Effective Date: 1 February 2024
1. GENERAL INFORMATION
The Controller is the Entity or affiliated Entities defined under Annex 1. who participates in the Contract as a contractual party (the “Company”) and which process(es) information in connection with its agreements on goods or services entered into, or to be entered into, with its contracting parties (the “Business Partner”) so especially their conclusion, performance, amendment and termination which information qualifies as ”personal data” as defined in point 1 of article 4 of the General Data Protection Regulation No 2016/679 of the EU (“GDPR”) applicable starting 25 May 2018.
During its contracting procedure the Company enters into a contract with your company as a Business Partner. The Company is considered data controller with regard to the processing of the personal data of the natural persons who are nominated as contact persons in the contract concluded between the Business Partner and the Company. The nominated contact persons are entitled to represent the parties and take part in performance (hereinafter each a “Data Subject”).
The purpose of this Data Protection Notice (“Notice”) is to provide information regarding the processing of personal data and the rights and remedies of the individuals in relation to Data Subjects.
In addition to this bulletin, provisions of other policies of the Company may also be applicable to certain data processing operations, as long as not contradicting to this bulletin.
Legislation relating to data processing:
GDPR – Source: EUR-Lex - 32016R0679 - EN - EUR-Lex (europa.eu)
Act CXII of 2011 on Informational Self-determination and Freedom of Information (the Information Act) – Source: https://njt.hu/jogszabaly/2011-112-00-00
1/A. Contact details of the Company:
The Contact details stated under the Annex 1. according to which Company is the contractual party.
According to this Notice, the Company being contractual party or cooperating with potential business partners or processing any data necessary for maintaining business contacts shall be considered data controller.
Company and related parties shall not be considered joint data controllers under this Notice, they are all independent data controllers and carry out independent data processing.
2. DEFINITIONS:
“personal data” means any information relating to an identified or identifiable natural person (hereinafter as: “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
“processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
“restriction of processing” means the marking of stored personal data with the aim of limiting their processing in the future;
“controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
“processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
“recipient” means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities that may receive personal data in the framework of a particular inquiry in accordance with EU or Member State law shall not be regarded as recipients; the processing of such data by those public authorities must be in compliance with the applicable data protection rules in line with the purposes of the processing;
“third party” means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
3. UPDATES AND AVAILABILITY
The Company reserves the right to unilaterally, in its reasonable discretion, modify or revoke this Notice unilaterally with effect subsequent to such modification, subject to the limitations provided for in the laws and with advance notification to the individuals in due time, if necessary, by making updates available. The Company may modify this Notice especially when it is required upon changes in the laws, the practice of the data protection authority, business needs or any new activity involving personal data processing or any newly revealed security exposures.
4. SPECIFIC DATA PROTECTION TERMS
By proving the affected data, the subject confirms having understood the version hereof as applicable at the time of submitting the affected data or information. In certain cases, specific privacy-related terms and conditions may also be applicable of which the individuals who are affected by them will be duly notified.
5. SCOPE OF THE DATA AND THE PURPOSE OF THEIR PROCESSING
. If you or the Business Partner share(s) other personal data with Company in connection with the contract, it is assumed that you have the right to do so and you have the Business Partner to process and forward the shared data in accordance with this Notice. The data subject warrants holding an appropriate and informed consent or a suitable legal basis for submitting personal data. The Company shall not be liable for any damages, loss or harm out of a non-compliance of the data subject with the above commitments or statements.
The table below describes the scope of the processed personal data, the purposes, the legal basis, the duration of the processing and the scope of the persons authorized to have access to the data are described. In general, personal data listed below is shared by the Data Subject’s own free will. If the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, the Data Subject is obliged to provide the personal data listed in the table below. The legal consequences of failure to provide such data:
Where this Notice indicates the relevant limitation period as the duration of data storage, then an event which interrupts the limitation period shall extend the term of the data processing until the new date when the underlying claim may lapse.
Contact data are not subject to any automated individual decision-making and profiling.
A) Data processing in relation to drafting or performing contracts
The purpose of personal data processing
Data subject
Legal basis for processing
Categories of personal data processed
Retention period
Access granted to within / beyond the Company organization:
Possibility for communication with potential Business Partners
The possible future a natural person acting as a contact person for a Business Partner
Processing personal data on the basis of execution of the legitimate interests of the controller of personal data
Article 6 paragraph (1) letter f) of the GDPR
Contact person’s name, position, phone number and email address
The Controller retains records for 1 year, not later than contract is concluded.
Company’s management, business line managers, business partner contact person, sales representative, sales department
Drafting, finalizing and performing the contract
Non-signatory natural persons designated as contact persons (contact persons).
processing personal data on the basis of execution of the legitimate interests of the controller for proper contract content
Article 6 paragraph (1) letter f) of the GDPR
Personal data (name, phone number and e-mail address) of the Business Partner individual(s) acting on behalf of the Business Partner (if differs from the legal representative)
The Controller retains records until the termination of the contract.
Management, business line managers, business partner contact person, sales representative, account manager, project manager, finance and controlling department, accountant, auditor, legal service provider.
Drafting, finalizing and performing the contract
Representatives (representatives) of the Business Partner with signing right
Processing personal data on the basis of execution of the legitimate interests of the controller for proper contract content
Article 6 paragraph (1) letter f) of the GDPR
Personal data (name, phone number and e-mail address) of the individual(s) acting on behalf of the Business Partner by law
The Controller retains records until the termination of the contract.
Management, business line managers, business partner contact person, sales representative, account manager, project manager, finance and controlling department, accountant, auditor, legal service provider.
Drafting, finalizing and performing the contract
The employees or other individuals contributing to the performance of the contract.
The data controller's legitimate interest in proper contractual communication and administration.
Article 6 paragraph (1) letter f) of the GDPR
Personal data being necessary to fulfill the contract: name, phone number and e-mail address of the individual(s) acting on behalf of the Business Partner (e.g. project managers)
The Controller retains records until the termination of the contract.
Management, business line managers, business partner contact person, sales representative, account manager, project manager, finance and controlling department, accountant, auditor, legal service provider.
Drafting, finalizing and performing the contract
Natural person as contract party
Data required for identification and communication
Article 6 paragraph (1) letter b) of the GDPR
Name, mother's name, place and time of birth and signature.
The Controller retains records until the termination of the contract.
Management, business line managers, business partner contact person, sales representative, account manager, project manager, finance and controlling department, accountant, auditor, legal service provider.
Processing personal data on the basis of fulfilling legal (statutory) obligations pursuant to 159 paragraph of the Act on VAT
Legal basis article 6 paragraph 1 letter c GDPR
Legal basis article 6 paragraph 1 letter c GDPR
Tax identification number, bank account number
B) Data processing after the termination of the contract
The purpose of personal data processing
Data subject
Legal basis for processing
Categories of personal data processed
Retention period
Access granted to within / beyond the Company organization:
Proper settlement of fees and closing of the contract
Contacts, representatives, contributors, natural person contract parties.
The Data Controller's legitimate interest in presenting, asserting and protecting its legal claims arising from the contractual relationship.
Article 6 paragraph (1) letter f) of the GDPR
The data specified in point 5/A.
The Controller retains records 5 years counted from the termination date of the contract
Act V of 2013 on the Civil Code.(Section 6:22 (1))
Management, finance and controlling department, accountant, auditor, legal service provider.
Fulfilling accounting and taxation obligations
Contacts, representatives, contributors, natural person contracting parties.
Processing personal data on the basis of fulfilling legal (statutory) obligations pursuant to 159 paragraph of the Act on VAT
Article 6 paragraph (1) letter c) of the GDPR
Personal data (contact data) indicated on a document considered as an accounting document.
The Controller retains records for 8 years
169 paragraph of the Act on Accounting
Management, finance and controlling department, accountant, auditor.
The results of the interest assessment carried out by the Data Controllers:
The Data Controllers assess that the legal basis for data processing concerning contacts/contributors meets the expectations of GDPR set out in Article 6 paragraph 1 letter (f). The legitimate interest of the Data Controllers provides a solid legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding taking into consideration the reasonable expectations of data subjects based on their relationship with the controller.
The legitimate interest exists
The legitimate interest of the Data Controllers is to ensure contact and communication in relation the contracts entered intowith a Business Partner, and contribute to fulfilling its obligations under the contract.The Data Controllers have a legitimate interest in storing the personal data of the contacts of potential Business Partners for contacting future partners, offering services which is consistent with the activities and business goals of the Data Controllers.
Data processing is necessary
Data processing is necessary to contact the Business Partners and necessary for the purpose of communication with Business Partners. Lack of data processing would jeopardize the due performance of the contract and may result in breach of contract.In order to fulfill the business goals of the Data Controllers and for the purpose of cost-efficiency it is also necessary to manage the contact information considered personal data of potential Business Partners. Without the personal data of the contact person linking to the (possible) Business Partner’s company, such company and the Data Controllers cannot establish business relationship with each other.
Data processing is proportionate to the legitimate interest aim
The Data Controllers process the personal data of the data subject only for business purpose and to the extent that is appropriate.The processed data is not qualified special data.Data processing does not adversely affect the rights of the data subject and result in proportionate limitation as Data Controllers grant them the right of erasure of personal data upon request or objection.The Data Controller limits and restricts access to personal data for its own employees and data processors. In addition, in order to protect the data, it ensures the appropriate firewall and virus protection, thus guaranteeing the risk-proportionate protection of data processing.
The personal data processed shall be deleted immediately if data is not processed for the purpose specified in the legislation, or the purpose of data processing has ceased (e.g. the contact person's representation right terminated).
The Data Subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (f) of Article 6(1).
In case of objection, the Data Controller shall no longer process the personal data, unless the controller demonstrates compelling legitimate grounds for the processing which override the interests,
6. DATA PROCESSSORS
The contracting partners engaged by the Company for carrying out technical tasks related to data processing operations are listed below. The particular tasks and liabilities of the data processor are, under the GDPR and the laws, stipulated by the Company, also holding a liability for the compliance of its instructions so given. The data processor shall not have the rights of substantial decisions regarding the processing, may process obtained data in line with the Company’s instructions, may not perform data processing on its own behalf and shall store and keep personal data as instructed by the Company.
Data processor
Personal data it has access to and is entitled to use as (i.e. by performing for the Company the activity of):
Is entitled to store data until:
legal services
gbk Legal LLP at 1011 Budapest, Szilágyi Dezső tér 1 (including Brassnyó Law Firm and Kovács & Kálmán Law Firm)
full name, (mobile)phone number, email address, signature
the term set out in the service agreement (as per Section 4)
accounting services
H1 Könyvelőiroda és Tanácsadó Kft.1038 Budapest, Temes utca 11, F/3
full name, (mobile)phone number, email address, signature
the term set out in the service agreement (as per Section 4)
auditor
B. Kovács és Társa Kft.1041 Budapest, Závodszky Zoltán u. 3. 6/30
full name, (mobile)phone number, email address, signature
the term set out in the service agreement (as per Section 4)
By forwarding data to the data processor the Company is not forwarding affected data to any third country beyond the EU.
7. DATA FORWARDING TO OTHER PROCESSSORS
The Company forwards personal data to the below entities, acting as data handlers, which may set out the purpose of, resolve regarding the (technical) means of, or have a data handler retained regarding the performance of, data procession individually or in cooperation with others (incl. the Company).
Addressee of data forwarding
Legal basis of data forwarding:
Is entitled to process data by (performing the task of) and until:
-
-
-
8. TECHNICAL AND ORGANISATIONAL DATA SECURITY MEASURES
Two-factor authentication for all document management system, deploying policies, defining data access levels, password protected accounts, installing firewall, encryptions.
9. DATA PROTECTION RIGHTS AND REMEDIES
9.1 Data protection rights and remedies
The detailed rights and remedies of the individuals are set forth in the applicable provisions of the GDPR (especially in articles 15, 16, 17, 18, 19, 20, 21, 22, 77, 78, 79, 80, and 82 of the GDPR). The summary set out below describes the most important provisions and the Company provides information for the individuals in accordance with the above articles about their rights and remedies related to the processing of personal data.
The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. When requested by the individual, information may also be provided orally, provided that the identity of the individual is proven by other means.
The Company will respond without unreasonable delay and by no means later than within one month of receipt to the request of an individual whereby such person exercises his/her rights about the measures taken upon such request (see articles 15-22 of the GDPR). This period may be, if needed, extended by further two months in the light of the complexity of the request and the number of requests to be processed. The Company notifies the individual about the extension also indicating its grounds within one months of the receipt of the request.
9.2 The individual’s right of access
(1) The individual has the right to obtain confirmation from the Company whether or not personal data concerning him/her are being processed. Where the case is such, then he/she is entitled to have access to the personal data concerned and to the following information:
a) the purposes of the processing;
b) the categories of personal data concerned;
c) the recipients or categories of recipient to whom the personal data have been or will be disclosed including especially recipients in third countries and/or international organisations;
d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
e) the right of the individual to request from the Company rectification or erasure of personal data or restriction of processing of personal data concerning the individual or to object to such processing;
f) the right to lodge a complaint with a supervisory authority;
g) where the personal data are not collected from the individual, any available information as to their source;
h) the existence of automated decision-making, including profiling, referred to in Article 22 (1) and (4) of the GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the individual.
(2) Where personal data are forwarded to a third country, the individual is entitled to obtain information concerning the adequate guarantees of the data transfer.
(3) The Company provides a copy of the personal data undergoing processing to the individual. The Company may charge a reasonable fee based on administrative costs for requested further copies. Where the individual submitted his/her request in electronic form, the response will be provided to him/her by widely used electronic means unless otherwise requested by the individual.
9.3 Right to rectification
The individual has the right to request that the Company rectify inaccurate personal data which concern him/her without undue delay. In addition, the individual is also entitled to have incomplete personal data completed e.g. by a supplementary statement or otherwise.
9.4 Right to erasure (’right to be forgotten’)
(1) The individual has the right that when he/she so requests, the Company erase the personal data concerning him/her without delay where one of the following grounds applies:
(a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed by the Company;
(b) the individual withdraws consent on which the processing is based, and is no other legal ground subsists for the processing;
(c) the individual objects to the processing and there are no overriding legitimate grounds for the processing;
(d) the personal data have been unlawfully processed;
(e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the Company is subject;
(f) the collection of the personal data occurred in connection with offering services regarding the information society.
(2) In case the Company has made the personal data public and then it becomes obliged to delete it as aforesaid, then it will, taking into account the available technology and the costs of implementation, take reasonable steps including technical steps in order to inform processors who carry out processing that the individual has initiated that the links leading to the personal data concerned or the copies or reproductions of these be deleted.
(3) Paragraphs (1) and (2) shall not apply to the extent that processing is necessary, among other things, for:
a) exercising the right of freedom of expression and information;
b) compliance with a legal obligation which requires processing by Union or Member State law to which the Company is subject;
c) archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in so far as the right referred to in paragraph (1) is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
d) the establishment, exercise or defence of legal claims.
9.5 Right to restriction of processing
(1) The individual has the right to obtain a restriction of processing from the Company where one of the following applies:
a) the accuracy of the data is contested by the individual, for a period enabling the Company to verify the accuracy of the personal data;
b) the processing is unlawful and the individual opposes the erasure of the personal data and requests the restriction of their use instead;
c) the Company no longer needs the personal data for the purposes of the processing, but the individual requires them for the establishment, exercise or defence of legal claims;
d) the individual has objected to processing based on the legitimate interest of the Company pending the verification whether the legitimate grounds of the Company override those of the individual.
(2) Where processing has been restricted under paragraph (1), such personal data shall, with the exception of storage, only be processed with consent of the individual or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
(3) The Company informs the individual whose request has served as grounds for the restriction based on the aforesaid, before the restriction of processing is lifted.
9.6 Notification obligation regarding rectification or erasure of personal data or restriction of processing
The Company will communicate any rectification or erasure of personal data or restriction of processing to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The Company informs the individual about those recipients if he/she so requests.
9.7 Right to data portability
(1) The individual has the right to receive the personal data concerning him/her, which he/she has provided to the Company in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the Company, where:
a) the processing is based on consent or on a contract; and
b) the processing is carried out by automated means.
(2) In exercising the right to data portability pursuant to paragraph 1, the individual shall have the right to have the personal data transmitted directly from one controller to another (e.g. the Company and other data processors), where technically feasible.
(3) Exercising the aforesaid right shall not contravene to provisions concerning the right to erasure (‘right to be forgotten’) and, further, this right shall not harm the rights and freedoms of others.
9.8 Right to object
(1) The individual has the right to object, on grounds relating to his/her particular situation, at any time to processing of personal data concerning him/her (including profiling) for the purposes of legitimate interests. The Company will no longer process the personal data unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the individual or for the establishment, exercise or defence of legal claims.
(2) Where personal data are processed for direct marketing purposes, the individual has the right to object at any time to processing of personal data concerning him/her for such marketing, which includes profiling to the extent that it is related to such direct marketing. Where the individual objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
(3) Where personal data are processed for scientific or historical research purposes or statistical purposes, the individual, on grounds relating to his/her particular situation, has the right to object to processing of personal data concerning him/her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
9.9 Right to lodge a complaint with a supervisory authority
The individual has the right to lodge a complaint with a supervisory authority, in particular in the Member State of his/her habitual residence, place of work or place of the alleged infringement if he/she considers that the processing of personal data relating to him/her infringes the GDPR.In Hungary, the competent supervisory authority is the Hungarian Authority for Data Protection and Freedom of Information (http://naih.hu/;1055 Budapest, Falk Miksa utca 9-11.; 1363 Budapest, Pf.: 9; telephone: +36-1-391-1400; 06 (30)683-5969, 06 (30) 549 6838, fax: +36-1-391-1410; email: ugyfelszolgalat@naih.hu).
In Germany, the competent supervisory authority is the Berlin Commissioner for Data Protection and Freedom (https://www.datenschutz-berlin.de/, Tel.: +49 30 13889-0, Fax: +49 30 2155050).
In Singapore, the competent supervisory authority is the Personal Data Protection Commission (https://www.pdpc.gov.sg/Contact-Us; 10 Pasir Panjang Road, #03-01 Mapletree Business City Singapore 117438; Main Line: +65 6377 3131; Fax: +65 6577 3888).
9.10 Right to an effective judicial remedy against a supervisory authority
(1) The individual has the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning him/her.
(2) The individual has the right to an effective judicial remedy where the supervisory authority which is competent does not handle a complaint or does not inform him/her within three months on the progress or outcome of the complaint lodged.
(3) Proceedings against a supervisory authority shall be brought before the courts of the Member State where the supervisory authority is established.
9.11 Right to an effective judicial remedy against the Company or the processor
(1) The individual, without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority, has the right to an effective judicial remedy where he/she considers that his/her rights under the GDPR have been infringed as a result of the processing of his/her personal data in non-compliance with the GDPR.
(2) Proceedings against the Company or a processor shall be brought before the courts of the Member State where the Company or processor has an establishment. Alternatively, such proceedings may be brought before the courts of the Member State where the individual has habitual residence.
If you consider that the Data Controller is not acting lawfully in processing your personal data, please first communicate your observations or requests to the Data Controller using one of the contact details listed above, in order to enable us to process and handle your observation as quickly and efficiently as possible.
If you have any questions about the Policy, please write to us at the following e-mail address: privacy@aliz.ai
ANNEX 1.
The website of the controller is available at https://www.aliz.ai/.
Name of data Controller: Aliz Tech GmbH
Registered office: Friedrichstr. 68, 10117 Berlin, Germany
Registration number: HRB 246792
Registered with the commercial register of the Local court in Berlin (Amtsgerichts Berlin)
Represented by Mr. Boscha István CEO, independently
E-mail: privacy@aliz.ai
The Controller is not obliged to appoint a data protection officer
Name of data Controller: Aliz Technologies Pte. Ltd.
Registered office: 9 RAFFLES PLACE, #26-01, REPUBLIC PLAZA, SINGAPORE 048619
Registration number: 201626576G
Represented by Mr. Balázs Molnár CEO, independently
E-mail: privacy@aliz.ai
The Controller is not obliged to appoint a data protection officer
Name of data Controller: Aliz Technologies Korlátolt Felelősségű Társaság
Registered office: 1143 Budapest, 42-44 Gizella út, Hungary
Registration number: 01-09-924920
Registered with the Court of Registration of the Metropolitan Tribunal (Fővárosi Törvényszék Cégbírósága)
Represented by by Mr. Tamás Szatmári director, independently
E-mail: privacy@aliz.ai
The Controller is not obliged to appoint a data protection officer
Name of data Controller: PT Aliz Technologies Indonesia
Registered office: GD. Revenue Tower, Lt. 27 No. 106, District 8, LOT 13 SCBD, JL. JEND. Sudirman kav. 52-53, Indonesia
Registration number: 1330989
Registered with the Companies House of Indonesia
Represented by Tamás Szatmári President Director
E-mail: privacy@aliz.ai
The Controller is not obliged to appoint a data protection officer