PRIVACY POLICY & COOKIES

Sprint Consulting Llc. as data controller (hereinafter Company or Data Controller) hereunder informs the natural and legal persons (hereinafter Client), employees and contact persons of legal persons using its services, regarding processing their personal data by the Company.

Company also informs website visitors and others interested in its services (hereinafter Website Visitors) regarding processing their personal data.

By the current Privacy Policy (hereinafter Privacy Policy) Company performs its obligations set in the Regulation of the European Parliament and Council of Europe (EU) 2016/679 (known as: General Data Protection Regulation or GDPR) and the Act CXII of 2011 on  Informational Self-determination and Freedom of Information (hereinafter Act on Information

The up-to-date version of the current Privacy Policy is available electronically on the website of the Company (www.sprintconsulting.com) under the menu “Privacy Policy” and further in hard copy in the office of Sprint Consulting Llc.

 

 

 

DATA OF THE DATA CONTROLLER

 

Company name: Sprint Consulting Llc.

Seat: 1085 Budapest, József krt. 77-79. fszt. 2.

Premises: 1082 Budapest, Corvin sétány 2. A. ép.

Company registration number: Cg.01-09-981936

Company Registry: Fővárosi Törvényszék Cégbírósága 

Tax number: 14567975-2-42. 

Representative: Bugnyár Bernadett, Office Manager

Telephone number: +36209777466

E-mail: office [at] sprintconsulting [dot] com

website: www.sprintconsulting.com

 

 

I. INFORMATION ABOUT DATA PROCESSING RELATED TO CLIENTS AND EMPLOYEES OF CLIENTS

1. Data processing in connection with application to trainings and workshops provided by the Company, or regarding service contracts of the Company, regarding performing services by the Company including data processing connected to invoicing of services.

Personal data processed in case of legal persons:
  • Name and e-mail address of the employee of Client participating in training or workshop. 
  • Name, e-mail address, link to Linked-In profile of the contact person of Client.

 

Personal data processed in case of natural persons:

 

  • Name, address, e-mail address, telephone number.
  • Please be informed that giving the above personal data is a precondition to agree to use our training and workshop services, it is compulsory to give the above data, and without receiving these data we are unable to enter into contract or provide services.

 

Data subject in case of legal persons:

 

  • Employee of Client participating in a training or workshop.
  • Contact person of Client.

 

Data subject in case of natural persons:

 

  • The natural person Client entering into contract with the Company for using training services.

 

Purpose of data processing in case of legal persons and in case of natural persons

 

Purpose of data processing in case of natural persons:

 

  • Manage applications for training services, create contract for using and performing services, providing services, keeping contact with Client / participant of training.
  • Purpose of contact persons’ data processing is to keep contact with Client, communication, performance of contract obligations as agreed.

 

Legal basis for data processing in case of legal persons:

 

  • Processing of personal data of Client’s employee who applied to or participated in training is based on the GDPR Article 6. (1) f) to pursue the legitimate interest of the Company to perform its obligations set in the contract for providing training services.
  • Processing of personal data of Client’s employee who applied to or participated in training is based on the GDPR Article 6. (1) f) to pursue the legitimate interest of the Company to perform its obligations set in the contract for providing training services.
  • Balance of interest test: Based on the nature of the training services it is necessary for the Data Controller to process personal data of Client’s employee participating in training. Data processing is related to the necessary data that enables us to keep contact with the employee. It is also in the interest of the employee, since it enables participation in the training and keeping contact with the Company. Data processing does not enable any unnecessary intervention in the employee’s private life or privacy.
  • Guaranties: Company only processes relevant personal data in order to provide training services. Data are only accessible for authorised persons, and Company takes all the necessary data protection and organisation measures in order to keep confidentiality.

 

Processing of contact person data

 

  • Processing of personal data of legal person Client’s employee who applied for or participated in training is based on the GDPR Article 6. (1) f) to pursue the legitimate interest of Company and Client to perform obligations set in the contract for providing training services, to keep contact with Client, which is possible via the contact data given by the Client.
  • The protection rights of contact persons can be the right to privacy, but the legitimate business interest of Company and Client prevails in order to perform the obligations agreed in the contract. Privacy rights are not breached since corporate contact details of contact persons are potentially provided by Client in order for them to be accessible and for communication.
  • Guaranties: Company only processes relevant personal data in order to enter into contract with Client and to perform the contracted obligations. Data are only accessible for the eligible persons.
  • Summary: Data Controller considers that it is its legitimate interest to process the data of Client’s contact persons and their right to privacy does not prevail.
  • In case preliminary discussions and correspondence does not lead to entering into contract, Company keeps personal data (including business cards) based on  the GDPR Article 6. (1) f) to pursue its legitimate interest for later contact and business relationship. It is the Company’s legitimate interest to have access to Client data to enable to contact and enter into contract, which is the interest of the Company and Client as well.

 

 

Legal basis for data processing in case of natural persons:

 

  • Processing personal data is based on the GDPR Article 6. (1) b) to pursue the preparation of the contract for training services, the previous legal steps, creation and performance of the contract, providing services.

 

Term of data processing in case of legal persons and  in case of natural persons:

 

  • We keep personal data for another 5 years from the termination of the contract for services (civil law limitation period). 

 

Recipients of personal data in case of legal persons and in case of natural persons:

 

  • In case of participation in training certified by Scrum Alliance, data controller besides Company is Scrum Alliance Inc. Company is organising trainings, Scrum Alliance Inc. is organising the exam, and issues certification. Scrum Alliance processes the following personal data: name, address, e-mail address, telephone number, result of the exam.
  • Further information regarding data processing of Scrum Alliance Inc. is available here: https://www.scrumalliance.org/privacy-policy 
  • See Section III. – Data Processors.

 

1/a Information regarding invoicing

Data processing in connection with invoicing and related legal obligations is in close connection with data processing related to the creation and performance of the service contract. We deal with data processing related to invoicing and related to accounting obligations separately due to invoicing regulations below.

 

Personal data processed:

 

  • Invoices issued for legal person Clients does not include personal data. The certificate of performance attached to the invoice includes only the name of employees participating in the training, and the detailed name of the service.
  • Invoices issued for natural persons include Client’s name, address, name of service, date of service and other compulsory data. Based on  Section 169 of the Act CXXVII of 2017 on Value Added Tax (hereinafter Act on VAT) it is compulsory to include the name and address of Client, therefore it is compulsory to be included, otherwise we are unable to enter into contract and provide services.

 

Data subject:

 

  • Employee of the legal person Client and the natural person client.

 

Purpose of data processing:

 

  • Issue invoice related to the service used, keep files of invoices, perform tax and accounting obligations.

 

Legal basis for data processing:

 

  • Data processing is performed based on the GDPR Article 6. Section (1) c), namely data processing is necessary due to the legal obligation of Company (tax and accounting obligations (e.g. Section 159 (1) of the  Act on VAT) – regarding the obligation to issue invoices, Section 169 of the Act on VAT and Section 167 of the Act C of 2000 on Accounting (hereinafter: Act on Accounting) – regarding the mandatory data to be included on the invoices).
  • Processing and including the name of Client’s employee in the certificate of performance is the legitimate interest of Company, a detailed information is available above in Section 1.

 

Term of data processing:

 

  • We keep issued invoices printed as accounting records based on the following: deadline is based on Section 169 of the Act on Accounting (for 8 years), until 31st December 2017,  based on Section 164 and 47 (3) of the Act XCII of 2003 on General Taxation, and after 1st January 2018 within the limitation period laid down by law for determining tax under Section 78 (3)and Section 202 of Act CLI of 2017 on Tax Administration and the Regulation of Tax Administration (hereinafter: Act on Tax Administration).

 

Recipients of personal data:

 

  • Company is obliged to hand over received invoices, accounting records, contracts to tax authorities in case of a potential tax inspection under Section 98 of the Act on Tax Administration).
  • See Section III – Data Processors.

 

2. Handling and answering requests

Personal data processed:

 

  • Content of the e-mail, e-mail address, Company’s reply to the e-mail.
  • In case request is sent or contact is made via filling the form available on https://www.sprintconsulting.com/contact/ the processed data are name, e-mail, content of request, reply to request.

 

Data subject:
  • Sender of the request and potential further data subjects depend on the identifiable personal data included.

 

Purpose of data processing:

 

  • Manage and reply to the request.

 

Legal basis for data processing:

 

  • In case you require information about training services in your request or you request discussion about contract for services, we process the received personal data on the legal basis under GDPR Section 6 (1) b), that is it is needed for the creation of a service contract, for the necessary initial steps for the contract following your request.  Request regarding concluded or performed contracts and data included are processed on the legal basis under GDPR Section 6 (1) b) therefore data processing is necessary for the performance of the contract or for settling potential requests related to the performance.
  • In case the subject of the request does not relate to training services, or the request is received from a natural person dealing on behalf of a legal person, processing personal data of data subjects is for replying to requests, and for the legitimate interest of settling requirements in the request.
  • Our Company performed the test for weighting of interests and examined the relation of its above legitimate interest and the privacy rights of data subjects. We found that in relation to requests it is the data subject initiating contact and voluntarily providing personal data to our Company. It is in the interest of the data subject to receive an answer to the request for which it is necessary to process personal data included in the request.
  • We found that it is in the Company’s established legitimate interest to process personal data included in the request, it is essential to process data in order to reply to requests, which prevails over privacy rights of data subjects especially that requests are initiated by data subjects.

 

Term of data processing:

 

  • We store requests and replies until we manage requests in case the request is related to creation of a contract or related to initial steps before entering into contract and our Company enters into contract, the terms of data processing is according to Section II/1 respectively. 
  • In case the request is followed by a registration to a training, personal data processing is according to Section 1 respectively.

 

Recipients of personal data
  • See Section III – Data Processors

 

3. Data processing due to managing complaints

 

Personal data processed

 

  • Complaint received via e-mail: e-mail address, content of complain, the Company’s reply to the complaint.
  • In case of complaint in writing: the request, content of the complaint, copy of the reply.
  • Complaint via telephone or personal contact, in case Client does not agree with the management of the complaint or it is not possible to examine the complaint: Company takes the minutes on the complaint and the Company’s point of view regarding the complaint with content based on Section 17/A (5) of the  Act CLV of 1997 on Consumer Protection (hereinafter: Act on Consumer Protection). The minutes and a copy of the reply is processed as personal data.  Based on Section 17/A (5) of the Act on Consumer protection, the minutes shall contain the following data: 

 

a) name and address of Client,

b) place, time and way of complaint,

c) detailed description of the complaint, documents and other evidences presented by Client,

d) statement of the Company regarding its point of view related to the complaint of Client, in case immediate examination of the complaint is possible,

e) signature of the person taking the minutes and – except for telephone complaints – of Client,

f) place and time of taking the minutes,

g) in case of telephone complaint, the unique identification number of the complaint.

 

Data subject:

 

  • Further identifiable data subjects based on personal data given in the complaint, depending on the natural person Client and the content of the complaint.

 

Purpose of data processing:

 

  • Management of complaints received verbally, via telephone, in writing, via e-mail, performance of legal obligations under Section 17/A of the Act on  Consumer Protection.

 

Legal basis for data processing:

 

  • Data processing is on the legal basis under GDPR Section 6 c), the legal basis is the performance of legal obligations under Section 17/A of the Act on Consumer Protection.

 

Term of data processing:

 

  • Company stores the minutes of the complaint and a copy of the reply to the complaint for five years under Section 17/A of the Act on Consumer Protection and presents them by the request of the supervisory authorities.

 

Recipients of personal data:

 

  • The Consumer Protection Authority in case it obliges the Company to present  the minutes of the complaint and a copy of the reply to the complaint under Section 17/A of Act on Consumer Protection. 
  • See Section V – Data Processors

 

4. Data processing with statistical purposes

Our Company has a legal obligation to provide data to the National Office of Vocational and Adult Education within 10 days following the final exam, or in case the training is less than 25 hours until the 10th January the following year, based on the content of the form provided by law, on one hand about the participants, on the other hand about certain data of the training (OSAP reporting). Data submission is anonymous, training participants are not identifiable directly or indirectly based on the data submitted, therefore data does not constitute as personal data. In order for the Company to comply with the statistical reportable account, it requests training participants to provide data anonymously by filling the relevant form.

Anonymous data processed:

 

  • Training participants’ year of birth, higher education, gender, postal code of address, employment status, date of application, information about finishing the training, information about successful exam, the number of the current qualifications of the participant.

 

Data subject:

 

  • Training participant

 

Purpose of data processing:

 

  • Anonymous statistical reportable account by legal obligation.

 

Legal basis for data processing:

 

  • Data processing is a legal obligation under Section 21 (4) of Act LXXVII of 2013 on Adult Education.
  • Further related regulation: Government Decree on data collection and data transmission by the National Statistics Survey 288/2009. (XII. 15.) Annex 8.

 

Recipients of anonymous data:

 

  • National Office of Vocational and Adult Education.

 

 

5. Direct marketing

Personal data processed:

 

  • Birth name, family name, e-mail address, date of subscription in case of subscription via website.

 

Data subject:

 

  • Person subscribed for direct marketing newsletters.

 

Purpose of data processing:

 

  • E-mail, direct marketing message to promote services of the Company, to inform about new training possibilities.

 

Legal basis for data processing:

 

  • Voluntary consent of the data subject (GDPR Article 6 a) via subscription on the website or via written consent during training.

 

Term of data processing:

 

  • Until consent withdrawal.
Recipients of personal data:

 

  • See Section III – Data Processors

 

 

6. Data processing related to taking or publishing photos and videos

 

Our Company or our assignee takes photos and videos of training participants during training – based on consent.

Personal data processed:

 

  • Picture and record (photo, motion picture, video).

 

Data subject:

 

  • Training participant.

 

Purpose of data processing:

 

  • The purpose of taking and publishing photos and videos is to promote our services. Publishing is via https://www.sprintconsulting.com website, electronic and printed promotion and marketing materials and social media channels.
  • Further purpose of making records is to analyse and develop service quality levels of the Company.

 

Legal basis for data processing:

 

  • Data processing is based on voluntary consent of the data subject (GDPR Article 6 a). Therefore, we request training participants to give their written consent to taking and publishing photos and videos at the place of the training.

 

Term of data processing: 

 

  • Until consent withdrawal.
  • Consent withdrawal can be communicated at any time via post or e-mail addressed to the Company (see contact details in Section I). 
  • In case of consent withdrawal the Company deletes the photos and videos taken, stops publishing or if possible makes the data subject unrecognisable in the published photo or video in order to stop processing the relevant personal data.
  • Consent withdrawal does not relate to data processing or legal basis for making and publishing photos and videos before withdrawal of the consent.

 

Recipients of personal data:

 

  • The person taking the photo or video, in case the Company assigns a third person.

 

  • See Section III – Data Processors

 

II. Data processing regarding data of business partners

Personal data processed:

 

  • Name, address, e-mail address, contract in case of natural person business partners.
  • Name, telephone and e-mail address of the contact person in case of legal persons business partners.
  • Received invoice and data included.

 

Data subject:

 

  • Initial discussions before entering into contract and entering into contract with business partners for service providing, performance of contracted services, related management, contact management, performance of requirements, performance of legal obligations under tax and accounting regulations.

 

Legal basis for data processing:

 

  • Our Company processes data of natural person business partners under the legal basis under GDPR Section 6 (1) b), data processing is necessary for entering into and for performance of contract between the Company and its natural person business partner. Data received during initial discussions before entering into contract is also on the legal basis under GDPR Section 6 (1) b) (data processing is necessary for entering into and for performance of contract). 
  • Our Company processes data of legal person business partners (name, e-mail, telephone) on the legal basis under GDPR Section 6 (1) f), data processing is in our  and our business partner’s legitimate interest to be able to enter into contract, to use the contracted services, to keep contact with the business partners, to perform contracted obligations, which is possible via the contact person(s) received from the business partner. The contact person can be legally protected by privacy rights, however the legitimate interest of the Company and the business partner to perform the contracted services prevails. Privacy rights are not infringed since the Company usually and most likely receives corporate contact details from the business partner, and it is the contact person(s)’ duty to be available and to keep contact.
  • Guaranties: The Company only processes data of the contact person(s) for the purposes related to the contract and performance of the contracted services. Only authorised persons have access to data.
  • Summary: Based on the above, data processor considers its established legitimate interest to process data of the contact persons included in the contract, and the contact person(s)’ privacy rights do not prevail.
  • In case the initial discussions and correspondence does not lead to entering into contract, Company stores the received personal data (including business cards as well) based on its legitimate interest (GDPR Article 6 (1) f)) for the purpose of later contact and creation of business relationship. It is the legitimate interest of the Company to have the data of the business partner enabling contact and entering into contract which is mutual interest of the Company and the business partner.
  • Legal basis for processing the contract and the invoice (and the data included) is the GDPR Section 6 (1) c), for performing legal obligation, data processing is necessary for the performance of legal obligations under tax and accounting regulations.

 

Term of data processing:

 

  • We keep received invoices until the deadline set in Section 169 of the Act on Accounting (currently 8 years), until taxation limitation period under Section 78 (3) and 202 of Act CL of 2017 on the Rules of taxation (hereinafter: Act on the rules of taxation).

 

Recipients of personal data
  • Company is obliged to hand over received invoices, accounting records, contracts to tax authorities in case of a potential tax inspection under Section 98 of Act on the rules of Taxation.
  • See Section III – Data Processors.

 

III. DATA PROCESSORS

Our Company is engaged with the data processors below. Data Processor is a natural person or legal person performing data processing in the name of and based on the orders of the Company as data controller.

 

1.    Website, e-mail and e-mail hosting service providers

 

1/a. Webhosting, e-mail server and e-mail hosting services

The website www.sprintconsulting.com is managed by Jakus és Jakus Ltd. Jakus and Jakus Ltd. provides e-mail services as well, providing email server and e-mail hosting services.

Company name: Jakus és Jakus Szolgáltató Kft.

Seat: 2030 Érd, Szigetvári u. 39.

Company registration number: 13-09-118040

Tax number: 14208304-2-13

E-mail: jakus [dot] henrietta [at] nicro [dot] hu

Jakus és Jakus Kft. Ltd. does not process personal data for its own purposes (data during visiting the website based on Section III) and only performs technical operations for the purpose of performing services.

1/b. The e-mail hosting service provider connected to www.sprintconsulting.com

Company name: Google Ireland Limited

Seat: Gordon House, Barrow Street, Dublin 4, Írország

Company registry number: 368047

The hosting service provider does not process personal data for its own purposes, it only provides hosting services for our e-mails and website www.sprintconsulting.com.

1/c. The hosting service provider of www.sprintconsulting.com

Company name: Dotroll Kft. 

Seat: 1148 Budapest, Fogarasi út 3-5.

Company registry number: 01-09-882068

E-mail: support [at] dotroll [dot] com 

Website:  https://dotroll.com/hu

The hosting service provider does not process personal data for its own purposes, it only provides hosting services for our website www.sprintconsulting.com.

 

2. The internal operation management (including data hosting) service provider: 

2/a.

Company name: Cloud Consulting Kereskedelmi és Szolgáltató Bt. 

Seat: 2100 Gödöllő, Mohács utca 10.

Company registry number: 13-06-069671

E-mail: robert [dot] vlajk [at] gmail [dot] com

The operation management service provider does not process personal data for its own purposes, it only provides hosting services for the personal data.

2/b.

Company name: Backupify Inc. 

Seat: 17 Sellers Street, Cambridge, MA 02139, United States

E-mail:  backupify-info [at] datto [dot] com

Website:  www.backupify.com/

The electronic backup hosting service provider does not process personal data for its own purposes, it only provides hosting services for the personal data.

3. Maintenance service provider for computers, printers and its operational system

3/a.

Company name: X-kontroll Irodatechnikai és Informatikai Kereskedelmi Szolgáltató Kft. 

Seat: 2220 Vecsés, Álmos utca 7

Tax number: 13008345-2-13

Company registry number: 13-09-094157

Website: https://x-kontroll.hu/ 

X-kontroll provides maintenance services for printers and operational systems of the Company. The data processor may have access to personal data while providing services but cannot process personal data for its own purposes.

3/b.

Company name: LANSYSTEM Számitástechnikai Szolgáltató és Fejlesztő Korlátolt Felelősségű Társaság

Seat: 1113 Budapest, Diószegi út 60/b. I. em. 3.

Tax number: 10491623-2-43

Company registry number: 01-09-074423

E-mail: klambauer [at] lansystem [dot] hu

Webiste: https://lansystem.hu/

Lansystem providesmaintenance services for computers and printers of the Company. The data processor may have access to personal data while providing services but cannot process personal data for its own purposes.

 

4. Accounting service providers

4/a.

Company name: IronAge Kereskedelmi és Szolgáltató Bt. 

Seat: 2310 Szigetszentmiklós, Vénusz u. 5752/11

Company registry number: 13-06-049297

Tax number: 21823411-1-13

E-mail: ironagekonyveloiroda [at] gmail [dot] com 

4/b.

Company name: Creative Account S.R.L.

Seat: Str. Petuniel nr. 5 ap. 53, Cluj-Napoca, jud. Cluj, Romania

Company registry number: J12/2528/2008

Tax number: RO 24025436

E-mail: creative [dot] account [at] consultingro [dot] com

Our Company uses the services of the above companies to perform its tax, accounting and payroll obligations. These companies process our invoices issued and received, as well as data included there, furthermore our contracts with partners and employees in order to fulfill tax, accounting and payroll obligations for and on behalf of the Company.

 

5. Foreign partners cooperating in training abroad

5/a. 

Company name: GoodWill Consulting EOOD

Seat: Iztok quarter, 8A `Dimcho Debelyanov` Str., fl. 2 1113 Sofia, Bulgaria

Tax number: BG201346683;

E-mail: office [at] gwconsulting [dot] ro

5/b. 

Company name: Mentor plus doo

Seat: Visegradska 12a 11000, Belgrade, Serbia Tax no.: SR105478527

Tax number: SR105478527

E-mail: office [at] mentoreductaion [dot] co [dot] rs

5/c. 

Company  name: Nowe Motywacje

Seat: Nowe Motywacje Sp. z o.o ul. Gustawa Ehrenberga 15, 31-309 Krakow, Poland

Tax number: PL6762022871[.]

E-mail: biuro [at] nm [dot] com [dot] pl

In case training participants participate in training outside Hungary, our Company cooperates with the above partners. Application for training abroad is via our Company as well as in case of local trainings. After receiving the application our Company forwards participants’ data to the partner company. Partner companies process participants personal data for the purpose of providing the training and performing tax and accounting obligations (see the present information Section 1 and 1a regarding the list of personal data)

 

6. Trainers providing training on behalf of our Company

The trainer has access to the personal data of training participants. Our Company cooperates with several trainers and it varies based on the training. With reference to the various trainings and to the high number of trainers we do not list the name of the trainers in the present information. We inform participants about the person of the trainer before the training or on the day of the training the latest.

 

III. DATA SECURITY

Company does all the necessary technical and organisational arrangements and creates related internal regulations in order to guarantee personal data protection throughout the entire process. Company is obliged to maintain data protection, creates all the technical and organisational actions and internal regulations in order to maintain security of recorded, hosted and processed data, further it prevents loss, unauthorised use or modification.

Only authorised persons have access to personal data by using the highest access control. Information technology solutions of the Company are created and selected to secure exclusive access for authorised persons and to secure that data remain authentic and unchanged. For these purposes we use password protected access systems, certifications, activity logs, firewall settings and regular backup savings. Company takes all the necessary steps to secure protection of hosting servers.

Communication between visitors’ browsers and web servers is through secure channels.

Company monitors technical development and available technological, organisational and other solutions in order to secure reasonable protection levels.

 

IV. INFORMATION ABOUT THE RIGHTS OF DATA SUBJECTS

 

We inform you about your rights regarding processing your personal data processing based on the current guidelines.

 

  • Right to information (GDPR Article 13)

 

Our Company fulfills its obligations regarding information under GDPR Article 13 with the current guidelines considering that both Clients and business partners provide their personal data themselves.

Right to access (GDPR Article 15)

 

You can request information anytime regarding the processing of your personal data and about the nature of your processed personal data. By your request we give you information regarding the purpose, legal basis, term of data processing and further who and for what purpose receives or received your personal data. In case of data we received from other sources than you, you can request information anytime regarding the source of data. We inform you in case of automatic decisions or profiling regarding you and also about the logic applied indicating the consequences of such data processing for you. Currently our Company is not making any automatic decision nor doing profiling. We inform you in case we would forward your personal data to a third country or an international organisation, within the meaning of guaranties in GDPR Article 46.

First copy of the personal data we process is provided by your request free of charge. For further copies we charge a reasonable fee based on the administrative costs and the amount of data, but we inform you about the amount in advance. In case you submitted your access request electronically, we provide you with the information electronically, except in case you request otherwise. Your right to a copy cannot have a negative impact on others’ rights and freedom.

Right to amendment and completion (GDPR Article 16)

 

You are entitled to request the amendment of your imprecise or mistakenly stored personal data. In case your personal data are incomplete, you can request a completion.

Right to delete personal data (“right to be obscured”) (GDPR Article 17)

 

You can request the deletion of your personal data anytime, which we are obliged to do in case the reasons below apply:

  1. we do not need your personal data any longer for the reasons they were collected or processed;
  2. you have withdrawn your related consent and there is no other legal basis for the processing of personal data
  3. you object to data processing of the Company for public interest or legitimate interest under GDPR Article 21 (1) and there is no other law that prevails, or you object to data processing on direct marketing under GDPR Article 21 (2);
  4. we illegally processed your personal data;
  5. we are obliged to delete your personal data under an EU or Member State law;
  6. collection of personal data is under GDPR Article 8 (1) related to service offerings connected to information society.

We do not delete the personal data in case data processing is necessary:

  1. for practicing freedom of expression and information;
  2. for fulfilling legal obligations of the Company (e.g. tax or accounting obligations), and for public interest, or in order to practice public authority conferred on the Company;
  3. based on public interest for public health under GDPR Article 9 (2) h) and i) and Article 9 (3);
  4. for purposes of public interest archiving, scientific and historical research or statistics under GDPR Article 89 (1), in case the right for deletion potentially makes unable or severely endangers data processing; or
  5. for proposing, upholding or protecting rights to legal requests.
Right to restriction of processing personal data (GDPR Article 18)

 

You can request restricted processing of certain personal data. We comply with this request by indicating that processing the given personal data is restricted. Restriction is applicable in the following cases:

  1. you challenge the precision of your personal data, in case the restriction is limited to the period while we are reviewing the precision of your data
  2. data processing is unlawful and you challenge the deletion of your data, instead you request restriction of data processing
  3. Our Company does not need your personal data for data processing, but you request them for for the establishment, exercise or defence of legal claims;
  4. you objected against data processing under GDPR Article 21 (1). In this case restriction applies until it is defined if we have any legal reason for data processing that prevails, meaning our Company has valid grounds for data processing that prevails your valid grounds related to data deletion.

For the period of restriction we only store data and we do not process or modify them unless i) you give your consent to further actions, or ii) data processing is necessary for seeking, validating or defense of a civil action, or iii) it is necessary to protect the rights of other natural or legal persons, or Iv) data processing is public interest of the EU or Member State.

In case restriction of data processing is released, we will inform you in advance in the way and form you have requested the restriction of processing your personal data.

Our Company informs all addresses about correction, deletion, restriction of data processing you requested and we communicated to whom we transfered your personal data to, except for the case this proves to be impossible or involves disproportionate effort. By your request we inform you about the addresses of whom we transfer or transferred your data to.

Right to objection (GDPR Article 21)

 

You are entitled to object to the processing of your personal data sourcing from your personal situation at anytime, if data processing is public interest or the legitimate interest of the Company or other third party (GDPR Article 6 (1) e) and f).  In this case our Company stops processing your personal data, except for the case where we prove that there are legitimate interests which prevail your interests, rights and freedoms, or which are necessary for seeking, validating or defending civil action.

You are entitled to object to processing your personal data for direct marketing, including profiling (if the Company is using profiling, we give information about this in advance), in case it is related to direct marketing. In case you object, we do not process your personal data for direct marketing purposes. Our Company is currently not processing data for direct marketing purposes, in case it happens, we will inform the related persons and request their consent in advance.

In case of data processing for statistical purposes, you are entitled to object to processing your personal data sourcing from your personal situation, except if data processing is necessary for a legitimate interest action.

Right to data portability (GDPR Article 20)

 

Data subjects are entitled to receive their stored data in sections, widely used, machine-readable form, further these data to be forwarded to another data controller without hindrance from our Company. The right to data portability is related to data processed under a consent (GDPR Article 6 (1) a) or Article 9 (2) a)) or completion of a contract (GDPR Article 6 (1) b)). In case data subject requires direct transferring of personal data between data controllers, we shall indicate if this is technically available on our part.

Right to complain (GDPR Article 77)

 

You can lodge a complaint at a supervisory authority related to processing your personal data – especially in your usual place of residence or in the Member State of the presumed infringements. 

Supervisory Authority in Hungary is the Nemzeti Adatvédelmi és Információszabadság Hatóság (national authority for data protection and freedom of information) (1024 Budapest, Szilágyi Erzsébet fasor 22/C., e-mail: ugyfelszolgalat [at] naih [dot] hu, +36-1-391-1400, Chairman: dr. Péterfalvi Attila, www.naih.hu).

Right to an effective judicial remedy against a supervisory authority (GDPR Article 78)

 

You may seek judicial remedy, bring an action to the supervising authority (Nemzeti Adatvédelmi és Információszabadság Hatóság in Hungary) against the decision in force.

You may seek judicial remedy in case the supervisory authority neglects your complaint under GDPR Article 55 or 56, or you do not receive information within three months about the development or the result of your proceedings.

Proceedings can be started against the supervisory authority at the court of the related Member State. Proceedings against the Nemzeti Adatvédelmi és Információszabadság Hatóság is to be started at the Fővárosi Közigazgatási és Munkaügyi Bíróság. 

Right to an effective judicial remedy against a controller or processor (GDPR Article 79)

 

You may seek civil action in court in case you deem we did not process your personal data according to GDPR and as a consequence we breached your rights under GDPR. Proceedings should be started in the Member State related to the action, that is Hungary. Proceedings may be started in the court of your place of residence (if it is other than Hungary). 

Right to compensation (GDPR Article 82)

 

In case you suffered material or non-material damages due to our Company breaching GDPR, you are entitled to compensation. In case your rights and freedoms are infringed, you are entitled to claim damages.

Communication of a personal data breach to the data subject (GDPR Article 34)

 

Personal data breach occurs when personal data is destroyed, lost, changed, unlawfully published, or unlawful access is given accidentally or illegally, for example if our computer system is hacked and your personal data are lost, etc.

In case of personal data breach, effects and risks are assessed (related data, volume of related data, replacement possibilities, etc.) and we take actions for prevention without delay.

If data breach has potential high risk related to your rights and freedoms, we inform you about the incident without delay. In the notification we provide all the details related to the incident, specifically:

  • the name and contact details of the person who can provide you with further information regarding the incident; 
  • the potential consequences related to the incident; 
  • the  actions we take or plan to take to prevent the data breach incident, including actions to mitigate potential adverse consequences of the incident. 

We do not have to inform you as data subject about the data breach if any of the following conditions apply:

a) we took necessary technical and organisational protection measures and we applied these related to the data involved in the data breached, especially those measures that make data unintelligible for unauthorised persons;

b) we took further actions after the data breach to ensure that the risk related to your rights and freedoms fails to realise;

c) the information would need disproportionate effort. In this case we will inform you via publicly available information or we take similar actions which ensure effective information.

We report the incident to the data protection authority within 72 hours following learning about it, except for the case when it means potentially no risk to your rights and freedoms. We keep record of data breach incidents with the details set by law.

 

V. EXERCISING DATA SUBJECTS’ RIGHTS, SUBMISSION OF REQUESTS, CONTACTING THE COMPANY

 

In case of exercising your rights, please send your request to our Company i) in writing, via post, ii) personally to our seat, iii) via e-mail to our e-mail address in Section I.

It is necessary in case of any requests that the sender identifies himself/herself, therefore we ask you to include your personal data in your request. In case you are a contact person, please give the Client details as well. 

In case we have doubts regarding your identity, or the data are insufficient to identify you, we may require you to provide further data for your identification.

In case you are unable to provide us with the above data, and so your identification is difficult, please visit us personally. In case you are unable to do that, and you cannot identify yourself undoubtedly, we can reject your request.

Our Company shall inform the data subject without delay and at the latest within one month of receipt of the request, about the actions we take following your request. That period may be extended by two further months if necessary, taking into account the complexity and the number of requests. We inform you within one month regarding the extension and its reasons. 

If you submitted your request electronically, we inform you electronically except for the case you request otherwise.

If the Company does not take action on the request of the data subject, we shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

We provide information and action under GDPR Article 13 and 14 and 15–22 and 34 free of charge. If a request is clearly unfounded or extreme – especially if repeated, in the light of administrative costs related to providing the information or the action:

a) we charge a reasonable amount, or

b) we reject action based on the request.