I. DESCRIPTION OF DATA CONTROLLER

RSM Connectax Hungary Kft. ( referred as Controller)

• Registered office: 1139 Budapest, Váci str. 99-105. Balance Hall Building 4th Floor
• Correspondence address: H-1139 Budapest, Lomb str. 30-32.
• Company registration number: 01-09-320751
• E-mail: info@connectax.hu
• Telephone: +36 1 886 3700
• Website: https://www.connectax.hu

The Controller does not designate a data protection officer.

II. LEGISLATIVE BACKGROUND FOR DATA PROCESSING

To the type of data processing described in this document, the following legal provisions apply:

• Act No CXII of 2011 on the right to informational self-determination and freedom of information;
• Regulation (EU) 2016/679 of European Parliament and of the Council;

III. DEFINITIONS

1. “data subject”: a natural person identified or identifiable based on any information;
2. “personal data”: any information respective of the subject;
3. “data of public interest”: any information or knowledge recorded in any manner or form that is not considered personal data, and which is being processed by, relevant to the activities of, or arose in connection with the public function of any natural or legal person having public or municipal responsibilities or any other corresponding public duties or functions set out in the applicable legislation, irrespective of its manner of processing, its individual or collective nature, and thus especially of it being data relating to competencies, organisational structure, professional activities and the evaluation thereof that also covers effectiveness, the types of data held, the legislation governing operation, and data in connection with economic management and contracts concluded;
4. “data publicly available due to public interest”: any data, other than data of public interest, the disclosure, availability or accessibility of which is prescribed by an Act for the benefit of the general public;
5. “identifiable natural person”: ”: a natural person who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, identification number, location data, online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
6. “data processing”: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
7. “restriction on data processing”: the marking of stored personal data with a view to limiting their processing in the future;
8. “profiling”: any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a data subject, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
9. “filing system”:any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;
10. “Controller”: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the Controller or the specific criteria for its nomination may be provided for by Union or Member State law;
11. “processor”: a natural or legal person, public authority, agency or other bodies which processes personal data on behalf of the Controller;
12. “recipient”: a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;
13. “third party”: a natural or legal person, public authority, agency or body other than the data subject, Controller, processor and persons who, under the direct authority of the Controller or processor, are authorised to process personal data;
14. “the data subject’s consent”: any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
15. “personal data breach”: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
16. “enterprise”: a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity;
17. “group of undertakings”: a controlling undertaking and its controlled undertakings;
18. “supervisory authority”: an independent public authority created in accordance with Article 51 of the Regulation, which in Hungary is the Adatvédelmi és Információszabadság Hatóság (the national authority for data protection and freedom of information);
19. “cross border processing”:
    1. a) processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a Controller or processor in the Union where the Controller or processor is established in more than one Member State; or
    2. b) processing of personal data which takes place in the context of the activities of a single establishment of a Controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State;
20. “information society service”: a service as defined in point (b) of Article 1(1) of Directive (EU) 2015/1535 of the European Parliament and of the Council (19);

IV. PROCESSING ON THE WEBSITE OPERATED BY THE CONTROLLER IN ACCORDANCE WITH THE PURPOSES OF THE PROCESSING

1. Contacting, concluding a contract

The Controller processes the following data for the purpose of contacting and liaising with the data subject:
a) name (company name)
b) position
c) address
d) e-mail address
e) phone number

Pursuant to Article 6 (1) b) of the GDPR, processing is lawful if necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract. If a third party is defined as the contact person when the contract is concluded, the processing of the contact person’s data is in accordance with Article 6(1)(f) of the GDPR. The processed data will be kept continuously during the contractual relationship, unless there is a change in the contact person, in which case the relevant data will be deleted within 1 year of the change. If the contact data are also recorded in a contract concluded between the parties, the data will be kept for 8 years after the termination of the legal relationship, in accordance with the accounting rules on the retention of contracts.

Test for considering legitimate interest in relation to the processing of third party contact details:

The purpose of data processing:	To facilitate effective communication for the performance of contracts concluded
Legal ground:	Processing is necessary for the purposes of the legitimate interests of the Controller’s partner under Article 6 (1) f) of the GDPR
Scope of the personal data concerned:	name, e-mail address, phone number, mailing address
Source of personal data:	Person who concludes the contract and designates the contact person
Term of data processing:	The Controller retains the data for 8 years if they are included in an accounting document, especially in a contract between the parties. If the contact data are not recorded in an accounting document, then the data are deleted within one year following the termination of the legal relationship.
Defining the legitimate interest for the Controller:	Maintaining contact between the contracting parties
Review of the necessity of data processing:	No communication is possible between the parties without designated contact persons.
Violation of the rights and freedoms of data subjects:	The data subject’s data are disclosed to someone who is considered as a third party from the data subject’s point of view, with whom he or she has no legal relationship.
Results of testing legitimate interest:	In the course of data processing, the Controller does not disclose the contact data to third parties, only employees involved in the preparation and subject matter of the contracts may know them; this is a proportionate restriction regarding the contact data. Data is processed only as strictly necessary.

2. Data processed during general use of the Website

a) cookies:
We recommend that you accept “cookies” to make full use of certain features of the website. A “cookie” is a small piece of text containing personalised information that is stored on the data subject’s computer by the data subject’s browser. The purpose of cookies is to help us recognise returning visitors, to implement customised visitor functions and to process user logins (identification, authentication). If you wish to know more about cookies, please click on the link below for more information:
https://europa.eu/youreurope/citizens/cookies/index_hu.htm;

STRICTLY NECESSARY COOKIES

NAME	DOMAIN	TYPE	EXPIRY	DESCRIPTION
_grecaptcha	www.google.com	third party	6 months	When Google performs reCAPTCHA, it sets a required cookie (_grecaptcha) for risk analysis purposes.

STATISTICS COOKIES

NAME	DOMAIN	TYPE	EXPIRY	DESCRIPTION
_gid	.connectax.hu	own	1 day	This cookie is set by Google Analytics. Each page visited stores and updates a unique value and is used to count and track page views.
_gat_UA-120161686-1	.connectax.hu	own	1 minute	This is a pattern type cookie set by Google Analytics, where the pattern element of the name contains the unique identity number of the account or website. This is a  _gat cookie, which is used to limit the amount of data that Google records on high-traffic websites.
_ga	.connectax.hu	own	2 years	This cookie name is associated with Google Universal Analytics, a major update to Google’s more commonly used analytics service. This cookie is used to distinguish individual users by assigning a randomly generated number as a client identifier. It is included in all site page requests and is used to calculate visitor, session and campaign data for website analytics reports.

MARKETING COOKIES

NAME	DOMAIN	TYPE	EXPIRY	DESCRIPTION
test_cookie	.doubleclick.net	third party	15 minutes	This cookie is set by DoubleClick (owned by Google) to determine whether a website visitor’s browser supports cookies.
_fbp	.connectax.hu	own	3 months	Facebook uses it to deliver a range of advertising products, such as real-time bidding from third-party advertisers.
_gcl_au	.connectax.hu	own	3 months	Used by Google AdSense to experiment with advertising efficiency on websites that use their services.

Legal ground of processing

• Session cookies
  The use of session cookies is in the legitimate interest of the controller and the legal basis for the processing is according to Article 6 (1) (f) of the GDPR. Session cookies are necessary for browsing the website, and using its functions, including the possibility to record the actions performed by the visitor on a given page, function or service. Without the use of “session cookies”, the smooth use of the website cannot be guaranteed. They are valid for the duration of the visit and are automatically deleted at the end of the session or when the browser is closed.

Testing legitimate interest for session cookies:

The purpose of data processing:	Ensuring the operation of the website
Legal ground:	The legal basis for processing under Article 6 (1) (f) of the GDPR is the legitimate interest of the Controller to operate the website in such a way that visitors can obtain information and interact with the Controller.
Scope of the personal data concerned:	data collected through session cookies
Source of personal data:	The data subject
Period of data processing:	Term of session
Defining the legitimate interest for the Controller:	Operation of the website
Review of the necessity of data processing:	If session cookies cannot be used, the website cannot be operated properly.
Violation of the rights and freedoms of data subjects:	The data subject provides data to the Controller on a temporary basis.
Results of testing legitimate interest:	Given that the operation of the website is in the interest not only of the Controller but also of the data subject, processing for a limited period of time without allowing identification is proportionate to the restriction of the data subject’s rights

• Preferences cookies supporting functions
  The possibility to use such function cookies is based on the decision or consent of the data subject, the legal basis for processing is Article 6 (1) (a) of the GDPR
  These cookies allow our website to remember which mode of operation you have chosen (e.g.: that you have the cookie notice and the ordering of the displayed search results), so that you do not need to accept the cookie notice every time or choose the ordering of the content of the site on your next visits. Without the information contained in the cookies that store your preferences, our website will function, though less smoothly.
  We do not record any personal data in the preferences cookies, we only store an identification number which informs the site that the cookie policy has been previously accepted. The preferences cookie is stored on the client computer’s browser with an expiry date of 1 month.

b) Google analytics service
Data disclosed by Google (Google analytics service):
the data processing is carried out for statistical purposes only, in order to enhance the user experience by using the website traffic data; the Controller stores the data as statistical data, they do not know any personal data. In transferring the data collected, Google applies the General Terms and Conditions for the transfer of personal data relating to online advertising and measurement outside Europe.

To find out more about Google Analytics, please visit the following website:
https://support.google.com/analytics#topic=3544906

On the following page, you have the option to restrict access of the Google Analytics service by downloading the application from the following page: https://tools.google.com/dlpage/gaoptout?hl=en

More detailed information on cookie settings for the following browsers
• Chrome
• Firefox
• Internet Explorer
• Microsoft Edge

V. PROCESSING OF DATA IN CONNECTION WITH CERTAIN SERVICES

Given that the applications we develop may differ both in terms of functionality and the type of data processed, we provide information on the specific processing of data in connection with each service or application, with the understanding that the general rules, i.e., the processing of contact cookies, will also apply in these cases. The legal basis for data processing is Article 6 (1) (b) of the GDPR; data processing is carried out for the performance of a contract between the parties, for the provision of services. The data processed and the documents containing the data that are considered accounting documents from the point of view of the Controller are kept for 8 years after the termination of the contractual relationship, and the other documents provided in the course of providing the service will be deleted upon the termination of the service.

VI. ACCESS TO DATA AND DATA SECURITY MEASURES

Access to data and data transfer
The personal data provided by the data subject may only be disclosed to the Controller’s senior manager and designated staff and, where necessary, to a data processor.

The Controller uses data processors for the following data processing tasks:
a) for IT issues also affecting personal data it is Professional Information Technology Kft. (Registered office: 1107 Budapest, Fogadó utca 4. C. ép. fszt.; Co. reg. no.: 01-09-353262),
b) for server-hosting issues it is Websupport Magyarország Kft. (Registered office: 1132 Budapest, Victor Hugo utca 18-22., Co. reg. no.: 01-09-381419)
c) during the development of the programme necessary for the provision of the service, the employees of the company entrusted with the development may have access to the data for the sole purpose of carrying out the programming tasks;
d) for liaising and the preparation of proposals and contracts it is RSM Hungary Zrt. (1139 Budapest, Váci út 99-105. Balance Hall. ép. IV. em. co. reg. no.: 01-10-045727 tax no.: 14020867-2-41).
e) for cases involving legal consultancy it is Szűcs & Partners Law Firm (registered office: 5000 Szolnok, Madách utca 35.);

Other than the above, the Controller only discloses personal data to other persons or public bodies and authorities in cases specified by law.

VII. DATA SECURITY MEASURES

The Controller stores the personal data provided by the data subject on servers located at the Controller’s headquarters (1139 Budapest, Váci út 99-105. Balance Hall épület 4. emelet), guarded by 24/7 security. To prevent unauthorised access to systems, the Controller regularly reviews its data collection, storage and processing practices.

Also, the Controller uses Google (Analytics) to process personal data. Unless otherwise stated in the service-specific privacy notice, the Controller responsible for the processing of data depends on the place of residence of the data subject, for users of Google services in the European Economic Area or Switzerland, Google Ireland Limited, whose registered office is at Gordon House, Barrow Street, Dublin 4, Ireland. Where the data transferred in the course of the services are stored abroad, the Controller will grant access to the user’s data on the basis of the “Principle of least privilege”.

VIII. RIGHTS RELATED TO DATA PROCESSING

1. Right to information
The data subject may, at any time, request information in writing from the Controller via the contact details provided in section 1, in order to be informed by the Controller:

what personal data,
what is the legal basis,
what is the purpose of data processing,
what is the source of data,
for how long are the data kept,
to whom, when, under what legal provisions,
and to which personal data the Controller granted access or transferred the personal data.

The Controller shall comply with the data subject’s request within a maximum of 30 days by letter sent to the contact details provided.

2. Right to rectification
The data subject may, at any time, request in writing, through the contact details provided in section 1, that the Controller modify any of their personal data (e.g. the e-mail address may be changed any time). Before granting the request, the Controller may request appropriate proof of the change in the personal data (e.g. change of address, change of name). The Controller shall grant the request within a maximum of 30 days and shall notify the data subject thereof by letter sent to the contact details provided by the data subject.

3. Right to erasure
The data subject may request the erasure of their personal data in writing from the Controller via the contact details provided in section 1. The Controller shall reject the erasure request if the law or an internal regulation obliges the Controller to continue to store the personal data. However, in the absence of such an obligation, the Controller shall comply with the data subject’s request within a maximum of 30 days and shall notify the data subject thereof by sending a letter to the contact details provided by the data subject.

4. Right to blocking
The data subject may request the blocking of their personal data in writing from the Controller via the contact details provided in section 1. The blocking lasts for as long as the reason indicated by the data subject makes it necessary to store the data. For example, the data subject may request the blocking of data if they believe that the data have been unlawfully processed by the controller, but the Controller is required not to delete the data in order to comply with an administrative or judicial procedure initiated by the data subject. In this case, the Controller will continue to store the personal data until the authority or court requests it, after which the data will be deleted.

5. Right to data portability
The data subject shall have the right to receive personal data concerning them which they have provided to a Controller in a structured, commonly used, machine-readable format and the right to transmit such data to another Controller, i.e., at the request of the data subject, the controller shall deliver the data to the data subject on a medium.

6. Right to objection
The data subject may object in writing to the processing of personal data using the contact details provided in section 1 if the Controller would transfer or use the personal data for direct marketing, public opinion polls or scientific research. For example, the data subject may object to the use of their personal data for scientific research purposes without their consent. The data subject may object to the data processing even if it is believed that the processing is only used to comply with a legal obligation, or to enforce a given right, except for data processing based on regulatory authorization. For example, the data subject may not object to the Controller’s disclosure of their personal data to the authority in the course of an ongoing authority procedure.

IX. ENFORCEMENT OF RIGHTS RELATED TO DATA PROCESSING

Above all, we believe that personal contact can often help resolve conflicts, so please feel free to contact us using one of the contact details above.
In other cases, disputes can be handled in the forums below:

1. Initiation of court proceedings
In case of unlawful processing detected by the data subject, they may initiate civil action against the Controller. The proceedings shall be the competence of the court. For a list of courts and their contact details, please click on the link below:
https://birosag.hu/torvenyszekek

2. Complaint to the Supervisory Authority
By lodging a complaint, the data subject may initiate an investigation on the grounds that the processing of their personal data is an infringement of their rights or the imminent threat of such infringement:

National Authority for Data Protection and Freedom of Information:

1363 Budapest, Pf.: 9.
1055 Budapest, Falk Miksa utca 9-11.
+36 1 391 1400
+36 1 391 1410 (fax)
ugyfelszolgalat@naih.hu
www.naih.hu