Please Feel Free To Contact Us.
Data Privacy statement
Of data requested by Bipros to provide payroll services to its Clients
DATA PROCESSOR, PURPOSE, LEGAL BASIS AND TERM OF DATA PROCESS, TYPES OF PROCESSED DATA
Bipros while processing Personal Data, is acting as “processor” of the Client, and the latter qualifies as “data controller”.
Bipros, in its capacity as a processor, will process the Personal Data only in accordance with (i) the applicable legislation, (ii) its service agreement concluded with the Client and (iii) other documented instructions of the Client.
Personal Data are only processed for (i) the performance of the Payroll services under the service agreement and (ii) during the duration of the service agreement, to the extent required for compliance with data retention obligations of the Client and to protect Bipros’s rights under the agreement (e.g. in the context of legal proceedings, authority investigations or similar events);
Types of personal data processed by Bipros include (i) personal identification data, including first name, last name, residential address, date and place of birth, citizenship, mother`s name, spouse and children first and last name, residential address, date and place of birth and citizenship (ii) tax and social security details, including social security number, tax number, spouse and childen tax and social security number, pension fund membership; (iii) employment data including gross salary, other income, job title, employment period, working hours, vacation data and bank account details; (iv) certain medical information such as sickness, disability, maternity, work accident information; (v) any other information provided by the Client for the purpose of enabling Bipros to perform its obligations under the agreement, to comply with applicable laws, regulations, orders of a competent court or requests form a respective authority that Client or Bipros are subject to (‘Personal Data’).
Data supply is based on employment agreement concluded between the Data subject and Client and purpose of processing is to comply with the employer data provision obligation associated with employment relationships as defined by the applicable legislation. In this case the data process is based on law.
SUB-PROCESSING, TRANSFER OF DATA
Bipros delegates the processing of personal data to subcontractor (the “Sub-Processor”) as approved by the Client in the agreement or otherwise. Bipros will remain liable towards Client for any acts and omissions of any Sub-Processor.
Bipros will ensure that any Sub-Processor having access to (or otherwise processing) personal data is subject to written terms imposing on it substantially the same duties regarding data security, confidentiality, privacy as those applying to Bipros.
Bipros is using Microsoft Azure cloud-based services, which is not transferring data outside of the European Union.
Bipros is applying administrative service providers (e.g. IT experts) necessary for its daily operation, which service providers might have limited access to the personal data, in case it is necessary for their performance. Client hereby expressly accepts these necessary data transfers
Bipros implements all necessary technical and/or organizational measures as required by the GDPR (such as, for instance, the ability to ensure the confidentiality, integrity, availability and resilience of processing systems and services, the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident, a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing) to ensure the protection of the personal data processed from any accidental or unlawful destruction, loss, deterioration, unauthorized disclosure or access and any other unlawful form of processing. Bipros is ISO 27001 (ISO/IEC 27001 Information security management) certified.
RIGHTS OF DATA SUBJECTS
Categories of data subjects concerned by the processing of Personal Data are (i) employees of the Client, (ii) close family members of the Client employees (spouse, children, mother) and (iii) any other categories of data subjects that the Client may submit (’Data Subject’).
Rights of the Data Subjects concerning processing:
- Right to information (access): the Data Subject may request information about the processing of their Personal Data at any time. When requested by the data subject in writing, the controller provides information about the categories of personal data concerned, the purpose and duration of processing, the recipients, the rights of the data subject and the possibility to file complaints to the authority.
- Right to rectification: the Data Subject has the right to request the clarification or supplementation of their processed data at any time. The Data Subject must submit facts and evidence supporting the need for rectification to any request for the rectification of data.
- Right to erasure: a Data Subject may request their data to be erased when processing is no longer required in line with the applicable legislation or the Data Subject’s data are processed unlawfully, or
- Right to restriction: the Data Subject has the right to request the restriction of the processing of their data by the controller when the validity of the personal data is disputed.
- Right to legal remedy In case their rights are violated, Data Subjects have the right to turn to the competent court according to their place of permanent or temporary residence, and anyone may request the National Authority for Data Protection and Freedom of Information (address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c, postal address: 1530 Budapest, Pf. 5., e-mail: firstname.lastname@example.org , website: https://naih.hu/ ) to conduct an investigation due to the fact that an infringement of right occurred or there is an imminent threat thereof. The court shall proceed in relation to the subject of the request immediately
In case Bipros receives any request concerning the exercise of the Data Subject’s right, it informs the Client as controller in writing within 8 (eight) days from the receipt of the request. The controller shall only be obliged to comply with the Data Subject’s request to restrict the processing of their data or to erase their data when the conditions of processing of data specified in this policy do not prevail.
Data subjects may make their declarations concerning the processing of their data and may submit requests and questions to Client. Bipros will, upon the written request from the Client, and in so far as this is technically or legally possible, assist with appropriate technical and organizational measures (taking into account the nature of the processing) for the fulfilment of the Client`s obligations to respond to requests from data subjects for access to, or rectification, erasure or portability of Personal Data or for restriction of processing or objections to processing of Personal Data.
“Controller” means a controller or data controller (as defined in the Data Protection Legislation).
“Client” means the Company which employs individuals concerning with data processing services and engages Bipros to provide payroll services under a service agreement.
“Data Protection Legislation” means the following legislation to the extent applicable from time to time: (a) national laws implementing the Data Protection Directive (95/46/EC) and the Directive on Privacy and Electronic Communications (2002/58/EC); (b) the General Data Protection Regulation (2016/679); and (c) any other similar national privacy law.
“GDPR” means the General Data Protection Regulation (EU) (2016/679).
“Payroll services” amongst other, means (i) incorporation and verification of source data (holiday, sickness, bonus, etc) for payroll calculation, (ii) effecting monthly gross-to-net calculation in line with local legislation and Client specific configuration, as well as the calculation of payroll related employee and employer taxes/social contributions, (iii) generation of payslips, (iv) preparation and filing of statutory related taxes/social contributions/statistics and other government reports, (v) preparation of the necessary data sheets, certifications for employees, etc.
“Processor” means a data processor or processor (as defined in the Data Protection Legislation).
“Recipient” means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed (as further defined in the Data Protection Legislation).