being internally independent from professional subordination, works toward compliance with national and international regulations on data protection. He is responsible for data protection policy and oversees compliance.
The heads of departments have the obligation to promptly inform the Person in charge of personal data protection about the occurrence of any risks of personal data protection.
Any data subject may contact the Personal Data Protection Officer at any time to ask questions, request information or submit complaints related to data protection or personal data security issues. If requested, complaints will be treated confidentially.
If the Data Protection Officer in question is unable to resolve a complaint or remedy a breach of data protection policy, advice will be sought from the Supervisory Authority.
The decisions taken by the Personal Data Protection Officer to remedy the data protection breaches must be supported by the company’s management. Investigations and controls performed by the Supervisory Authority must always be reported to the company’s management.