Data Processing And Data Protection Policy

1. Purpose of the Policy

The purpose of this Policy is, in accordance with the applicable statutory provisions, in particular Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information (hereinafter: the “Infotv.”), as well as Regulation (EU) 2016/679 of the European Parliament and of the Council (hereinafter: the “GDPR”), to inform data subjects about the scope of their personal data processed by the Controller specified in Section 2 below, the purpose and manner of the processing, and all other facts related to the processing of such data, including, but not limited to, their rights in connection with the data processing and the legal remedies available to them.

2. Name, Registered Seat and Representative of the Controller

Name: DevConsult Tanácsadó Zártkörűen Működő Részvénytársaság (DevConsult Consulting Private Company Limited by Shares)

Registered seat: H-1117 Budapest, Október huszonharmadika utca 8–10.

Statutory representative: Dr. Viktor Barabás, Chief Executive Officer

3. No Data Protection Officer Appointed at the Controller

4. Legislation Governing Data Processing

  • The Fundamental Law of Hungary, Article VI;
  • Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information (hereinafter: the “Infotv.”);
  • Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (GDPR).

5. Definitions Used in this Policy

Processor

A natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller.

Processing

Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure or destruction.

Controller (Service Provider)
The undertaking, as well as any natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the Controller or the specific criteria for its nomination may be provided for by Union or Member State law.

Personal Data Breach
A breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Biometric Data
Personal data resulting from specific technical processing relating to the physical, physiological or behavioral characteristics of a natural person which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data.

Recipient
A natural or legal person, public authority, agency or another body, to which personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.

Data Subject

A natural person whose personal data are processed.

Consent of the Data Subject
Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which the data subject, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

GDPR

Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).

Third Party
A natural or legal person, public authority, agency or body other than the data subject, the Controller, the Processor and persons who, under the direct authority of the Controller or Processor, are authorized to process personal data.

Infotv.

Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information.

Employee

A person having an employment relationship or any other legal relationship aimed at performing work – in particular under a service contract or an agency contract – with the Service Provider, including contracted enterprises and their agents.

Profiling
Any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s work performance, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.

Personal Data
Any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Special Categories of Personal Data
Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and genetic and biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

6. Data Protection Impact Assessment

The Controller is responsible for conducting a data protection impact assessment in order to assess the source, nature, particularity and severity of the risk to the rights and freedoms of natural persons. The findings of the impact assessment shall be taken into account when determining which measures are appropriate to demonstrate that the processing of personal data is carried out in compliance with the GDPR.
If, according to the data protection impact assessment, the data processing operations involve a high risk which the Controller is not able to mitigate by appropriate measures, taking into account available technology and implementation costs, the Controller must consult the National Authority for Data Protection and Freedom of Information (NAIH) prior to the processing.
If, in the future, in relation to high-risk processing activities it becomes necessary to carry out a data protection impact assessment, such assessment shall be performed with the help of the open-source software published by the French data protection authority (Commission Nationale de l'Informatique et des Libertés, hereinafter: CNIL), and also recommended by the NAIH (original name: “PIA software”, hereinafter: impact assessment software).
The Controller shall adopt a separate internal policy on data protection impact assessments.

7. Legitimate Interest Assessment – Processing Based on Legitimate Interest

In case of data processing based on legitimate interest (Article 6(1)(f) GDPR), the Legitimate Interest Assessment shall be carried out on the basis of NAIH Opinion No. NAIH/2015/3731/2/V. On this basis, the Legitimate Interest Assessment is a multi-step process during which the Controller’s legitimate interest, as well as the data subject’s interest and fundamental right that constitute the counterweight in the balancing exercise, must be identified, and finally, based on the balancing, it must be determined whether the personal data can be processed.
The steps of the Legitimate Interest Assessment are as follows:

  • Step 1 – Examination of whether data processing is necessary or whether the objective can be achieved in another way;
  • Step 2 – The most precise possible definition of the legitimate interest;
  • Step 3 – Determining the purpose of the processing, and what personal data the processing requires and for what duration;
  • Step 4 – Determining the aspects and interests of the data subjects;
  • Step 5 – Carrying out the balancing.

The Controller shall adopt a separate policy on the Legitimate Interest Assessment.

8. Processing and Protection of Personal Data

8.1. Duties, Powers and Liability of the Controller

The Controller performing primary data processing shall be obliged to compensate any damage caused to another person through unlawful processing of the data subject’s data or by breaching the requirements of technical data protection. The Controller shall be liable to the data subject also for damage caused by the Processor.
The Controller shall be exempt from liability if it proves that the damage was caused by an unavoidable event beyond the scope of the processing. Compensation shall not be payable to the extent that the damage results from the intentional or grossly negligent conduct of the injured party.

8.2. Duties, Powers and Liability of the Processor

The Controller shall define the rights and obligations of the Processor relating to the processing of personal data within the framework of this Policy and the relevant legislation. Within the scope of its activities and the framework defined by the Controller, the Processor shall be responsible for the processing, alteration, erasure, transmission and disclosure of personal data.
The contract concluded with the Processor shall stipulate that, in the course of performing its activities, the Processor may engage another processor only in accordance with the Controller’s instructions, and that any breach of the rules on data processing may constitute grounds for termination of the contract with immediate effect.

We apply appropriate technical and organizational measures to ensure the security of personal data and prevent unauthorized access, disclosure, or destruction.

9. Fundamental Principles and Basic Provisions

  • Principle of Lawfulness, Fairness and Transparency
    (The collection and processing of data must be fair and lawful and must be transparent to the data subject.)
  • Principle of Purpose Limitation
    (According to the Infotv., personal data may be processed only for specified and explicit purposes, to exercise a right or fulfil an obligation. The processing must comply with the purpose of the processing in all stages. Only such personal data may be processed which are essential for the fulfilment of the purpose of the processing and suitable for achieving that purpose. Personal data may only be processed to the extent and for the duration necessary to achieve the purpose.)
  • Principle of Data Minimization
    (On the basis of the principle of data minimization, the Controller may process only such personal data as are strictly necessary for the fulfilment of the purpose of the processing.)
  • Principle of Accuracy
    (Data processed by the Controller must be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.)
  • Principle of Storage Limitation
    (Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.)
  • Principle of Integrity and Confidentiality
    (Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.)
  • Principle of Accountability
    (The Controller shall be responsible for, and be able to demonstrate compliance with, the principles and rules of data processing.)
  • Principle of Data Security
    (The Controller shall design and implement data processing operations in such a way that the protection of the privacy of data subjects is ensured in the application of the Infotv. and other rules applicable to data processing. The Controller shall ensure the security of the data and shall take the technical and organizational measures and establish the procedural rules necessary to enforce the Infotv. and other data and secrecy protection rules. The Controller shall protect the data, in particular, against unauthorized access, alteration, transmission, disclosure, erasure or destruction, accidental destruction and damage, as well as against becoming inaccessible as a result of changes in the technology used.

In order to protect the data files processed electronically in different registers, the Controller shall use an appropriate technical solution to prevent the data stored in the registers from being directly linked and attributed to the data subject, unless permitted by law.

In order to maintain security and prevent data processing operations that infringe the GDPR, the Controller shall assess the risks arising from the nature of the processing and apply measures to reduce those risks, such as encryption. These measures should ensure a level of security appropriate to the risk, including confidentiality, taking into account the state of the art and the costs of implementation, as well as the nature of the personal data to be protected and the risks associated with processing.

In the course of assessing data security risks, the Controller shall consider risks arising from the processing of personal data – such as accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed – which may result in physical, material or non-material damage.)

10. Rights of Data Subjects

  • Right of Access
    (The data subject shall have the right to obtain from the Controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and information relating to their processing. The Controller shall provide the data subject with information on the action taken on a request without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The Controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. If the data subject makes the request by electronic means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.)
  • Right to Rectification
    (The data subject shall have the right to obtain from the Controller without undue delay the rectification of inaccurate personal data concerning him or her, and to have incomplete personal data completed.)
  • Right to Erasure
    (The data subject shall have the right to obtain from the Controller the erasure of personal data concerning him or her without undue delay and the Controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
    a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

    b) the data subject withdraws consent on which the processing is based in accordance with point (a) of Article 6(1) or point (a) of Article 9(2) GDPR, and where there is no other legal ground for the processing;

    c) the data subject objects to the processing pursuant to Article 21(1) GDPR and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2) GDPR;

    d) the personal data have been unlawfully processed by the Controller;

    e) the personal data have to be erased for compliance with a legal obligation;
    f) the personal data have been collected in relation to the offer of information society services referred to in Article 8(1) GDPR (conditions applicable to child’s consent).
    The data shall not be erased where processing is necessary for one of the following reasons:

    a) for exercising the right of freedom of expression and information;

    b) for compliance with a legal obligation requiring processing;

    c) for the establishment, exercise or defense of legal claims.)
  • Right to Restriction of Processing
    (The data subject shall have the right to obtain from the Controller restriction of processing where one of the following applies:
    a) the accuracy of the personal data is contested by the data subject, in which case restriction shall apply for a period enabling the Controller to verify the accuracy of the personal data;

    b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;

    c) the Controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defense of legal claims;

    d) the data subject has objected to processing; in this case, restriction shall apply for the period until it is verified whether the legitimate grounds of the Controller override those of the data subject.
    Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with the data subject’s consent or for the establishment, exercise or defense of legal claims, or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State. The Controller shall inform the data subject in advance of the lifting of the restriction of processing.)
  • Right to Object
    (The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her based on points (e) or (f) of Article 6(1) GDPR, including profiling based on those provisions. In such a case, the Controller shall no longer process the personal data unless the Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or which are related to the establishment, exercise or defense of legal claims.)
  • Right to Data Portability
    (The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a Controller, in a structured, commonly used and machine-readable format and shall have the right to transmit those data to another controller without hindrance from the Controller to which the personal data have been provided, where:
    a) the processing is based on consent pursuant to point (a) of Article 6(1) GDPR or point (a) of Article 9(2) GDPR, or on a contract pursuant to point (b) of Article 6(1) GDPR; and

    b) the processing is carried out by automated means.)

11. Detailed Rules of Data Processing

11.1. Information on Data Processing

Data subjects shall have the right to receive information concerning the processing of their personal data in a concise, transparent, intelligible and easily accessible form, using clear and plain language.
Where personal data are collected from the data subject, the data subject shall also be informed whether he or she is obliged to provide the personal data and of the possible consequences of failure to provide such data.
Information relating to the processing of personal data concerning the data subject shall be provided to the data subject at the time the data is obtained or, where the data is not obtained from the data subject but from another source, within a reasonable period, taking into account the circumstances of the case.
Where the personal data may lawfully be disclosed to another recipient, the data subject shall be informed at the time of the first disclosure to such recipient.
Where the Controller intends to further process the personal data for a purpose other than that for which the personal data were collected, the Controller shall provide the data subject prior to that further processing with information on that other purpose and any other relevant further information.

The information shall cover in particular the following:

  • the identity and contact details of the Controller;
  • the contact details of the data protection officer (where applicable);
  • the purposes of the processing of personal data and the legal basis for the processing;
  • where processing is based on “legitimate interest”, information about such legitimate interests;
  • the recipients or categories of recipients of personal data;
  • the envisaged period for which the personal data will be stored;
  • the rights of the data subject;
  • whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, and the possible consequences of failure to provide such data;
  • the existence of automated decision-making, including profiling, if any;
  • the legal remedies available to data subjects.

11.2. Lawfulness of Processing

Processing of personal data shall be lawful only if and to the extent that at least one of the following legal bases applies:

  • the data subject has given consent to the processing of his or her personal data;
  • processing is necessary for the performance of a contract to which the data subject is party;
  • processing is necessary for compliance with a legal obligation to which the Controller is subject;
  • processing is necessary in order to protect the vital interests of the data subject;
  • processing is necessary for the performance of a task carried out in the public interest;
  • processing is necessary for the purposes of the legitimate interests pursued by the Controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject that require protection of personal data, in particular where the data subject is a child.

11.3. Scope, Purpose, Legal Basis and Duration of Processing

The scope of the personal data processed by the Controller, the purposes, legal bases and duration of processing are contained in the register of processing activities constituting Annex 1 to this Policy, which register is published on the Controller’s website.
The register of processing activities contains:

  • the purpose of the processing;
  • the types of data;
  • the legal basis of the processing;
  • the categories of data subjects;
  • the source of the data;
  • any possible transfers of the data, including their type, recipients and legal basis;
  • the time limit for erasure of each data category;
  • where data are processed by a Processor, the details of the Processor, the place of the processing, and the activities carried out by the Processor in connection with the processing.

Separate privacy notices have been prepared for the processing operations indicated in the register of processing activities, which constitute Annexes 1–12 to the register.

11.4. Duration of Processing

Data may only be stored for the shortest possible period. When determining such period, account must be taken of the reasons for which the Controller carries out processing and of any legal obligations requiring data to be retained for a specific period.

11.5. Internal Data Transfers

Within the Controller’s organization, personal data may only be transferred in accordance with the principle of purpose limitation, and access to the data may only be granted where a legitimate purpose exists.

11.6. Data Transfers to Third Parties

Personal data may be transferred to a third party only on the basis of a statutory provision or with the data subject’s consent, provided that all conditions of lawful data processing are fulfilled with respect to each item of personal data.
Prior to any data transfer, the Controller is obliged to ascertain whether the statutory conditions for such transfer are met and, following the transfer, whether the conditions of processing are fulfilled in respect of each personal data item.
Prior to any data transfer concerning the same data subjects and for the same purposes to the same Controllers, the data protection officer must be involved in the assessment of the lawfulness of the transfer. No separate assessment shall be required for subsequent transfers to the same Controller for the same purpose.
The data protection officer shall keep a register of data transfers and shall store it in accordance with the applicable rules. The register of data transfers shall be retained until the end of the fifth year following the year of the receipt or transfer of the data (twenty years in the case of special categories of data).
The register of data transfers shall contain:

  • the date of the transfer of the personal data processed by the transferring Controller;
  • the scope of the data transferred;
  • the legal basis and the recipient (name, address, registered seat) of the transfer;
  • the name and telephone number of the person responsible for the transfer.

11.7. Data Transfer Abroad or to a Third Country

Prior to any data transfer, with the involvement of the data protection officer, the Controller shall ascertain whether the statutory conditions for such transfer are met and whether, following the transfer, the conditions of processing will be fulfilled in respect of each personal data item.

11.8. No Processing of Special Categories of Data

The Controller does not process special categories of personal data, including biometric data.

12. Personal Data Breach

Under the GDPR, a personal data breach is a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.

12.1. Notification of a Personal Data Breach

The Controller shall notify the competent supervisory authority (NAIH) of the personal data breach without undue delay and, where feasible, not later than 72 hours after having become aware of it, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification is not made within 72 hours, it shall be accompanied by the reasons for the delay.

12.2. Investigation and Management of a Personal Data Breach

The data protection officer shall examine the report and request data and information from the reporting person, which the reporting person shall provide without delay, but no later than within 2 working days.
The provision of information shall include:

  • the date and place of the incident;
  • the description, circumstances and effects of the incident;
  • the types and quantity of data affected by the incident;
  • the categories of persons whose data are affected;
  • the measures taken to remedy the incident;
  • the measures taken to prevent, remedy or mitigate the damage.

The data protection officer shall propose the necessary measures. The person responsible for the process in which the data are processed or handled shall inform the data protection officer, within 2 working days following the implementation of the relevant measures, of each measure implemented to remedy the personal data breach.

12.3. Register of Personal Data Breaches

The Controller shall keep a register of personal data breaches. Under the GDPR, the Controller is obliged to implement appropriate technical and organizational measures to enable it to detect and assess vulnerabilities and security incidents.
In addition to documenting personal data breaches, the Controller shall establish and apply appropriate processes and measures in order to detect and manage security incidents in a timely manner.

13. Scope and Amendment of this Policy

This Policy shall enter into force on 1 December 2025. The Controller shall be entitled to amend this Policy at any time, provided that such amendment does not conflict with applicable legislation. This Policy may be inspected at the registered seat of the Controller.

Budapest, 1 December 2025