MOL – Corvinus Organizational Network Research – Data Protection Information

Name and purpose of data processing

The purpose of the data processing is to develop measures (improving information flow, integrating colleagues, improving satisfaction) for the HR organisations of the MOL Group companies, and to develop metrics on cooperation between employees, at departmental level and between departments.

Legal basis for data processing

Article 6(1)(f) GDPR (processing is necessary for the purposes of the legitimate interests pursued by data controllers). Legitimate interest: In MOL Group companies, the HR organisation is a key player in meeting the human resources needs of the business and in facilitating cooperation and information flow between employees. It can perform its tasks to an adequate standard if the HR organisation functions well as a team, information flows well, individuals are integrated into the organisation in their daily work, and communication between members of the HR organisation within the group functions well.

Employee interest: the right to protection of personal data and privacy at work.

The result of the balancing of interests:

  1. Completion of the questionnaire is voluntary and some questions are also optional, i.e. the questionnaire can be completed in a way that the participant does not answer all the questions.
  2. The target group of the questionnaire is the HR organisation, where good communication between employees is a key issue.
  3. Stakeholders, due to the nature of their job, may have a reasonable expectation that the employer will use questionnaires to map and develop effective workplace communication, with several employees in the HR organisation having a responsibility to complete questionnaires with similar purposes with employees in the business areas they support.

The interest assessment test will be provided upon request.

 

Scope and source of the data processed

The data processed to compile the evaluation logic of the questionnaire and to send out the questionnaire: name, department, position, company name, email address, place of work, language of completion.

The data provided in the Informal network survey for MOL HR team questionnaire (name, gender, age group, highest level of education, job title, etc.), the answers to the questions asked in the questionnaire.

On the basis of the completed questionnaires, the data processor produces a network diagram, which statistically illustrates the effectiveness of the communication between colleagues in the form of a graph (e.g. information flow is dense by default, but the team is divided into several parts, certain employees are on the periphery, etc.).

MOL Plc as Data Controller will formulate team level action plans based on the network diagram.

 

The measures will target 3 main areas:

  • Identification of communication centres: the diagram will help to identify the teams in which people who are information centres (hubs) are located, so that if rapid and efficient information sharing is needed in the future, it will be possible to start at these points.
  • It will identify possible gaps in cooperation where improvement actions can be developed.
  • Identification of knowledge centres and integration of new entrants with them: support the integration process of new entrants according to the identified professional knowledge centres.

Source of data: Recorded from the participant.

 

Duration of data processing

MOL Plc will delete the questionnaires two weeks after the date on which the data processor creates the network diagram.

Recipient of data transfer

MOL Plc will only provide the subsidiaries with the network diagram, which does not contain any personal data.

Data processor and data-processing activities

MOL IT & Digital GBS Kft. (1117 Budapest, Galvani út 44.) – the provision of IT and server services closely related to data management.

Corvinus University of Budapest NETI LAB (NETI) Address for correspondence: 1093 Budapest, Fővám tér 8.

E-mail: netilab@uni-corvinus.hu

Website: www.netilab.hu – create network diagrams based on the evaluated questionnaires.

  1. MOL Plc. will first provide NETI as the data processor with the data necessary to compile the evaluation logic of the questionnaire and to send the questionnaire: name, department, position, company name, email address, place of work, language of completion. NETI will delete these data immediately after the questionnaire evaluation logic has been compiled.
  2. MOL Plc staff will provide the data from the completed questionnaires in pseudonymised form and NETI will use this pseudonymised data to produce a network graph containing statistical data.

BELBIN Associates (3 – 4 Bennell Court, West Street, Comberton, Cambridge, UK, CB23 7EN) – NETI’s sub-processor: provider of some of the questions in the questionnaire, operation of the interface for completing the questionnaire, production of reports.

When logging in to the BELBIN interface, the data subject enters a name (not required to be their own name, can be a nickname/artist name/surname) and email address.

Qualtrics LLC (company seat: Utah, 333 West River Park Drive, Provo; registration number: 5133831) – operating the interface for filling in the questionnaires.

Name, address, telephone number, website (where the privacy notice is available) and e-mail address of the data controller(s):

MOL Nyrt., 1117 Budapest, Október huszonharmadika u. 18.

Contact person(s) of the data controller(s): DVigvari@MOL.hu

Name and contact details of the Data Protection Officer(s) at the Data Controller: dpo@mol.hu

Persons entitled to access data at the Data Controller (per processing purpose):

MOL Plc. HR Group HR Executive Director Professional Assistant – Only the Professional Assistant will be able to link employees to names.

Name, address, telephone number, website (where the privacy notice is available) and e-mail address of the data processor(s) and other data controller recipient(s):

MOL IT & Digital GBS Kft. (1117 Budapest, Galvani út 44.) Email: itu@mol.hu

Corvinus University of Budapest NETI LAB (NETI) Address of correspondence: 1093 Budapest, Fővám tér 8.

E-mail: netilab@uni-corvinus.hu

Qualtrics LLC company seat: Utah, 333 West River Park Drive, Provo; registration number: 5133831

Contact person(s) of the Processor(s) and other data controller recipient(s):

MOL IT & Digital GBS Kft.

Email: itu@mol.hu

Corvinus University of Budapest NETI LAB (NETI)

E-mail: netilab@uni-corvinus.hu

Qualtrics LLC company seat: Utah, 333 West River Park Drive, Provo; registration number: 5133831

 

Name and contact details of the Data Protection Officer(s) of the Data Processor:

MOL IT & Digital GBS Kft.

Email: dpo@mol.hu

Corvinus University of Budapest, Dr. Locsmándi Balázs

E-mail: adatvedelem@uni-corvinus.hu

Qualtrics LLC company seat: Utah, 333 West River Park Drive, Provo; registration number: 5133831

Individuals entitled to access the data at the Data Processor:

MOL IT & Digital GBS Kft. employees responsible for system operation

Corvinus University of Budapest NETI LAB (NETI) Staff: Rebeka O. Szabó, László Lőrincz

Processing of special personal data for the purposes set out in this Privacy Notice: –

Transfer of data to a third country: BELBIN Associates is based in the United Kingdom, which is a third country outside the European Union. According to Article 45(1) of the GDPR, a transfer of personal data to a third country or an international organisation may take place if the Commission has determined that the third country, a territory or one or more specific sectors of a third country, or the international organisation in question ensures an adequate level of protection. Such a transfer does not require a specific authorisation. The United Kingdom ensures an adequate level of protection for personal data; a decision of the European Commission on this matter is available at the link below.

decision_on_the_adequate_protection_of_personal_data_by_the_united_kingdom_-_general_data_protection_regulation_en.pdf (europa.eu)

 

The fact of automated decision-making, including profiling, and, at least in these cases, clear information on the logic used and the significance of such processing and its likely consequences for the data subject: –

Data security measures:

Information security management system: Ensure the confidentiality, integrity and availability of organisational information by implementing policies, processes, process descriptions, organisational structures, software and hardware functions.
Physical access: Securing physical assets that contain data relating to the MOL Group.
Logical access: To ensure that only approved and authorised users have access to data used by MOL Group companies.
Data access: To ensure that only persons authorised to use the systems have access to MOL Group corporate data.
Data transmission/storage/destruction: To ensure that MOL Group company data cannot be transmitted, read, modified or deleted by unauthorised persons during transmission or storage. In addition, ensure the immediate deletion of MOL Group Corporate Data when the purpose of the processing ceases.
Confidentiality and integrity: To ensure that MOL Group’s corporate data is processed in a confidential and up-to-date manner and to preserve its integrity.
Accessibility: To ensure that MOL Group corporate data is protected against accidental destruction or loss, and in the event of an incident that results in such consequences, to provide timely access to and recovery of the affected MOL Group corporate data.
Data segregation: To ensure that data of MOL Group companies is treated separately from data of other customers.
Incident management: In the event of any breach of MOL Group’s corporate data, the impact of the breach should be minimised and the owners of MOL Group’s corporate data should be notified immediately.
Audit: Ensuring that the processor regularly tests, reviews and evaluates the effectiveness of the technical and organisational measures outlined above.

Your rights regarding data processing:

Your data protection rights and remedies and their limitations are set out in detail in the GDPR (in particular Articles 15, 16, 17, 18, 19, 20, 21, 22, 77, 78, 79 and 82 of the GDPR). You may request information about your data at any time, request the rectification, erasure or restriction of processing of your data, object to processing based on legitimate interest and to the sending of direct marketing messages, and have the right to data portability. The most important provisions are summarised below.

Right to information:

Where the Data Controller processes personal data relating to you, the Data Controller is obliged to provide you with information, even without your request, on the most important features of the processing, such as the purposes of the processing, the legal basis for the processing, the duration of the processing, the identity and contact details of the Data Controller and its representative, the recipients of the personal data (with appropriate and suitable safeguards in the case of transfers to third countries), the legitimate interests of the Controller and/or third parties in the case of processing based on legitimate interests, and your rights and remedies (including the right to lodge a complaint with a supervisory authority) in relation to the processing, if you do not already have this information. In the case of automated decision-making and profiling, the data subject must also be informed of the logic used and be provided with clear information on the significance of such processing and the likely consequences for the data subject. The controller provides this information by making this notice available to you.

Right of access:

You have the right to receive feedback from the Data Controller on whether or not your personal data are being processed and, if such processing is ongoing, the right to access your personal data and certain information relating to the processing, including the purposes of the processing, the categories of personal data concerned, the recipients of the personal data, the (envisaged) duration of the processing, the rights and remedies of the data subject (including the right to lodge a complaint with a supervisory authority) and, where the data are collected from the data subject, information on the source of the data. Upon your request, the Data Controller will provide you with a copy of the personal data which are the subject of the processing. For additional copies requested by you, the Controller may charge a reasonable fee based on administrative costs. The right to request a copy must not adversely affect the rights and freedoms of others. The Controller will provide you with information on the possibility of obtaining a copy, the method of obtaining a copy, the possible costs and other details at your request.

In the case of automated decision-making and profiling, the data subject shall have access to the following information: the logic used, the significance of such processing and the likely consequences for the data subject.

Right to rectification:

You have the right to have inaccurate personal data relating to you corrected by the Data Controller without undue delay upon your request. Taking into account the purposes of the processing, you have the right to request that incomplete personal data be completed, including by means of a supplementary declaration.

Right to erasure:

You have the right to have your personal data erased by the Data Controller without undue delay upon your request, and the Data Controller is obliged to erase your personal data without undue delay if certain conditions are met. Among other things, the Controller is obliged to delete your personal data at your request if the personal data are no longer necessary for the purposes for which they were collected or otherwise processed; if you withdraw your consent on the basis of which the data are processed and there is no other legal basis for the processing; or if the personal data have been unlawfully processed; or you object to the processing and there is no overriding legitimate ground for the processing; the personal data must be erased in order to comply with a legal obligation under Union or Member State law applicable to the Controller; the personal data were collected in connection with the provision of information society services.

Right to restriction of processing:

You have the right to have the Controller restrict processing at your request if one of the following conditions is met:

  1. You contest the accuracy of the personal data, in which case the limitation applies for the period of time that allows the Controller to verify the accuracy of the personal data;
  2. the processing is unlawful and you object to the deletion of the data and instead request the restriction of their use;
  3. the Controller no longer needs the personal data for the purposes of processing, but you require them for the establishment, exercise or defence of legal claims; or
  4. you have objected to the processing; in this case, the restriction shall apply for a period of time until it is established whether the legitimate grounds of the Controller prevail over your legitimate grounds.

If processing is restricted on the basis of the above, such personal data, except for storage, may only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for important public interests of the Union or of a Member State.

In the event that the restriction on processing is lifted, the Controller shall inform you in advance.

Right to data portability:

This right is not applicable to the present processing.

Right to object:

You have the right to object, at any time, on grounds relating to your particular situation, to the processing of your personal data based on the legitimate interests of the Controller. In such a case, the Controller may no longer process the personal data unless the Controller demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.

In the case of the present processing, you may decide whether to complete the questionnaire or, if you object to the processing after completion, you may notify the contact person indicated above.

The framework for the exercise of rights:

The controller shall inform you, without undue delay and in any event within one month of receipt of the request, of the action taken in response to the request concerning your rights listed above. If necessary, taking into account the complexity of the request and the number of requests, this time limit may be extended by a further two months. The Data Controller shall inform you of the extension, stating the reasons for the delay, within one month of receipt of the request. If the Data Controller does not take action on your request, it shall inform you without delay, but at the latest within one month of receipt of the request, of the reasons for the failure to take action and of your right to lodge a complaint with the competent data protection supervisory authority (in Hungary, the National Authority for Data Protection and Freedom of Information; “NAIH”) and to exercise your right to judicial remedy. The contact details of the NAIH are: address: 1055 Budapest, Falk Miksa utca 9-11.; postal address: 1373 Budapest, P.O. Box 9.; Tel: +36 1 391 1400, +36 (30) 683-5969 or +36 (30) 549-6838; Fax: +36-1-391-1410; e-mail: ugyfelszolgalat@naih.hu; website: http://naih.hu/.

You can take legal action if your rights are infringed. The court has jurisdiction. You can also choose to bring the case before the court of the place where you live or where you are domiciled.  The court may order the controller to provide information, to rectify, restrict or erase the data, to annul a decision taken by automated processing, or to take into account your right to object. The court may order the publication of its judgment in such a way that the Controller or any other controller and the infringement committed by it can be identified.

You may seek compensation from the controller responsible for the damage caused by unlawful processing (including failure to take security measures). If the controller infringes your privacy rights by unlawfully processing your data or by breaching data security requirements, you may claim damages from the controller. The controller shall be exempted from liability if it proves that the damage or the infringement of the data subject’s personality right was caused by an unforeseeable event outside the scope of the processing.

No compensation shall be payable and no damages shall be recoverable in so far as they result from the intentional or grossly negligent conduct of the injured party.