
Privacy Policy

Privacy Policy of Safis EVO Inc. and its affiliated companies

The purpose of this Privacy Policy is to set out the data protection and data processing principles applied by

Safis EVO Inc. (registered office: 677 N Washington Blvd #57, Sarasota, Florida 34236, USA; company registration number: P18000005419),

Trend-Inovest Magyarország Kft. (registered office: 1105 Budapest, Mádi utca 17. B. building; tax number: 26320896-2-42),

Blokkwood Magyarország Kft. (registered office: 1105 Budapest, Mádi utca 17. B. building; tax number: 26743101-2-42), and

EFC Technológia Magyarország Kft. (registered office: 1105 Budapest, Mádi utca 17. B. building; tax number: 27105366-2-42) –

hereinafter collectively referred to as the “Companies” – and to provide information to data subjects about the data processing activities of the Companies, as well as about the rights of data subjects and the legal remedies available to them in connection with the processing of their personal data.

The data processing carried out by Trend-Inovest Magyarország Kft. as the operator of the web shop is regulated in a separate policy.

The provisions of this Privacy Policy apply to the processing of personal data relating to natural persons by the Companies. For the purposes of this Policy, sole traders, sole proprietorships and primary agricultural producers shall be regarded as natural persons.

In processing, recording, managing and transmitting personal data, the Companies act in compliance with the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter: GDPR), as well as Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information (hereinafter: Infotv.).

Definitions

For the purposes of this Privacy Policy, the definitions set out in the Infotv. and in Article 4 of the GDPR shall apply.

“personal data”: any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

“processing”: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

“controller”: the natural or legal person, public authority, agency or other body which processes personal data.

Under this Privacy Policy, the following entities act as controllers:

Safis EVO Inc.
(registered office: 677 N Washington Blvd #57, Sarasota, Florida 34236, USA;
tax number: 61-1865663;
company registration number: P18000005419;
postal address: 1105 Budapest, Mádi utca 17. B. building)

Trend-Inovest Magyarország Kft.
(registered office: 1105 Budapest, Mádi utca 17. B. building;
tax number: 26320896-2-42;
company registration number: 01-09-323971)

“data subject”: you, as the individual who is the subject of the personal data. During data processing, you are the identified or identifiable natural person whose data are processed. Even if you are not acting as a private individual but as the official representative of a legal entity (with individual or joint signing rights), the Companies will process your personal data in accordance with this Privacy Policy.

“data subject’s consent”: any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she signifies agreement to the processing of personal data relating to him or her;

“processor”: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. The use of a processor does not require the prior consent of the data subject, but the data subject must be informed.

Accordingly, we provide the following information:

The Companies’ IT service provider (hosting, application development, etc.):
BlazeArts Kft.
6090 Kunszentmiklós, Damjanich u. 36. 1/8

Newsletter services:

Listamester online newsletter service
Bithuszárok Számítástechnikai és Szolgáltató Betéti Társaság
Address: 2051 Biatorbágy, Damjanich utca 8.
E-mail: info@listamester.hu

Webgalamb online newsletter service
CREON HEROES Zrt. – creon.io
Address: 5561 Békésszentandrás, Dr. Dunay Alajos u. 1.

Postal services, delivery, parcel services:

Magyar Posta (Hungarian Post);

GLS General Logistics Systems Hungary Kft.
Registered office: 2351 Alsónémedi, GLS Európa u. 2.

“personal data breach”: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

“recipient”: a natural or legal person, public authority, agency or another body, to which or to whom the personal data are disclosed, whether or not it is a third party. Public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.

“third party”: a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.

I. Data processing activities of the Companies
  1. Contact as an investor and/or inventor
  2. Applications for job offers of the Companies
  3. Subscription to newsletters
  4. Application to startup programmes as an investor and/or inventor
  5. Conclusion of contracts as an investor and/or inventor
  6. Data of natural person representatives of legal entity clients, customers and suppliers
  7. Visitor data processing on the Companies’ websites

1. Contact as an investor and/or inventor

When contacting the Companies, it is necessary to provide personal data in order to enable a reply. The Companies use personal data solely for the purpose of responding to the enquiry.

a) Purpose of processing: providing information and clarification relating to the Companies’ services;

b) Scope of personal data processed: name (surname, first name), e-mail address, telephone number of the natural person;

c) Legal basis for processing: the processing is based on the data subject’s prior, explicit consent in accordance with Section 5 (1) (b) of the Infotv. and Article 6 (1) (a) of the GDPR;

d) Duration of processing: in the case of a one-off exchange of information, the Companies shall delete the data without delay after having provided the reply; in the case of a consumer complaint, the duration of processing is 5 years.

2. Applications for job offers of the Companies

The personal data provided by the applicant/interested person in the application documents and application form are processed for the purpose of conducting the recruitment procedure and retained so that the Companies may contact the applicant regarding new job opportunities.

a) Purpose of processing: conducting the recruitment procedure, notification about job opportunities;

b) Scope of personal data processed: name (surname, first name), e-mail address, telephone number of the natural person;

c) Legal basis for processing: the processing is based on the data subject’s prior, explicit consent in accordance with Section 5 (1) (b) of the Infotv. and Article 6 (1) (a) of the GDPR;

d) Recipients or categories of recipients of personal data: employees of the Companies performing HR-related tasks, and the IT service provider of the Companies as processor;

Duration of storage: until withdrawal of the data subject’s consent (request for erasure).

3. Subscription to newsletters

On the Companies’ websites, natural persons may give their consent to the processing of their personal data for the newsletter service by ticking the relevant checkbox. Access to the Privacy Policy must be ensured via a link at the time of subscription. The data subject may unsubscribe from the newsletter at any time by using the “Unsubscribe” function in the newsletter or by making a written or e-mail statement. Unsubscribing constitutes withdrawal of consent. In such cases, all data of the unsubscribing person must be deleted without delay.

a) Purpose of processing: sending newsletters about the Companies’ products and services; sending advertising materials;

b) Scope of personal data processed: name (surname, first name), e-mail address, telephone number of the natural person;

c) Legal basis for processing: the processing is based on the data subject’s prior, explicit consent in accordance with Section 5 (1) (b) of the Infotv. and Article 6 (1) (a) of the GDPR;

d) Recipients or categories of recipients of personal data: employees of the Companies performing customer service and marketing activities, and the IT service provider of the Companies as processor;

e) Duration of storage: for as long as the newsletter service exists, or until the data subject withdraws consent (requests erasure).

4. Application to startup programmes as an investor and/or inventor

The service portfolio of the Companies includes startup programmes.

Purpose of processing: providing information to applicants interested in the startup programmes about the programmes;

Scope of personal data processed: name (surname, first name), e-mail address, telephone number, mailing address of the natural person;

Legal basis for processing: the processing is based on the data subject’s prior, explicit consent in accordance with Section 5 (1) (b) of the Infotv. and Article 6 (1) (a) of the GDPR.

Duration of storage: for the duration of the relationship with the Companies or until the data subject withdraws consent (requests erasure).

5. Conclusion of contracts as an investor and/or inventor

a) Purpose of processing: the Companies process the data of natural persons, sole traders, private individuals with a tax number, sole proprietorships and primary agricultural producers who enter into a legal relationship with them, for the purpose of preparing and concluding contracts with investors and/or inventors, monitoring the performance of such contracts, invoicing and settlement.

b) Scope of personal data processed:
i. name,
ii. birth name,
iii. place and date of birth,
iv. mother’s maiden name,
v. address, mailing address,
vi. bank account number,
vii. identity card number,
viii. tax identification number,
ix. tax number,
x. telephone number,
xi. e-mail address and other electronic contact details,
xii. sole trader registration number or primary producer’s licence number,
xiii. registered office,
xiv. place of business.

c) Legal basis for processing:
i. processing is necessary for the performance of a contract to which the data subject is party [Article 6 (1) (b) GDPR];
ii. processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party [Article 6 (1) (f) GDPR].

d) Duration of processing: 5 years following the termination of the contract; in the absence of contract conclusion, the period specified in the relevant consent, or, failing that, 5 years, or 5 years following the end of the person’s representative status.

e) Data transfers: personal data may be accessed by employees and processors of the Companies performing accounting and tax tasks, as well as by employees and contracted processors with responsibilities in trade and service provision. Data are transferred to these persons.

6. Data of natural person representatives of legal entity clients, customers and suppliers

a) Purpose of processing: the Companies process the data of natural persons representing legal entities that enter into a legal relationship with them as customers or suppliers, for the purpose of preparing and concluding contracts, monitoring performance and maintaining business contacts.

b) Scope of personal data processed:
i. name (surname and first name),
ii. birth name,
iii. position,
iv. telephone number,
v. e-mail address and other electronic contact details.

c) Legal basis for processing: the processing is based on the data subject’s prior, explicit consent in accordance with Section 5 (1) (b) of the Infotv. and Article 6 (1) (a) of the GDPR.

d) Duration of processing: 5 years following the termination of the contract; in the absence of contract conclusion, the period specified in the relevant consent, or, failing that, 5 years, or 5 years following the end of the person’s representative status. If no contract is concluded, the data obtained during the preparatory phase shall be deleted by the Companies or processed only with the data subject’s consent.

e) Data transfers: the above personal data may be accessed by employees and processors of the Companies performing accounting, tax, contract management and customer service tasks, as well as employees and processors with responsibilities in trade and service provision, and data are transferred to these persons.

7. Visitor data processing on the Companies’ websites – Information on the use of cookies

General information about cookies

a) In line with the generally accepted practice on the internet, our Companies also use cookies on their websites. A cookie is a small package of information consisting of letters and numbers which the visited website sends to the visitor’s browser in order to store certain settings, make the use of our websites easier, and assist in collecting some statistical information about visitors to our websites.

b) In general, cookies help websites serve as effective sources of information for users and enable the operator of the website to monitor the proper functioning of the site, prevent misuse, and ensure the smooth and appropriate provision of the services offered on the website.

c) The cookies used on the websites, by themselves, are not suitable to identify the user.

d) Accepting and enabling the use of cookies is not mandatory.

e) The user can delete cookies from their own computer and can also configure their browser to block the use of cookies. By blocking cookies, the user acknowledges that, without cookies, the given site may not function fully.

Information about the cookies used on the Companies’ websites

Our Companies’ websites, during their use, record and process the following data concerning the visitor and the device used for browsing:

  • IP address of the visitor;

  • type of browser;

  • characteristics of the operating system of the device used for browsing (language setting);

  • time of the visit;

  • visited (sub)page, function or service;

  • clicks.

b) Technically essential session cookies

Purpose of processing: ensuring the proper functioning of the website.
These cookies are necessary for visitors to browse the website, use its functions smoothly and in full, and to access the services available through the website. The duration of processing for these cookies relates only to the current visit of the user; these cookies are automatically deleted from the user’s computer when the session ends or the browser is closed.

Data processed: AVChatUserId, JSESSIONID, portal_referer.

The legal basis for this processing is Section 13/A (3) of Act CVIII of 2001 on certain aspects of electronic commerce services and information society services (Elkertv.), which allows the service provider to process personal data that are technically essential for the provision of the service. Given identical conditions, the service provider must choose and operate the tools used for providing information society services in such a way that personal data are processed only if this is essential for the provision of the service and for the fulfilment of the purposes defined in this Act, and even then only to the extent and for the time necessary.

c) Cookies requiring consent

Purpose of processing: allowing the Companies to remember the user’s choices relating to the website. The user may prohibit this processing at any time before or during the use of the service. These data cannot be linked to the user’s identifying data, and may not be disclosed to third parties without the user’s consent.

The legal basis for this processing is the user’s consent.

d) Performance-enhancing cookies

These are typically third-party applications (e.g. Google Analytics, AdWords).

Purpose of processing: website analytics, sending advertising offers.

Google Analytics cookies – information is available here:
https://developers.google.com/analytics/devguides/collection/analyticsjs/cookie-usage

Google AdWords cookies – information is available here:
https://support.google.com/adwords/answer/2407785?hl=en

Google AdWords cookie
When someone visits our website, the visitor’s cookie ID is added to the remarketing list. Google uses cookies such as the NID and SID cookies in Google products – for example, to customise ads in Google Search. These cookies are, for instance, used to remember your recent searches, your previous interactions with the advertisements or search results of individual advertisers, and your visits to advertisers’ websites. The AdWords conversion tracking function uses cookies. To track sales and other conversions resulting from ads, cookies are stored on the user’s computer when they click on an ad. Common purposes of such cookies include selecting ads based on what is relevant to the user, improving reports on campaign performance, and avoiding showing ads that the user has already seen.

Google Analytics cookie
Google Analytics is Google’s analytics tool that helps website and application owners get a more accurate picture of their visitors’ activities. The service may use cookies to collect information and compile reports on website usage statistics without individually identifying visitors to Google. The main cookie used by Google Analytics is the “_ga” cookie. In addition to website usage statistics, Google Analytics may also be used – together with some of the advertising cookies mentioned above – to display more relevant ads in Google products (such as Google Search) and across the internet.

Facebook pixel (Facebook cookie)
The Facebook pixel is a piece of code that helps generate reports on conversions on the website, build target audiences, and provides detailed analytics on how visitors use the website. With the Facebook pixel, personalised offers and ads can be displayed to visitors of the website on the Facebook platform. Facebook’s data policy can be found here:
https://www.facebook.com/privacy/explanation

Information on cookie settings in the most popular browsers is available at:

8. Responsibility for the accuracy of the personal data provided

The Companies do not verify the personal data provided to them. Responsibility for the accuracy of the data lies solely with the person who provides them.

The Companies draw users’ attention to the following:

a) Please ensure that your data are kept up to date. For example, if the user fails to notify the change of a delivery/mailing address previously provided and the next consignment is delivered to the wrong address, the user shall be liable for any damage arising from such erroneous delivery;

b) The Companies may request appropriate proof of authorisation.

    II. Security of processing

    1. Organisational and technical measures

    Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including, as appropriate:

    a) the pseudonymisation and encryption of personal data;
    b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
    c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
    d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing;
    e) storing processed data in such a way that unauthorised persons cannot access them: for paper-based data carriers, this is ensured by the rules on physical storage and archiving; for electronically processed data, by applying a central access control system;
    f) choosing the method of electronic storage of data in such a way that data can be deleted – also taking into account different erasure deadlines – at the end of the retention period or if deletion is otherwise required. Deletion must be irreversible;
    g) personal data on paper-based data carriers shall be destroyed using a shredder or by engaging an external company specialised in document destruction. In the case of electronic data carriers, physical destruction must be carried out in accordance with the rules on the disposal of electronic media, and the secure and irreversible erasure of data must be ensured beforehand where necessary.

    2. IT protection

    a) The computers and mobile devices (and other data carriers) used in the course of data processing are the property of the Service Provider.
    b) The computer system used by the Service Provider for processing personal data is protected by virus protection.
    c) To ensure the security of digitally stored data, the Service Provider carries out data backups and archiving.
    d) Only persons with appropriate access rights designated by the Service Provider may access the central server.
    e) Access to the data stored on computers is possible only with a username and password.

    III. ENSURING THE LAWFULNESS OF PROCESSING

    1. Processing based on the data subject’s consent

    Where the Companies intend to carry out processing based on consent, they must obtain the data subject’s consent to the processing of their personal data.

    Consent shall also be deemed to have been given if the data subject, when visiting the Companies’ websites, ticks a relevant checkbox, makes the appropriate technical settings when using information society services, or makes any other statement or performs any other act indicating, in the given context, their agreement to the intended processing of their personal data. Pre-ticked boxes do not constitute consent.

    Consent shall cover all processing activities carried out for the same purpose or purposes. Where processing has multiple purposes, consent shall be given for all of them.

    If the data subject gives consent in the context of a written statement that also concerns other matters – for example, entering into a sales or service contract – the request for consent must be clearly distinguishable from the other matters, in an intelligible and easily accessible form.

    The Companies may not make the conclusion or performance of a contract conditional on consent to the processing of personal data that are not necessary for the performance of the contract.

    Withdrawal of consent shall be made as easy as giving consent.

    2. Processing based on a legal obligation

    In the case of processing based on a legal obligation, the scope of data that may be processed, the purpose of the processing, the duration of storage and the recipients shall be determined by the applicable law forming the basis of the processing.

    Processing based on a legal obligation is independent of the data subject’s consent, as the processing is determined by law. Before such processing begins, the data subject must be informed that the processing is compulsory. The data subject must be clearly and thoroughly informed, prior to processing, of all facts relating to the processing of their data, in particular the purpose and legal basis of processing, the identity of the controller and of any processor, the duration of processing, whether the controller processes the data subject’s personal data on the basis of a legal obligation applicable to it, as well as who may have access to the data.

    The information shall also cover the data subject’s rights and legal remedies relating to the processing. In the case of compulsory processing, the information may also be provided by referencing and publishing the relevant provisions of the law containing these details.

    IV. RIGHTS OF THE DATA SUBJECT AND REMEDIES

    1. Transparent information, communication and facilitation of the exercise of the data subject’s rights; complaint handling

    a) The controller must provide any information and any communication relating to the processing of personal data to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language.

    b) The controller must facilitate the exercise of the data subject’s rights.

    c) The controller shall provide information on action taken on a request under the data subject’s rights without undue delay and in any event within one month of receipt of the request. This period may, under the conditions laid down in the GDPR, be extended by a further two months, of which the data subject must be informed.

    d) Where the controller does not take action on the request of the data subject, the controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

    In Hungary the competent supervisory authority is:

    National Authority for Data Protection and Freedom of Information (NAIH)
    Address: 1055 Budapest, Falk Miksa utca 9-11.
    Mailing address: 1363 Budapest, Pf.: 9.
    Telephone: +36 (1) 391-1400
    Fax: +36 (1) 391-1410
    E-mail: ugyfelszolgalat@naih.hu
    Website: http://www.naih.hu

    2. Right to prior information where personal data are collected from the data subject

    The data subject has the right to be informed of the facts and information relating to the processing before the processing of personal data begins. The data subject must be informed of:

    a) the identity and contact details of the controller and, where applicable, of the controller’s representative;
    b) where applicable, the contact details of the data protection officer;
    c) the purposes of the processing for which the personal data are intended, as well as the legal basis for processing;
    d) where processing is based on a legitimate interest, the legitimate interests pursued by the controller or by a third party;
    e) the recipients or categories of recipients of the personal data, if any;
    f) where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation.

    The detailed rules of the right to prior information are set out in Article 13 of the GDPR.

    3. Information to be provided where personal data have not been obtained from the data subject

    a) Where personal data have not been obtained from the data subject, the controller shall provide the data subject with the information listed in points 2 a–f above, as well as information on the categories of personal data concerned and the source of the data, and, where applicable, whether the data came from publicly accessible sources, within the following timeframes: at the latest within one month after obtaining the personal data; if the data are used for communication with the data subject, at the latest at the time of the first communication; or if disclosure to another recipient is envisaged, at the latest when the personal data are first disclosed.

    The further relevant rules are set out in point 2 above and in Article 14 of the GDPR.

    4. Right of access

    a) The data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the information listed in points 2–3 above.

    The detailed rules on the right of access are set out in Article 15 of the GDPR.

    5. Right to rectification

    a) The data subject has the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her.

    b) Taking into account the purposes of the processing, the data subject has the right to have incomplete personal data completed, including by means of providing a supplementary statement.

    These rules are set out in Article 16 of the GDPR.

    6. Right to erasure (“right to be forgotten”)

    a) The data subject has the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller has the obligation to erase personal data without undue delay where one of the following grounds applies:

    b) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
    c) the data subject withdraws consent on which the processing is based and there is no other legal basis for the processing;
    d) the data subject objects to the processing and there are no overriding legitimate grounds for the processing;
    e) the personal data have been unlawfully processed;
    f) the personal data must be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
    g) the personal data have been collected in relation to the offer of information society services directly to a child.

    The right to erasure does not apply to the extent that processing is necessary:

    a) for exercising the right of freedom of expression and information;
    b) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority;
    c) for reasons of public interest in the area of public health;
    d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, where erasure is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
    e) for the establishment, exercise or defence of legal claims.

    The detailed rules on the right to erasure are set out in Article 17 of the GDPR.

    7. Right to restriction of processing

    The data subject has the right to obtain from the controller restriction of processing where one of the following applies:

    a) the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
    b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
    c) the controller no longer needs the personal data for the purposes of processing, but they are required by the data subject for the establishment, exercise or defence of legal claims; or
    d) the data subject has objected to processing; in this case, restriction applies for the period until it is verified whether the legitimate grounds of the controller override those of the data subject.

    The data subject must be informed in advance of the lifting of the restriction of processing.
    The relevant rules are contained in Article 18 of the GDPR.

    8. Notification obligation regarding rectification or erasure of personal data or restriction of processing

    The controller shall communicate any rectification or erasure of personal data or restriction of processing carried out to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The controller shall inform the data subject about those recipients if the data subject requests it.

    These rules are set out in Article 19 of the GDPR.

    9. Right to data portability

    a) Under the conditions set out in the GDPR, the data subject has the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and has the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:
    – the processing is based on consent or on a contract; and
    – the processing is carried out by automated means.

    b) The data subject may request direct transmission of personal data from one controller to another, where technically feasible.

    c) The exercise of the right to data portability shall be without prejudice to Article 17 of the GDPR (right to erasure). This right shall not apply to processing necessary for the performance of a task carried out in the public interest or the exercise of official authority. It shall not adversely affect the rights and freedoms of others.

    The detailed rules are set out in Article 20 of the GDPR.

    10. Right to object

    a) The data subject has the right to object at any time to processing of personal data concerning him or her which is based on the public interest, the exercise of official authority [Article 6 (1) (e) GDPR] or legitimate interests [Article 6 (1) (f) GDPR], including profiling based on those provisions. In such a case, the controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

    b) Where personal data are processed for direct marketing purposes, the data subject has the right to object at any time to such processing, including profiling to the extent that it is related to such direct marketing. If the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.

    c) This right must be explicitly brought to the attention of the data subject no later than at the time of the first communication with the data subject and must be presented clearly and separately from any other information.

    d) The data subject may exercise the right to object by automated means using technical specifications.

    The relevant rules are set out in Article 21 of the GDPR.

    11. Automated individual decision-making, including profiling

    a) The data subject has the right not to be subject to a decision based solely on automated processing – including profiling – which produces legal effects concerning him or her or similarly significantly affects him or her.

    b) This right shall not apply if the decision:
    i. is necessary for entering into, or performance of, a contract between the data subject and a controller;
    ii. is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or
    iii. is based on the data subject’s explicit consent.

    The detailed rules are set out in Article 22 of the GDPR.

    12. Communication of a personal data breach to the data subject

    Where a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller must communicate the personal data breach to the data subject without undue delay. The communication shall describe in clear and plain language the nature of the personal data breach and shall at least:

    a) provide the name and contact details of the data protection officer or other contact point where more information can be obtained;
    b) describe the likely consequences of the personal data breach;
    c) describe the measures taken or proposed to be taken by the controller to address the data breach, including, where appropriate, measures to mitigate its possible adverse effects.

    Communication to the data subject shall not be required if any of the following conditions is met:

    a) the controller has implemented appropriate technical and organisational protection measures and those measures were applied to the personal data affected by the breach, in particular those that render the personal data unintelligible to any person who is not authorised to access them, such as encryption;
    b) the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialise;
    c) it would involve disproportionate effort. In such a case, a public communication or similar measure shall be used whereby data subjects are informed in an equally effective manner.

    The detailed rules are set out in Article 34 of the GDPR.

    13. Right to lodge a complaint with a supervisory authority

    a) The data subject has the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or of the alleged infringement, if the data subject considers that the processing of personal data relating to him or her infringes the GDPR. The supervisory authority with which the complaint has been lodged must inform the complainant of the progress and the outcome of the complaint, including the possibility of a judicial remedy.

    These rules are set out in Article 77 of the GDPR.

    b) Right to an effective judicial remedy against a supervisory authority

    Without prejudice to any other administrative or non-judicial remedy, every natural and legal person has the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning them.

    Without prejudice to any other administrative or non-judicial remedy, each data subject has the right to an effective judicial remedy where the supervisory authority which is competent fails to handle a complaint or does not inform the data subject within three months of the progress or outcome of the complaint.

    Proceedings against a supervisory authority shall be brought before the courts of the Member State where the supervisory authority is established.

    These rules are set out in Article 78 of the GDPR.

    14. Right to an effective judicial remedy against a controller or processor

    a) Without prejudice to any available administrative or non-judicial remedy – including the right to lodge a complaint with a supervisory authority – each data subject has the right to an effective judicial remedy where he or she considers that his or her rights under the GDPR have been infringed as a result of the processing of his or her personal data in non-compliance with the GDPR.

    b) Proceedings against a controller or a processor shall be brought before the courts of the Member State where the controller or processor has an establishment.

    These rules are set out in Article 79 of the GDPR.

    V. HANDLING OF PERSONAL DATA BREACHES

    1. Concept of personal data breach

    A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data transmitted, stored or otherwise processed (Article 4 (12) GDPR).

    Typical reported incidents include, for example: loss of a laptop or mobile phone; insecure storage of personal data (e.g. payslips thrown into a waste bin); insecure transmission of data; unauthorised copying or transfer of customer and partner lists; attacks against servers; website hacking.

    2. Management and remedy of personal data breaches

    The prevention and management of personal data breaches, as well as compliance with related legal obligations, are the responsibility of the management of the Company.

    Accesses and attempted accesses to IT systems must be logged and continuously analysed.

    If employees of the Companies authorised to carry out inspections become aware of a personal data breach in the course of their duties, they must immediately inform the management of the Company.

    Personal data breaches can be reported via the Companies’ central e-mail address and telephone number, through which employees, contractors and data subjects can report the underlying events and security weaknesses.

    In the case of a personal data breach report, the management of the Company – involving the IT, financial and operations managers – shall immediately investigate the report. During this investigation, the incident must be identified and a decision must be made as to whether it is a real incident or a false alarm. The following must be examined and established:

    a) the time and place of the incident;
    b) description, circumstances and effects of the incident;
    c) scope and quantity of data compromised by the incident;
    d) the group of persons affected by the compromised data;
    e) description of the measures taken to remedy the incident;
    f) description of the measures taken to prevent, eliminate or reduce damage.

    In the event of a personal data breach, the affected systems, persons and data must be isolated and delimited, and evidence supporting the occurrence of the incident must be collected and preserved. Only then may the repair of damage and the re-establishment of lawful operation begin.

    3. Register of personal data breaches

    A register must be kept of personal data breaches, which shall include:

    a) the scope of personal data concerned;
    b) the group and number of data subjects affected by the personal data breach;
    c) the time of the personal data breach;
    d) the circumstances and effects of the personal data breach;
    e) the measures taken to remedy the personal data breach;
    f) other data specified in the law prescribing the processing.

    Data relating to personal data breaches recorded in the register must be kept for 5 years.

    VI. FINAL PROVISIONS

    Entry into force and amendment of the Privacy Policy

    For any (ad hoc) data processing activities not listed in this Privacy Policy, the Companies will provide information at the time of data collection.

    The Companies reserve the right to amend this Privacy Policy at any time at their sole discretion. Following the amendment of the Privacy Policy, all data subjects must be duly informed. Continued use of the Companies’ services after the amendment constitutes acknowledgment and acceptance of the modified data processing rules.

     
