Purpose and scope of the Policy
The scope of the Policy covers the data processing of all personal and special data carried out by any units of the Controller.
–Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (general data protection regulation; hereinafter referred to as: „GDPR”)
–Act CXII of 2011 on Informational Self-Determination and Freedom of Information (hereinafter referred to as: "Privacy Act")
–Act V of 2013 on the Hungarian Civil Code (hereinafter referred to as: „Civil Code”)
–Act CXXX of 2016 Code of Civil Procedure (hereinafter referred to as: „Civil Procedure”)
–Act XXIII of 2001 on electronic commerce and on information society services (hereinafter referred to as: „E-commerce Act”)
Data of the Controller
Applicable data of the Collector are the followings:
Name: Research Professionals Kft.
Seat: 1095 Budapest, Soroksari ut 44.
Company Reg. No.: 01-09-187701
Registering court: Budapest-Capital Regional Court
Scope, purpose, duration and title of the processed data
The data processing operation of Controller are based on the consent of the data subject or on legal provision. In case of voluntary consent, the data subject may request information about the scope of the processed data at any time and also about how they are used, and may withdraw the consent, except in certain cases where the data processing is continued on the basis of a legal obligation (in such cases, the Controller shall provide information to the data subject regarding the further processing of the data).
Data providers shall submit their data correctly.
If the informant does not provide his/her personal data, the information provider is obliged to obtain the consent of the data subject.
If the Controller transmits data to data processors or other third parties, the Controller keeps records of these. The data transfer note shall contain the addressee, the method, the date and the range of data transmitted.
Data processing of each activities of Controller are the followings:
Legal title of the data processing: consent of data subject (by liking the Facebook page of Controller)
Scope of processed data: data provided via messages; data used by Facebook cookies
Purpose of data processing: to provide more information about promotional products and other topicalities affecting the Controller
Data processor: Facebook Ireland Limited (in respect of the Facebook cookies)
Deadline of deletion of data: unilaterally by the Controller, if the message has a content that creates a legal obligation to the Controller, or if it considers that it may be necessary in the future to enforce or protect the rights of its own or third parties interest the data will be deleted after 5 years, otherwise within 30 days of receipt of the message; cookies are used and deleted in accordance with the current Facebook information page (https://www.facebook.com/policies/cookies/), the Data Processor does not have access to these data
Possible consequence of failure to deliver data: inability to access information
Google Analytics Cookies of the Website:
Legal title of the data processing: consent of data subject
Applied cookies: Google Analytics cookies – sends anonymous IP address to Google Inc. containing only the tracking ID of the visitor
Scope of processed data: Google Analytics cookies: IP address of the visitor
Purpose of data processing: Google Analytics cookies: Improving the operation of a data management website
Data processor: Google Inc. (Mountain View, California, USA)
Deadline of deletion of data and further information:
Possible consequence of failure to deliver data: endangering the proper working of the Website
Hotjar Cookies of the Website:
Legal title of the data processing: legitimate interest of Controller
Applied cookies: Hotjar cookies – allows the Controller to measure and observe behavior of the visitor of the Website
Scope of processed data: see detailed under https://help.hotjar.com/hc/en-us/articles/115009334567-What-is-Hotjar-
Purpose of data processing: Improving the operation of the Website
Data processor: Hotjar Limited (Level 2, St Julian’s Business Centre, 3, Elia Zammit Street, St Julian’s STJ 1000, Malta)
Deadline of deletion of data and further information: https://www.hotjar.com/legal/policies/privacy
Cookies set by Hotjar
_hjClosedSurveyInvites > This cookie is set once a visitor interacts with a Survey invitation modal popup. It is used to ensure that the same invite does not re-appear if it has already been shown.
_hjDonePolls > This cookie is set once a visitor completes a poll using the Feedback Poll widget. It is used to ensure that the same poll does not re-appear if it has already been filled in.
_hjMinimizedPolls > This cookie is set once a visitor minimizes a Feedback Poll widget. It is used to ensure that the widget stays minimizes when the visitor navigates through your site.
_hjDoneTestersWidgets > This cookie is set once a visitor submits their information in the Recruit User Testers widget. It is used to ensure that the same form does not re-appear if it has already been filled in.
_hjMinimizedTestersWidgets > This cookie is set once a visitor minimizes a Recruit User Testers widget. It is used to ensure that the widget stays minimizes when the visitor navigates through your site.
_hjIncludedInSample > This session cookie is set to let Hotjar know whether that visitor is included in the sample which is used to generate funnels.
_hjShownFeedbackMessage > This cookie is set when a visitor minimizes or completes Incoming Feedback. This is done so that the Incoming Feedback will load as minimized immediately if they navigate to another page where it is set to show.
_hjid > This cookie is set when the customer first lands on a page with the Hotjar script. It is used to persist the random user ID, unique to that site on the browser. This ensures that behavior in subsequent visits to the same site will be attributed to the same user ID.
Rights of data subject, remedies
Data subjects may request information from the Controller on the data handling at any time in writing, may indicate the need for modification or deletion and may withdraw previously given consent given in paragraph 3 at any time.
The data subject may not exercise the right of cancellation of the data subject in case of mandatory data processing required by law.
Content of the right to information: On the request of the data subject, the Controller shall provide the data subject to the information listed in Articles 13 and 14 of the GDPR on the processing of personal data as well as the information under Articles 15-22. and Article 34 shall be provided in a concise, comprehensible form.
Content of the right to access: At the request of the data subject, the Data Controller shall provide information on whether the data controller is in the process of processing the data. If the Data Controller is in the process of processing data on the applicant, the data subject is entitled to access:
–The personal data relating to the data subject;
–Purpose(s) of data the data processing;
–Categories of personal data involved;
–The persons with whom the data of the data subject have been or will be communicated;
–Duration of data storage;
–The right to rectify, erase and limit data processing;
–The right to apply to a court or a supervisory authority;
–The source of the processed data;
–Profiling and/or automated decision making, or details of its application, practical effects;
–Transfer of processed data to a third country or international organization.
In the case of a data request as described above, the Controller shall provide the data subject with a copy of the data he/she manages for the request. Upon request, it is possible to request delivery by electronic means from the Controller.
For each additional copy, the Controller requests an administration fee of HUF 500 per page.
The deadline for submitting the requested data is 30 days from receipt of the request.
Right to rectification: The data subject may request rectification of inaccurate data managed by the Controller.
Right to cancellation: If any of the following reasons apply, the Controller shall delete the data relating to the data subject as soon as possible, but not later than 5 working days:
–Data has been unlawfully processed (without legal authorization or personal consent);
–data management is unnecessary for the original purpose;
–the data subject withdraws his/her consent for data process and the Controller has no other legal basis for data processing;
–the subject data were collected in respect to the provision of information society services;
–personal data must be deleted in order to fulfill the legal obligations of the Controller.
The Controller may not delete the data if the data processing is required for any of the following:
–Additional data processing is required to comply with the legal requirements for the Controller;
–necessary for the exercise of the right of expression and information;
–for archiving, scientific, research or statistical purposes;
–to enforce or protect legal claims.
Right to restrict data processing: If any of the following reasons apply, Controller shall restrict the data processing at the request of the data subject:
–The data subject contests the accuracy of the data relating to him, in this case the restriction refers to the period of time during which the accuracy and correctness of the relevant data is reviewed with credibility;
–data processing is unlawful, but the data subject requests that the deletion shall be ignored and only the data processing shall be restricted;
–data is no longer required for data processing, but the data subject requests the data to be retained for the purpose of enforcing or protecting legal claims;
If the Controller introduces a restriction on any processed data, it shall only process the data concerned for the duration of the limitation, if:
–the person concerned agrees;
–it is necessary to enforce or defend legal claims;
–it is necessary to enforce or protect the rights of another person;
Right to withdrawal: The data subject has the right to withdraw the consent given to the Controller at any time in writing. In case of such request, the Controller shall immediately and permanently delete any data that has been processed in relation to the data subject and which is not required to be stored and processed any further based on legal obligations or to enforce or protect any rights. The withdrawal shall not affect the validity of the data processing before the date of the withdrawal.
Right to portability: The data subject is entitled to receive the personal data concerning him/her, which he/she provided to the Controller in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance. The request shall be executed by the Controller as soon as possible, but no later than 30 days.
Automated decision-making and profiling: The data subject has the right not to be subject to a decision based solely on automated data processing (e.g. profiling) that would have legal effect or otherwise could affect the data subject adversely. This is not applicable if:
–the data processing is essential for the conclusion or performance of a contract between the data subject and the Controller;
–the person concerned expressly agrees to use such procedure;
its use is authorized by law;
–it is necessary to enforce or protect legal claims.
The Controller stores the e-mail and its contents (especially the name and address of the sender, the date and attachments of the message) in the course of contacting the Controller for 5 years and then deletes it.
Means and security of data storage
Controller stores data solely electronically.
Controller shall store the electronically processed data at the company named below, which is responsible for the adequate physical and software protection of the data.
Headquarters: Mountain View, California, United States
seat: 1132 Budapest, Victor Hugo u. 18-22.
company reg. No.: 01-09-914549
telephone: +36 70 362 4785
The location of the data transferred to the data processor is located at the seat of the data processors.
Controller is using an IT system ensuring that the data:
–shall remain unchanged and this may be certified (data integrity);
–credibility shall be ensured (credibility of data processing);
–shall be accessible only for those who are entitled (availability);
–shall be protected against unauthorized access (confidentiality).
The protection of the data covers in particular the following unwanted acts:
–or becoming inaccessible due to change in applied technique.
In order to protect the electronically processed data, Controller shall use an appropriate level of security in accordance with the state of the art. When assessing compliance, particular emphasis is placed on the extent of risk arising from data processing carried out by the Controller. IT protection ensures that stored data is not directly attributable to or linked to data subjects (unless permitted by law).
Controller shall ensure the followings during the data processing:
–only those may have access to the information who are authorized to do so;
–any authorized person may access the data when needed;
–the accuracy of the information and processing method shall be protected.
Controller and the possible data processors shall provide protection against fraud, espionage, viruses, burglary, vandalism and natural disasters regarding their IT systems at all time. Controller (or the possible data processor) is using both server-level and application-level security measures.
Messages forwarded to the Controller over the Internet, in any form, are subject to network threats that lead to information modification, unauthorized access, or other illegal activities. However, to prevent such threats, the Controller shall apply all measures that are reasonably practicable, and which may be expected from the state of the art. To this end, the systems used are monitored to record security deviations in order to obtain evidence of a security incident and to investigate the effectiveness of precautionary measures.
If Controller receives a request under Article 15-22 of GDPR, Controller shall inform the data subject in writing about the applied measures within 30 days.
If the complexity of the application or other objective circumstances necessitate it, the time limit may be extended once up to a maximum of 60 days.
Controller shall provide the information free of charge, unless:
–the data subject files repeatedly the request for information/taking action with essentially unchanged content;
–the application is clearly unfounded;
–the request is excessive.
If the applicant requests the transfer of data on paper or on an electronic medium (SD card, pen drive, CD, DVD, etc.), the Controller shall provide a copy of the relevant data free of charge as requested (except if the chosen platform would be technically disproportionate). Controller may charge HUF 500, -/page/CD-DVD for each additional requested copy. Requests for data on a different medium are charged at a different price, but not more than HUF 5,000, -/media.
Controller shall notify any person with whom the subject data has been previously disclosed of any rectification, deletion or restriction that has been made, unless such information is impossible or requires a disproportionate effort.
On the request of data subject Controller shall provide information on whom the personal data of the data subject has been forwarded.
Controller shall make the response to the request in electronic form, unless:
–the data subject expressly requests a different way and this does not cause unreasonably high extra costs for the Data Controller;
–Controller is not in possession of the electronic contacts of the data subject.
If any data subject shall suffer material or non-pecuniary damage as a result of breach of data protection laws, the data subject is entitled to claim compensation from the Controller and/or the data processor. If the Controller and the data processor(s) are involved in committing the violation, they are jointly liable for the damage.
The data processor shall be liable for the damages if it has violated the provisions of the relevant data protection regulations on the data processors, or if the damage occurred due to non-compliance with the instructions of the Controller.
Controller or the possible data processors shall be liable only if they cannot prove that they are not responsible for the event or circumstance that caused the damage.
If, in the opinion of the data subject, his/her rights have been violated by the Controller and/or the data processor(s), he/she shall be entitled to apply to the court with jurisdiction and competence in accordance with the Code of Civil Procedure. The court acts in such cases promptly.
If the data subject wishes to file a complaint in respect of the data processing, he/she may turn to the Hungarian National Authority for Data Protection and Freedom of Information as follows: seat: 1125 Budapest, Szilágyi Erzsébet fasor 22/C.; postal address: 1530 Budapest, Pf.: 5. telephone number: 06-1/391-1400; fax: 06-1/391-1410; e-mail address: email@example.com; website: www.naih.hu.
The Controller, when receiving a formal request from the respective authorities, shall provide the specified personal data on a mandatory basis.
The Controller shall only transmit data in the cases referred to in paragraph (1) which are strictly necessary for the purpose specified by the requesting authority.