Name of the Foundation: Lexis Foundation
1. The order of meetings of the Board of Trustees:
The Board of Trustees of the Foundation shall meet as necessary, but at least once a year. Meetings shall be convened by the Chairperson of the Board of Trustees in writing at least 15 days before the meeting, thus informing the members of the place, date and agenda of the meeting. The general meetings of the Foundation may be held in person or online.
A meeting of the Board of Trustees shall be convened at the request of any member of the Board of Trustees. Any member of the Board of Trustees shall be entitled to propose the agenda of the meeting and the proposed agenda item shall be discussed by the Board of Trustees.
Any report to be included or discussed at a meeting of the Board of Trustees must be sent as an annex to the invitation. A quorum shall be constituted if more than 50 % of the members of the Board of Trustees are present.
Meetings of the Board of Trustees shall be chaired by the Chairperson (or, in his/her absence, by the Chairperson in the Chairperson’s absence).
Decisions of the Board of Trustees are generally taken by show of hands and simple majority. In the event of a tie, the Chairperson (or, in his/her absence, the presiding Chairperson) shall have a casting vote. The chief executive officer (i.e. the member of the Board of Trustees) or the person nominated as such must inform all the public benefit organisations concerned in advance that he/she holds such an office at the same time in another public benefit organisation.
Minutes shall be taken at each meeting of the Board of Trustees for the purpose of recording the decisions taken thereat. The minutes shall state the place and date of the meeting and the names of the participants. The minutes shall be signed by the minute-taker and authenticated by the Chairperson. A copy of the signed and certified minutes shall be sent to each member of the Board of Trustees. The Foundation operates in public. Any person may inspect the Foundation’s documents relating to its activities at a time and place agreed in advance with the President, provided that he or she has given at least 15 working days’ notice of his or her request for inspection. Access to documents may not be refused except in cases where such access is covered by data protection, personnel matters, rights relating to personality, business secrets or other confidentiality recognised by law. Decisions taken at a meeting of the Board of Trustees shall be entered in the Register of Decisions after each meeting of the Board of Trustees, numbered in such a way as to show the content, date, scope and number of members (including, where possible, their identity) in favour or against the decision.
The decisions of the Board of Trustees shall be communicated in writing to all concerned within 30 days and published on the Foundation’s website.
The Board of Trustees shall have exclusive decision-making powers:
2. Duties and powers of the Chairperson of the Board of Trustees
3. Functioning of the Supervisory Board, the Supervisory Commissioner
The Supervisory Board, the Supervisory Commissioner, supervises the operation and management of the Foundation. In so doing, it may request reports from the members of the Board of Trustees and information or clarification from the employees of the organisation, and may inspect and examine the books and records of the Foundation. The member of the supervisory board, the supervisory commissioner, may participate in the meetings of the board of trustees with the right to be present in the deliberations. The supervisory commissioner shall be obliged to inform the board of trustees and to call a meeting of the board of trustees if he becomes aware that
a) an infringement of the law or an event (omission) which otherwise seriously harms the interests of the Foundation has occurred in the course of its operation and the elimination or mitigation of the consequences of which requires a decision of the Board of Trustees;
b) facts have arisen which give rise to the liability of the directors or officers.
The Board of Trustees shall be convened on the proposal of the Supervisory Board or the Supervisory Commissioner within thirty days of the date on which the proposal was submitted. If this time limit has expired without result, the supervisory board or the supervisory commissioner shall also be entitled to convene the board of trustees. If the Board of Trustees fails to take the necessary measures to restore the lawful functioning of the Foundation, the Supervisory Board or the Supervisory Commissioner shall immediately inform the body responsible for overseeing the legality of the Foundation.
The chairman of the supervisory board shall be responsible for the functioning of the board, for convening its meetings, for drawing up its reports and for taking the steps required by law in the event of infringements. The chairperson shall be responsible for the annual work of the Committee until the date of the closure of the financial and accounting accounts for the year. The Supervisory Committee may call on outside experts to assist it in its investigations. The Supervisory Committee shall report to the founder on its findings as necessary, but at least once a year. Within the above framework, the Supervisory Committee shall draw up its rules of procedure, the content of which shall not be in contradiction with these rules of organisation and operation and the founding documents.
4. Representation of the Foundation vis-à-vis third parties
The Chairperson of the Board of Trustees is authorised to represent the Foundation vis-à-vis third parties. The President shall represent the Foundation in his/her own capacity. The name of the person authorised to represent the Foundation shall be used in accordance with the notarially certified specimen of the signature when representing the Foundation. The Board of Trustees, acting by a majority, shall have the power to impose restrictions on the right of signature of individual representatives when representing the Foundation.
5. Financial management The Board of Trustees of the Foundation shall determine the rules for the management of funds on the basis of these rules of organisation and operation.
5.1. Financial tasks and powers
The financial functions of the Board of Trustees:
5.2. Disposition of the bank account and powers to issue orders.
The power to authorise the transfer of funds authorises the collection or accounting of revenue or the payment of expenditure after verification of the account or the corresponding supporting documents. This power is conferred on the authorising officer. The powers of authorising officer shall extend to the Chairperson of the Board of Trustees and the financial representative in respect of all the Foundation’s affairs. In all cases, the bank account shall be signed by the person designated by the statutes.
The Foundation shall hold its funds, except for cash payments, in a bank account with a financial institution(s) and shall carry out its cash operations. The bank account shall be used for the payment of debts and the collection of claims.
5.3. House Treasury
Cash transactions are carried out by the cash desk. The President is responsible for the cash management. This responsibility shall include the operation of the treasury in accordance with the law, the establishment of accounting and record-keeping procedures and regular monitoring of compliance with these procedures.
5.4. Document management, records management
The Foundation’s document management is centralised at the Foundation’s headquarters/office. Centralised document management is carried out by the President or the administrator under his/her direct authority. The President shall be responsible for the management and control of the Foundation’s document management. Evidence shall mean any document drawn up for the purpose of recording an accounting event. The supporting documents issued by the Foundation shall be drawn up at the time when the transaction or event takes place. The particulars in the supporting documents must be authentic, reliable and correct in form and content and must be drawn up in accordance with the principle of clarity. Data may be entered in the accounting records only on the basis of a duly drawn up voucher. The Foundation must keep its documents and supporting documents for at least 5 years.
6. Management of the Foundation:
The Foundation shall be managed in accordance with the applicable laws and regulations, as set out in the Foundation’s Articles of Association. In managing the Foundation’s assets, the Board of Trustees shall act with the diligence of a good steward.
The initial assets earmarked for the purposes of the Foundation, the proceeds thereof and the assets subsequently generated during the operation of the Foundation may be used in their entirety during the operation of the Foundation in order to achieve the objectives of the Foundation.
The assets of the Foundation shall be used in accordance with its objectives:
Any natural or legal person or other organisation may apply for a grant from the Foundation. The Foundation may make any grant for any purpose subject to an application. In this case, the application may not contain any conditions which, after consideration of all the circumstances of the case, would lead to the conclusion that there is a predetermined winner (sham application). A fictitious tender may not be used as a basis for the grant of a specific allocation.
The Foundation, the person involved in the management of the Foundation, the sponsor and the relatives of such persons may not receive a grant for a specific purpose, except for services which are available to any person without restriction. The benefits provided by the Foundation for a specific purpose shall be public and may be made known to any person.
The income of the Foundation shall be:
Any income received can be passed on.
Any income/income of the foundation may increase the assets of the foundation or be used directly for the purposes of the foundation. The Foundation may acquire, purchase, lease, own and encumber any property to achieve these purposes. The assets of the Foundation may be used for the purposes and for the operating expenses of the Foundation as laid down in the Statutes and may be used in their entirety. The Board of Trustees shall manage the assets of the Foundation with due care.
Fundraising in the name of or for the benefit of the Foundation shall not involve any harassment of donors or other persons or any violation of personal rights or human dignity. Fundraising on behalf of or for the benefit of the Foundation shall be carried out only on the basis of a written authorisation from the Foundation. Donations to the Foundation shall be recorded at book value or, failing this, at the normal market value.
The costs of the Foundation are as follows:
7. Employment rules.
Obligations of the Foundation as an employer, exercise of employer’s powers. Employer’s powers shall be exercised by the chairman of the board of trustees. The chairman shall propose the employment relationship or use a contract of engagement under the Civil Code.
As an employer, the Foundation is obliged to:
8. Data management by the Foundation
The controller aims to ensure that data is processed in accordance with the provisions of REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Regulation (EC) No 95/46/EC (General Data Protection Regulation, hereinafter „GDPR”).
The use of personal data processed by the controller for private purposes is prohibited.
Employees of the Controller’s departments carrying out processing and employees of organisations involved in processing on behalf of the Controller and carrying out an operation of the Controller shall keep the personal data they have obtained as business secrets. Persons who process personal data and have access to them shall be required to sign a confidentiality declaration.
The data protection obligations applicable to natural or legal persons or unincorporated bodies carrying out processing activities on behalf of the controller shall be enforceable in the contract of engagement with the processor. The Data Controller shall conclude a Data Processor Contract with the Processor, as required by the GDPR.
The current chief executive of the Data Controller (President), taking into account the specificities of the Data Controller, shall determine the organisation of data protection, the tasks and responsibilities for data protection and related activities, and shall appoint the person responsible for supervising data processing.
The head of each department concerned shall be responsible for ensuring compliance with the provisions of the internal rules.
In the course of their work, the staff of the controller shall ensure that personal data are stored and filed in such a way that they cannot be accessed, accessed, altered or destroyed by unauthorised persons.
The data protection system of the controller is supervised by the President.
In relation to data protection, the President shall:
It is forbidden to remove data, documents, files, contact details held by the Data Controller from the office. The Data Controller may authorise this only in exceptional cases, by drawing up documentation containing an appropriate itemised list of which files, documents and for what reason they must be removed from the office.
Changes to entitlements (existing entitlements, assignment of new entitlements, modification, termination of entitlements) shall be documented in the IT system.
In all cases, the person responsible for IT shall consult the holder of the entitlement and the person exercising the right of employer over the claimant on the granting or modification of the entitlement on the order form as to its justification. The chief administrative officer and the person exercising the right of employer over the claimant shall have the right of veto over the granting or modification of the entitlement.
The controller shall also compensate for any damage caused to others by unlawful processing of the data subject’s data or by a breach of data security requirements, or for any damages awarded by a court of law in the event of an infringement of the right to privacy caused by the controller or by a processor of the data subject’s data. The controller shall be exempted from liability for the damage caused and from the obligation to pay the damages if it proves that the damage or the infringement of the data subject’s personality right was caused by an unforeseeable cause outside the scope of the processing. Likewise, it shall not compensate the damage if it was caused by the intentional or grossly negligent conduct of the injured party.
The data subject may exercise his or her right of redress or lodge a complaint with the National Authority for Data Protection and Freedom of Information (1055 Budapest, Falk Miksa u.9-11.) or with the competent court of law of his or her place of residence or domicile.
The Data Controller shall provide the employee with an e-mail account – the employee may use this e-mail address and account exclusively for the purposes of his/her job duties, in order to keep in touch with each other or to correspond with clients, other persons and organisations on behalf of the employer.
Employees may not use the e-mail account for personal purposes or store personal correspondence in the account. Although a company e-mail address is linked to a specific person, its content can only be work-related, as other interested parties may have access to its content if necessary.
The employer has the right to regularly monitor the entire content and use of the e-mail account, the legal basis for data processing being the legitimate interest of the employer. The purpose of the monitoring is to check compliance with the employer’s provisions on the use of the e-mail account and to check the employee’s obligations (Articles 8 and 52 of the Labour Code).
The head of the employer or the person exercising the employer’s rights is entitled to carry out the inspection.
Where the circumstances of the inspection do not preclude this, it must be ensured that the employee is present during the inspection.
The employee must be informed before the inspection about the employer’s interest in the inspection, who on the employer’s side may carry out the inspection, – the rules according to which the inspection may take place (compliance with the principle of gradual approach) and the procedure to be followed, – the employee’s rights and remedies in relation to the processing of data in connection with the inspection of the e-mail account.
The principle of gradualness should be applied in the monitoring process, so that the e-mail address and subject of the e-mail are the primary means of establishing that it is related to the employee’s job and not personal. The content of non-personal e-mails may be examined by the employer without restriction.
If, contrary to the provisions of this policy, it can be established that the employee has used the e-mail account for personal purposes, the employee must be requested to delete the personal data immediately. In case of absence or non-cooperation of the employee, the personal data will be deleted by the employer without being read upon verification. The use of the e-mail account in violation of this policy may lead the employer to take legal action against the employee under labour law.
The computer, laptop, tablet provided by the Company to the employee for work purposes may be used by the employee only for the performance of his/her job duties, the Company prohibits the private use of these devices, the employee may not manage and store any personal data or correspondence on these devices. The Employer may monitor the data stored on these devices. The employer’s control of these devices and the legal consequences thereof shall otherwise be governed by the provisions of the preceding point.
Employees may only consult websites related to their work; the employer prohibits the use of the Internet for personal purposes at the workplace.
The Data Controller is the holder of the Internet registrations carried out on behalf of the Data Controller as part of the employee’s job duties, and the registration must be carried out using an identifier or password that refers to the Data Controller. If the provision of personal data is also required for registration, the Data Controller shall initiate the deletion of such data upon termination of the employment relationship.
Employees’ use of the Internet at work may be monitored by the employer, for which the provisions of the above point apply, as well as the legal consequences.
The employer does not allow the private use of the company mobile phone, the mobile phone may only be used for work-related purposes, the employer may monitor the caller ID and data of all outgoing calls and the data stored on the mobile phone.
Everyone is responsible for the data they handle, whether it is personal data, documentation, trade secrets of other companies or trade secrets of the Data Controller. This data cannot be disclosed to unauthorised persons and all reasonable steps must be taken to protect it.
Persons subject to this Policy shall, in the case of any IT system operated by or with the assistance of the Data Controller, report without delay, but no later than 12 hours, to the Data Protection Officer if they suspect a data breach or if they are aware that a data breach has occurred.
The notification shall be made primarily during working hours, by telephone, and shall also be confirmed by electronic mail at the request of the Data Protection Officer.
Procedure to be followed in the event of a data breach
The Data Protection Officer and other data subjects shall proceed as set out in this Chapter to investigate and determine the seriousness of a personal data breach reported to them or determined under their authority.
Data breach handling procedure:
1. The person responsible for data protection shall contact the administrator of the IT system affected by the data breach (if the incident involves an IT system).
2. The person responsible for data protection must classify the personal data breach in one of the following categories:
3. in the case of a low-level personal data breach, the person responsible for data protection:
4. In case of a medium level data breach:
5. In the event of a high-level personal data breach
The Controller shall, through the person responsible for data protection, keep a register of data protection incidents for the purpose of monitoring the measures taken in relation to the data protection incident and informing the data subject, which shall include the scope of the personal data affected by the data protection incident, the scope and number of data subjects affected by the data protection incident, the date, circumstances, effects and measures taken to remedy the data protection incident, and other data specified in the legislation providing for data processing.
If the data subject so requests, the data protection officer shall provide information on data breaches involving the personal data of the data subject.
The above provisions shall be interpreted in accordance with the applicable law and the statutes.