Data Protection Notice
IncQuery Labs Research and Development Ltd. (registered office: H-1072 Budapest, Rákóczi út 36; company registration number: 01 09 996038; tax number: 24216182-2-42; hereinafter the “Company” or “Controller”), hereby informs its partners, employees as well as visitors to its website (hereinafter jointly referred to as the “Data Subject”) that it accepts these data protection and data processing principles (hereinafter the “Notice”) as binding. This Notice defines and regulates the processing of the personal data of the Data Subject pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (hereinafter the “GDPR” or “Regulation”), Act V of 2013 on the Civil Code (hereinafter the “Civil Code”), Act CXII of 2011 on Informational Self-Determination and Freedom of Information (hereinafter the “Privacy Act”) and all applicable legal regulations in effect from time to time. The Company reserves the right to amend this Notice to harmonise it with any underlying laws amended in the meantime and with other internal regulations.
Data of the Controller
Company name: IncQuery Labs Research and Development Ltd.
Registered office: H-1072 Budapest, Rákóczi út 36
Company registration number: 01 09 996038
Tax number: 24216182-2-42
Electronic contact details: firstname.lastname@example.org
Telephone: + 36 70 633 3973
Scope of this Notice
This Notice shall apply to the processing of the data of natural persons. The scope of this Notice shall not extend to processing relating to legal persons.
Lawfulness of processing
Processing of personal data is lawful only if and to the extent that at least one of the following applies:
- the data subject has given consent to the processing of their personal data for one or more specific purposes;
- processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract;
- processing is necessary for compliance with a legal obligation to which the controller is subject;
- processing is necessary in order to protect the vital interests of the data subject or of another natural person;
- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Conditions for consent
Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of their personal data.
If the data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding.
The data subject is entitled to withdraw their consent at any time. The withdrawal of consent shall not affect the lawfulness of any processing that was conducted based on the consent prior to its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.
When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.
Data processing relating to persons in contractual relationship with the Company
The Company shall in all cases inform the natural persons in legal relationship with it about data processing pertaining to them. Where pursuant to Article 14(1) of the GDPR personal data have not been obtained from the data subject, the Company shall provide such natural persons with details of processing by publishing this Notice.
In the event of contracts concluded with partners and the performance of concluded contracts, processing extends to:
- personal identification data, the data of the representative of the legal person contracting party (name, position) as well as the data required for contact (telephone number, email address),
- data of the natural person partner (name, name at birth, mother’s maiden name, place and date of birth), as well as the data required for contact (telephone number, email address, address).
The purpose of processing as per this Section is the conclusion and performance of a contract, and communication. The duration of data processing depends on whether the data qualify as accounting documents. If yes, Section 169(2) of the Accounting Act shall prevail, and accordingly the data shall be retained by the Company for a minimum of 8 years, and for 5 years in all other cases with a view to the term of limitation as set out in the Civil Code.
The legal basis for the processing is Article 6(1) b) of the GDPR, that is, performance or conclusion of a contract.
Processing related to calls for applications, applicants and resumes
In the case of the processing of personal data of persons applying for job vacancies, the purpose of data processing is for the employer to find a suitable employee for the position announced. Pursuant to Article 6(1) a) of the GDPR, the legal basis for processing is the consent granted by the data subject. The scope of the data processed varies depending on what data the data subject wishes to provide, but most frequently: name, name at birth, address, email address, telephone number, past workplace details, educational details, photograph. In line with Article 17(1) a) of the GDPR, the Company erases personal data when they are no longer necessary in relation to the purposes for which they were collected. The Company stores the personal data for a maximum of 1 year from consent granted, provided during this time the applicant is not hired as an employee or has not withdrawn consent in this period. In the case of applying to an unannounced position, the Company sends an email to the applicant or contacts them by other means, during which it provides information on the details of processing. If the data subject consents to processing, the Company stores the resume for a maximum of 6 months.
Processing the data of employees relating to employment
The purpose of data processing is the establishment, performance or termination of employment. Pursuant to Article 6(1) c) of the GDPR, the legal basis for processing is compliance with a legal obligation, and furthermore, pursuant to Article 6(1) b) of the GDPR, performance of a contract. During the processing of the personal data of employees, the Company applies the principles of purpose limitation and data minimisation, and acts in line with the compulsory legal provisions applicable to the various data types in respect of the erasure of data, and in the absence of such provisions, erases the personal data pertaining to the employee within 5 years after the termination of employment. The processing of the personal data of employees is regulated by Section 10(1) of the Labour Code. The aforementioned provision states that employees may only be requested to make statements or provide data where personal rights are not violated and such is essential for the purpose of establishing, performing or terminating employment. The employee may only be subjected to aptitude tests that are required by employment-related regulations or which are required in order to exercise a right or fulfil an obligation defined in employment-related regulations.
Processing of the data of website visitors and persons requesting information
The Company operates and maintains a website for the purpose of providing information to users. If the user requires additional information, they have to provide their name, email address or telephone number so that they can be contacted. Pursuant to Article 6(1) a) of the GDPR, the legal basis for processing is consent granted by the data subject. The Company processes such data for 1 month from the receipt of the letter requesting information.
The Company calls the attention of Website users to the fact that the use of the various services available on the Website and subscribing to newsletters is subject to registration, the condition of which is accepting this Notice as well as granting explicit consent pertaining to the processing of personal data provided during registration. The consent granted for the processing of personal data provided during registration or subscribing to the newsletter may be withdrawn by the data subject at any time in writing, without limitation and justification, by sending such request to the Company’s above email address provided for the purpose of communication, or by clicking on the “Unsubscribe” button in the email received.
Processing relating to book-keeping
Name of processor: Adószabászat Könyvelő, Bérszámfejtő és Adótanácsadó Kft
Registered office: 1033 Budapest, Laktanya utca 35.
Email address: email@example.com
Processing relating to storage services
Name of processor: Webonic Kft.
Registered office: 8000 Székesfehérvár, Budai út 9-11.
Company registration number: 07-09-025725
Tax number: 25138205-2-07
Registered office: 335 South 560 West Lindon, UT 84042
Working time tracking software
Harvest LLC d/b/a
Registered office: 16 W 22nd St, 8th Floor, New York, NY 10010 United States
Task management software
Registered office: 30 North Racine Avenue, Suite 200, Chicago, Illinois 60607 United States
Internal communication software
Slack Technologies Limited
Registered office: 4th Floor, One Park Place, Hatch Street, Upper Dublin 2, Ireland
Email client, document sharing and storage
Microsoft Office 365
Amazon Web Services EMEA SARL
Registered office: 38 Avenue John F. Kennedy, L-1855, Luxembourg
88 Colin P. Kelly Jr. Street San Francisco, CA 94107 United States
Personal data breach
Pursuant to Article 4 of the GDPR, a personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. In the case of a personal data breach, the Company shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the competent supervisory authority, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.
When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the Company shall communicate the personal data breach to the Data Subject without undue delay. As part of such communication, the Company describes the nature of the personal data breach using clear and plain language, communicates information as well as measures taken.
Rights of Data Subjects
1. Right to receive information:
The right to receive clear and transparent information is a fundamental right of the Data Subject. At the Data Subject’s request, the Company takes appropriate measures to provide the data subject with information on the processing of personal data, the circumstances of processing and the rights the Data Subject is entitled to, in a concise, easily accessible and easy to understand form and using clear and plain language.
2. Right of access by the Data Subject:
The Data Subject shall have the right to obtain from the Company confirmation as to whether or not personal data concerning them are being processed, and, where that is the case, access to the personal data and the following information:
- the purposes of data processing,
- the categories of personal data concerned;
- the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations,
- where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period,
- the existence of the right to request from the Company rectification or erasure of personal data or restriction of processing of personal data concerning the Data Subject or to object to such processing,
- the right to lodge a complaint with a supervisory authority,
- where the personal data are not collected from the Data Subject, any available information as to their source,
- the existence of automated decision-making, including profiling, and, at least in those cases, comprehensible information about the logic applied, as well as the significance and the envisaged consequences of such processing for the Data Subject.
Moreover, based on the right of access, the Company ensures to the Data Subject the right of requesting copies. For any copies requested by the Data Subject, the Company may charge a reasonable fee based on administrative costs. Upon request by the Data Subject, the Company provides information electronically. At the Data Subject’s request, the Company may also provide information to the data subject verbally, after their identity has been credibly verified by the Company.
3. Right to rectification:
The Data Subject shall have the right to obtain from the Company without undue delay the rectification of inaccurate personal data concerning them. Taking into account the purposes of the processing, the Data Subject shall have the right to have incomplete personal data completed.
4. Right to be forgotten:
Pursuant to the Regulation, the Data Subject shall have the right to obtain from the Company the erasure of personal data concerning them without undue delay and the Company shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
- the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed,
- the Data Subject withdraws the consent on which the processing is based, and there is no other legal ground for the processing,
- the Data Subject objects to the processing and there are no overriding legitimate grounds for the processing,
- the personal data have been unlawfully processed,
- the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the Company is subject,
- the personal data have been collected in relation to the offer of information society services.
The erasure of data may not be initiated if data processing is required in the cases set out in Article 17(3) of the Regulation.
The Company shall erase the data indispensable for the provision of the service if the contract is ultimately not concluded or is terminated. Exceptions to the above are cases where such erasure is excluded by a provision of another legal regulation.
5. Right to restriction of processing:
The Data Subject shall have the right to obtain from the Company restriction of processing where one of the following applies:
- the accuracy of the personal data is contested by the Data Subject, for a period enabling the Company to verify the accuracy of the personal data,
- the processing is unlawful and the Data Subject opposes the erasure of the personal data and requests the restriction of their use instead,
- the Company no longer needs the personal data for the purposes of the processing, but they are required by the Data Subject for the establishment, exercise or defence of legal claims, or
- the Data Subject has objected to processing, pending the verification whether the legitimate grounds of the Company override those of the Data Subject.
Where data processing is restricted, the data may only be stored, and all other data processing is subject to Data Subject consent and only for the purpose of the establishment of legal claims or for reasons of public interest.
6. Right to data portability:
The Data Subject shall have the right to receive the personal data concerning them, which they have provided to the Company, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the Company to which the personal data have been provided. Moreover, the Data Subject is entitled to request the personal data to be transmitted directly to another company. This can only be in relation to specific legal titles.
The Company shall establish and ensure the technological and technical conditions for data portability.
7. Right to object:
The Data Subject shall have the right to object, on grounds relating to their particular situation, at any time to processing of personal data concerning them for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Company, or for the purposes of the legitimate interests pursued by the Company or by a third party, including profiling based on the provisions referenced above.
In the event of such objection, the Company shall no longer process the personal data unless the Company demonstrates compelling legitimate grounds for the processing that override the interests, rights and freedoms of the Data Subject, or which are related to the establishment, exercising or defence of legal claims.
Where personal data are processed for direct marketing purposes, the Data Subject shall have the right to object at any time to processing of personal data concerning them for such marketing, which includes profiling to the extent that it is related to such direct marketing.
8. Automated decision-making, profiling:
The Data Subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them.
The above right shall not be applied where processing is necessary for entering into, or performance of, a contract between the Data Subject and the Company; or is authorised by Union or Member State law to which the Company is subject and which also lays down suitable measures to safeguard the Data Subject’s rights and freedoms and legitimate interests; or is based on explicit consent by the Data Subject.
9. Right to withdraw consent:
The Data Subject is entitled to withdraw voluntary consent at any time.
The Company shall provide information on action taken on a request pursuant to Articles 15-22 of the Regulation aimed at the exercising of rights to the Data Subject without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests.
The Company shall inform the Data Subject of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the Data Subject makes the request by electronic means, the information shall be provided by electronic means, unless otherwise requested by the Data Subject.
If the Company does not take action on the request of the Data Subject, the Company shall inform the Data Subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.
The Company provides the information requested free of charge. Where requests from a Data Subject are manifestly unfounded or excessive, in particular because of their repetitive character, the Company may either charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested, or refuse to act on the request.
The Company shall communicate any rectification or erasure of personal data or restriction of processing to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The Company shall inform the Data Subject about such recipients at the request of the Data Subject.
The Company shall provide the Data Subject with a copy of the personal data undergoing processing. For any further copies requested by the Data Subject, the Company may charge a reasonable fee based on administrative costs. Where the Data Subject makes the request by electronic means, and unless otherwise requested by the Data Subject, the information shall be provided in electronic form.
Indemnification and compensation
Any person who has suffered material or non-material damage as a result of an infringement of the Regulation shall have the right to receive compensation from the Company or processor for the damage suffered. The Company or processor shall be exempt from liability if it proves that it is not in any way responsible for the event giving rise to the damage.
Right to turn to court
Where their rights are violated, the Data Subject may turn to the court against the Company. The court shall proceed in the action as a matter of urgency. The Company shall compensate any damage caused by any unlawful processing of the Data Subject’s data or a breach of the data security requirements. In the event of the violation of the Data Subject’s personal rights, the Data Subject may demand compensation. The Company shall be exempt from liability if the loss was the result of a cause that it could not have prevented. The Company shall not compensate for damage and no compensation for personal rights violation may be claimed if such damage was caused by the wilful misconduct or gross negligence of the Data Subject.
If you have comments relating to processing by the Company, please contact us using the email address specified for communication among the Company’s data.
Complaints relating to the Company’s potential data processing-related infringements may be lodged at the Hungarian National Authority for Data Protection and Freedom of Information:
Hungarian National Authority for Data Protection and Freedom of Information
H-1125 Budapest, Szilágyi Erzsébet fasor 22/C
Mailing address: 1530 Budapest, PO Box: 5.