MVM GROUP DATA PRIVACY PROGRAM
1. MVM Group's personal data management and data protection governance structure
The MVM Group Central Directive on Personal Data Processing and Data Protection (KIE-16) sets out the MVM Group’s provisions on the processing of personal data and thereby fulfils the requirements of the applicable legal statutes. The directive defines the technical and organisational measures and expectations required of the member companies in order to protect the rights of data subjects. The central and internal regulations applicable to data processing activities must be interpreted and applied in accordance with this directive; in the event of a conflict between the two, the directive prevails in matters of data protection.
The methodological guidance and templates for the practical application of this directive are set out in the MVM Group’s Personal Data Processing and Data Protection Manual. The Manual is available to every group member subsidiary and every employee in the central directory, under the MVM Group’s Quality Management and Regulation Document Repository.
The proper functioning of each company’s data protection operation and the performance of day-to-day data protection tasks are ensured by a network of employees at three levels:
• data protection officers (group-level common data protection officers)
• company data protection coordinators
• specialist data protection representatives.
2. Data protection reporting for company management
The group-level common data protection officers prepare a summary report for the board of directors of MVM Zrt every calendar half-year, so that management can respond where necessary. This report provides detailed group-level information on data protection incidents, the risks that have arisen, and the status of any regulatory proceedings. In addition, the data protection officer assigned to each member company prepares a quarterly summary report on that company’s data protection tasks for the company’s CEO.
3. Data protection risk assessments, reviews
MVM Group is committed to GDPR compliance across the group and conducts regular internal audits of the data protection activities of its various business processes. A Data Protection Impact Assessment (DPIA) is mandatory for high-risk processing activities. Chapter XVI of the Data Protection Manual of MVM Group contains a detailed methodological template for conducting an impact assessment, following the model of the French Data Protection Authority (CNIL). The impact assessment must first be carried out before the processing begins, in line with the principle of data protection by design and by default, and should be seen as a tool that supports decisions about the processing. It is not enough, however, to carry out the assessment only once before processing starts: the assessment must be maintained on an ongoing basis, with the processing continuously monitored, especially where the processing operation or its risk changes frequently. The DPIA should therefore be treated as a process that runs for the entire duration of the processing.
4. General rules for data protection incident management
Every Controller company is obliged to prevent data breaches, to minimise within the shortest possible time the risks of any data security breach that occurs despite the technical and organisational measures taken to ensure data security, and to minimise the risk of damage arising as a consequence of such a breach.
Relevant and appropriate procedures are in place for handling data privacy breaches. Incidents that have occurred and carry a non-negligible risk shall be reported by the member company’s data protection officer or Company data protection coordinator using the template form. The methodology for managing data breaches, which is aligned with the central information security regulations, is set out in Chapter VIII of the Manual, while the methodology for the risk assessment of breach incidents and the contact details needed for reporting incidents are specified in Chapter XV of the Data Protection Manual of MVM Group.
The detailed procedures for managing data protection incidents shall be carried out in accordance with the MVM Group central rules of procedure on data breach incident management (KER-16-01).
Any employee of a Controller who obtains information in relation to personal data processing that indicates an extraordinary event requiring action (a suspected data breach) must immediately forward it to his or her superior and to the Security Dispatch Service, while also informing the Company data protection coordinator and the data protection officer designated for the Controller company. Any employee of a Processor within the MVM Group who obtains information about such an extraordinary event related to personal data processing must immediately forward it to the Controller, while simultaneously notifying the Company data protection coordinator. The data protection officer and the Company data protection coordinator are responsible for handling the incident in cooperation with the company’s competent manager, the Specialist data protection representative, and the company employees who have information on the circumstances of the breach.
A risk assessment must be conducted whenever a data breach occurs at any company; a risk assessment guide is provided in Chapter XV of the Data Protection Manual of MVM Group. The CEO of the Controller company must decide without delay whether notification of the supervisory authority is mandatory and whether notification of the Data Subjects is mandatory, taking into account all circumstances of the case as well as the opinions of the competent data protection officer and the Company data protection coordinator. (Where notification of the supervisory authority is required, the GDPR sets a deadline of 72 hours from the Controller becoming aware of the breach, which is why the decision cannot be deferred.)
In every data breach case, the measures taken in response to the breach must be defined in accordance with the requirements of the central directive on data security, so that the data processing tools remain compliant with the legal obligations.
5. Raising and maintaining data protection awareness
New employees must attend mandatory data protection training. To raise and maintain data protection awareness, annual data protection awareness training courses are to be held. The professional content of the training materials is prepared by the group-level common data protection officers. The organisational unit responsible for training at the company is responsible for holding the training sessions; where no such unit exists, the HR department holds the training based on the central training curriculum issued by the group-level common data protection officers, either by organising e-learning or, in the case of in-person training, by involving the data protection officer.