DENOK Közhasznú Nonprofit Kft.

internal data processing and privacy policy

I. The data controller:

Name: Denok Közhasznú Nonprofit Kft.
Location and postal address: 4030 Debrecen Fokos utca 12.
Registry authority: Hajdú-Bihar Megyei Cégbíróság.
Registration number: 9 09 015413
VAT number: 14419250209
E-mail:
Website addresses: https://denok.debrecen.hu
https://isd.debrecen.hu
Phone number: +36 20 404 4822
Name of hosting provider: Opendevel Kft.
Address of hosting provider: 4031 Debrecen István út 65. 5/16

II. The scope of policy

1. This directive on privacy policy and processing (hereafter: policy) covers the data controller's processing of personal data and all employees of the controller.

III. The purpose of policy

  1. The purpose of this policy is to ensure the protection of personal data under the basic law and the implementation of self-determination as regards information. It further defines the rules governing data security and data processing in relation to the personal data managed by the controller during the processing.

IV. Directive on privacy used by the data controller

  1. The controller highlights the importance of respect for self-determination of the data subjects. The controller shall keep confidential all personal data, and take all reasonable security, technical and organizational measures to protect against personal data breaches.
  2. The controller is committed to ensuring that all data processing related to its activities complies with the requirements of the policy and the existing laws.
  3. Information about processing of personal data is continuously available on the https://denok.debrecen.hu and https://isd.debrecen.hu websites.
  4. The controller is entitled to modify the policy unilaterally.
  5. If the policy is modified, the changes will be published on the https://denok.debrecen.hu and https://isd.debrecen.hu websites at least eight (8) days prior to their entry into force.
  6. The principles of processing are in accordance with the laws on data protection, especially the following:
    1. The Fundamental Law of Hungary;
    2. Law CXII. of 2011 on the right to self-determination as regards information and freedom of information;
    3. Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR);
    4. Law V. of 2013 on the Civil Code;
    5. Law I. of 2012 on the Labour Code (hereafter: Lc.);
    6. Law XLVII. of 2008 on the Act on the Basic Requirements and Certain Restrictions of Commercial Advertising;
    7. Law C. of 2003 on the Electronic Communications.
  7. The controller shall process personal data only for the purposes of processing, with the consent of the data subjects and under legal provisions.
  8. Before collecting, recording and processing of personal data, the controller shall take appropriate measures to provide the purposes, methods and principles relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language.
  9. In all cases where data collection, recording and processing are not mandated by national legislation, the controller shall notify the data subjects that providing such data is voluntary.
  10. In case of mandatory disclosure, the controller shall indicate the law governing the data processing.
  11. In all cases where the controller intends to use personal data for a purpose other than the original purpose of data recording, it shall inform the data subjects, ask for prior consent and give the data subject the opportunity to prohibit the usage.
  12. During the data collection, data recording and data processing of personal data, the controller shall observe the legal requirements. The controller shall inform the data subjects about the activities by electronic mail, as required.

V. Definitions

  1. „personal data”: means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
  2. „processing”: means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
  3. „profiling”: means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements;
  4. „filing system”: means any structured set of personal data which are accessible according to specific criteria, whether centralized, decentralized or dispersed on a functional or geographical basis;
  5. „controller”: means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
  6. „processor”: means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
  7. „recipient”: means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;
  8. „third party”: means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data;
  9. „consent of the data subject”: means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
  10. „personal data breach”: means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed;
  11. „data concerning health”: means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;
  12. „supervisory authority”: means an independent public authority which is established by a Member State pursuant to Article 51.

VI. Principles relating to processing of personal data

  1. Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject by the controller („lawfulness, fairness and transparency”);
  2. Personal data shall be processed only for specified, explicit and legitimate purposes („purpose limitation”);
  3. Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed („data minimization”);
  4. Personal data shall be accurate and, where necessary, kept up to date;
  5. The controller must take every reasonable step to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay („accuracy”);
  6. Data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed („storage limitation”);
  7. Processing shall be carried out in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures („integrity and confidentiality”);
  8. The controller shall be responsible for the lawfulness of personal data processing and be able to demonstrate compliance with it („accountability”).

VII. Lawfulness of processing

  • Processing shall be lawful only if and to the extent that at least one of the following applies:
  • The data subject has given consent to the processing of his or her personal data for one or more specific purposes (hereafter: the processing based on a consent).
  • Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (hereafter: the processing based on a contract).
  • Processing is necessary for compliance with a legal obligation to which the controller is subject (hereafter: processing based on a legal obligation).
  • Processing is necessary in order to protect the vital interests of the data subject or of another natural person (hereafter: processing based on vital interests).
  • Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller (hereafter: processing based on public interests).
  • Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child (hereafter: processing based on legitimate interests).
  • The controller always manages data processing based on a single legal basis in relation to handling a personal data set. The legal basis for the processing might change during the processing. The processing shall meet the requirement for the purpose of processing at each stage. Processing shall be legal, fair and transparent. Only personal data which is essential for the purpose of processing and suitable for achieving the target can be handled, and these data can only be handled until the target is reached.
  • Regarding minors who are legally incapacitated or lack full legal capacity, such consent shall be lawful only if and to the extent that consent is given or authorized by the holder of parental responsibility over the child.

VIII. Conditions of consent

  1. Where processing is based on consent, prior to giving consent, the data subject shall be informed that providing data is voluntary and shall have the right to withdraw his or her consent at any time.
  2. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
  3. The controller pays particular attention to being able to demonstrate that the data subject has consented to processing of his or her personal data.

IX. Data asset inventory

  1. The controller creates the following data asset inventory according to the obligation of GDPR and other obligations concerning the processing in its activities, for the purpose of creating technical and organizational measures.
  2. The data asset inventory contains all the data which are managed by the controller, including:
    1. data subjects;
    2. purpose and name of processing;
    3. the range of handled data (all managed data);
    4. the range of any special data that may be handled;
    5. legal basis for processing;
    6. period of processing;
    7. who can access personal data within the same controller;
    8. to whom the data may be forwarded;
    9. whether the controller is using a data processor as an employee and, if so, who the processor is, which personal information she or he has access to, and how long the processor can store these data.

X. Rights of the data subject and their enforcement

  1. In accordance with the provisions of the GDPR, the controller shall provide the following to the data subjects.
  2. Right of information:
    1. the data subject is entitled to the right of information in relation to each processing based on a legal basis;
    2. the controller shall take appropriate measures to provide any information and any communication to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language;
    3. the information shall be provided in writing, or by electronic means.
  3. Information requested by the data subject:
    1. when requested by the data subject, the information may be provided orally, provided that the identity of the data subject is already proven;
    2. the controller shall provide information on action taken on a request to the data subject without undue delay and in any event within 30 days of receipt of the request;
    3. that period may be extended by sixty further days where necessary, taking into account the complexity and number of the requests. The controller shall inform the data subject of any such extension within 30 days of receipt of the request, together with the reasons for the delay. Where the data subject makes the request by electronic means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject;
    4. any communication and any actions shall be provided free of charge;
    5. where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested, or refuse to act on the request;
    6. the controller shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.
  4. Where personal data relating to a data subject are collected from the data subject, the controller shall provide the data subject with all of the following information:
    1. the name and the contact details of the controller's representative;
    2. the contact details of the data protection officer;
    3. purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
    4. about the legitimate interests where the processing is based on legitimate interests.
  5. The controller shall, at the first time when personal data are obtained, provide the data subject with the following further information:
    1. the period for which the personal data will be stored;
    2. the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability;
    3. where the processing is based on consent, the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
    4. the right to lodge a complaint with a supervisory authority (Hungarian National Authority for Data Protection and Freedom of Information, hereafter: Authority or NAIH);
    5. whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data;
    6. where the controller intends to further process the personal data for a purpose other than that for which the personal data were collected, the controller shall provide the data subject prior to that further processing with information on that other purpose.
  6. In order to comply with the mandatory information, the controller shall publish its policy on www.denok.debrecen.hu and www.isd.debrecen.hu websites.
  7. Right of access by the data subject:
    1. the data subject is entitled to the right of access in relation to each processing based on a legal basis;
    2. the data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:
      1. the purposes of the processing;
      2. the categories of personal data concerned;
      3. the envisaged period for which the personal data will be stored.
    3. the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
    4. the right to lodge a complaint with a supervisory authority;
  8. Right to rectification:
    1. the data subject is entitled to the right to rectification in relation to each processing based on a legal basis;
    2. the data subject shall have the right to ask for rectification;
    3. the data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her;
    4. the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement;
  9. Right to erasure (‘right to be forgotten’):
    1. the data subject is not automatically entitled to the right to erasure (right to be forgotten) in relation to each processing based on a legal basis;
    2. the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
      1. the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
      2. the data subject withdraws consent on which the processing is based, and where there is no other legal ground for the processing;
      3. the data subject objects to the processing, and there are no overriding legitimate grounds for the processing;
      4. the personal data have been unlawfully processed;
      5. the personal data have to be erased for compliance with a legal obligation in Union or national law to which the controller is subject;
    3. the right to erasure by the data subject shall not apply to the extent that processing is necessary to complete the statutory obligations for processing of personal data;
    4. if an erasure request is received by the data controller, the controller shall examine whether the request actually comes from the data subject;
    5. if the controller has to comply with the erasure request, the personal data will be deleted from all databases;
    6. the controller takes a record of the erasure in order to confirm that the deletion has happened. The record shall be signed by the CEO of the controller. The deletion record includes the following details:
      1. name of the data subject;
      2. deleted personal data;
      3. time of erasure;
  10. Right to restriction of processing:
    1. the data subject is entitled to the right to restriction in relation to each processing based on a legal basis;
    2. the data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:
      1. the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
      2. the processing is unlawful, and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
      3. the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defense of legal claims;
  11. Right to object:
    1. the data subject is entitled to the right to object in relation to the processing based on public powers or legitimate interests;
    2. the controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defense of legal claims;
    3. where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing;
    4. where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
  12. Right to data portability:
    1. the data subject is entitled to the right to data portability in relation to the processing based on a contract or consent, if the processing is carried out by automated means;
    2. the data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used format and have the right to transmit those data to another controller.

XI. Records of processing activities

  1. The controller, in relation to the accountability principle, keeps records of data processing activities in order to track whether the processing meets the requirements of the GDPR and to be able to confirm it.
  2. Each controller shall maintain a record of processing activities under its responsibility:
    1. records of data transfers;
    2. records of requests for asserting subject rights and the responses given by the controller;
    3. records of official inquiries and responses given by the controller;
    4. records of requests for termination of data processing;
    5. records of data subjects;
    6. records of marketing inquiries;
    7. records of personal data processing related to employment relationship;
    8. records of recruitment;
    9. records of personal data breach.
  3. The records shall contain all of the following information:
    1. the name and contact details of the controller and the data protection officer;
    2. the purposes of the processing;
    3. a description of the categories of data subjects and of the categories of personal data;
    4. the categories of recipients to whom the personal data have been or will be disclosed;
    5. where possible, the envisaged time limits for erasure of the different categories of data;
    6. where possible, a general description of the technical and organizational security measures.
  4. The records shall be held in writing or in electronic form by the company.

XII. Security of processing

  1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
  2. Accordingly, the controller shall guarantee the confidentiality, inviolability and availability of the data she/he manages.
  3. In order to determine the appropriate level of data security measures, the controller evaluates each of the data files he/she manages regarding the defense needs and classifies them into security grades.
  4. The controller shall analyze the following in order to determine the security grades of each processing:
    1. the risks and expected damage relating to unauthorized knowledge, change or erasure of personal data processed, and impairment of hardware and software tools;
    2. whether it is possible to restore damaged data files and the cost of any restoration. The availability of data sources for reproducing personal data, and the possibility of replacing lost data from manual background records.
    3. whether it is reasonable to apply differentiated safety standards, according to the nature of handled personal data;
    4. other risk elements that endanger the security of personal data.
  5. In order to ensure the security of data processing, the controller uses physical and logical controls.
  6. Physical controls:
    1. the controller shall ensure with a card control system that unauthorized persons are blocked from entering the building of the controller, and also ensure that unauthorized persons cannot enter the lockable offices;
    2. the controller shall ensure that unauthorized persons are blocked physically from accessing the data which are handled by the controller, in electronic or in paper form.
  7. Logical controls:
    1. the controller shall ensure that the data she/he manages is accessible only to those who have appropriate rights;
    2. the controller shall use the updated Microsoft 365 Office package during the electronic data processing activity;
    3. the access to computer databases will be determined according to permission levels;
    4. access to the internal computer network requires a user name and password.

XIII. Cookie usage

  1. For the proper function of the website, it is essential to use cookies. By using this website, you consent to the use of cookies. We use cookies in certain areas of our website.

    Cookies are files that store information on your hard drive or web browser. Cookies allow the website to recognize you if you have visited the page already. Cookies help us understand which part of our website is the most popular, as they let us know which pages the visitors enter and how much time they spend there. By studying this, we can better adjust our website to your needs and provide a more varied user experience for you.

XIV. Handling of personal data breach

  1. A personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned.
  2. In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the authority. Notification is not required where the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.
  3. Where the notification to the authority about the personal data breach is required, the controller shall provide the following information:
    1. describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned, and the categories and approximate number of personal data records concerned;
    2. communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
    3. describe the likely consequences of the personal data breach;
    4. describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
  4. If the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall without undue delay, notify the personal data breach to the data subjects.
  5. The communication to the data subject shall describe in clear and plain language the nature of the personal data breach, and contain the following information:
    1. communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
    2. describe the likely consequences of the personal data breach;
    3. describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
  6. The communication to the data subject shall not be required if any of the following conditions are met:
    1. the controller has implemented appropriate technical and organizational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorized to access it, such as encryption;
    2. the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialize;
    3. it would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.

XV. Processing related to employment relationship

  1. The controller refers to this policy by indicating the contact details in the job application which was written by him or her.
  2. If the controller wishes to store the documents submitted by the jobseeker after the application has expired and the job is already filled, the controller shall ask for the consent of the jobseeker.
  3. The consent shall be voluntary, specific and clear, and it shall be based on appropriate information.
  4. For this purpose, the declaration of consent shall include at least:
    1. the name and the contact details of the controller's representative;
    2. purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
    3. the period for which the personal data will be stored;
    4. the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject;
    5. the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
    6. the right to lodge a complaint with the Authority.
  5. After the evaluation of the application, the personal data of unsuccessful candidates shall be destroyed in the absence of any consent about further use. The destruction (deletion) shall be recorded.
  6. The controller shall handle employees’ personal data according to the provisions of the Lc., and inform them as specified in the Lc., in compliance with the data processing principles included in the GDPR.

XVI. Law enforcement options

  1. Should you have any further questions or observations, please contact the data controller on the following e-mail address: .
  2. The data subjects may contact the Hungarian National Authority for Data Protection and Freedom of Information (address: 1125 Budapest, Szilágyi Erzsébet street 22/c.; phone number: +36-1-391-1400; e-mail: ; website: www.naih.hu) directly with their complaints regarding their data processing.
  3. You have the right to turn to a court in any case of infringement of the rights of a data subject. The final judgment belongs to the jurisdiction of the General Court.

XVII. Data protection officer

  1. Taking into account the data protection legislations and the recommendation of the working group according to Article 29 of the GDPR, the controller shall appoint a data protection officer on a voluntary basis in order to facilitate the compliance with the data protection rules, to carry out and facilitate audits, to promote cooperation with the supervisory authority and the data subjects, and to increase accountability.

    Name of the data protection officer: Juhász Marcell
    postal address: 4026 Debrecen, Kálvin sq. 11.
    e-mail address:
    phone number: + 36 20 292 2629

XVIII. Entry into force and final provisions

  1. It shall apply from 25 May 2018.


Done at Debrecen, 15 May 2018.
