Introduction 
The purpose of this Information about personal data management document is to inform natural persons affected by personal data processing about the data processing principles, standards and conditions applied by RR Donnelley Magyarország Kft. (H-4031 Debrecen, Kígyóhagyma utca 7., hereinafter: “Company”) as the data controller, and to inform them about the purpose and legal basis of the data processing, the persons entitled to data management and data processing, the duration of the data processing and who can get access to the data, as well as about the available legal remedies in accordance with the provisions of REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL (hereinafter: the ‘GDPR’) and Act CXII of 2011 on Informational Self-determination and Freedom of Information (hereinafter: Info Act).

This document provides information in a transparent, comprehensible and easily accessible form, clearly and comprehensively, on the procedures applied by the Company for the protection of personal data, and facilitates the exercise of the rights of the natural persons concerned.

The Information about personal data management document will be published on the Company's website or sent to the data subjects by post or electronically upon their request. When processing personal data, the Company always complies with the GDPR, the Info Act, as well as the relevant other legal regulations, as amended from time to time.

The European Privacy Notice of the RR Donnelley & Sons Group is available at https://www.rrd.com/privacy-policy/euro/hungarian.

Definitions
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

‘data processing’ means the implementation of data management transactions and technical tasks, regardless of the method and means or the place of the implementation of the transactions, provided that the technical task is implemented on the data;

‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

‘data destruction’ means the complete physical destruction of the storage medium containing data;

‘data transmission’ means the act of making data available for a specified third party;

‘data erasure’ means the act of making the data unrecognizable so as to ensure that data repair is not possible anymore;

‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed;

‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

‘data subject’ means any natural person identified or, directly or indirectly, identifiable on the basis of any specific personal data;

‘third party’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data;

‘publication’ means the act of making data available for anybody;

‘objection’ means the statement of the data subject by which he or she objects to the processing of his or her personal data and request termination of the data processing and/or deletion of the processed data;

‘business secret’ means any fact, information and other data, or a compilation thereof connected with business operations, which are not publicly known or which are not easily accessible to other persons pursuing the same business activities, and which, if obtained and/or used by unauthorized persons or published or disclosed to others or to the public are likely to harm or jeopardise the rightful financial, economic or commercial interest of the owner of such secrets, provided that the disclosure of such data is not imputable to the lawful owner. Technical, business or organizational knowledge, experience or a combination thereof (proprietary knowledge) recorded in an identifiable manner shall be given the same protection as trade secrets if it is acquired, exploited, or disclosed to a third party or to the public in breach of the principles of good faith and fairness.

Basic principles of processing personal data
In all personal data processing operations, we respect the principles set out in the GDPR, which are the following:

• Lawfulness, fairness and transparency
  The Company must process personal data lawfully, fairly and transparently to the data subject. Transparency: at all stages of data processing, it should be clear and unambiguous for all parties who processes the relevant data, for what purpose, on what legal basis, where it is stored, how it is protected, who has access to it, when it is erased, etc.
• Clear and legitimate purpose
  Personal data shall be collected for specific, explicit and legitimate purposes only and shall not be processed by the Company in any manner incompatible with such purposes.
• Data minimization
  The Company only processes as much personal data as is absolutely necessary, and personal data are only accessed by those data controllers or data processors for whom it is absolutely in order to perform their work.
• Accuracy and currency
  The Company will take all reasonable measures to ensure that any personal data that is inaccurate for the purposes of data processing is erased or rectified without delay.
• Data storage and retention only for as long as necessary
  Personal data shall be stored in such form which permits the identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
• Data security and protection
  The Company applies appropriate technical or organizational measures to properly ensure the security of the personal data, including protection against unauthorized or unlawful processing, accidental loss, destruction or corruption of data.
• Compliance with data protection principles
  The Company is responsible for compliance with the above principles in relation to the personal data processed and is able to prove this by documentary evidence.

Legal basis for the processing
The Company processes personal data on the following legal bases:

1. the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
2. processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
3. processing is necessary for compliance with a legal obligation to which the controller is subject;
4. processing is necessary in order to protect the vital interests of the data subject or of another natural person;
5. processing is necessary for the performance of a task carried out in the public interest;
6. processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Data Protection Officer / Personal Data Protection Officer
No data protection officer has been appointed for the RR Donnelley Group. In data protection matters, data protection specialists and legal advisers provide assistance in the field of privacy and data protection, working with clients, employees and regulators across Europe. The European IT Governance Group, directly responsible for privacy and data protection issues can be contacted at DataPrivacyEurope@rrd.com. Its responsibilities also include the investigation and handling of complaints and reports related to the personal data processing operations of the Group, and the provision of information to those concerned.

Enquiries can be sent to the above address in local language, they will be translated and processed by the Company.

In Hungary, a Personal Data Protection Officer has been appointed at the company, who will receive data protection related notifications, suggestions, requests and complaints directly at the following contact details: adatkezeles@rrd.com

Controller

RR Donnelley Magyarország Kft.
Registered office: 4031 Debrecen, Kígyóhagyma u. 7.
Company registration number: 09-09-021925
Tax number: 13082626-2-09
Represented by: Managing Director Dávid Cservenka / Director Erik Preczlik
Phone number: +36 52 506 400
E-mail address: HUN_Admin_Office@rrd.com
Website: https://www.rrd.com/global/hungary/hu

‘Controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

Processors
‘Processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

The data processing service providers shall not make any important decisions concerning the data processing, may only process the personal data disclosed to them exclusively in accordance with the Company’s instructions and shall not process data for their own purposes.

The use of the processor does not require the prior consent of the data subject but the data subject must be informed, which is the responsibility of the principal. Accordingly, we provide the following information:

7.1 IT service

The company's website is maintained and managed by the data processor within the company group, who provide the IT services (hosting service), as part of which they process the personal data submitted via the website and store personal data on the server.

System administration is performed by the employees of the IT Support Team in the United States, who handle the data as data processors and do not process data for their own purposes.

The purpose of the data processing: automatic filtering and sorting by employment preferences, selective compilation and forwarding and making accessible to the Company, deleting and destroying the job application documents (CVs, application forms, motivation letters, accompanying e-mails) submitted for the positions announced by the Company as an employer.

7.2 Postal services, delivery, parcel delivery, freight transport

We transmit the personal data required for the delivery of the mail, parcel or substance or product (name, address, telephone number, etc. of the consignee and/or contact person) to these data processors and they perform the contractual service using this data.

7.3 Property protection and security services

For the purposes of property protection, security and protection of business secrets, the Company employs a security service provider who records and processes the data of natural persons entering the Company's premises, e.g. camera recordings, exit and entry data.

7.4 Archiving documents

7.5 Auditing

7.6 Services provided by the Shared Services Center

7.6.1 Billing, bookkeeping, financial administration

In order to prepare, carry out and audit its invoicing and accounting processes, the Company employs an administrative service provider within the company group, the Shared Service Center. The scope of data processed by this unit includes the personal data of purchasing, sales and service partners (if they are natural persons) and the personal data of the personal contacts (in case of legal entities), and processing includes recording partner data in the Company’s corporate management system in relation to purchase orders, invoicing, preparing and making payments.

7.6.2 Corporate management IT system administration

The Company employs a number of cross-border, uniformly applied corporate management systems in order to ensure the smooth operation of each corporate function. Among the global corporate management systems used by the Company, personal data are processed in JDE (customers, suppliers, service providers, personal contacts) in the field of finance and accounting, and in VMS (suppliers, personal contacts) in the field of supplier management. These systems are administered by staff from administrative units set up by the Group at one or more designated locations, regardless of the geographical location of corporate units worldwide, so personal data processed in the systems are treated by system administrators as data processors who do not process data for their own purposes.

When using the services of the Shared Services Center, the personal data collected may be transferred to a third country within the RR Donnelley Group of Companies in accordance with the relevant data security procedures, the General Terms and Conditions (also known as Model Terms or Data Transfer Agreements) while ensuring adequate protection of personal data.

Ensuring the lawfulness of personal data processing

8.1 Processing personal data with the data subject’s consent

If the Company wishes to perform personal data processing based on consent, it will request the consent of the data subject for the processing of personal data in the manner specified in the Privacy Policy.

It also qualifies a consent if the data subject ticks a box when visiting the Company’s website or makes any other statement or conducts in a way which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data.

Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for each of them.

If the data subject's consent is given in a written declaration which also concerns other matters, e.g. conclusion of sales or service contracts, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration containing the data subject's consent which constitutes an infringement of the Regulation shall not be binding.

The Company shall not make the conclusion or performance of the contract conditional on the data subject’s consent to the processing of any personal data which is not necessary for the performance of the contract.

Consent can be simply withdrawn using the same method (based on a written request suitable for identifying the data subject) by which it was given.

In case the personal data were collected with the consent of the data subject, the Company may, unless otherwise required by law, process the collected data for compliance with a legal obligation without additional consent, and even after the data subject has withdrawn his or her consent.

8.2 Processing personal data for compliance with a legal obligation

In the case of personal data processing based on a legal obligation, the provisions of the relevant law shall apply to the range of data that can be processed, the purpose of data processing, the retention period and the recipients.

The processing of personal data based on compliance with a legal obligation is independent of the data subject's consent, as the processing is required by law. Before starting the data processing, the Company shall inform the data subject that the data processing is mandatory, and provide detailed information about all the facts related to the processing of his or her data. In particular, it shall inform him or her about the purpose and legal basis of the data processing, the persons entitled to data processing, the duration of the data processing, where the data controller processes the data subject’s personal data for compliance with a relevant law, and who can get access to the data.

The above information should also describe the data subject’s rights and legal remedies relating to the given data management. In the case of mandatory data processing, the said information may also be provided by publishing a reference to the legal provisions containing the relevant information.

Personal data are deemed to be processed by the Company for compliance with a legal obligation where it has a documentation obligation.

8.3 Processing to pursue a legitimate interest

Processing personal data may be necessary for the purposes of the legitimate interests pursued by the controller or a third party. A third party can be anyone other than the data controller, data processor or the data subject such as the data controller's contractual partners, suppliers and customers.

If the Company processes any personal data on the basis of a legitimate interest, it shall carry out an interest balancing test in advance, during which it shall take into account the interests or fundamental rights and freedoms of the data subject that require the protection of the processed personal data. If these take precedence over the legitimate interests of the Company or the third party, the data may not be processed by the Company. Such a fundamental individual interest is the protection of one’s reputation or the right to privacy.

The Company shall always tailor the interest balancing test to the given data processing operation, and act prudently during its assessment, and inform the persons affected by the data processing about the result in advance.

8.4 Enforcement of the data subject’s rights

The Company shall ensure the exercise of the rights of the data subject during all data processing operations.

Processing data of visitors on the Company's website - notification about the use of cookies

The Company does not use cookies on its Hungarian website. For more information about cookie management on the corporate websites of the Group, see RRD’s European Privacy Notice: https://www.rrd.com/cookie-policy/hungarian

Information on the data subjects’ rights

Overview of the rights of data subjects whose personal data are processed by the Company:

1. Transparent information, communication and facilitating the exercise of the data subject’s rights
2. Right to prior information – if personal data are collected from the data subject
3. Informing the data subject and the information to be provided if the personal data were not collected by the data controller from the data subject
4. Right of access by the data subject
5. Right to rectification
6. Right to erasure (‘right to be forgotten’)
7. Right to restriction of processing
8. Notification obligation regarding rectification or erasure of personal data or restriction of processing
9. Right to data portability
10. Right to object
11. Communication of a personal data breach to the data subject
12. Right to lodge a complaint with a supervisory authority (right to obtain legal remedy from authorities)
13. Right to an effective judicial remedy against a supervisory authority
14. Right to an effective judicial remedy against a controller or processor

10.1 Transparent information, communication and facilitating the exercise of the data subject’s rights

• The Company shall provide the data subject with all information concerning the processing of personal data in a concise, transparent, intelligible and easily accessible form, using clear and plain language. The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. When requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means.
• The Company shall facilitate the exercise of the rights of the data subject.
• The Controller shall provide information on any action taken on a request to the data subject without undue delay and in any event within one month of receipt of the request. This period may be extended by two months under the conditions specified in the Regulation, and the data subject must be informed of such extension.
• If the Company does not take action on the request of the data subject, the controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.
• The company shall provide information on the rights of the data subject and take action free of charge.

10.2 Right to prior information – if personal data are collected by the Company from the data subject

• The data subject has the right to be informed of the facts and information related to the data processing before the data processing starts. In this context, the data subject shall be informed of:
  • the identity and contact details of the controller and its representative;
  • the contact details of the Data Protection Officer and the Personal Data Protection Officer;
  • the purpose of the intended processing of personal data as well as the legal ground for such processing;
  • where the processing is based on legitimate interests, the legitimate interests pursued by the controller or by a third party;
  • the recipients of personal data – i.e. to whom the personal data are disclosed;
  • where applicable, the fact that the Company intends to transfer personal data to a third country or an international organization.
• In order to ensure fair and transparent data processing, the Company provides the data subject with the following additional information:
  • the period for which the personal data will be stored;
  • the data subject’s right to request from the Company access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability;
  • where the processing is based on the data subject’s consent, the right of the data subject to withdraw his or her consent at any time, without prejudice to the lawfulness of processing based on consent before its withdrawal;
  • the right to file a complaint with a supervisory authority;
  • whether the provision of personal data is a statutory or contractual requirement, or a condition precedent for the conclusion of a contract, as well as whether the data subject is obliged to provide the personal data, and of the possible consequences of failure to provide such data;
  • Where the Company intends to further process the personal data for a purpose other than that for which the personal data were collected, it shall provide the data subject with information on such other purpose prior to such further processing.

10.3 Informing the data subject and the information to be provided if the Company has not collected the personal data from the data subject

• Where personal data have not been collected by the Company from the data subject, the Company shall inform the data subject about the facts and information described in the previous two sections, as well as about the categories of personal data concerned and its source and, if applicable, about whether the data originates from publicly available sources no later than one month after obtaining the personal data; if the personal data are to be used for communication with the data subject, at the time of the first communication to that data subject, at the latest; or if disclosure to another recipient is also envisaged, when the personal data are first disclosed, at the latest.

10.4 The data subject’s right of access

• The data subject shall have the right to obtain from the Company confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data.
• Where personal data are transferred to a third country or to an international organization, the data subject shall have the right to be informed of the appropriate safeguards relating to the transfer provided for by the Regulation.
• On the data subject’s request, the Company shall provide the data subject with a copy of the personal data being processed.

10.5 Right to rectification

• The data subject has the right to obtain from the Company without undue delay the rectification of inaccurate personal data concerning him or her.
• Taking into account the purposes of the processing, the data subject has the right to have incomplete personal data completed by means of providing a supplementary statement.

10.6 Right to erasure (‘right to be forgotten’)

• The data subject has the right to obtain from the Company the erasure of his or her personal data without undue delay and the Company shall be obliged to erase such personal data without undue delay if
  • the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
  • the data subject withdraws consent on which the processing is based, and where there is no other legal ground for the processing;
  • the data subject objects to the processing pursuant to and there are no overriding legitimate grounds for the processing;
  • the personal data have been unlawfully processed;
  • the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
  • the personal data have been collected in relation to the offer of information society services offered directly to children.
• The right to erasure may not be exercised if data processing is necessary
  • for exercising the right of freedom of expression and information;
  • for compliance with a legal obligation under Union or Member State law applicable to the Company, or in the public interest;
  • for the interest of the public in the area of public health;
  • for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, in so far as the right to erasure is likely to render impossible or seriously impair data processing; or
  • for the establishment, exercise or defence of legal claims.

10.7 Right to restriction of processing

• The data subject has the right to obtain from the Company restriction of processing where any of the following applies:
  • the accuracy of the personal data is contested by the data subject, in which case the restriction shall last for a period enabling the Company to verify the accuracy of the personal data;
  • the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
  • the Company no longer needs the personal data for the purposes of the processing, but the data subject requests the same for the assertion, exercise or defense of legal claims; or
  • the data subject has objected to processing; in this case such restriction shall be valid until it is determined whether the legitimate grounds of the Company override those of the data subject.
• Where processing has been restricted, personal data shall, with the exception of storage, only be processed with the data subject's consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
• The Data Subject shall be informed before the restriction of processing is lifted.

10.8 Notification obligation regarding rectification or erasure of personal data or restriction of processing

The Company shall communicate any rectification or erasure of personal data or restriction of processing to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves a disproportionate effort. At the data subject's request, the Company shall identify the recipients to the data subject.

10.9 Right to data portability

• Subject to the provisions of the GDPR, the data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to the Company, in a structured, commonly used and machine-readable format and also have the right to transmit those data to another controller without hindrance from the Company to which the personal data have been provided, where:
  • the processing is based on consent or a contract; and
  • the processing is carried out by automated means.
• The data subject can also request that his or her personal data be directly transmitted to another controller.
• Exercising the right to data portability shall not conflict with the right to erasure of data (‘right to be forgotten’).

10.10 Right to object

• The data subject has the right to object, for reasons relating to their particular situation, at any time to the processing of his or her personal data on the basis of a legitimate interest. In this case, the Company shall no longer process the personal data unless the Company demonstrates compelling legitimate grounds for the processing which override the data subject’s interests, rights and freedoms or for the establishment, exercise or defense of legal claims.
• These rights shall be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information at the time of the first communication with the data subject, at the latest.
• The data subject may exercise the right to object also by automated means based on technical specifications.
• Where personal data are processed for scientific or historical research purposes or statistical purposes, the data subject, on grounds relating to his or her particular situation, shall have the right to object to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

10.11 Communication of a personal data breach to the data subject

• When the data breach is likely to result in a high risk to the rights and freedoms of natural persons, the Company shall communicate the data breach to the data subject without undue delay. In this communication it shall describe the personal data breach clearly and intelligibly, and provide at least the following details:
  • the name and contact details of the Data Protection Officer, the Personal Data Protection Officer or other contact point where more information can be obtained;
  • the likely consequences of the personal data breach; and
  • the measures taken or proposed to be taken by the Company to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
• The communication to the data subject is not required if any of the following conditions are met:
  • the Company has implemented appropriate technical and organizational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorized to access it, such as encryption;
  • after a data breach, the controller has taken additional measures to ensure that the high risk to the rights and freedoms of the data subject is no longer likely to materialize;
  • it would involve disproportionate effort. In such a case, there shall be a public communication or similar measure instead whereby the data subjects are informed in an equally effective manner.

10.12 Right to file a complaint with a supervisory authority (right to legal remedy)

The data subject has the right to file a complaint with a supervisory authority, in particular in the Member State of their habitual place of stay, place of work or the place of the alleged infringement, in case the data subject believes that the processing of his or her personal data violates the GDPR. The supervisory authority with which the complaint has been filed shall inform the complainant on the progress and the outcome of the complaint handling process including the complainant’s right to seek judicial remedy.

10.13 Right to an effective judicial remedy against a supervisory authority

• Each natural person and legal entity has the right to an effective judicial remedy against a legally binding decision of the supervisory authority concerning them.
• Each data subject shall have the right to an effective judicial remedy where the supervisory authority which is competent does not handle a complaint or does not inform the data subject within three months on the progress or outcome of the complaint lodged.
• Proceedings against a supervisory authority shall be brought before the courts of the member state where the supervisory authority is established.

10.14 Right to an effective judicial remedy against a controller or processor

• Each data subject shall have the right to an effective judicial remedy where he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data in non-compliance with this Regulation.
• Proceedings against a controller or a processor shall be brought before the courts of the Member State where the controller or processor has an establishment. Alternatively, such proceedings may be brought before the courts of the Member State where the data subject has his or her habitual residence, unless the controller or processor is a public authority of a Member State acting in the exercise of its public powers.

The scope of data processed by the Company

1.1. Data processing relating to employment

• Job applicants
• Employees / Temporary workers
• Other legal relationship for work
• Former employees

1.2. Personal data processing for the performance of a contract

• Natural person customers, suppliers and service providers
• Natural person representatives and contacts of legal entity customers, buyers and suppliers
• Visitors

1.3. Processing personal data based on a legal obligation

• Performance of tax and accounting obligations
• Processing of payers’ data
• Data processing for compliance with anti-money laundering / anti-terrorist financing obligations and restrictive measures

11.1 Processing the data of job applicants

As an employer, the Company processes personal data in connection with the Applicants applying for vacant positions, which the Applicant provides to the Company in any way in order to get the announced position and to work. Applicants need to acknowledge that they must provide certain information required to participate in the selection, failing which participation is not possible.

Type of data processed:

• Name of the applicant
• Place and date of birth
• Nationality
• Home address, place of residence
• Telephone number, e-mail address
• Qualifications
• Employment history
• Photo
• Interview report notes
• Job aptitude test results

By contacting the Company, the Applicant expresses his or her consent that his or her correspondence may be stored and retained by the Company for the necessary period.

Legal basis for processing personal data: the data subject's consent; purpose: evaluation of applications, concluding an employment contract with the selected applicant. The data subject will be informed by the Company if he or she has not been selected for the position he or she applied for.

If the Company intends to use the data provided by the Applicant for a purpose other than the original one contained in this Information about personal data management document, it shall inform the Applicant thereof and obtain the Applicant’s prior express consent or provide the Applicant with an opportunity to prohibit such use.

The Company only accepts documents from Applicants who have reached the age of 18; the applications of applicants younger than that will be automatically deleted together with their personal data.

Data processor of applicants’ data: R.R. Donnelley & Sons.

The purpose of the data processing: automatic filtering and sorting by employment preferences, selective compilation and forwarding and making accessible to the Company, deleting and destroying the job application documents (CVs, application forms, motivation letters, accompanying e-mails) submitted for the positions announced by the Company as an employer.

The data processing service provider shall not make any important decisions concerning the data processing, and may process the personal data disclosed to it exclusively in accordance with the Company’s instructions and shall not process data for its own purposes.

If the Company wishes to transfer the data provided by the Applicant to a third party for the purposes described above, it shall inform the Applicant in advance or provide the Applicant with an opportunity to prohibit such transfer.

Retention period of personal data: 3 years after the closing of the application process, based on the legitimate interests of the Company.

11.2 Processing personal data of natural person customers, suppliers and service providers

The Company processes the data of the natural person with whom a contract was made as a buyer, supplier or service provider on the legal basis of performance of the contract, and for the purpose of concluding, fulfilling, terminating the contract and providing a contractual discount. Type of data processed:

This data processing is also deemed lawful if processing is necessary in order to take the steps requested by the data subject prior to entering into a contract.

The recipients of the personal data are: the Company's customer service and procurement staff, the contact persons of the department requesting the services, as well as the employees performing accounting and tax administration tasks, and the data processors. Retention period of personal data: 10 years after the termination of the contract or the service relationship.

The data subject shall be informed before the start of the processing that the legal basis for the processing is the performance of the contract. The information shall be provided primarily in the contract and if there is no contract, a separate letter of consent / consent form must be completed also indicating that the Company informs the data subject about the transfer of his or her personal data to the data processor.

11.3 Natural person contacts of legal entity customers, buyers and suppliers

The scope of personal data that may be processed:

• natural person’s name
• position
• workplace address
• phone number
• e-mail address
• ID

Purpose of personal data processing: communication and liaising for business purposes with the legal entity partner to perform the contract concluded between the Company and its legal entity partner, processing general business data (processing personal data disclosed under the contract made with the legal entity partner for the purpose of accounting, book-keeping, enforcement of claims and tracking); legal basis for processing: performance of a contract and the legitimate interest of the Company and its customers, buyers and suppliers.

The recipients of the personal data are the Company's customer service and procurement staff, the contact persons of the department requesting the services, as well as the employees performing accounting and tax administration tasks, and the data processing employees.

Personal data are transferred by the Company to a third party in a contractual relationship with the Company if the Company uses the services of the legal entity partner to provide its own services (such as carrying the Company's goods to the Company's customers) and this is necessary for performing the contract made between the third party and the Company. The legal basis for data transfer is the legitimate interest of the Company and the third party.

The Company also agrees with its legal entity partners that the personal data collected during the performance of the contract will be processed in accordance with the relevant data protection rules. In addition, if the personal data are transferred to a third party in a contractual relationship with the Company, the Company shall enter into an agreement to this effect also with such third party.

Retention period of personal data:

• Until communication and liaising regarding the performance of the contract is necessary, but no later than until the termination of the contract.
• The retention period in connection with the enforcement of a civil law claim or compliance with an obligation is 5 years after the termination of the civil law relationship with the person concerned pursuant to Subsection (1) of Section 6:22 of Act V of 2013 on the Civil Code.
• If the data are provided by the Company in accordance with Sections 168-169 of Act C of 2000 on Accounting, the Company will delete the data only 10 years after the termination of the contractual relationship. This is the case if the data are part of the accounting evidence, for example they are contained in the documentation of the contract (e.g. in the purchase order) or in the invoice issued.

11.4 Processing personal data for compliance with tax and accounting obligations

The Company processes the statutory data of natural persons establishing a business relationship with it as buyers, suppliers or other service providers on the legal basis of performance of a legal obligation and for the purpose of compliance with its legal obligations related to tax administration and accounting. Pursuant to Sections 169 and 202 of Act CXXVII of 2017 on Value-added Tax, the data being processed include in particular: tax number, name, address, tax status, pursuant to Section 167 of Act C of 2000 on Accounting: name, address, name of the person or organization ordering the economic transaction, signature of the payer and the employee confirming performance of the order and, depending on the organization, of the inspector; the signature of the recipient in certificates of movements of inventories and cash handling certificates, and the signature of the payer in counter-receipts; pursuant to Act CXVII of 1995 on Personal Income Tax: entrepreneurial license number, primary producer’s license number, tax ID.

Retention period of personal data: 10 years after the termination of the underlying legal relationship.

Recipients of personal data: employees and data processors of the Company performing tax, accounting, payroll and social security tasks.

The Company uses an electronic surveillance system at its site, which allows for recording and storing images, for the purpose of protecting human life, bodily integrity, personal freedom, trade secrets, property protection, prevention of theft, vandalism and other criminal offences as well as for tracking quality assurance compliance. In this context, the conduct of the data subject recorded by the camera is deemed to be personal data.

Direct surveillance is only enabled on the outdoor surveillance cameras at the Company, where direct surveillance is performed by the security staff of Pannon Guard.

The legal basis for this data processing is the enforcement of the employer’s legitimate interests, and the consent of the data subject.

The Company shall display a warning sign and notice on the use of the electronic surveillance system in a visible spot, in a clearly legible manner, and so as to facilitate the information of the persons wishing to enter the premises.

Images of third parties (customers, visitors, guests) entering the monitored area may be recorded and processed with their consent. Consent may also be given by implied conduct. Implied conduct includes, in particular, if the natural person present enters the monitored area despite clear indication of the use of the electronic surveillance system installed there.

The video recordings will be retained for a period of 30 days, unless they will be used, in order to comply with the Good Manufacturing Practice (GMP) requirements of the company's business partners and the confidentiality obligations relating to business secrets. It shall also be deemed as use if the recorded images and other personal data are used as evidence in court, infraction, accident investigation or other authority or quality assurance proceedings.

Any person, whose right or legitimate interest is affected by the image recording, may, within three working days after the image recording, providing proof of his or her right or legitimate interest, request the data controller not to destroy or erase the data concerned.

The Company will not use an electronic surveillance system in a room where surveillance may violate human dignity, especially in locker rooms, showers and toilets.

Data of recordings made on the Company's premises may be disclosed only to such persons and only to such extent which is absolutely necessary and sufficient for performing the job duties of the person requesting the data. Publication of camera recordings managed by the Company is prohibited, and they will not be transmitted, except in cases prescribed by law.

At the request of the person visible on the recordings, the Company shall enable the person concerned to view the recordings in accordance with legal requirements. If a third party is visible on the recordings in addition to the person concerned, the consent of such third party is also required to view the recordings by the employee concerned.

Processing entry and exit data on site

The Company uses an electronic access system at its site, which stores the movement data of natural persons entering and leaving the site, for the purpose of protecting human life, bodily integrity and business secrets, property protection and crime prevention. The administration of the access cards and the necessary personal data processing are performed by the staff of the Pannon Guard security service.

The scope of personal data that may be processed: the name of the natural person, the serial number of the access card, the dates of entries and exits through access gates and doors equipped with electronic locks.

The legal basis for this data processing is the enforcement of the employer’s legitimate interests, and the retention period is 12 months after the last entry.

The company, or the security service provider acting on its behalf, is entitled to request the visitor entering or leaving the site to present their bags, stating the reason and purpose of the proposed measure, if

1. it is reasonably assumed that the person concerned is in possession of a thing originating from a criminal act or offence which should be protected by the security guard according to his or her contractual obligation;
2. the person concerned fails to present that thing on request; and
3. the measure is necessary for preventing or stopping an unlawful act.

If an inspection (bag check) is carried out on the basis of the conditions set out above, it will be carried out in a room designated by the Company (separate room). The security guard acting on behalf of the Data Controller shall inform the data subject about the checking procedure, the reason thereof and shall request the voluntary presentation of the object unlawfully possessed by the person concerned. The items in the bag shall be presented individually by the individual, and only the person being checked may touch the items in the bag. As a guarantee rule, in addition to the persons acting on behalf of the Data Controller, another individual nominated by the individual and present at the Data Controller's registered office may also participate in the audit. In each case, a report shall be drawn up on the inspection and its results, which shall be signed by the persons present.

The legal basis for this data processing is the enforcement of the employer’s legitimate interests, and the retention period is 5 years.

Data security

The Company and the data processing service providers entrusted by it shall take the technical and organizational measures and establish the procedural rules necessary for the enforcement of the GDPR and the Info Act in order to ensure the security of personal data for all purposes and legal bases.

To this end, the Company and the data processing service providers shall establish procedural rules to make sure that the processed data are protected against unauthorized access, modification, transmission, disclosure to the public, erasure, destruction, accidental loss or damage, as well as against data becoming inaccessible due to changes in the technology used. The Company and the data processing service providers shall take into account the current state of the art when defining and applying data security measures.

The Company shall plan and execute its data processing operations so as to guarantee the protection of the data subject’s privacy in line with the provisions of the GDPR, the Info Act and the other laws and regulations relevant to data processing.

All employees of the Company involved in data processing shall comply with the above principles regarding data management, data processing and data security on the basis of their employment or other legal relationship.

The Company may make a copy of the personal data transferred in electronic format (e.g. by e-mail) as part of the Company's backup procedure, and it shall ensure the destruction or access of such copies upon termination of the data processing.

The Company shall make every effort to ensure that data processors provide protection equivalent to the data protection guarantees provided by the Company.

Changes of the document

The Data Controller reserves the right to modify or update this document at any time without prior notice and to publish the updated version on its website. The current document is available at www.rrd.com. The processing of personal data shall always be governed by the current version of the Information about personal data management document, even if a previous document was in force when the personal data of the data subject were collected or his or her personal data were otherwise provided.

Contact / Complaint handling

If you have any questions, comments or requests regarding this information document, or would like to make a complaint or initiate the erasure of your data as described above, please contact us at the following contact details:

RR Donnelley Magyarország Kft.
4031 Debrecen, Kígyóhagyma u. 7.
Phone number: (+36) 52 / 506-410
E-mail: adatkezeles@rrd.com

or

Department in charge of European Data Protection: DataPrivacyEurope@rrd.com

In case of violation of your privacy rights as well as in the cases specified in the GDPR, you may request the assistance of the National Authority for Data Protection and Freedom of Information, and are also entitled to file a lawsuit before a court that has jurisdiction according to your permanent or temporary residence.

Contact details of the National Authority for Data Protection and Freedom of Information:

Mailing address: 1363 Budapest, Pf.: 9.
Address: 1055 Budapest, Falk Miksa u. 9.-11.
Phone number: +36 (1) 391-1400
Fax: +36 (1) 391-1410
Web: naih.hu E-mail: ugyfelszolgalat@naih.hu