The legitimate interest exists	The transfer of goods/services and its verification in the performance of the contract is an interest that is not solely the Data Controller's interest, but also the interest of the contracting party as a third party, and this interest can be traced back to the fulfillment of contractual obligations.  he Data Controller also has a significant interest in properly fulfilling its contractual obligations, thus avoiding potential legal disputes. It is in the Data Controller's legitimate business interest to ensure satisfaction among its contractual partners and maintain a good business relationship with them.
The data processing is necessary	The data processing is necessary because without the personal data of the representative of a legal entity, the legal entity and the Data Controller cannot establish contact. In the absence of the representative's personal data, communication with contractual partners and the performance of the contract would be significantly hindered, which could impede the fulfillment of contracts.
The data processing is proportionate, and it represents a restriction on the data subject	The Data Controllers will only process the personal data of the data subject's representative to the extent necessary to achieve the legitimate business purpose and/or to establish contact with another external body. The processed data does not belong to the special categories of personal data, which supports the permissibility of this data processing. No harm results from the data processing for the data subject's representative, as the data processing represents a proportionate restriction for them, because the Data Controller ensures the right for the data subject's personal data to be deleted from the Data Controller's records upon request or objection. The Data Controller restricts access to the personal data and limits it to its own employees. In addition, the Data Controller guarantees the appropriate firewall and antivirus protection to ensure the protection of the data, providing a guarantee for the risk-appropriate protection of the data processing.

 

The handling of the signature sample is necessary for the Data Controller's compliance with its legal obligation [GDPR Article 6(1)(c)]. Under Section 3:116 (1) of Act V of 2013, the Data Controller is required to process the signature of the representative of the contracting partner.

(5) Recipients of personal data, or categories of recipients: The personal data may be accessed by the Data Controller’s employees who are involved in the preparation, execution, and storage of the contract. This includes the company’s executives, employees responsible for customer service, contact persons, and employees responsible for the company’s business activities. In addition, the bodies authorized by law to conduct audits under relevant legislation.

(6) Duration of personal data storage: 8 years after the termination of the contract.

Data processing related to non-signatory natural persons designated as contact persons in contracts

(1) Purpose of data processing: Ensuring contact related to the fulfillment of the specific contract or document, facilitating the completion of the contract, and maintaining the contractual relationship.
(2) Data subjects: Natural persons designated as contact persons (non-signatories).
(3) Scope of personal data processed: For the contact person (natural person):

• Name, position (job title)
• Email address
• Phone number
• Mailing address

(4) Legal basis for data processing: The enforcement of the Data Controller’s legitimate interests based on the following balancing test. [GDPR Article 6(1)(f)] The Data Controllers assess that the legal basis for processing the contact data of external partners aligns with the legitimate interest outlined in GDPR Article 6(1)(f), and the processing does not infringe upon the interests or fundamental rights and freedoms of the data subjects in a way that would override the legitimate interests of the Data Controllers (the data subject’s specific interests or fundamental rights and freedoms do not take precedence over the legitimate interest).

Existence of Legitimate Interest	The Data Controllers' legitimate interest lies in maintaining communication related to the contracts they enter into, ensuring contact with the contractual partner, and facilitating the fulfillment of these contracts through such communication. The Data Controllers also have a legitimate interest in storing and using the personal data of potential business partners and/or contact persons from external organizations in relation to future official communication and/or the possibility of entering into contracts, which is consistent with the Data Controllers' activities and business acquisition goals.
Necessity of Data Processing	The processing of personal data is necessary because, without the contact information, communication with contractual partners would be significantly more difficult, which could hinder the fulfillment of contracts.
Proportionality of Data Processing and Restrictions on the Data Subjec	The Data Controllers process the contact person’s personal data only to the extent necessary to achieve the legitimate business acquisition goal and/or to establish contact with external bodies. The data being processed does not fall under the special categories of personal data, which supports the permissibility of the data processing. There is no disadvantage to the data subject’s contact persons arising from the processing of their data. The processing represents a proportional restriction, as the Data Controller ensures the right of the data subject to have their personal data erased from the Data Controller’s records upon request or objection. The Data Controller restricts access to personal data and limits it to relevant employees only. Additionally, the Data Controller guarantees appropriate firewall and antivirus protection for data security, providing a guarantee regarding risk-based protection for the data processing.

 

 

 

(5) Recipients of Personal Data and Categories of Recipients: The personal data may be accessed by employees of the Data Controller who are involved in the preparation, execution, or storage of the contract. The Company’s executive officers, employees responsible for customer service, contacts, and those responsible for the Company's business negotiations. Additionally, any bodies authorized by law to conduct inspections.

(6) Storage Duration of Personal Data: The personal data will be stored for 8 years following the termination of the contract.

Sending Messages via the Company’s Website

(1) Consent for Data Processing

The natural person sending a message on the website can give consent for the processing of their personal data by checking the relevant box.

(2) Scope of Personal Data Processed: The natural person’s name (last name, first name), phone number, and email address.

(3) Purpose of Data Processing: To request a service, inquire about information, or request an offer.

(4) Legal Basis for Data Processing: The data processing is based on the data subject’s voluntary consent [GDPR Article 6 (1)(a)]. Consent can be withdrawn at any time. We inform you that withdrawing consent will not affect the lawfulness of the data processing prior to the withdrawal. In the deletion request, please specify your name and email address for identification purposes.

(5) Recipients of Personal Data and Categories of Recipients: Employees responsible for customer service and marketing activities at the Company, data processors acting on behalf of the Company, especially the Company’s IT and marketing service providers.

(6) Storage Duration of Personal Data: The personal data will be stored for 5 years or until the data subject withdraws their consent (or until their deletion request).

(7) Notice to the Data Subject: The data subject acknowledges that providing personal data is not a prerequisite for entering into a contract, and they are not obligated to provide personal data. The potential consequence of not providing data may be the failure to receive information or the inability to enter into a contract.

Data Processing in the Company’s Online Store (for Resellers Only)

(1) Contractual Relationship in the Online Store: Purchasing from the Company’s online store is considered a contract, in accordance with Section 13/A of Act CVIII of 2001 on Electronic Commerce and Information Society Services and Section 45/2014 (II. 26.) Government Decree on detailed rules for contracts between consumers and businesses. When purchasing through the online store, the legal basis for data processing is the contract.

(2) Purpose of Data Processing: The Company, as a service provider, may process personal identification data and address (residential address) of the natural person registering or making a purchase in the online store to create, define, modify, monitor the performance of, invoice, and enforce claims related to the electronic commerce service agreement under Section 13/A (1) of Act CVIII of 2001. Additionally, with consent, the Company may process their phone number, email address, bank account number, and online identifier.

(3) Purpose of Data Processing for Invoicing: For invoicing purposes, the Company may process the personal identification data, address, delivery address, and data regarding the time, duration, and location of the service use, as per Section 13/A (2) of Act CVIII of 2001.

(4) Recipients of Personal Data and Categories of Recipients: The personal data may be accessed by employees of the Company involved in customer service, finance, shipping, and marketing activities. Data processors of the Company, especially employees of enterprises responsible for tax and accounting duties for tax and accounting compliance, employees of the Company’s IT service provider for hosting service provision, and employees of courier services for delivery-related data (name, address, phone number).

(5) Duration of Data Storage: The data will be stored for as long as the registration or service is active, or until the data subject withdraws their consent (or requests deletion). In case of purchase, the data will be stored until the end of the 8th year following the year of the purchase.

COMPUTHERM E SERIES, COMPUTHERM B SERIES AND COMPUTHERM SMART Mobile Applications

(1) Purpose of Data Processing: If the application encounters a problem, it collects device information (device model, operating system, and version) to help identify the problem and expedite resolution. Location data is used when syncing with local Wi-Fi networks of Wi-Fi thermostats. For security reasons, the app needs permission to automatically retrieve the Wi-Fi network name to which the mobile device is connected. Location data is not used or collected for any other purpose.

(2) Data Subjects: Users of the application.

(3) Types of Personal Data Processed:
Relevant information for the data subject, including:

• Device information
• Device name and MAC address
• Phone operating system/version

The applications implement preventive security measures to protect personal data from loss, leakage, misuse, unauthorized access, disclosure, modification, and deletion, ensuring the protection of user data as a top priority.

(4) Legal Basis for Data Processing: The data processing is based on the voluntary consent of the data subject. [GDPR 6(1)(a)]. Consent can be withdrawn at any time. We inform you that withdrawing consent will not affect the lawfulness of data processing before the withdrawal.

(5) Recipients of Personal Data and Categories of Recipients: Employees of the Company and Data Controller.

(6) Duration of Data Storage: The data will be stored until the consent is withdrawn.

Data Processing in Social Media (Facebook, YouTube, TikTok)

(1) Influence of the Company on Social Media Platforms: The Company has limited influence over data processing by social media platform operators. Where we can influence and parameterize it, we ensure that data processing is compliant with privacy regulations within the available options. In most cases, however, we cannot control the activities of the platform operators, and we do not have information about the specific data they process. The data processing policy of Facebook can be found here: Facebook Privacy Policy The data processing policy of YouTube can be found here: YouTube Privacy Policy The data processing policy of TikTok can be found here: TikTok Privacy Policy

(2) Company’s Facebook Page Data Processing:The Company manages its own Facebook page. Users can subscribe to the page's news feed by clicking the "like" button on the posts. To contact the Company via Facebook, users must log in. Facebook requires and processes personal data for this purpose. The Company has no influence over the type, scope, or processing of this data and does not receive personal data from Facebook’s operator. The personal data of followers on the Facebook page is processed by the Company based on the followers’ voluntary consent, which is considered given by liking, following, or commenting on posts. The data subject declares that they are over 16 years old when requesting services on the Company's Facebook page. Under GDPR Article 8(1), those under 16 years of age require parental consent for data processing. The Company is unable to verify the age or consent of the individual, and the individual guarantees that the provided information is true.

(3) Purpose of Data Processing: The purpose of data processing is to provide information about current news and updates related to the Company, promote the Company’s services, and advertise on social media platforms. The Company uses Facebook for marketing purposes to help potential customers learn about its services and to enable communication with the Company.

(4) Legal Basis for Data Processing: The legal basis for data processing is the voluntary consent of the data subject (in accordance with the data processing regulations of Facebook, YouTube, and TikTok).

(5) Types of Personal Data Processed: The personal data processed includes the name of the data subject; data subjects: users of the social media platforms.

(6) Duration of Data Processing: The data subject may unsubscribe from the Company’s Facebook page by clicking the "dislike" button or by removing unwanted content using the settings. The data will be processed for as long as the service remains active.
(7) Recipients of Personal Data: Employees of the Company involved in customer service and marketing, data processors of the Company, particularly the Company’s IT service provider.
(8) Voluntary Nature of Data Provision: The data subject acknowledges that providing data is not a prerequisite for entering into a contract, and they are not obligated to provide personal data. The potential consequence of not providing data is the lack of receiving information regarding current news and services related to the Company.

Data Processing for Complaint Handling

(1) Complaint Submission Opportunity: We provide the opportunity for natural persons who purchase from the online store or physical store to submit complaints regarding the products sold by the Company.

(2) Types of Personal Data Processed:

• Name and address of the data subject
• Unique complaint identification number (for complaints communicated verbally in the store, by phone, or via other electronic communication services)
• The location, time, and method of complaint submission
• Detailed description of the complaint
• List of documents, photographs, and other evidence submitted by the data subject
• Content of the report, including location and time of recording
• Signature of the data subject, except for verbal complaints via phone or other electronic communication services
• Response to the complaint
• Essential details about the product (order number)
• Email address and phone number of the data subject.

(3) Purpose of Data Processing: The purpose of processing personal data is to manage the sale of products by the Company, customer satisfaction, warranty and guarantee claims, and investigation of complaints as well as fulfilling claims based on legal requirements. The Company ensures a thorough investigation of the complaint submitted by the data subject.

(4) Legal Basis for Data Processing: Compliance with legal obligations (GDPR Article 6(1)(c)), the Hungarian Accounting Act 2000, Section 169, the Hungarian Consumer Protection Act (1997 CLV, Section 17/A), and Government Decree 19/2014 (IV. 29.), Section 4.

(5) Recipients of Personal Data: Employees of the Company involved in customer service, marketing, and complaint handling (business development manager, store manager, sales personnel, warehouse and store clerks), data processors of the Company, particularly the Company’s IT service provider.

(6) Duration of Data Storage:

• For invoices: 8 years, in accordance with the Hungarian Accounting Act, Section 169(2).
• For written complaints: 3 years from the date the complaint was recorded.
• For entries in the complaint book: 3 years from the date of the entry.
• For verbal complaints recorded in a report: 3 years from the date of recording.
• For warranty or guarantee claims: 3 years from the date the report was recorded.

Data Processing for Job Applicants, Applications, and CVs

(1) Types of Personal Data Processed: The personal data that can be processed includes the applicant's name, date and place of birth, mother’s name, address, photograph, phone number, email address, professional history, experience, qualifications, and education. If an interview is conducted with the applicant after their application, the Company will make a record of it, and the content of this record will also be considered personal data.

(2) Purpose of Data Processing:

• Identifying the applicant
• Evaluating the job application submitted by the applicant
• Participation in the selection process
• Selecting the applicant with the appropriate skills and professional experience for the position announced by the Company
• Contacting the applicant and maintaining contact throughout the selection process
• Offering future job opportunities to the applicant if they are not selected for the position applied for.

(3) Legal Basis for Data Processing: The applicant’s consent is given by submitting the job application (GDPR Article 6(1)(a)) and is considered given when the application is sent.

(4) Recipients of Personal Data: The recipients of the personal data are the persons authorized to exercise employer rights at the Company and employees involved in labor-related tasks.

(5) Duration of Data Storage: The Company will delete the personal data of the applicant by December 31 each year following the submission of the job application or will continue processing the data until the withdrawal of the applicant’s consent. The Company will promptly delete the documents submitted by the applicant upon their request. If the applicant requests the deletion of their personal data before the completion of the selection process, the applicant will no longer be able to participate in the selection process.

(6) Social Media Checks: Please note that during the evaluation of applications, we may review publicly available information on social media platforms (Facebook, LinkedIn, Instagram, Twitter, etc.). These will only be processed for informational purposes; they will not be copied, printed, or stored in any way.

Data Processing for Tax and Accounting Obligations

(1) Tax and Accounting Data Processing: The Company processes personal data in order to fulfill its legal tax and accounting obligations (bookkeeping, taxation) as required by law. The data processed includes, particularly, the following:

• VAT Act 2017, Section 169 and Section 202: Tax identification number, name, address, tax status
• Accounting Act 2000, Section 167: Name, address, and the name of the person or organization that ordered the transaction, the approving person, and the person verifying the transaction, and depending on the organization, the signature of the auditor
• Personal Income Tax Act 1995, Section 117: Tax identification number.

(2) Data Processing Related to Mileage and Vehicle Logs: For cost accounting, invoicing, tax base determination, and fuel savings accounting, the Company processes legally required data concerning the use of company and employee vehicles for official and business purposes. This includes:

• Driver’s name
• Vehicle type, license plate number
• Date and purpose of the trip
• Route traveled and visited business partners.

This is in accordance with the Personal Income Tax Act (1995: CXVII) Section 27/2 and 3, Annexes 6 and 7.

(3) Duration of Data Storage: The personal data will be stored for 8 years after the termination of the legal relationship that justifies the data processing.

(4) Recipients of Personal Data: The recipients of personal data are the Company’s employees responsible for tax, accounting, payroll, and social security tasks, as well as the Company’s data processors.

Employer Data Processing

(1) Legal Basis for Data Processing: The Company processes personal data of employees, their family members, workers, and other beneficiaries of allowances, in accordance with the tax laws, for the purpose of fulfilling its legal obligations related to taxes and contributions (tax, tax advance, social security, pension administration, payroll, and social insurance). The processed data includes personal data specified in the tax laws (Act 2017:CL - Tax Procedure Act, Section 7.31), such as:

• Personal identification data (including previous names and titles)
• Gender, nationality, tax identification number, and social security number (TAJ number). Additionally, the Company may process health-related data (Section 40 of the Personal Income Tax Act) and union membership data (Section 47(2)(b)) when required by tax laws, for the purpose of fulfilling tax and contribution obligations (payroll, social insurance).

(2) Duration of Data Storage: Personal data will be stored for 8 years after the termination of the legal relationship that justifies the processing.

(3) Recipients of Personal Data: The recipients of the personal data are the Company’s employees responsible for tax, payroll, social security (employer) duties, and data processors.

Data Processing for Archival Purposes (Permanent Records)

(1) Legal Basis for Data Processing: The Company processes certain documents that are classified as having permanent value according to the Hungarian Archive Act (1995: LXVI), which deals with public documents, archives, and the protection of private archives. The purpose of this processing is to ensure that the permanent records of the Company’s archival materials remain intact and accessible for future generations. The duration of data storage is until the materials are transferred to the public archives.

(2) Recipients of Personal Data: The recipients of these personal data include the Company’s manager, the employee responsible for document management and archiving, and staff from the public archive.

CHAPTER V:

VISITOR DATA MANAGEMENT ON THE COMPANY'S WEBSITE – INFORMATION ON THE USE OF COOKIES

1. Visitors to the website must be informed about the use of cookies, and their consent must be obtained—except for technically essential session cookies.

A cookie is a small text file stored on the long-term storage of the user’s computer or mobile device (HDD, SSD) for the duration defined in the cookie's settings. It reactivates during subsequent visits. Its purpose is to record data related to the visit and personal settings, which, however, are not associated with the visitor's identity. Cookies help create a user-friendly website and enhance the user's online experience. If the user does not consent to the use of cookies by the Data Processor, they must cease using the website.

Purpose of Data Processing:

• To facilitate navigation on the website by recording your preferences and usage habits, making the website easier to use.
• To improve user experience by gathering information on how you use the website, which pages you visit or interact with most frequently, enabling the provision of an enhanced experience during future visits.
• To collect statistics that help us analyze and improve both the website and our other online services.
• To refine and develop the website to better meet your needs.
• To identify potential malicious IT operations.

Legal Basis for Data Processing: For cookies essential for the proper operation of the web interface, the legal basis is the legitimate interest of the Data Controller [GDPR Article 6(1)(f)]. The Data Controller has a legitimate interest in ensuring the secure operation of the website.

If the legal basis for data processing is the legitimate interest of the Data Controller, you as the data subject (i.e., the website user) have the right to object to the processing of your personal data on this basis at any time. In such cases, the Data Controller is obliged to review your objection substantively and decide, based on a so-called balancing test (weighing the interests of the Controller against those of the data subject), whether to continue, restrict, or cease data processing. The Data Controller has conducted a legitimate interest assessment to justify its interests.

The legal basis for processing other types of cookies is the user's voluntary consent [GDPR Article 6(1)(a)]. This consent can be withdrawn at any time. Please note that the withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal. To facilitate identification, please include your name and email address when submitting a deletion request.

Scope of Data Processed: Through placing and reading cookies, we process data related to the visitors' website usage and browsing activities, in line with the purposes of data processing.

Duration of Data Processing: Cookies may be stored for the duration of a session or a defined longer period. Different cookies are stored only for as long as necessary to achieve their purpose. Users can delete cookies stored on their computer or mobile device at any time via their browser settings.

2. Detailed Information About Cookies

2.1. A cookie is a piece of data sent by a visited website to the visitor’s browser (in variable name-value format) for storage and later retrieval by the same website. Cookies can have varying validity periods, ranging from the duration of a browser session to an indefinite period. During subsequent HTTP(S) requests, these data are sent back to the server, allowing the website to modify the data stored on the user’s device.

2.2. Due to the nature of modern web services, cookies are essential for marking a user (e.g., identifying that they have logged in) and enabling customized management during future visits. The potential risk lies in the fact that users are not always aware of this process. Cookies can allow the website operator or third parties with embedded content (e.g., Facebook, Google Analytics) to track users, thereby creating profiles. In such cases, the content of the cookies may qualify as personal data.

2.3. Types of Cookies
2.3.1. Technically Essential Session Cookies: These are necessary for the functional operation of the website. For example, they are used to identify users (e.g., verifying login status or handling items in a shopping cart). Typically, these cookies store a session ID, while other data are stored on the server, ensuring enhanced security. Improperly generated session cookies may pose a risk of session hijacking attacks. It is therefore essential to generate these values securely.
In some terminologies, "session cookies" refers to all cookies deleted when the browser is closed (a session being the period from starting to exiting the browser).
2.3.2. Cookies That Facilitate Usage: These cookies remember user preferences, such as how the user wishes to view the website. Essentially, they store configuration data within the cookies.
2.3.3. Performance Cookies: Although the term "performance" is somewhat misleading, these cookies typically gather information about how users behave on a website, such as time spent, clicks, and navigation patterns. These are often associated with third-party applications (e.g., Google Analytics, AdWords, Yandex.ru cookies) and may be used to create user profiles.

• You can learn more about Google Analytics cookies here.
• You can learn more about Google AdWords cookies here.

2.4. Acceptance of Cookies: It is not mandatory to accept or enable cookies. You can configure your browser settings to reject all cookies or notify you when a cookie is being sent. Most browsers accept cookies by default, but these settings can usually be modified to prevent automatic acceptance.
You can find cookie management information for popular browsers at the following links:

• Google Chrome: Cookie Settings
• Firefox: Enable and Disable Cookies
• Microsoft Internet Explorer 11: Cookie Management
• Microsoft Internet Explorer 10: Cookie Management
• Microsoft Internet Explorer 9: Cookie Management
• Microsoft Internet Explorer 8: Cookie Management
• Microsoft Edge: Privacy FAQ
• Safari: Manage Cookies

However, please note that certain website functions or services may not operate properly without cookies.

3. Information About Cookies Used on the Company’s Website and Data Generated During Visits

3.1. Data Processed During Visits
While using our website, the following data about the visitor or the device used for browsing may be recorded and processed:

• The IP address used by the visitor,
• The type of browser,
• The characteristics of the device’s operating system (including the set language),
• The time of the visit,
• The visited (sub)page, function, or service,
• Clicks.

These data are retained for a maximum of 90 days and are primarily used to investigate security incidents.

3.2. Cookies Used on the Website
3.2.1. Technically Essential Session Cookies

Purpose of Data Processing: Ensuring the proper functioning of the website. These cookies are necessary for visitors to browse the site, use its features smoothly and fully, and access the services available through the website. This includes, but is not limited to, remembering actions performed by the visitor on specific pages or identifying logged-in users during a session.
The processing duration of these cookies is limited to the visitor's current session; they are automatically deleted from the user’s device when the session ends or the browser is closed.

Legal Basis for Data Processing: According to Section 13/A(3) of Act CVIII of 2001 on Certain Issues of Electronic Commerce Services and Information Society Services (Elkertv.), the service provider may process personal data necessary for providing the service. The provider must choose and operate the tools used for delivering services related to the information society in a manner that ensures personal data processing occurs only if it is indispensable for providing the service and fulfilling the purposes outlined in this Act, and even then, only to the extent and duration necessary.

3.2.2. Cookies Facilitating Usage
These cookies remember the user’s preferences, such as how they wish to view the website. Essentially, they store configuration data within the cookies.
Legal Basis for Data Processing: Visitor’s consent.
Purpose of Data Processing: Increasing the efficiency of services, enhancing user experience, and making website usage more convenient.
These data typically reside on the user’s device, and the website only accesses them and may recognize the visitor based on them.

3.2.3. Performance Cookies
These cookies collect information about the user’s behavior on the website, including time spent, clicks, and navigation patterns.

Legal Basis for Data Processing: Visitor’s consent.
Purpose of Data Processing: Analyzing website performance and sending advertising offers.

CHAPTER VI:

INFORMATION ABOUT THE RIGHTS OF THE DATA SUBJECT

I. Summary of Your Rights You may request the following from the Data Controller:

• Information about the processing of your personal data (before the data processing begins and during the processing). This Privacy Policy ensures your right to information through its preparation and publication.
• Access to your personal data (making the personal data processed by the Data Controller available to you).
• Correction or supplementation of your personal data.
• Deletion or restriction (blocking) of your personal data, except in cases of mandatory data processing.
• The right to data portability.
• The right to object to the processing of your personal data.
• The right not to be subject to a decision based solely on automated processing, including profiling, which would have legal effects or similarly significant impacts on you.
• The right to legal remedy.

You may submit your request related to data subject rights in writing to the Data Controller as described in the section on enforcing rights and seeking legal remedies. The Data Controller will fulfill your legitimate request within 30 days and inform you of this via the contact details you provided.

II. Detailed Information About Your Rights

Right to Information
(Based on the obligations outlined in Articles 13–14 of the GDPR)

You may request information from the Data Controller in writing, as described in the section on enforcing rights and seeking legal remedies, regarding:

• What personal data are processed,
• On what legal basis,
• For what purpose,
• From what source,
• For how long the data are processed,
• Whether a data processor is used, and if so, the name, address, and activities of the processor concerning data processing,
• To whom, when, and under what legal basis your personal data were accessed or transmitted,
• Details of any data protection incidents, their effects, and the measures taken to address them.

Right of Access
(Based on Article 15 of the GDPR)

You have the right to receive confirmation from the Data Controller as to whether your personal data are being processed. If data processing is ongoing, you are entitled to access the personal data being processed. You can request this in writing as described in the section on enforcing rights and seeking legal remedies.

The Data Controller will provide a copy of the personal data being processed unless restricted by other legal obligations. If the request is submitted electronically, the information will be provided in a widely used electronic format unless requested otherwise.

Right to Rectification or Supplementation
(Based on Article 16 of the GDPR)

You may request in writing, as described in the section on enforcing rights and seeking legal remedies, that the Data Controller modify your personal data (e.g., update your email address or postal contact details).

Considering the purpose of data processing, you may also request that incomplete personal data be supplemented appropriately.

Right to Erasure
(Based on Article 17 of the GDPR)

The deletion of personal data can generally be requested if the data processing is based on your voluntary consent, such as when you provide your consent for the processing of your email address or phone number. In such cases, your personal data will be deleted upon request.

Voluntary consent can be withdrawn at any time. Please note that the withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal. To identify you, please include your name and email address in your deletion request.

Right to Restriction of Processing (Blocking)
(Based on Article 18 of the GDPR)

You may request in writing, as described in the section on enforcing rights and seeking legal remedies, that your personal data be restricted (clearly marked as being restricted and separated from other data).

Restriction continues for as long as the reason specified by you justifies the retention of the data. For instance, you may request restriction if you believe your data have been processed unlawfully but require the data to pursue a legal or administrative claim.

In such cases, the Data Controller will retain the personal data until contacted by the authority or court, after which the data will be deleted.

Right to Data Portability
(Based on Article 20 of the GDPR)

You may request in writing, as described in the section on enforcing rights and seeking legal remedies, that the personal data you provided to the Data Controller be supplied to you in a structured, commonly used, machine-readable format. You also have the right to transfer these data to another data controller without obstruction by the Data Controller, provided that:

• The data processing is based on consent under Article 6(1)(a) or Article 9(2)(a) of the GDPR, or
• The data processing is necessary for the performance of a contract under Article 6(1)(b), and
• The data processing is carried out by automated means.

Right to Object
(Based on Article 21 of the GDPR)

You may object to the processing of your personal data based on the legitimate interests of the Data Controller or a third party under Article 6(1)(f) of the GDPR, including profiling based on those provisions, by submitting a written request as described in the section on enforcing rights and seeking legal remedies.

In such cases, the Data Controller will no longer process your personal data unless it demonstrates compelling legitimate grounds for the processing that override your interests, rights, and freedoms or are required for the establishment, exercise, or defense of legal claims.

Automated Individual Decision-Making, Including Profiling
(Based on Article 22 of the GDPR)

You have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects concerning you or similarly significantly affects you.
This right does not apply if the decision:
a) Is necessary for the performance of a contract between you and the Data Controller,
b) Is authorized by Union or Member State law applicable to the Data Controller, which also lays down suitable measures to safeguard your rights, freedoms, and legitimate interests, or
c) Is based on your explicit consent.

In the cases mentioned under points (a) and (c), the Data Controller must implement appropriate measures to safeguard your rights, freedoms, and legitimate interests. These include ensuring you have at least the right to:

• Request human intervention on the part of the Data Controller,
• Express your point of view, and
• Contest the decision.

CHAPTER VII:

LEGAL REMEDIES AND ENFORCEMENT OF DATA PROCESSING RIGHTS

Contacting the Data Controller
We recommend that before initiating court or administrative proceedings, you submit your inquiry or complaint regarding the processing of your personal data to the Data Controller. This allows us to investigate and address your concerns adequately and promptly or fulfill your request as specified in the section on Information about the Rights of the Data Subject, provided it is justified.

The Data Controller will investigate your inquiry or complaint concerning data processing and will provide information without undue delay and within the timeframe prescribed by applicable law. In the case of complex issues or multiple inquiries, this timeframe may be extended in accordance with the law.

If your request is submitted electronically, we will respond electronically where possible unless you request otherwise. Should the Data Controller fail to act on your request within the legally prescribed timeframe, you will be informed of the reasons for the delay or refusal, and you will have the option to initiate court or administrative proceedings as detailed below.

To enforce your data protection rights, inquire about any concerns, request information, or file a complaint, you can submit a data subject request in writing via traditional mail or email to the contact information below:

QUANTRAX Industrial, Commercial and Service Limited Liability Company
Address: 6726 Szeged, Fülemüle utca 34.
Phone: +36 62 423 133
Email: iroda@quantrax.hu

Initiating Administrative Proceedings
 

You have the right to lodge a complaint with a supervisory authority, particularly in the Member State of your habitual residence, place of work, or the location of the alleged infringement, if you believe that the processing of your personal data violates GDPR provisions.
For contact details of supervisory authorities within the EU, see: EDPB Member Directory.

In Hungary, you can contact the National Authority for Data Protection and Freedom of Information (NAIH) to initiate an investigation or administrative procedure:

• Address: 1055 Budapest, Falk Miksa u. 9-11.
• Website: http://naih.hu
• Mailing address: 1363 Budapest, Pf.: 9.
• Phone: +36-1-391-1400
• Fax: +36-1-391-1410
• Email: ugyfelszolgalat@naih.hu

You may request:

• An investigation if you believe that the Data Controller has restricted or denied the exercise of your rights as detailed in the section on Information about the Rights of the Data Subject.
• An administrative procedure if you believe the Data Controller or its processor has violated the applicable laws or EU legal provisions on personal data processing.

Initiating Court Proceedings

You may file a lawsuit if you believe that the Data Controller processes your personal data in violation of applicable laws or EU legal acts. Such a lawsuit can also be initiated in the courts of your habitual residence in the Member State.

In Hungary, these cases fall under the jurisdiction of the Regional Courts (Törvényszék). You may choose to file the case with the court competent for your residence or habitual address.

For information on the jurisdiction and contact details of Hungarian courts, see: https://birosag.hu.

CHAPTER VIII:

DATA SECURITY

The Data Controller is committed to ensuring the security of personal data it processes. Taking into account the state of the art, implementation costs, the nature, scope, context, and purposes of data processing, and the varying likelihood and severity of risks to the rights and freedoms of natural persons, the Data Controller implements technical and organizational measures and establishes procedural rules to:

• Protect collected, stored, and processed data,
• Prevent unauthorized use and alteration, and
• Prevent destruction or loss of the data.

Additionally, the Data Controller ensures that any third party receiving or accessing personal data under any legal basis adheres to data security requirements. Access to personal data is restricted to authorized personnel only, preventing unauthorized disclosure, transfer, modification, or deletion.

Access to the processed data is limited to the Data Controller, its employees, and the data processors or recipients it engages, based on defined authorization levels. The Data Controller ensures that personal data is not disclosed to third parties without the appropriate authorization. Employees of the Data Controller and data processors are granted access to personal data based on specific job roles, defined procedures, and authorization levels.

IT Security Measures

To protect IT systems:

• Firewalls are employed to safeguard systems.
• Antivirus and anti-malware programs are used to prevent internal and external data loss.
• Inbound and outbound communications are monitored to detect and prevent potential misuse.

The Data Controller classifies and treats all personal data as confidential. For electronically managed datasets, measures ensure that stored information cannot be directly linked or attributed to an identifiable data subject, except as permitted by law.

Key Measures for Security

The Data Controller ensures an appropriate level of data security proportional to the risk, including, where applicable:

• Pseudonymization and encryption of personal data.
• Maintaining the confidentiality, integrity, availability, and resilience of systems and services processing personal data. This includes security in operations, development, intrusion prevention and detection, and unauthorized access prevention.
• Ensuring the ability to restore access to personal data in a timely manner in the event of a physical or technical incident.
• Regular testing, assessment, and evaluation of technical and organizational measures to guarantee data processing security.

These measures may include ensuring business continuity, protection against malicious software, secure storage, transmission, and processing of data, as well as providing security training for employees.

When determining the appropriate level of security, specific consideration is given to risks such as accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to transmitted, stored, or otherwise processed personal data.

For more detailed information about data security, please contact the Data Controller at the following email address: iroda@quantrax.hu.

CHAPTER IX:

TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES OR INTERNATIONAL ORGANIZATIONS

1.  Transfers Based on Adequacy Decisions (Article 45 of the GDPR)
   Personal data may be transferred to a third country or an international organization if the European Commission has determined, through an adequacy decision, that the country, a specific territory, sector, or the international organization ensures an adequate level of protection equivalent to that under EU data protection standards. Article 45(2) of the GDPR specifies the criteria the Commission considers when assessing adequacy. The Commission periodically reviews the adequacy of the protection in these countries, territories, sectors, or organizations, and if it finds that adequate protection is no longer ensured, it may revoke, amend, or suspend the decision.
2. Trans-Atlantic Data Privacy Framework
   On July 10, 2023, the European Commission adopted an adequacy decision for the new EU-US Data Privacy Framework, concluding that personal data can be securely transferred from the EU to participating U.S. companies under the framework. The United States is deemed to provide adequate protection for personal data transferred to U.S. companies participating in the framework. Joining the framework requires U.S. companies to commit to implementing GDPR-compliant data protection measures as data controllers.
3. Transfers Based on Appropriate Safeguards (Article 46 of the GDPR)
   In the absence of an adequacy decision under Article 45, the Data Controller or Data Processor may transfer personal data to a third country or international organization only if appropriate safeguards are in place to ensure the data transfer’s adequacy. These safeguards must also ensure enforceable data protection rights and effective legal remedies for data subjects.

The Data Controller informs you that your personal data provided during processing may be transferred to third countries.

CHAPTER X:

MISCELLANEOUS

• No automated decision-making or profiling occurs during the processing of personal data as outlined in this Privacy Notice.
• The Data Controller reserves the right to unilaterally amend this Privacy Notice with future effect. The current version of the Privacy Notice is available on the Data Controller’s website. Any amendments will be communicated to Data Subjects via the website.

Issued in Szeged, on April 10, 2024.
QUANTRAX Industrial, Commercial and Service Limited Liability Company
Represented by: Gábor Dobó, Managing Director