Sprint Consulting Agile Consulting and Service Limited Liability Company as data controller (hereinafter the Company or the Data Controller) hereunder informs the natural and legal persons using its services (hereinafter Client), the employees of the legal entity’s and its contact persons about their personal data management by the Company.
Company also provides information on the personal data management concerning the visitors of the Company’s websites and those interested in its services (hereinafter Website Visitors).
INFORMATION ON THE DATA CONTROLLER
Company name: Sprint Consulting Llc.
Seat: 1082 Budapest, Corvin sétány 2. A
Company registration number: 01-09-981936
Company Registry: Metropolitan Court of Registration
Tax number: 14567975-2-42
Representative: Árpád Zsolt Bodó (independent), Bernadett Bugnyár, Judit Üveges, Tamás Rábaközi
Telephone number: +36209777466
CHAPTER I. INFORMATION ABOUT CERTAIN DATA PROCESSES FOR CLIENTS AND CLIENTS’ EMPLOYEES
1. Data management related to the application for training, coaching or consulting service provided by the Company, the establishment and fulfillment of the contract for the use of the service, including data processing for the purpose of invoicing and fulfillment of provision obligation in the Adult Education Data System
The range of personal data processed for legal entity clients
- the name, birth name, mother’s name, place of birth, country of birth, date of birth, tax identification number, e-mail address, telephone number, highest level of education of the client participating in the training or consultation, existence of residence in Hungary in the case of non-Hungarian citizens
- the name, email address, phone number and in some cases a LinkedIn profile link of the client’s contact
The range of personal data processed is for natural persons
- worn name, birth name, mother’s name, place of birth, date of birth, tax identification number, e-mail address, telephone number, highest level of education, in case of non-Hungarian citizens, the existence of a Hungarian address.
We inform our clients that the provision of the personal data listed above is a precondition for concluding a contract for the use of the training service, the provision of the data is mandatory, in case of failure to do so we cannot enter into a contract, thus we cannot provide services.
The data subject
In case of legal entity clients
- an employee of the client participating in training or consulting
- the client’s contact person
In the case of natural person clients, the natural person is the client who enters into a contract with the Company for the use of a training service.
The purpose of data management is to process applications for training services for legal entity clients and natural person clients, to create and fulfill a contract for the use of the service, to fulfill the data provision obligation in the Adult Education Data Reporting System, to provide the service, to contact the client / training or counseling participant. The purpose of managing the contact details is to keep in touch with the client, to fulfill the contractual obligations.
The legal basis for data management for legal entity clients
- The processing of the personal data of the employee of the client who has applied for training / participates in training or consulting, is based on the legal basis of Article 6 (1) (f) GDPR, the data processing is necessary for the legitimate interest of the Company to comply with the training services obligations arising out of the contract.
- Balance of interest test: due to the nature of the training or consulting service, it is essential that the Data Controller handles personal data of the employees participating in the training or consulting. Data management covers only the most necessary data that ensures the fulfillment of the data provision obligation or the contact with the employee. Data management also serves the interests of employees, as it allows them to participate in training or consulting and to keep in touch with the Company. The data management in question does not constitute an unjustified interference with the privacy of employees.
- Guarantees: The Company manages personal data only to the extent necessary for the provision of training or consulting services, in order to conduct the training. The data is accessed only by those authorized to do so, and in order to preserve the confidentiality of the data, the Company takes the necessary data security and organizational measures.
Data management in case of contact persons
- Our company manages the contact details of legal entity clients (name, e-mail, telephone number) on a legal basis in accordance with Article 6 (1) (f) of the GDPR. to be able to fulfill our obligations under the contract, to be able to keep in touch with the customer smoothly at all times, and this is possible through the contact person appointed by the customer. The contact person’s right for protection, on the other hand, the right related to his / her privacy, however, the legitimate business interest of the Company and the client in the performance of the contract is stronger than this right. The right to privacy is not violated, as the Company is generally and most likely given the company contact information to the contact person provided by the customer, on which the contact person is required to be available and communicate in order to fulfill his / her job responsibilities.
- Guarantees: The Company handles the contact details only for the purpose of concluding a contract with the customer or performing the contract. Only authorized persons have access to the data.
- Summary: Based on the above, the data controller considers that a legitimate interest in the processing of the data of the customer’s contact person can be established, and this legitimate interest is not overridden by the contact person’s right to privacy.
- If the preliminary negotiations and correspondence do not lead to the conclusion of a contract, the Company shall store the personal data (including the business card) disclosed to it for the purpose of a subsequent contact, establishment of a business relationship based on its legitimate interest (Article 6 (1) (f) GDPR).
- It is in the legitimate interest of the Company to have the client’s data available for the purpose of a possible subsequent conclusion of the contract, thus enabling the contact and conclusion of the contract, which is not only in the interest of the Company, but also in the interest of the client.
The legal basis for data management in case of natural person clients
- The provision of the above data is necessary for the preparation of the contract for the use of the training service, taking preventive legal steps, establishing and fulfilling the contract and fulfilling the obligation to provide data in the Adult Education Reporting System (Article 6 (1) (b) GDPR).
Duration of data management for legal entity clients and natural person clients
- The personal data of the data subjects are stored for 5 years from the termination of the contract for the use of the service (civil limitation period).
Recipients of personal data in the case of legal entity clients and natural person clients:
- In the case of participation in Scrum Alliance Inc. certified training, the data controller is, in addition to the Company, the Scrum Alliance Inc. The Company conducts training, while Scrum Alliance Inc. organizes and conducts the exam and issues certificates.
- As part of this, Scrum Alliance Inc. manages the following personal data: name, address, e-mail address, telephone number, exam result.
- For details on data management by Scrum Alliance Inc., see the following page: https://www.scrumalliance.org/privacy-policy
- See Section III. – Data processors
- In the case of participation in Scaled Agile, Inc. certified training, the data controller in addition to the Company is Scaled Agile, Inc. The Company conducts training, while Scaled Agile, Inc. organizes and conducts the exam and issues certificates.
- As part of this, Scaled Agile, Inc. manages the following personal data: name, address, e-mail address, telephone number, exam result.
- For more information on data management by Scaled Agile, Inc., see the following page: https://scaledagile.com/privacy-policy/
- See Section III. – Data processors
- In the case of participation in Management 3.0 B.V. certified training, the data controller in addition to the Company is Management 3.0 B.V. The Company conducts training, while Management 3.0 B.V. organizes and conducts the exam and issues certificates.
- As part of this, Management 3.0 B.V. manages the following personal data: name, address, e-mail address, telephone number, exam result.
- For more information on data management by Management 3.0 B.V., see the following page: https://management30.com/privacy-policy/
- See Section III. – Data processors
1/a Invoicing related data management information
Data management for the purpose of invoicing and the fulfillment of related legal obligations is closely related to data processing related to the creation and fulfillment of a service contract, however, due to legal requirements for invoicing, data processing related to invoicing for tax and accounting purposes is detailed below.
Scope of personal data
- The invoice issued to the legal entity clients does not contain personal data. The performance certificate attached to the invoice contains the name, email address, telephone number of the employee(s) participating in the service and the detailed name of the service.
- The invoice issued for the name of the natural person client contains the client’s name, address, tax identification number, as well as the name of the service, the date of use and other mandatory data.
- Pursuant to Section 169 of the VAT Act, the name and address of the client are the mandatory data content of the invoice, so their provision is mandatory due to the force of this legislation, in the absence of such data, it is not possible to conclude a contract and provide services.
The data subject is the employee of the legal entity client as well as the natural person client.
The purpose of data management is to issue an invoice for the service used, to preserve the invoice, and to fulfill tax and accounting obligations.
Legal basis for data management
- The data processing takes place on a legal basis in accordance with Article 6 (1) (c) of the GDPR, i.e. the data processing is necessary to fulfill the legal obligation (tax and accounting obligations) of the Company (e.g. Act CXXVII of 2007 on Value Added Tax) – hereinafter referred to as the VAT Act, the obligation to issue invoices pursuant to Section 159 (1) of the VAT Act, to Section 169 of the VAT Act and to Section 167 of Act C of 2000 on Accounting, hereinafter referred to as the Accounting Act, compliance with the data content requirements of the invoice / accounting document).
- The indication of the name, email address and telephone number of the legal entity client’s employee on the certificate of performance and thus its management is based on the legitimate interest of the Company, the detailed information on which is provided in point 1 above.
Duration of data management
- The preservation of the issued invoice as an accounting document on paper basis takes place until the deadline pursuant to Section 169 of the Accounting Act (currently 8 years), until 31 December 2017, Act XCII of 2003 on the order of taxation (old Art.) pursuant to Section 47 (3) and Section 164, while after 1 January 2018, Section 78 (3) of the Tax Act 2017 (new Art.) and pursuant to Section 202 takes place until the right to a tax assessment expires.
Recipients of personal data
- The Company complies with the 2017 CLI on tax administration regulations pursuant to Section 98 of the Act, in the event of a possible tax audit procedure, it is obliged to make the issued invoices and accounting documents available to the tax authority.
- See Section III – Data processors
2. Handling and answering inquires
Scope of personal data processed
- The content of the email, email address, phone number, response to the request.
- In case the request is made or the Company is contacted by filling in the form at the address https://www.sprintconsulting.com/contact, the range of personal data processed is: name, email address, telephone number, the content of the request, the response to the request.
The purpose of data management is to handle and answer the request.
The data subject is the sender of the request or, depending on the content of the letter, an additional person that can be identified by the personal data contained therein.
Legal basis of data management
- If your inquiry is about the training service in the request or you want to negotiate the service contract, we will process the provided personal data on the legal basis according to Article 6 (1) b) of the GDPR, i.e. data processing is necessary to create a service contract and to take steps at your request prior to concluding a contract.
- The request related to the already concluded / performed contract and the personal data contained therein are also processed on the legal basis according to Article 6 (1) (b) GDPR, i.e. the processing is necessary for the performance of the contract and settlement of any claims related to the performance.
- If the subject of the request is not related to the training service, or if the request comes from a natural person acting on behalf of a legal entity, the personal data of the data subject(s) under this point shall be provided in accordance with Article 6 GDPR pursuant to subsection (1) (f), we treat it in the light of our legitimate interest in responding to the data subject’s request and in settling the claims arising from the request.
Our company has performed the balance of interest test and examined the relationship between the above legitimate interest and the right to the protection of privacy concerned. The Company has established that in the case of inquiries, the data subject is the person, who initiates the contact with the Company, voluntarily provides his / her personal data to the Company. It is in the interest of the data subject to receive a response to the request, which requires the processing of the personal data contained in the request by the Company. Based on the above, the Company considers that a legitimate interest in the processing of personal data contained in the request can be established; data processing is essential to respond to the request which do not override a legitimate interest in the data subject’s right to privacy, also given that the request is initiated by the data subject itself.
Duration of data management
- Inquiries and responses to them will be stored until the inquiry is processed and for an additional 10 years for future contact.
- The data processing is subject to the provisions of Section II / 1, if the request is necessary for the establishment of a contract, for taking pre-contractual steps and if our Company finally concludes a contract with the data subject.
- If the request is followed by an application for a training course, the personal data will be processed as set out in point 1 below.
Recipients of personal data: See Section III – Data processors
3. Data management for the purpose of handling complaints
Scope of managed personal data
- In case of a complaint made via e-mail: e-mail address, the content of the request, complaint, the response of the Company
- In case of a complaint made via written request: the content of the request, the complaint, a copy of the reply
- In the case of an oral complaint communicated via telephone or in person, if the client does not agree with the handling of the complaint or it is not possible to investigate the complaint immediately: the Company takes a report about the complaint, and its opinion about the complaint, with a content set out in CLV of 1997 on Consumer Protection and treats the report and a copy of the reply as personal data.
- Pursuant to Article 17/A (5) on Consumer Protection the report on the complaint must contain the following information:
- name and address of the consumer,
- the place, time and manner of submitting the complaint,
- a detailed description of the consumer’s complaint, a list of documents, documents and other evidence presented by the consumer,
- a statement by the Company of its position on the consumer’s complaint, if an immediate investigation of the complaint is possible,
- the signature of the person who took the minutes and the consumer, with the exception of an oral complaint made by telephone,
- place and time of recording the minutes,
- in case of an oral complaint communicated by telephone, the unique identification number of the complaint.
The data subject is the natural person client making the complaint and, depending on the content of the complaint, an additional data subject can be identified by the personal data contained therein.
The purpose of data management is to handle complaints received by the Company orally, via telephone, in writing and via electronic mail based on Article 6 (c) of the GDPR, fulfillment of the legal obligation contained in Article 17/A on Consumer Protection.
Duration of data management: Pursuant to Article 17/A (7) on Consumer Protection the report of the complaint and a copy of the reply to the complaint shall be kept by the Company for five years and shall be presented to the audit authorities upon request.
Recipients of personal data:
- The consumer protection authority, if the Company is obliged to present the report of the complaint and a copy of the reply are presented by the Company in accordance with Article 17/A (7) on Consumer Protection
- See also Section III – Data processors
4. Data management related to adult education activities
In order to fulfill its data provision obligation under this chapter, the Company requests the participants to provide data prior to the training, at the same time as providing the data required for the mandatory data provision in the Adult Education Data System, by filling in the relevant form.
Scope of managed data
- The participant’s name, birth name, mother’s name, place of birth, date of birth, highest level of education, e-mail address, and in the case of non-Hungarian citizens, the existence of a Hungarian address.
The data subject is the person taking part in the training.
The purpose of data management is to fulfill the obligation to provide data on adult education prescribed by law.
Legal basis for data management
- Data management takes place in order to fulfill the legal obligation contained in Section 21 (4) of the Act. LXXVII Section 21 (4) of 2013 on adult education.
Recipient of personal data: Pest County Government Office.
5. Sending direct marketing inquiries
Scope of managed data
- First name, surname, email address, in case of subscription through the website, the date of subscription.
The data subject is the person who has subscribed to the dm (direct marketing) inquiries / newsletter.
The purpose of data management is to send an e-mail message, direct marketing inquiry with information about the new training opportunities, promoting the Company’s services.
The legal basis for data processing is the voluntary consent of the data subject (Article 6 (a) GDPR), which can be provided when registering on the website, in person during the training or with a statement of consent given online after the training.
Duration of data processing: until the withdrawal of consent.
Recipients of personal data: See Section III – Data processors
6. Data management relating to taking and publication of photographs and videos
Our company or its cooperating partner makes photo and video recordings of the participants in the training with their consent.
The scope of personal data: image and sound recording (photo, movie, video).
Data subject is the person participating in the training.
Purpose of data management
- Recordings are made and published for the purpose of promoting and advertising our services. Publication takes place at the website https://www.sprintconsulting.com, on the Company’s electronic and paper-based advertising and marketing materials and on social media interfaces.
- The further purpose of the recording is to subsequently check and improve the quality of the service provided by the Company.
Legal basis for data management
Data processing is carried out on the basis of Article 6 (a) of the GDPR, i.e. with the consent of the data subject. Participants are therefore asked to consent to the recording and publication of photographs and videos at the training site prior to the training.
Duration of data management
- Until withdrawal of the data subject’s consent.
- Withdrawal of consent may be notified at any time by post or e-mail to the registered office of the Company (see Chapter I for contact details).
- If the consent is withdrawn, the Company will delete the photo or video recording, terminate its publication or, if possible, make the data subject unrecognizable on the published photo or video recording in order to prevent further processing of personal data.
- Withdrawal of consent shall not affect the lawfulness of data processing, photo and video recording and publication prior to the withdrawal.
Recipients of the personal data
- The person making the recording, if the Company instructs a third party to do so.
- See Section III – Data processors
CHAPTER II. DATA PROCESSING REGARDING THE DATA OF THE COMPANY’S BUSINESS PARTNERS
The scope of personal data
- Name, address, email address, telephone number of the natural person’s business partners, contract with the partner.
- Personal data processed in case of legal entity business partners are the name, email address and telephone number of the contact person of the legal entity.
- The invoice received and the data on it.
Purpose of data management
- Pre-contractual negotiations and concluding contracts with business partners in order to use our services, fulfillment of the concluded contract, related administration, contact, enforcement of possible claims, fulfillment of tax and accounting obligations related to the contractual relationship.
Legal basis for data management
- Our Company manages the data of natural person clients on the legal basis pursuant to Article 6 (1) (b) of the GDPR, the data processing is necessary for the establishment and performance of the contract between the Company and the natural person client. The processing of personal data brought to the attention of the Company during the negotiations prior to the conclusion of the contract is also carried out on the legal basis pursuant to Article 6 (1) b) of the GDPR (data necessary for the establishment and performance of the contract).
- Our company manages the contact details of the legal entity clients (name, email address, telephone number) on the legal basis according to Article 6 (1) (f) of the GDPR, data management is necessary to enforce our legitimate interest and the legitimate interest of the client, to be able to enter into a contract, to use the service under the contract, to be able to keep in touch with the client at all times, and to fulfill our contractual obligations, and these are possible through the contact person designated by the client. The protected right of the contact person, on the other hand, may be a right related to his / her privacy, however, the legitimate business interest of the Company and the client in the performance of the contract is stronger than that right. The right to privacy is not violated, as the Company is generally and most likely given the company contact details provided to the contact person by the client, on which the contact person is required to be available and communicate in order to fulfill his / her job responsibilities.
- Guarantees: The Company manages the contact details exclusively for the purpose of concluding a contract with the client and fulfilling the provisions of the contract. Only authorized persons have access to the data.
- Summary: Based on the above, the data controller considers that a legitimate interest in the processing of the data of contact persons included in the contract can be established, and this legitimate interest is not overridden by the right of the contact person to protect privacy.
- If the preliminary negotiations and correspondence do not lead to the conclusion of a contract, the Company shall store the personal data (including the business card) disclosed to it, for the purpose of subsequent contact and establishment of a business relationship based on its legitimate interest (Article 6 (1) (f) GDPR). It is in the legitimate interest of the Company to have the data of the client available for the purpose of concluding a subsequent contract, thus enabling keeping in contact and the conclusion of the contract, which is not only in the interest of the Company, but also in the interest of the client.
- The contract and the account (and its data) are managed on a legal basis in accordance with Article 6 (1) (c) of the GDPR in order to fulfill a legal obligation, the data processing is necessary to fulfill the tax and accounting obligations of the Company.
Duration of data management
For the preservation of the contract and the received invoices until the deadline according to § 169 of the Accounting Act (currently 8 years), § 78 (3) and § 202 of the CL Act 2017 on the taxation system (new Art.) until the tax limitation period.
Recipients of personal data
- The Company is subject to the 2017 CLI on tax administration regulations, pursuant to Section 98 of the Act, in the event of a possible tax audit procedure, it is obliged to make the received invoices, accounting documents and contracts available to the tax authority.
- See Section III – Data processors
CHAPTER III DATA PROCESSORS
Our company uses the following data processors during data management. A data processor is a natural person or legal entity that performs data processing operations on personal data on behalf of the Company as a data controller and on the basis of its instructions.
1. Website, email and server related service providers of our Company
1/a Web hosting, email server and email hosting service
The operation of www.sprintconsulting.com and the www.sprintconsulting.hu websites is provided and operated by Jakus és Jakus Szolgáltató Kft. Jakus és Jakus Kft. also provides e-mail services to the Company, in the framework of which it provides an e-mail server and e-mail hosting.
company name: Jakus és Jakus Szolgáltató Kft.
seat: 2030 Érd, Szigetvári u. 39., Hungary
company registration number: 13-09-118040
tax number: 14208304-2-13
E-mail address: jakus [dot] henrietta [at] nicro [dot] hu
Jakus és Jakus Kft. does not process personal data (data according to Chapter II during the visit to the website) for its own purposes, it performs technical operations on them only to the extent strictly necessary for the performance of the service.
1/b Hosting provider of the e-mail system connected to www.sprintconsulting.com and www.sprintconsulting.hu
company name: Google Ireland Limited
seat: Gordon House, Barrow Street, Dublin 4, Ireland
company registration number: 368047
The hosting provider does not manage personal data for its own purposes, it only provides storage space for our Company for the storage of e-mails and the content of www.sprintconsulting.com and www.sprintconsulting.hu.
1/c The hosting provider of www.sprintconsulting.com and www.sprintconsulting.hu websites
company name: Dotroll Kft.
seat: 1148 Budapest, Fogarasi út 3-5., Hungary
company registration number: 01-09-882068
e-mail address: support [at] dotroll [dot] com
The hosting provider does not process personal data for its own purposes, it only provides storage space for our Company to store the content of the www.sprintconsulting.com and www.sprintconsulting.hu websites and the data provided there.
2. Operator of our company’s internal management system (including the data stored there)
company name: Cloud Consulting Kereskedelmi és Szolgáltató Bt.
seat: 2100 Gödöllő, Mohács utca 10., Hungary
company registration number: 13-06-069671
email address: robert [dot] vlajk [at] gmail [dot] com
As the operator of the business system, Cloud Consulting Bt. does not process personal data for its own purposes, it only provides storage space for our Company to store personal data managed by the Company.
company name: Backupify Inc.
seat: 17 Sellers Street, Cambridge, MA 02139, United States
e-mail address: backupify-info [at] datto [dot] com
The provider responsible for backing up electronic storage. Backupify Inc. does not process personal data for its own purposes, it only provides storage space for our Company to store personal data managed by the Company.
3. Maintainers of our company’s computers, printers and their operating system
company name: X-kontroll Irodatechnikai és Informatikai Kereskedelmi Szolgáltató Kft.
seat: 2220 Vecsés, Álmos utca 7., Hungary
tax number: 13008345-2-13
company registration number: 13-09-094157
The maintenance and repair works of the Company’s printers and their operating systems are performed by X-kontroll Kft. During the performance of the above tasks, the data processor may access electronically stored personal data to the extent and for the purpose strictly necessary for the performance of the task, but may not process them for its own purposes.
company name: LANSYSTEM Számitástechnikai Szolgáltató és Fejlesztő Korlátolt Felelősségű Társaság
seat: 1113 Budapest, Diószegi út 60/b. I. em. 3, Hungary
tax number: 10491623-2-43
company registration number: 01-09-074423
e-mail address: klambauer [at] lansystem [dot] hu
The maintenance and repair works of the Company’s computers, printers and their operating systems are performed by Lansystem Kft. During the performance of the above tasks, the data processor may access electronically stored personal data to the extent and for the purpose strictly necessary for the performance of the task, but may not process them for its own purposes.
4. Accounting service providers of our company
company name: IronAge Kereskedelmi és Szolgáltató Bt.
seat: 2310 Szigetszentmiklós, Petőfi utca 9., Hungary
company registration number: 13-06-049297
tax number: 21823411-1-13
e-mail address: ironagekonyveloiroda [at] gmail [dot] com
company name: Creative Account S.R.L.
seat: Str. Petuniel nr. 5 ap. 53, Cluj-Napoca, jud. Cluj, Romania
company registration number: J12/2528/2008
tax number: RO 24025436
E-mail address: creative [dot] account [at] consultingro [dot] com
In order to fulfill its tax, accounting and payroll obligations, our Company uses the above external service providers, who manage the invoices issued to clients and received from business partners in order to fulfill the tax, accounting and payroll obligations of our Company. On behalf of the Company they also manage the data contained therein, as well as the contracts concluded with partners and employees.
5. Foreign partner companies, which participate in the organization of trainings abroad
company name: GoodWill Consulting EOOD
seat: Iztok quarter, 8A `Dimcho Debelyanov` Str., fl. 2 1113 Sofia, Bulgaria
tax number: BG201346683
e-mail address: office [at] gwconsulting [dot] ro.
company name: Mentor plus doo
seat: Visegradska 12a 11000, Belgrade, Serbia
tax number: SR105478527
e-mail address: office [at] mentoreductaion [dot] co [dot] rs
company name: Nowe Motywacje
seat: Nowe Motywacje Sp. z o.o ul. Gustawa Ehrenberga 15, 31-309 Krakow, Poland
tax number: PL6762022871
e-mail address: biuro [at] nm [dot] com [dot] pl
6. Trainers conducting training on behalf of our Company
CHAPTER IV DATA SECURITY
The Company will take the necessary technical and organizational measures and develop appropriate procedural rules to ensure the security of personal data throughout the data management process. The Company undertakes to ensure data security, to take the technical and organizational measures and to establish the procedural rules to ensure that the recorded, stored and processed data are protected and to prevent their destruction, unauthorized use and unauthorized change.
Personal data may only be accessed by designated persons with the highest level of access controls in place. Within the framework of the above, the Company develops and selects IT solutions in such a way as to ensure the exclusive access of those who are entitled to have access to the data and that the data retains their authenticity and integrity. It uses among other measures, password-protected access systems, user authentication, certificates, activity logging, firewall settings, and regular backups. The Company shall take appropriate measures to protect the servers used for data storage.
Communication takes place via an encrypted channel between the browser of the user visiting the website and the web servers.
The Company always monitors the development of technology, applies the available technical, technological, organizational solutions and solutions that meet the level of protection justified by its data management.
CHAPTER V INFORMATION ABOUT THE RIGHTS OF THE DATA SUBJECT
- Right to information (Article 13 GDPR)
- Right of access (Article 15 GDPR)
You may at any time request information about whether our Company is processing your personal data and, if so, exactly which personal data is being processed by our Company. Upon request, we will provide information on the purposes, legal basis, duration of data processing related to you, as well as who receives or has received your data and for what purpose.
In case there is data that we did not obtain from you, you may at any time request information on the source of the data. If automated decision-making or profiling takes place in relation to you, we will inform you about this and the logic used, indicating also the expected consequences of such data processing for you. At present, neither automated decision-making nor profiling takes place at our Company. Should personal data be transferred to a third country or international organization, we will inform you of the appropriate guarantees under Article 46 of the GDPR regarding the transfer.
We provide the first copy of the personal data that is the subject of data processing free of charge. Additional copies may be subject to a reasonable fee based on administrative costs, depending on the amount of data, but it will be communicated to you in advance. If you have submitted your request for information / access electronically, the information will be provided to you in electronic format, unless you request otherwise. The right to request a copy must not adversely affect the rights and freedoms of others.
- The right for correction or supplementation (Article 16 GDPR)
You have the right to request that we correct inaccurate or incorrectly recorded personal information about you. If the data is incomplete, you can request it to be supplemented.
- Right to delete personal data (“right to be forgotten) (Article 17 GDPR)
You can request the deletion of your personal data from us at any time, which we are obliged to comply with, if you have any of the following reasons:
- personal data are no longer required for the purpose for which they were collected or processed;
- you have withdrawn your consent to the processing and there is no other legal basis for the processing;
- you object to the Company’s processing of data based on public interest or a legitimate interest pursuant to Article 21 (1) of the GDPR and there is no overriding legitimate reason for such processing, or you object to the processing of data for direct business purposes pursuant to Article 21 (2) of the GDPR against data management;
- we have processed your personal data unlawfully;
- your personal data must be deleted in order to comply with a legal obligation under Union or Member State law applicable to the Company;
- personal data have been collected in connection with the provision of information society services referred to in Article 8 (1) of the GDPR.
We will not delete the requested data if the data processing is:
- necessary for the exercise of the right to freedom of expression and information;
- necessary for the performance of a legal obligation applicable to the Company (e.g. fulfillment of tax and accounting obligations) or for the performance of a task performed in the public interest or in the exercise of a public authority conferred on the Company;
- in the public interest in the field of public health, in accordance with Article 9 (2) (h) and (i) and Article 9 (3) of the GDPR;
- in accordance with Article 89 (1) of the GDPR, for archiving purposes in the public interest, for scientific and historical research purposes or for statistical purposes, if the right of deletion would make such processing likely to be impossible or seriously jeopardize, or
- necessary for the submission, enforcement and defense of legal claims.
- Right to restrict data management (Article 18 GDPR)
You may request that we restrict the processing of certain of your personal information. We comply with this request by indicating that the processing of the personal data in question is restricted. Restrictions can occur in the following cases:
- You dispute the accuracy of your personal information, in which case the restriction applies to the period of time that allows us to verify its accuracy;
- The data processing is illegal and you oppose to the deletion of the data, instead requesting a restriction on their use;
- Our Company no longer needs personal data for data processing purposes, but you do so in order to make, enforce or protect legal claims;
- You have objected to the processing pursuant to Article 21 (1) of the GDPR. In this case, the restriction applies as long as it is determined whether we have a legitimate reason to process the data, i.e. whether our Company’s legitimate reasons for retaining and processing the data take precedence over the legitimate reasons for deleting your data.
During the restriction period, we will only store the data, we do not perform any other data processing operation, and we will not modify the data, unless i) you consent to further operations or ii) if the processing of data is necessary for the submission, enforcement or protection of legal claims, further (iii) if the processing is necessary to protect the rights of another natural or legal person, or (iv) where the processing is necessary in the overriding public interest of the Union or of a Member State.
In the event of a restriction on data management, we will inform you in advance of the lifting of the restriction in the form and manner in which you requested the restriction of data management.
Our company will inform all recipients of the rectification, deletion or restriction of data processing you have requested and we carried out, with whom we have communicated personal data, unless this proves impossible or requires a disproportionate effort. Upon your request, we will inform you who and which recipients we are informing as detailed above.
- Right to protest (Article 21 GDPR)
You have the right to object to the processing of your personal data at any time for reasons related to your situation, if the processing is carried out in the public interest or in the legitimate interest of the Company or a third party (Article 6 (1) (e) and (f) GDPR). In this case, our Company will not further process your personal data, unless we prove that the processing is still justified by legitimate reasons that take precedence over your interests, rights and freedoms, or that are necessary to bring, enforce or protect legal claims.
You have the right to object at any time to the processing of personal data related to you for the purpose of direct business acquisition, including profiling (if the Company decides to use such information, we will provide you with prior notice) if it relates to direct business acquisition. In the event of an objection, personal data will no longer be processed for direct business purposes. The Company does not perform data processing for direct business purposes currently. If we will do so, we will inform the data subjects separately and obtain their consent in advance.
In the case of data processing for statistical purposes, you have the right to object to the processing of personal data related to you, for this purpose, for reasons related to your own situation, unless the data processing is necessary for the performance of a task in the public interest.
- Right to data portability (Article 20 GDPR)
The data subjects have the right to receive the personal data concerning them provided to us in a structured, widely used, machine-readable format, and to transfer this data to another data controller without our Company preventing this. The data subject’s right to data portability applies to data the processing of which is subject to consent (Article 6 (1) (a) or Article 9 (2) (a) of the GDPR) or performance of a contract (Article 6 (1) of the GDPR) paragraph (b)). If the data subject requests the direct transfer of personal data between data controllers, our Company will indicate whether this is technically feasible on our part.
- Right to complain (Article 77 GDPR)
You can complain to the supervisory authority about the Company’s processing of data, in particular in the Member State where you are habitually resident or where the alleged infringement takes place. In Hungary, the supervisory authority is the National Data Protection and Freedom of Information Authority (1055 Budapest, Falk Miksa utca 9-11., E-mail: ugyfelszolgalat [at] naih [dot] hu, + 36-1-391-1400, chairman: Dr. Péterfalvi Attila, www.naih.hu).
- Right to an effective judicial remedy against the supervisory authority (Article 78 GDPR)
You can seek legal redress and bring an action against a binding decision of the supervisory authority that applies to you (in Hungary, the National Data Protection and Freedom of Information Authority).
You are also entitled to a judicial remedy if the supervisory authority competent under Article 55 or 56 of the GDPR does not deal with the complaint or does not inform you within three months of any procedural developments or the outcome of a complaint under Article 77.
Proceedings against the supervisory authority shall be brought to a court of the Member State in which the supervisory authority has its seat. In Hungary, the Metropolitan Administrative and Labor Court has jurisdiction over legal proceedings against the National Data Protection and Freedom of Information Authority.
- The right to an effective judicial remedy against the controller or processor (Article 79 GDPR)
You have the right to take legal action if, in your opinion, your personal data has not been processed in accordance with the GDPR and as a result, your rights under the GDPR have been violated. The procedure must be initiated in the Member State where our Company operates, i.e. in Hungary. Proceedings can also be brought to a court in your Member State of habitual residence (if different from Hungary).
- Right to compensation (Article 82 GDPR)
If you have suffered material or non-material damage as a result of our breach of the GDPR, you are entitled to compensation. If we violate your right to privacy in this area, you are entitled to claim damages.
- Your information about a data incident (Article 34 GDPR)
A privacy incident is a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to personal information processed, such as the hacking of our computer system, loss of your personal information, and so on.
In the event of a data protection incident, we assess its effects and risks (what data are affected, in what quantities, whether they can be replaced, etc.) and take the necessary steps to remedy them immediately.
If a privacy incident is likely to pose a high risk to your rights and freedoms, we will notify you without delay about the incident. This notification shall include all information relating to the incident, in particular:
- The name and contact details of the person who can provide further information on the incident;
- Description of the probable consequences of the incident;
- Description of the measures taken or planned to remedy the data protection incident, including our measures to mitigate any adverse consequences of the incident.
You, as a data subject, do not need to be notified of a data protection incident if any of the following conditions are met:
- appropriate technical and organizational protection measures have been implemented and these measures have been applied to the data affected by the data protection incident, in particular measures that make the data incomprehensible to persons not authorized to access personal data;
- we have taken additional measures following the data protection incident to ensure that the high risk to your rights and freedoms is no longer likely to materialize;
- information would be a disproportionate effort. In this case, we will provide information through publicly available platforms or take a similar measure to ensure effective information.
We will report the incident to the data protection authority within 72 hours of becoming aware of the incident, unless it is not likely to endanger your rights and freedoms. We also keep records of data protection incidents in the detail required by law.
CHAPTER VI ENFORCEMENT OF THE RIGHTS OF THE DATA SUBJECT, SUBMISSION OF THE APPLICATION, CONTACT WITH THE COMPANY
In case you are enforcing your rights, please send your request i) in writing, by post ii) in person to the Company’s registered office or iii) by e-mail to our Chapter I e-mail contact details.
In the case of all requests, it is necessary that the sender of the request confirms his / her identity, so please indicate your personal identification data in the request. In case of a contact person, please also provide the details of the business partner.
If we have any doubts about your identity or the information provided is not sufficient for identification, we may request additional identifying information from you that is necessary and appropriate to confirm your identity.
If you are unable to provide the above information, so there is an obstacle to your identification, please contact our Company in person. If you do not have the opportunity to do so and you cannot prove your identity beyond reasonable doubt, we may refuse to process the application.
Our company will inform you of the action taken on the request without undue delay, but in any case within one month of receipt of the request. If necessary, taking into account the complexity of the application and the number of applications, this deadline may be extended by the Company for another two months. Our Company will inform you about the extension of the deadline within one month from the receipt of the request, indicating the reasons for the extension.
If you have submitted your application electronically, we will provide the information electronically where possible, unless you request otherwise.
If the Company does not take action on your request, we will inform you without delay, but no later than one month from receipt of the request, of the reasons for the failure to take action and of the fact that you may lodge a complaint with a supervisory authority and have legal redress.
Information pursuant to Articles 13 and 14 of the GDPR and Articles 15 to 22 and action pursuant to Article 34 shall be provided free of charge. If a request is manifestly unfounded or, in particular because of its repetitive nature, excessive, having regard to the administrative costs involved in providing the information requested or in taking the action requested:
- we may charge a reasonable fee, or
- we may refuse to act on the request.
What are cookies? The web server places small text files on the computer, mobile phone, tablet, and any other device used to view the website when you visit the website. Cookies are stored in a separate directory on the visitor’s computer, mobile phone, tablet, and any other device.
An HTTP cookie is a packet of information that a server sends to a browser, and then the browser sends it back to the server each time a request is made to the server. Cookies are created by the web server itself using a browser on the user’s machine, where they are stored in a separate directory.
Essential cookie, Session cookie
Some of the cookies are essential for the operation of the website and its certain functions, for navigating the website. Essential cookies help us make our website usable by enabling basic features such as navigating the site and accessing secure areas of the website. The website cannot function properly without these cookies. These cookies are session cookies and do not store personal information and are not suitable for identifying the user. Session cookies remain on the device until the browser window is closed, and these cookies are automatically deleted when the browser window is closed.
Language selection cookie
In order to provide a personalized service to our website visitors, we place language selection cookies on the website that record the language chosen by the user. The cookies that record the language selection remain temporarily on the device and are automatically deleted when you leave the page.
3rd party cookies
These cookies are not necessarily required to use the website, and we ask for your consent in the window at the bottom of the website before placing them. Third-party cookies are downloaded by the visitor’s browser when viewing the website, not from the (sub) domain of the Company, but from the domain of a third party (typically an advertising agency or Facebook), given that the website partly consists of such Third-party modules. Third-party cookies are returned to the third party when a visitor views one of their advertisements or visits their website, for example. Visitors can delete cookies anytime on their own device.
The Company has no control over Third-party cookies, therefore visitors are kindly requested to review the information about these third-party cookies (Third-party cookies):
- Google Analytics
We use the following cookies when browsing our website:
|Cookie name||Cookie description||Cookie lifespan|
|_gat_gtag_UA_15303581_1||Google Analytics||1 minute|
|_gid||Google Analytics||1 day|
|_ga||Google Analytics||2 years|
|Language selection cookie||Immediately after leaving the website|
Cookies can usually be managed in browsers’ Tools/Settings menu under the Privacy/History/Custom Settings menu, called a cookie or trace.
For more information on changing cookie settings, see your browser’s help or the following links:
Mozilla Firefox: https://support.mozilla.org/hu/kb/S%C3%BCtik%20kezel%C3%A9se
Internet Explorer: https://support.microsoft.com/hu-hu/help/17442