Privacy Policy

Data Controller

Name: Protenic Kft.
Address: 1149 Budapest, Pósa Lajos u. 13.
Representative of the Data Controller: Attila Reményi, Chief Scientific Officer
Contact details regarding data protection: info@protenic.hu

Our company is not obliged to appoint a Data Protection Officer pursuant to Article 37 of the GDPR.
Data Protection Representative: Attila Reményi

This Notice constitutes the unilateral undertaking of the Data Controller in accordance with Regulation (EU) 2016/679 (GDPR) and the relevant national legislation. This Policy may be unilaterally amended and/or withdrawn by the Data Controller at any time, with simultaneous notification of the Data Subjects. Notification is made by publication on the website and, depending on the nature of the change, by direct notification of the Data Subjects.

Purpose of Data Processing

  1. Provision of services to natural persons, including:
    • Identification of the customer and differentiation from other clients, users, or inquirers
    • Maintaining contact, managing and recording contact details
    • Quotation, contract conclusion
    • Contact data verification and updating
    • Processing of personal data necessary for the execution of sales
  2. Legal basis for processing: Contract, agency agreement
    Providing data is a prerequisite for concluding the contract. Based on your prior informed and voluntary consent, we process, collect, record, organize, use, and store your personal data only to the extent necessary and always for a specific purpose. Failure to provide data will result in the Data Controller being unable to fulfil the ordered service. In some cases, the processing of your data is based on statutory provisions and is mandatory. In such cases, we will specifically draw your attention to this fact. Furthermore, in certain cases, our Company or a third party has a legitimate interest in processing your personal data, for example, in the operation, development, and security of our website.
    Scope of data processed:

    • Name, personal data
    • Address
    • Email address
    • Telephone number
    • Other personal data necessary for contract performance
  3. Possible consequence of not providing data: failure of contract conclusion.
  4. Provision of services to legal persons, including:
    • Identification of the User and differentiation from other clients, users, or inquirers
    • Maintaining contact, managing and recording contact details
    • Personal contact and related documentation
    • Quotation, contract conclusion
    • Contact data verification and updating
    • Communication during project management
    • Project implementation
  5. Legal basis for processing: Legitimate interest – The Data Controller has a legitimate interest in recording contact details for contract performance.
    Scope of data processed:

    • Name
    • Email address
    • Telephone number
    • Other personal data necessary for contract performance
  6. Planned duration of processing: Until fulfilment of the contract, as well as in compliance with statutory retention requirements for documents.
  7. Issuance of invoices and mandatory documentation related to service performance.
    Legal basis for processing: Statutory compliance (VAT Act, Accounting Act, Personal Income Tax Act). Providing data is a prerequisite for concluding the contract. Failure to provide data will result in the Data Controller being unable to fulfil the ordered service.
    Scope of data processed:

    • Name
    • Permanent address
    • Email address (in case of remote invoice printing or e-invoice authorization)
  8. Possible consequence of not providing data: failure of contract conclusion.
    Planned duration of processing: Until expiry of the contract and in compliance with statutory retention requirements for documents.
  9. Management and registration of contracts.
    Handling of contracts related to the Data Controller’s activities, management, recording, processing of the contracting party’s contact details at contract conclusion, maintaining them up to date, processing the contracting party’s authorized representatives’ data and keeping them up to date.Legal basis for processing: Legitimate interest – The Data Controller has a legitimate interest in recording the contact person’s data.Source of data: Based on prior disclosure by the contracted legal person or disclosure by the Data Subject during contract performance.Scope of data processed:

    • Name
    • Telephone number
    • Email
    • Position
    • Signature
  10. Planned duration of processing: Until objection, but no later than the statutory retention period following contract fulfilment.
  11. Data processing related to GDPR compliance.
    Handling of data, data transfer records, data protection incidents, data subject requests and inquiries.Legal basis for processing: statutory obligationScope of data processed:

    • Name
    • Data protection identifier
    • Data subject request: date, type, content, description of the event
    • Outcome and consequence of the data subject’s request
    • Incident date, documentation, outcome
    • Names of participants

Advertising of Services and Information for Data Subjects

Information regarding services, locations, ongoing projects, as well as presentation of plans and applications.

Legal basis for processing: Legitimate interest – The Data Controller has a legitimate interest in direct marketing.

Scope of data processed: email address, name.

By using a service, the Data Subject provided the following data to the Data Controller. In this Notice, the Data Controller informs the Data Subject of the data processed within the defined activities, reclassifies the processing purpose to legitimate interest, and uses it for direct marketing purposes.

Source of data: The Data Controller lawfully processed the Data Subject’s data for other purposes of data processing.

Planned duration of processing: Until objection or withdrawal.

Scope of Data Subjects

Natural persons using the services of the Data Controller, natural persons acting on behalf of legal persons using the services, and the contact persons of partners contracted with the Data Controller.

Information on the Use of Data Processors

During data processing, the Data Controller transfers data to the contracted data processor(s) for the purpose of fulfilling the contract.

Categories of recipients: accounting service providers, financial institutions, law firms.

Persons Entitled to Access Data

Except for the data processor(s) specified above, the Data Controller does not transfer data to third parties. The recorded data may only be accessed by employees of the Data Controller and designated employees of the data processor(s).

Processing of Data Received from Third Parties

If the Partner provides the Data Controller with data not belonging to themselves but of another natural person, the User/Partner is solely responsible for ensuring that such data is provided with the knowledge, consent, and appropriate information of the data subject. The Data Controller is not obliged to verify this. The Data Controller draws the Partner’s attention to the fact that failure to fulfil this obligation may result in the Data Subject asserting a claim against the Data Controller, in which case the Data Controller may pass on the claim and any related damages to the Partner.

Rights of Data Subjects

At the contact details specified in Section 1, the Data Subject may:

  1. request information about the processing of their personal data,
  2. request rectification, modification, or supplementation of their data,
  3. object to data processing and request the erasure or restriction of their data (except for mandatory processing),
  4. seek legal remedy before a court,
  5. lodge a complaint with or initiate proceedings at the supervisory authority.

The Data Subject may exercise the above-mentioned rights at any time.

The Data Subject may also submit requests to the Controller at any of the contact addresses specified in Section 1.

Transfer of data to third countries or international organizations

The Controller does NOT transfer the personal data or recordings of the Data Subject to third countries outside the European Economic Area or to international organizations.

  1. The Data Subject may request the transfer of their data to another controller, provided that the processing is based on consent or a contract and is carried out by automated means.
  2. The Data Subject may withdraw their previously given consent to data processing.

The Controller shall process or reject (with justification) the request no later than within 1 month following its submission – in exceptional cases, within a longer period permitted by law. The Data Subject shall be informed in writing of the outcome of the examination.

  1. Costs of information
    The Company shall provide measures and the necessary information free of charge for the first request. If the Data Subject requests the same information again within one month, and the data have not changed in the meantime, the Controller may charge an administrative fee.
    • The administrative fee shall be based on the prevailing minimum wage calculated per hour, as an hourly rate.
    • The number of working hours used for preparing the response shall be charged accordingly.
    • In addition, in the case of paper-based requests, the printing cost at cost price and postal charges shall also be borne by the Data Subject.
  3. Refusal of information
    If the request of the Data Subject is manifestly unfounded, the Data Subject is not entitled to the information, or the Controller can prove that the Data Subject already has the requested information, the Controller shall refuse the request.If the request is excessive – especially due to its repetitive nature – the Company may refuse to act on the request if

    • the Data Subject submits the same request for exercising their rights under Articles 15–22 for the third time within one month.
  4. Right to object
    The Data Subject has the right to object at any time to the processing of their personal data based on legitimate interest or the exercise of official authority.In this case, the Organization shall no longer process the personal data unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the Data Subject, or the processing relates to the establishment, exercise, or defense of legal claims.If the objection is found to be justified, the Controller shall terminate processing of the personal data as soon as possible – including transmission and further collection. The Controller shall notify all parties to whom the Data Subject’s data were previously transmitted.The handling of requests is free of charge, except for manifestly unfounded or excessive requests, for which the Controller may charge a reasonable fee corresponding to administrative costs. If the Data Subject does not agree with the decision of the Controller, they may seek judicial remedy. Data protection lawsuits fall under the jurisdiction of the competent regional court. The lawsuit may also be initiated, at the choice of the Data Subject, before the court at their place of residence or stay. Foreign citizens may also submit a complaint to the supervisory authority competent at their place of residence.

Transfer of data to third countries or international organizations

The Controller does NOT transfer the personal data or recordings of the Data Subject to third countries outside the European Economic Area or to international organizations.

Information on data security measures

The Controller manages data in a closed system in accordance with its Information Security Policy.

The Controller ensures default and built-in data protection. To this end, the Controller applies appropriate technical and organizational measures to:

  1. regulate access to data precisely;
  2. grant access only to persons who need the data for the performance of their tasks, and even then only to the extent necessary;
  3. carefully select processors and ensure data security through appropriate data processing agreements;
  4. guarantee the integrity, authenticity, and protection of the data processed.

The Controller applies reasonable physical, technical, and organizational security measures to protect Data Subject’s data, in particular against accidental, unauthorized, or unlawful destruction, loss, alteration, transmission, use, access, or processing.

In the event of unauthorized access to or use of personal data that poses a high risk to the Data Subject, the Controller shall notify the Data Subject without undue delay.

If the transmission of Data Subject’s data is required, the Controller ensures appropriate protection, such as encryption. The Controller is fully responsible for data processing activities performed by third parties.

The Controller also ensures, through regular and adequate backups, that the Data Subject’s data are protected against destruction or loss.

Data Security

The Data Controller ensures the security of data processing by implementing technical, organisational, and administrative measures that provide a level of protection appropriate to the risks. These include:

– preventing unauthorised access to personal data,
– protecting against alteration, disclosure, destruction, or accidental loss of personal data,
– ensuring data integrity, availability, and confidentiality,
– logging and monitoring data access.

The Data Controller regularly reviews the applied technical and organisational measures and, if necessary, updates them in order to ensure continued protection.

Applicable Legislation

The data processing activities of the Controller are governed by the following laws:

  1. Regulation (EU) 2016/679 (General Data Protection Regulation – “GDPR”),
  2. Act CXII of 2011 on Informational Self-Determination and Freedom of Information (“Infotv.”), as amended by Act XXXVIII of 2018,
  3. Act C of 2000 on Accounting,
  4. Act V of 2013 on the Civil Code,
  5. Act CLV of 1997 on Consumer Protection,
  6. Act CXXXIII of 2005 on the Rules of Personal and Property Protection and Private Investigation,
  7. Act CVIII of 2001 on Electronic Commerce and on Information Society Services,
  8. Act C of 2003 on Electronic Communications,
  9. Act CLXV of 2013 on Complaints and Whistleblowing,
  10. Act XLVIII of 2008 on the Basic Conditions and Certain Limitations of Economic Advertising Activities.

Legal remedies

The Data Subject may:

  1. request information about the processing of their data;
  2. request the rectification, modification, or completion of their personal data;
  3. object to processing and request the erasure or restriction of their data (except for mandatory processing);
  4. seek judicial remedy;
  5. lodge a complaint with or initiate proceedings before the supervisory authority (https://naih.hu/panaszugyintezes-rendje.html).

Supervisory Authority

National Authority for Data Protection and Freedom of Information (NAIH)
Headquarters: 1125 Budapest, Szilágyi Erzsébet fasor 22/C
Postal address: 1530 Budapest, P.O. Box 5
Phone: +36 (1) 391-1400
E-mail: ugyfelszolgalat@naih.hu