Ecconstech Kft. Privacy Notice

Ecconstech Kft. (hereinafter: "Data Controller") pays particular attention to the protection of personal data in the course of its activities, to compliance with mandatory legal provisions, and to secure and fair data processing. The Data Controller considers it important to respect and enforce the rights related to data processing of natural persons who come into contact with it in any way (hereinafter: "Data Subject"). The Data Controller therefore undertakes that the data processing related to its activities and services complies with the requirements set forth in this Notice and in the applicable legislation.

In view of the above, the Data Controller establishes the following privacy notice (hereinafter: "Privacy Notice", "Notice") for the purpose of ensuring the lawfulness of its internal data processing procedures, record-keeping thereof, and safeguarding the rights of data subjects.

Name of Data Controller: Ecconstech Informatikai Korlátolt Felelősségű Társaság

Company registration number of Data Controller: 13-09-209758

Tax number of Data Controller: 28980771-2-13

Registered seat of Data Controller: 2030 Érd, Kossuth Lajos utca 150.

Name of representative of Data Controller: Szemesy Péter István, Managing Director

Contact of representative: peter.szemesy@eccons.tech

PART I: GENERAL PRINCIPLES

Purpose of the Notice

By establishing and making available this Notice, the Data Controller intends to ensure the realisation of the right to information of data subjects as defined in Articles 13–14 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter: "GDPR" or "Regulation"). The purpose of the Notice is to enable the Data Controller to comply with the provisions of the GDPR and Hungarian legislation on the processing of personal data, in particular the provisions of Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information (hereinafter: "Infotv.").

The Privacy Notice lays down the legal framework for data processing operations carried out by the Data Controller, ensures the enforcement of the constitutional principles of data protection and the right to informational self-determination, promotes compliance with the requirements of data security, prevents unauthorised data processing, and establishes data protection tasks and responsibilities relevant to data security. The Notice also aims to build and operate a data protection system for personal data processed and handled by the Data Controller in its capacity as data controller or data processor.

Furthermore, the purpose of this Notice is to ensure that data subjects receive adequate information about the data processed by the Data Controller, or processed by data processors potentially engaged by the Data Controller, as well as about their source, the purpose, legal basis, and duration of data processing, the name and address of any data processor involved in data processing and their activities related to data processing, and – in the event of transfer of the data subject's personal data – the legal basis and recipient of the data transfer, as well as the rights of the data subject.

Personal data processed and handled by the Data Controller must be protected in particular against unauthorised access, alteration, transfer, disclosure, deletion or destruction, accidental destruction and damage, as well as against becoming inaccessible as a result of changes in the technology applied. In order to protect electronically processed data sets, appropriate technical solutions must be used to ensure that data processed in records cannot – except where permitted by law – be directly linked and attributed to the data subject.

The current version of the Privacy Notice is available at the registered seat of the Data Controller.

This Notice is effective from 15 May 2024.

Governing Legal Provisions

This Notice shall be applied in accordance with the following legal provisions:

  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter: "GDPR");
  • Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information (hereinafter: "Infotv.");
  • Act V of 2013 on the Civil Code (hereinafter: "Civil Code").

Definitions

  • Data Subject: any identified or – directly or indirectly – identifiable natural person determined on the basis of personal data.
  • Personal Data: any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
  • Special Data: all data falling within the special categories of personal data, i.e. personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data, biometric data processed for the purpose of uniquely identifying a natural person, data concerning health, and data concerning a natural person's sex life or sexual orientation.
  • Consent: any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
  • Objection: a statement by the data subject objecting to the processing of his or her personal data and requesting the termination of data processing or the deletion of data processed.
  • Data Controller: the natural or legal person, or organisation without legal personality, who or which, alone or jointly with others, determines the purposes and means of the processing of data (including the equipment used), makes and implements decisions relating to data processing, or has them implemented by a data processor.
  • Data Processing: any operation or set of operations which is performed on data, irrespective of the procedure applied, in particular collection, recording, registration, organisation, storage, alteration, use, retrieval, transmission, disclosure, alignment or combination, restriction, deletion and destruction, as well as preventing further use of the data, taking of photographs, audio or video recordings, and recording of physical characteristics suitable for identifying a person (e.g. fingerprints, palm prints, DNA samples, iris images).
  • Data Transfer: making data accessible to a specified third party.
  • Disclosure: making data accessible to anyone.
  • Data Processing (as technical activity): the performance of technical tasks related to data processing operations, irrespective of the method and tool used to perform the operations and of the place of application, provided that the technical task is performed on the data.
  • Data Processor: the natural or legal person, or organisation without legal personality, who or which processes data on the basis of a contract – including a contract concluded pursuant to a provision of law – concluded with the data controller.
  • Third Party: a natural or legal person, or organisation without legal personality, other than the data subject, the Data Controller, or the data processor.
  • Recipient: a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. Public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall comply with the applicable data protection rules according to the purposes of the processing.
  • Personal Data Breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Principles and Rules of Data Processing by the Data Controller

  • With regard to the principle of lawfulness, fairness and transparency, the Data Controller processes personal data in a lawful and fair manner, and in a transparent way for the data subject, for the purpose of exercising rights or fulfilling obligations. The Data Controller strictly prohibits the use of personal data processed by it for private purposes.
  • With regard to the principle of purpose limitation, the Data Controller collects and processes personal data only for specified, explicit and legitimate purposes, to the minimum extent and for the minimum duration necessary to achieve those purposes, and does not process them in a manner incompatible with those purposes. Accordingly, the Data Controller uses personal data of data subjects exclusively for the purposes communicated at the time of collection or for other appropriate purposes in accordance with the law.

The Data Controller pays particular attention to ensuring that its data processing always complies with the principle of purpose limitation, and that data are deleted when the purpose of data processing has ceased, or if the processing of data is otherwise unlawful. Where personal data are no longer needed, they shall be destroyed in a secure and documented manner.

  • With regard to the principle of data quality (data minimisation and accuracy), the Data Controller processes and collects only personal data that are adequate, relevant and limited to what is necessary in relation to the purposes of the processing. The Data Controller also takes reasonable steps to ensure that personal data are accurate, complete and up to date, and that personal data unnecessary for the purpose of data processing are deleted.
  • In accordance with the principle of storage limitation, the Data Controller processes personal data enabling the identification of data subjects only for as long as necessary to achieve the purposes of data processing. Following the change or cessation of the data processing purpose, the Data Controller ensures the deletion of the data. The Data Controller stores personal data for a longer period only if the processing of personal data is carried out for archiving purposes in the public interest, for scientific and historical research purposes, or for statistical purposes. Particular care shall be taken when disposing of data carriers containing personal data.
  • With regard to the principle of integrity and confidentiality, the Data Controller ensures the closed, comprehensive, continuous and risk-proportionate protection of personal data, and takes organisational and technical measures, in particular to establish protection against unauthorised or unlawful processing, accidental loss, destruction or damage of data. To protect data against unauthorised use or disclosure, the Data Controller applies data security controls in the course of its own activities.

The information security measures designed and implemented by the Data Controller ensure the confidentiality, integrity and availability of personal data.

  • With regard to the principle of accountability, the Data Controller plans and executes its data processing procedures and establishes its data processing system in such a way that it is able to demonstrate compliance with the principles set out in this section at any point during data processing, including in particular when and in what form personal data were collected and what information was provided to the data subject at the time of collection.

Data Security Rules

Throughout data processing, the Data Controller shall ensure the highest reasonably expected level of security for the personal data processed. The Data Controller performs its data processing operations in such a manner that, through the application of appropriate technical and organisational measures, adequate security of personal data is ensured, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage (integrity and confidentiality). The Data Controller also protects personal data by appropriate measures, in particular against unauthorised access, alteration, transfer, disclosure, deletion or destruction, as well as against accidental destruction and damage, and against becoming inaccessible as a result of changes in technology applied.

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity to the rights and freedoms of natural persons, the Data Controller implements appropriate technical and organisational measures in order to guarantee a level of security appropriate to the risk. The Data Controller ensures the security of data and takes those technical and organisational measures and establishes those procedural rules that are necessary for the enforcement of the GDPR and other personal data protection rules.

The Data Controller takes the necessary measures during the period of data processing to securely store the data, and upon expiry of that period, to permanently and irreversibly delete the data set and physically destroy the data.

The Data Controller takes the following measures to ensure data security:

1. Personal Data Processed on Paper

In order to ensure the security of personal data processed on paper, the Data Controller applies the following measures:

  • Only authorised persons may access the data; no other person may access them. The Data Controller maintains a register of persons who have access to the data.
  • Paper-based documents containing personal data are stored by the Data Controller in a securely lockable, dry room, in a cabinet, or in a separately lockable archive that only authorised persons may enter.
  • If personal data processed on paper are digitised, the Data Controller applies the security rules applicable to digitally stored documents.
  • Personal data on paper-based data carriers must be destroyed using a document shredder or through an external contractor specialising in document destruction.

2. Personal Data Stored on Computer

In order to ensure the security of personal data stored on computers or on the network, the Data Controller applies the following measures and guarantees:

  • The Data Controller selects the method of IT storage of data in such a way that their deletion – taking into account any different deletion deadlines – can be carried out upon expiry of the data deletion deadline or, if necessary, for other reasons.
  • When the purpose of data processing has been fulfilled or the data processing deadline has expired, the file containing the data is irreversibly deleted and the data cannot be recovered.
  • Computers used during data processing are owned by the Data Controller or the Data Controller holds rights equivalent to ownership over them.
  • Documents containing personal data stored on computers can only be accessed by authorised persons with valid, personal, identifiable authorisation – at least a username and password.
  • The Data Controller maintains a register of the authorisations granted to persons having access to various personal data, as well as of the level of authorisation.
  • The destruction of electronic data carriers is monitored and documented, and the documentation is retained in a retrievable manner.
  • The Data Controller continuously ensures virus protection for IT systems processing personal data.
  • The Data Controller prevents unauthorised persons from accessing the network by applying passwords to the available computing devices.

The Data Controller also makes security backups of personal data processed electronically.

The Data Controller maintains a data transfer register in which the lawfulness of any data transfer that may occur can be verified. The register records the scope of personal data transferred, the time and legal basis of data transfer, the recipient of data transfer, and other data specified by law.

The Data Controller prints electronically processed personal data only when this is expressly necessary for the exercise of a right or the fulfilment of an obligation.

Procedure for Handling Personal Data Breaches

In the event of a breach of data security, or in the event of accidental or unlawful destruction, loss, alteration, unauthorised transfer or disclosure of personal data processed by the Data Controller, or unauthorised access to such data (hereinafter: "personal data breach"), or in the event of a suspicion thereof, the Data Controller and any person who has access to personal data processed by the Data Controller under any legal relationship shall be obliged to act in accordance with the provisions of this section.

A personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons, such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or identity fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy, or other significant economic or social disadvantage to the natural persons concerned.

The Data Controller therefore handles personal data breaches brought to its attention in accordance with the following provisions:

1. Detection and Reporting of a Personal Data Breach

Personal data breaches and potential threats may be encountered or detected by employees of the Data Controller, contracted partners, persons using its services, or commissioned agents and subcontractors developing, operating and running its IT systems.

Upon detection of an incident, the characteristics of the incident and all relevant details thereof shall be noted and documented, photographs shall be taken if necessary, and a screenshot of the IT device's screen shall be made.

The Data Controller does not apply a template or mandatory form for reporting personal data breaches; however, as a general rule, the report must be made to the Managing Director in a durable form (in writing on paper or electronically). In the case of an oral report, the Managing Director is obliged to draw up a record of the report, which must contain all available information relating to the incident.

Generally, prior to or during the occurrence of incidents, unusual human behaviour and/or incorrect, unusual operation of the IT system may arise. It is important that a person detecting an incident should not interfere with the process due to lack of professional competence, and should not start investigating or remedying the incident on their own authority. Exceptions include measures taken to prevent material damage or to protect human life.

An employee, subcontractor, or any contracted partner of the Data Controller must report every incident that can be linked to information security and/or data protection to the Managing Director of the Data Controller immediately upon becoming aware of it, but no later than four working hours after becoming aware of it.

The report shall contain the name of the Data Controller, the name and position of the reporting person, as well as the subject and brief description of the incident, and whether the incident affects any IT system used by the Data Controller, or whether there is a possibility of leakage of personal data of a wider range of data subjects or unauthorised access by unauthorised persons.

The report must also expressly draw the Managing Director's attention to any detected personal data breach that may pose a threat or cause damage not only to the IT system of the Data Controller but may also adversely affect the IT systems of the Data Controller's contracted partners, or may cause (material or non-material) damages to those clients.

Following the report, the Managing Director shall immediately commence the investigation and assessment of the personal data breach and shall take all necessary primary steps capable of reducing the extent of damage caused by the personal data breach or preventing further personal data breaches.

The Managing Director is obliged to immediately notify all contracted partners of the Data Controller for whom it performs data processing, if the incident affects the contracted party's information system and there is a risk of further sequential incidents if notification is omitted.

In the event of an incident affecting the IT system of the Data Controller, the Managing Director is obliged to notify the person responsible for operating the system, who is obliged to assist the Managing Director in the investigation of the incident.

2. Investigation and Assessment of a Personal Data Breach

The Managing Director of the Data Controller – in the case of an incident affecting the IT system, in cooperation with the person responsible for operating the system – shall examine the report and, if necessary, request further data from the reporting person regarding the incident.

The Managing Director may also involve the heads and employees of the organisational units (areas) affected by the personal data breach, who are obliged to cooperate with the Managing Director.

The Managing Director shall, to the extent possible, ascertain the following information (insofar as it does not emerge from the report):

  • the time and place of the occurrence of the personal data breach,
  • the scope of data affected by the personal data breach,
  • the scope and number of persons affected by the personal data breach.

Upon request, the reporting person is obliged to provide the time and place of the occurrence of the personal data breach, the other circumstances of the personal data breach, the scope and quantity of data affected by the personal data breach, the scope and number of persons affected by the personal data breach, the likely effects of the personal data breach, and a list of measures taken to prevent the personal data breach and to mitigate its consequences.

The reporting person shall provide the data requested immediately, but no later than within 4 working hours.

On the basis of this data, the Managing Director prepares a summary of the likely effects of the personal data breach and prepares an action plan to mitigate its consequences. The investigation shall be completed no later than three working days from receipt by the Managing Director.

The investigation must include whether the personal data breach is likely to result in a high risk to the rights and obligations of data subjects, what type of risk it involves, and whether it is necessary to notify data subjects of the incident. If notification of data subjects is not necessary, the investigation must also include the reasons therefor.

The Data Controller assesses the personal data breach according to the following criteria:

  • type of incident (confidentiality, integrity or availability breach),
  • nature of personal data (personal data / special category),
  • number of personal data,
  • number of persons affected,
  • categories of natural persons affected,
  • identifiability of natural persons affected,
  • probability and severity of consequences for the natural person concerned,
  • legal basis of the data processing concerned.

A personal data breach may be classified as risky if any of the following conditions are met:

  • the data involved in the incident include data falling within the special categories of personal data;
  • the number of personal data involved in the incident exceeds 100;
  • among the natural persons involved in the incident there are natural persons who have not reached the age of 16;
  • the number of natural persons involved in the incident exceeds 100;
  • the personal data involved in the incident are suitable for direct contact with the data subject;
  • the personal data are suitable for stealing the identity of the data subject or for misusing their identity;
  • the personal data involved in the incident are capable of causing financial loss to the data subjects.

The personal data breach is likely not to result in a risk if none of the conditions listed above are met, or if at least one is met but the Data Controller is able to demonstrate that it provided the personal data concerned with physical and/or IT protection that has not been compromised since the occurrence of the incident.

The Data Controller classifies the personal data breach as likely to be of high risk if at least two of the conditions listed above are met, or if at least one is met and the Data Controller is unable to demonstrate that it provided the personal data concerned with physical and/or IT protection that has not been compromised since the occurrence of the incident.

As a result of the investigation, the Managing Director of the Data Controller – after consulting the person responsible for operating the IT infrastructure if necessary – takes the necessary steps.

3. Register of Personal Data Breaches

The Managing Director of the Data Controller maintains a register of personal data breaches. The register contains:

  • the scope of personal data affected,
  • the scope and number of persons affected by the personal data breach,
  • the time of the personal data breach,
  • the circumstances of the personal data breach,
  • its effects,
  • the measures taken to remedy it, and
  • other data prescribed by law.

A model register for recording personal data breaches is contained in Annex 8 to this Notice.

4. Reporting the Personal Data Breach to the Authority

The Data Controller shall report the personal data breach to the Authority without undue delay, and where feasible, no later than 72 hours after having become aware of the personal data breach, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. If the report is not made within the deadline, the Managing Director of the Data Controller is obliged to demonstrate the reasons for the delay to the Authority.

The notification to the Authority must contain:

  • the scope and approximate number of data affected by the personal data breach,
  • the scope and approximate number of persons affected by the personal data breach,
  • the nature and circumstances of the personal data breach,
  • the likely consequences of the personal data breach, and
  • the measures taken or proposed to be taken to address and mitigate the personal data breach.

The Managing Director is responsible for reporting personal data breaches to the Authority.

5. Notification of Data Subjects Regarding a Personal Data Breach

If the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons and it is necessary to notify the data subjects, the Managing Director of the Data Controller shall immediately notify the data subjects. The notification of data subjects is independent of the obligation to notify the Authority.

Data subjects do not need to be notified:

  • if the Data Controller has implemented technical, organisational and protective measures with regard to the data affected that prevent unauthorised persons from accessing the data or prevent the data from being intelligible;
  • if, following the occurrence of the personal data breach, the Data Controller has taken measures that ensure that the identified data processing risk is unlikely to materialise;
  • if notification would require disproportionate effort. In such a case, data subjects shall be notified by means of publicly disclosed information, which may also be done electronically.

The Managing Director is obliged to notify the data subjects.

Enforcement of the Rights of Data Subjects

The Data Controller pays particular attention to ensuring that the enforcement of the rights of data subjects as defined in Articles 12–23 of the GDPR complies with the legal requirements and the expectations of data subjects.

The data subject may request information regarding the processing of their personal data and is entitled to access the information defined in Article 15 of the GDPR, and may also request the rectification of their personal data, or – except for data processing ordered by law – the erasure or restriction of their processing, or, where the conditions set out in Article 21 of the GDPR are met, may object to the processing of personal data, or may exercise the right to data portability or the right to withdraw consent, by sending a letter to the registered seat of the Data Controller or in person, and is also entitled to contact the Managing Director of the Data Controller at the e-mail address peter.szemesy@eccons.tech, in relation to the processing of their personal data.

1. Deadline for Fulfilling the Request

The Data Controller is obliged to respond in writing, in a comprehensible form, to a request of the data subject concerning the processing of their personal data (in the case of exercising any right), within at most one month of receipt. If necessary, taking into account the complexity of the request and the number of requests, this deadline may be extended by a further two months. The Data Controller shall inform the data subject of the extension of the deadline, indicating the reasons for the delay, within one month of receiving the request.

2. Manner of Fulfilling the Request

The Data Controller strives to ensure that the information provided to the data subject is, to the extent possible while also complying with the rules defined by the GDPR, concise, transparent, intelligible, easily accessible, clear and understandable. In the case of a request to exercise data subject rights, the Managing Director handles and fulfils the requests or arranges for the fulfilment of the requests. As a general rule, the Data Controller provides all information to the data subject in writing. If the data subject has submitted the request electronically, the information shall, wherever possible, be provided electronically, unless the data subject requests otherwise.

3. Possibilities for Rejection of the Request

Taking into account the rules set out in Article 12(4) and Article 32 (data security) of the GDPR, the exercise of the rights of the data subject – with the exception of the right to prior general information regarding data processing – is only possible upon appropriate identification of the applicant and fulfilment of the requirements ensuring the authentication of the content of the request.

The exercise of rights cannot be ensured in the case of requests submitted in a manner that allows only limited identification of the applicant's identity, in particular:

  • not complying with the provisions of other legislation relating to private documents with full probative force, or
  • not authenticated by an electronic signature, or
  • submitted by electronic mail, by telephone, or by fax.

If identity verification does not take place, the Data Controller is entitled to reject the data subject's request and is obliged to inform the data subject of the manner of exercising their rights.

The Data Controller does not accept any form of telephone identification; therefore, the data subject may not initiate the enforcement of their rights by telephone.

4. Information and Access

In accordance with the obligation set out in Article 13 of the GDPR, the Data Controller is obliged – where personal data relating to a data subject are collected from the data subject, at the time when personal data are obtained – to provide the data subject with the following information relating to data processing:

a) the identity and contact details of the Data Controller and its representative;

b) the contact details of the Managing Director, if any;

c) the purposes and the legal basis of the processing;

d) where applicable, the recipients or categories of recipients of the personal data;

e) the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;

f) information on the data subject's right to request access to personal data relating to them from the Data Controller, their rectification, erasure or restriction of processing, and to object to the processing of such personal data, and on the data subject's right to data portability;

g) in the case of processing based on consent, the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;

h) the right to lodge a complaint with a supervisory authority;

i) whether the provision of personal data is a statutory or contractual requirement or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data, and the possible consequences of failure to provide such data.

Where personal data have not been obtained from the data subject, the Data Controller shall provide the data subject with the above information and, pursuant to Article 14 of the GDPR, additionally with the following information:

a) the categories of personal data concerned;

b) the recipients or categories of recipients of the personal data;

c) the source of personal data and, where applicable, whether it came from publicly accessible sources.

Where personal data have not been obtained from the data subject, the Data Controller shall provide the notification:

a) within a reasonable period of obtaining the personal data, but at the latest within one month;

b) if the personal data are to be used for communication with the data subject, at the latest at the time of the first communication with that data subject; or

c) if a disclosure to another recipient is envisaged, at the latest when the personal data are first disclosed.

The above information obligation does not need to be fulfilled if:

  • the data subject already has the information contained in these points,
  • the provision of such information proves impossible or would involve a disproportionate effort,
  • obtaining or disclosure is expressly laid down by Union or applicable Hungarian law to which the Data Controller is subject and which provides appropriate measures to protect the legitimate interests of the data subject, or
  • the personal data must remain confidential subject to an obligation of professional secrecy regulated by Union or applicable Hungarian law.

The right of access of the data subject – in accordance with Article 15 of the GDPR – extends to the provision of the following information:

  • purposes of data processing;
  • categories of personal data concerned;
  • the recipients or categories of recipients to whom the personal data have been or will be disclosed;
  • the envisaged period for which the personal data will be stored;
  • the rights of the data subject in relation to the processing of personal data;
  • the source of the data, where they were not collected from the data subject;
  • information on automated decision-making.

5. Rectification

The Data Controller shall rectify data that does not correspond to reality – if the necessary data and supporting public documents are available – without undue delay, and shall at the same time inform the data subject in writing of the fact and date of rectification.

For the period during which the Data Controller verifies the accuracy of personal data, the personal data in question shall be restricted in accordance with point 17.8 of this Notice.

If the data subject requests rectification of their personal data and the correct personal data that should replace the data already processed is not available, the Data Controller shall invite the data subject to supply the missing data.

The Data Controller shall notify every recipient to whom the personal data has been disclosed of the rectification, unless this proves impossible or involves disproportionate effort. The Data Controller shall, upon request, inform the data subject of such recipients.

6. Erasure

The Data Controller shall, at the request of the data subject, erase personal data without undue delay, where data processing was based on consent, the data subject requests erasure (withdraws their consent) and there is no other legal basis for data processing.

The Data Controller shall also erase personal data where:

  • the personal data are no longer necessary in relation to the purposes for which they were processed;
  • the data subject objects to the processing of their personal data in accordance with Article 21 of the GDPR;
  • the processing of the personal data is unlawful;
  • the personal data must be erased for compliance with a legal obligation.

The data subject's right to erasure may only be restricted in the following cases provided for in the GDPR; that is, even where any of the above grounds apply, the further retention of the personal data shall be considered lawful:

a) for exercising the right of freedom of expression and information, or

b) for compliance with a legal obligation (i.e. in the case of an activity recorded in the Data Processing Register with the legal basis of legal obligation, for the period appropriate to the purpose of data processing), or

c) for archiving purposes in the public interest, or

d) for scientific and historical research purposes or for statistical purposes, or

e) for the establishment, exercise or defence of legal claims.

The Data Controller shall erase personal data in such a manner that its restoration is no longer possible.

The Data Controller shall notify every recipient to whom the personal data has been disclosed of the erasure, unless this proves impossible or involves disproportionate effort. The Data Controller shall, upon request, inform the data subject of such recipients.

7. Restriction of Processing

The data subject may request the Data Controller to mark personal data stored about them for the purpose of restricting their future processing.

Restriction of processing may take place if:

  • the data subject contests the accuracy of the data, for a period enabling the Data Controller to verify the accuracy of the personal data;
  • the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
  • the Data Controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
  • the data subject has objected to processing pursuant to Article 21 of the GDPR, pending the verification whether the legitimate grounds of the Data Controller override those of the data subject.

For the duration of the assessment of the data subject's objection to the processing of their personal data – but for a maximum of 5 days – the Data Controller shall suspend the processing, examine the merits of the objection and make a decision thereon, of which the applicant shall be informed.

Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with the data subject's consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

Where the Data Controller lifts the restriction of processing, it shall inform in writing the data subject at whose request the restriction was imposed prior to lifting the restriction, unless this proves impossible or involves disproportionate effort.

The Data Controller shall notify every recipient to whom the personal data has been disclosed of the restriction of processing, unless this proves impossible or involves disproportionate effort. The Data Controller shall, upon request, inform the data subject of such recipients.

Where restriction of processing was requested by the data subject, the Data Controller shall inform the data subject in advance before lifting the restriction.

8. Objection

The data subject shall have the right to object, on grounds relating to their particular situation, at any time to processing of personal data concerning them which is based on the legal basis of the execution of a task carried out in the public interest or on legitimate interest. That is, the data subject may object to the processing of their personal data if the legal basis of the processing is:

  • public interest pursuant to Article 6(1)(e) of the GDPR, or
  • legitimate interest pursuant to Article 6(1)(f) of the GDPR.

Where the data subject exercises the right to object, the Data Controller shall no longer process the personal data unless the Data Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims. The Managing Director of the Data Controller shall decide on the question of whether the processing is justified by compelling legitimate grounds. The Data Controller shall inform the data subject of its position in this regard.

For the period until a determination is made, the personal data shall be restricted in accordance with point 17.8.

9. Data Portability

The data subject shall have the right to receive the personal data concerning them, which they have provided to the Data Controller, in a structured, commonly used and machine-readable format and shall have the right to transmit those data to another controller without hindrance from the Data Controller to which the personal data have been provided, where:

  • the legal basis of processing is the consent of the data subject or processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract [Article 6(1)(a) or (b) of the GDPR, or Article 9(2)(a) of the GDPR], and
  • the processing is carried out by automated means.

The data subject may also request the Data Controller to transmit the personal data processed by it to another Data Controller clearly designated by the data subject.

The data subject shall not be entitled to the right set out in this section if the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller, and if this right adversely affects the rights and freedoms of others.

10. Right to Withdraw Consent

Where the legal basis of the processing of the data subject's personal data by the Data Controller is the data subject's consent, the data subject may withdraw their consent to data processing at any time. The data subject shall be informed of this right and the manner of withdrawal in the consent declaration or in the privacy notice provided at the same time. The withdrawal of consent shall be as easy as giving it. The Data Controller may process the personal data of the data subject even after the withdrawal of the consent given by the data subject for the purpose of fulfilling its legal obligations or enforcing its legitimate interests, if the enforcement of the interest is proportionate to the restriction of the right to the protection of personal data.

11. Exercise of Rights of Data Subjects Following the Death of the Data Subject

Within five years following the death of the data subject, the rights that the deceased was entitled to during their lifetime may be exercised by a close relative of the data subject, or a person authorised by the data subject by an administrative disposition or by a declaration made to the Data Controller in a public deed or in a private document with full probative force – if the data subject made several declarations to a Data Controller, the declaration made at a later point in time.

Liability, Legal Remedy, Enforcement

The Data Controller is liable for the lawfulness of the processing of the personal data of data subjects.

The Data Controller, acting as a data processor, shall only be liable to data subjects for damage caused by data processing if it has not complied with the obligations set out in the contract concluded with the data controller or in applicable legislation that are specifically imposed on data processors, or if it has disregarded or acted contrary to the lawful instructions of the data controller; in all other respects, the data processor shall be liable for the data processing activities performed by the Data Controller as if it had acted itself.

A data subject who has suffered material or non-material damage as a result of an infringement of the GDPR shall have the right to receive compensation from the Data Controller or the data processor for the damage suffered.

In order to enforce their right to judicial remedy, the data subject may bring proceedings against the Data Controller or – in relation to data processing operations within the scope of the data processor's activities – against the data processor before a court, if in their opinion the data controller, or the data processor acting on the basis of the mandate or instructions of the data controller, processes their personal data in breach of the provisions of applicable law or the mandatory legal acts of the European Union on the processing of personal data.

Every controller involved in data processing shall be liable for any damage caused by processing which infringes the GDPR. A data processor shall be liable for the damage caused by processing only where it has not complied with obligations of the GDPR specifically directed to data processors or where it has acted outside or contrary to the lawful instructions of the Data Controller.

If the Data Controller violates the personality rights of the data subject by processing their data unlawfully or by breaching the requirements of data security, the data subject may demand damages for personality rights infringement.

The Data Controller shall be liable to the data subject for the damage caused by a data processor engaged by it, and the Data Controller shall also pay the damages for the infringement of personality rights caused by the data processor to the data subject. The Data Controller shall be exempt from liability for the damage caused and from the obligation to pay damages for personality rights infringement if it proves that the damage or infringement of the personality rights of the data subject was caused by an unavoidable reason outside the scope of data processing.

The Data Controller or the data processor shall be exempt from liability if it proves that it is in no way responsible for the event that caused the damage.

If the data subject considers that the data processing infringes the provisions of the GDPR or the Infotv., or considers the manner in which the Data Controller processes their personal data to be objectionable, they may lodge a complaint with the Data Controller at the contact details provided.

The data subject is entitled to lodge a complaint directly with the authority regarding the data processing procedure of the Data Controller, and may file a report with the Hungarian National Authority for Data Protection and Freedom of Information (address: 1055 Budapest, Falk Miksa utca 9-11., postal address: 1363 Budapest, Pf. 9., telephone: +36 (1) 391-1400, e-mail: ugyfelszolgalat@naih.hu, website: www.naih.hu).

The data subject has the possibility to bring court proceedings to protect their data, in which case the court acts on a priority basis. In this case, the data subject may freely choose to bring proceedings before the court having jurisdiction over the place of their domicile (permanent address) or habitual residence (temporary address) (http://birosag.hu/torvenyszekek). The court having jurisdiction over the place of domicile or habitual residence may be found at http://birosag.hu/ugyfelkapcsolati-portal/birosag-kereso.

PART II: DATA PROCESSING OPERATIONS CARRIED OUT BY THE DATA CONTROLLER

Data Processing Operations Carried Out by the Data Controller

1. Contact

The Data Controller provides the possibility for visitors to its website (https://eccons.tech/) to contact the Data Controller via any of its contact details.

Purpose of data processing: Enabling contact with the Data Controller.
Scope of data processed: Name, e-mail address of the data subject, content of the message sent.
Scope of data subjects: Persons contacting the Data Controller.
Legal basis of data processing: Explicit consent of the data subject pursuant to Article 6(1)(a) of the GDPR.
Data storage deadline: Until withdrawal of consent and until the request has been investigated and answered.
Manner of data processing: Electronically
Source of data: Data collected from the data subject.
Possible consequences of failure to provide data: If the data subject does not provide the data to the Data Controller, the data subject will not be able to contact the Data Controller. Failure to provide data does not result in any adverse consequences for the data subject.
Automated decision-making and profiling: The Data Controller does not apply automated decision-making and does not carry out profiling.
Who may access the personal data? Competent employees of the Data Controller and, where applicable, employees of its data processors. The current list of data processors of the Data Controller is contained in this Privacy Notice.
Data transfer: No data transfer to a third country or international organisation takes place.

2. Processing of Contact Person Data

The Data Controller maintains a register of its contractual partners. Regarding the maintenance of the register, it is important to note that, as a general rule, the Data Controller may only process personal data contained in contracts concluded in the course of its activities on the basis of the legal ground under Article 6(1)(b) of the GDPR, i.e. until the performance of the contract.

Among the contractual partners and contracted clients of the Data Controller, there are also legal entities, whose data are generally not considered personal data, and which the Data Controller stores for the purpose of performing the contract. However, the data of certain contact persons designated in the contract, as well as the data of contact persons of various authorities, who are not in a contractual relationship with the Data Controller but are merely employees, workers, or subcontractors of the Data Controller's contracted partners, are subject to different assessment. The Data Controller stores and keeps records of the contact details and data of such persons for the facilitation of the Data Controller's activities and business operations, on the basis of the Data Controller's legitimate interest.

The legitimate interest assessment test relating to the keeping of contact person records is contained in the annex to this Privacy Notice.

Purpose of data processing: The purpose of data processing is to maintain a register of the Data Controller's contractual partners and their contact persons, as well as the contact persons of authorities.
Scope of data processed: Name, registered seat, tax number, registration number, e-mail address, telephone number of the contractual partner, contact details of the contact person (name, e-mail, telephone number).
Scope of data subjects: Contractual partners and contact persons of the Data Controller.
Legal basis of data processing: In respect of the contracting party: performance of a contract or steps prior to entering into a contract pursuant to Article 6(1)(b) of the GDPR; in respect of the contact persons of the contracting party: the legitimate interest of the Data Controller pursuant to Article 6(1)(f) of the GDPR.
Data storage deadline: For 5 years following the performance of the contract.
Manner of data processing: On paper and/or electronically
Source of data: Data collected from the data subject.
Possible consequences of failure to provide data: The provision of personal data is necessary for the performance of the contract; if the data subject does not provide the data to the Data Controller, the Data Controller will not be able to perform the contract or maintain contact with the contractual partner.
Automated decision-making and profiling: The Data Controller does not apply automated decision-making and does not carry out profiling.
Who may access the personal data? The Data Controller and its competent employees.
Data transfer to a third country or international organisation: No data transfer to a third country or international organisation takes place.

3. Data Processing in Connection with the Maintenance of Records Relating to the Exercise of Rights of Data Subjects Under the GDPR

Purpose of data processing: Data processing in connection with the maintenance of records relating to the exercise of rights of data subjects as defined in the GDPR.
Scope of data processed: Name, place and date of birth, mother's name, address, correspondence address, request for the exercise of rights of data subjects under the GDPR.
Scope of data subjects: Person exercising rights of data subjects under the GDPR.
Legal basis of data processing: The legal basis of data processing is compliance with a legal obligation pursuant to Article 6(1)(c) of the GDPR and legitimate interest pursuant to point (f).
Data storage deadline: 5 years from the adjudication of the request.
Manner of data processing: On paper and/or electronically
Source of data: Data collected from the data subject.
Possible consequences of failure to provide data: The processing of data is necessary for the Data Controller to comply with the provisions of the GDPR.
Automated decision-making and profiling: The Data Controller does not apply automated decision-making and does not carry out profiling.
Who may access the personal data? The Data Controller, the competent employee of the Data Controller.
Data transfer to a third country or international organisation: No data transfer to a third country or international organisation takes place.

4. Data Processors

Data processors do not make independent decisions; they are only entitled to act in accordance with the contract concluded with the Data Controller and the instructions received. Data processors record, process, and handle the personal data forwarded to them by the Data Controller and processed by them in accordance with the provisions prescribed by the GDPR. Data processors carry out data processing operations on the personal data provided by data subjects within the period of use available in accordance with the individual data processing purposes specified in this Privacy Notice. In connection with the data processing operations indicated in this Privacy Notice, the Data Controller uses the following data processors. The current list of data processors is available at the Data Controller.

Category of Data Processor: Hosting provider
Purpose of Data Processing: Hosting service
Name: ININET Kft.
Registered Seat: 1063 Budapest, Szinyei Merse utca 10.
Company Reg. No. / Registration No.: 01 09 970252

Category of Data Processor: System administrator
Purpose of Data Processing: System administration service
Name: HardIT Solutions Kft.
Registered Seat: 2363 Felsőpakony, Zrínyi Miklós utca 11.
Company Reg. No. / Registration No.: 13 09 222014

PART III: ANNEXES

Annex 1 – Notice to be Included in Contracts

By signing this contract, the Client/Principal acknowledges that the Contractor/Agent, in relation to the contractual relationship established between it and the Client/Principal, shall process the personal data provided by the Client/Principal during the conclusion of the contract and during the performance of the contract, pursuant to Article 6(1)(b) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter: "GDPR" or "Regulation"), for a period of 5 years from the termination of the contract.

The Contractor/Agent maintains a record of any contact person data contained in the contract on the basis of Article 6(1)(f) of the GDPR, i.e. its legitimate interest. The legitimate interest assessment test of the Contractor/Agent in this regard is contained in the Privacy Notice.

Or

The Parties agree that in connection with the conclusion and performance of this Contract, the personal data of their natural person representatives, employees and agents (hereinafter collectively: "Cooperating Persons") shall be disclosed as set out in the Contact section. In respect of its own Cooperating Persons, each Party acts as data controller; in respect of the Cooperating Persons of the data controller Party, the other Party acts as recipient.

The Agent/Principal informs the Principal/Agent that the personal data of Cooperating Persons that became known to the Agent/Principal as recipient in connection with this Contract shall be processed by the Agent/Principal during the management and performance of the Contract, for the purposes of document record-keeping, invoice management, and the organisational unit-level registration of the contact details of business partners, pursuant to Article 6(1)(f) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter: "GDPR" or "Regulation"), i.e. on the basis of its legitimate interest.

The Principal/Agent informs the Agent/Principal that the personal data of Cooperating Persons that became known to the Principal/Agent as recipient in connection with this Contract shall be processed by the Principal/Agent during the management and performance of the Contract, for the purposes of document record-keeping, invoice management, and the organisational unit-level registration of the contact details of business partners, pursuant to Article 6(1)(f) of the GDPR, i.e. on the basis of its legitimate interest.

Annex 2 – Legitimate Interest Assessment Test for the Processing of Contact Person Data

Reason for Carrying Out the Legitimate Interest Assessment, Purpose of Data Processing

The Data Controller maintains a register of its contractual partners. Regarding the maintenance of the register, it is important to note that, as a general rule, the Data Controller may only process personal data contained in contracts concluded in the course of its activities on the basis of the legal ground under Article 6(1)(b) of the GDPR, i.e. until the performance of the contract. However, the Data Controller has a legitimate interest in processing client data in a register, following the performance of the contract, for the purpose of enforcing its potential legal claims.

Article 6(1)(f) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter: "GDPR") provides the legal basis for data processing where it is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.

Given that the data of individual contact persons are recorded by the Data Controller, and these persons are not directly in a contractual relationship with the Data Controller, the storage and record-keeping of their data raises the issue of restricting the interests, fundamental rights and freedoms of the data subjects.

In order to determine whether the legitimate interest of the Data Controller justifying data processing exists, and thus whether data processing for the purpose of maintaining a register of contractual partners and their contact persons may be carried out, it is necessary to perform this legitimate interest assessment test.

In the course of the legitimate interest assessment test, the following steps shall be taken and examined with regard to the provisions of Annex 1 to Opinion WP217 of the Article 29 Working Party:

  • examination of the lawfulness of the controller's interest;
  • necessity test;
  • fundamental rights or interests of the data subjects;
  • safeguards, and
  • result of the legitimate interest assessment test.

Legitimate Interest of the Data Controller

The Data Controller may enter into contracts with natural persons acting in the course of their profession, independent occupation or business activity, with legal entities, or with organisations without legal personality. As a general rule, the data of legal entities and organisations without legal personality are not considered personal data; the Data Controller stores these for the purpose of performing the contract.

However, the data of certain contact persons designated in the contract, as well as the data of contact persons of various authorities, who are not in a contractual relationship with the Data Controller but are merely employees, authorised representatives, beneficial owners, persons entitled to give instructions, or representatives of the Data Controller's contracted partners, are subject to different assessment. The Data Controller stores and keeps records of the contact details (e-mail, telephone number) and data (name) of such persons in order to facilitate its activities.

The purpose of data processing is in particular to enable effective communication between the Data Controller and its contracting parties and partners, to conduct negotiations related to the contract, which form an indispensable part of the performance of the contract and are absolutely necessary therefor.

The personal data constituting the subject of this legitimate interest assessment test must necessarily be available during the term of the contract, due to the need for organised, single-channel management of contractual communication, which is an equally legitimate need not only of the Data Controller but also of its contractual partners and clients.

Necessity Test

Why is the processing of personal data necessary to achieve the purpose?

The Data Controller has a fundamental and essential interest in maintaining communication with its contractual partners for the aforementioned purpose. The processing of personal data necessary for the conclusion, performance, modification and termination of the contract is required, without which the Data Controller would not be able to perform the contract or maintain contact with the contractual partner.

Is an alternative solution available to achieve the purpose?

No alternative solution is available that could replace the record-keeping of personal data.

Can the data be processed on another legal basis?

The consent of the data subject [Article 6(1)(a) of the GDPR] as a legal basis is not applicable, because the contact person is in an employment relationship with the partner of the Data Controller, in which case the voluntariness of consent cannot be assumed due to the hierarchical relationship.

Nor can data processing be based on the performance of a contract [Article 6(1)(b) of the GDPR], because no direct contractual relationship is established between the data subject and the Data Controller in the course of the Service.

The Data Controller has examined the possibility of basing its data processing on compliance with a legal obligation. Currently, there is no statutory provision that would oblige the Data Controller to process the data of the contact persons of its contractual partners.

On the basis of the available information, data processing cannot be based on the protection of the vital interests of the data subject or another natural person [Article 6(1)(d) of the GDPR].

The Data Controller is not a body performing a task in the public interest or exercising official authority; therefore, data processing based on Article 6(1)(e) of the GDPR would also not be appropriate.

What disadvantages does the Data Controller suffer if data processing does not take place?

If the data subject does not provide the data to the Data Controller, the Data Controller will not be able to perform the contract or maintain contact with the contractual partner. This would prevent the unhindered performance of the contract between the parties; therefore, not only the Data Controller but also the contractual partner has an equally legitimate interest in the processing of the data.

Interests of the Data Subject to be Protected

The scope of persons affected by personal data processing includes the contractual partners, clients of the Data Controller and persons designated as contact persons.

Under the Fundamental Law, everyone has the right to the protection of their personal data. The Fundamental Law also declares that human dignity is inviolable. The data subject therefore has an interest in protection in order to be able to exercise their right to informational self-determination; to have control over the processing of their personal data and to have their private sphere respected by the data controller.

The Data Controller also took into account when preparing the legitimate interest assessment test that data subjects may freely decide on their occupation, and freely choose with which employer and under what terms they wish to enter into a contract.

To protect the above, the Data Controller applies the safeguards and guarantees detailed in the following section.

Balancing of Interests, Safeguards

In accordance with the above, the Data Controller has legitimate economic interests justifying the keeping of records of its partners' contact person data and their storage, while the interest of the data subject is that their personal data are processed in an appropriate manner, only to the extent necessary and linked to the purpose of data processing, until its realisation.

The Data Controller keeps in mind that only the data necessary for achieving the purpose is processed; accordingly, it ensures that the contact person data of the data subject are processed and used only to the extent necessary for the conclusion or performance of the contract, and that the private sphere and right to private life of the data subject are not violated beyond this purpose.

The necessity of performance of the contract between the data subject and the contractual partner of the Data Controller as the employer of the data subject also gives rise to the legitimate interest of the employee (which, however, does not necessarily coincide with the legitimate interest of the Data Controller and the contractual partners). It follows from the employment relationship that the data subject maintains contact with the contractual partners of their employer; therefore, the data subject may also expect the Data Controller to process their personal data used in the course of their work within the above scope.

The Data Controller complies with the fundamental principles of the GDPR in the course of its data processing, places particular emphasis on appropriate and comprehensive notification of data subjects, and strives to comply with and promote the highest level of security of data processing. The processing of personal data of data subjects takes place in a transparent manner in all cases. The Data Controller carries out data processing operations solely for purposes consistent with the data processing purposes and only on data absolutely necessary for the achievement of the given purpose.

In order to ensure the lawfulness of data processing, the Data Controller has carefully examined the legal bases of data processing, precisely indicated the scope of data to be processed and their retention periods, and has ensured the exercise of the rights of data subjects.

In order to ensure that the restriction is proportionate to the interests of the data subject, the Data Controller applies the following safeguards:

The Data Controller has ensured that data subjects are appropriately, comprehensively and in advance informed about the planned data processing and the manner of exercising their rights under the GDPR, their rights as data subjects, and the contact details of the Data Controller and its Managing Director, through the privacy notice related to the data processing, which is available at all times at the registered seat of the Data Controller. The Data Controller also informs contact persons regarding the processing of contact person data in the contract concluded with the contracting partner.

The scope of data processed is limited to the minimum necessary data; the personal data processed are necessary for the realisation of the data processing purposes as set out above. The Data Controller does not process data not relevant to the realisation of the data processing purposes. The personal data processed are the following:

  • Name, telephone number, e-mail address of the contractual partner, client, and contact details of the contact person (name, e-mail, telephone number).

The Data Controller processes data for 5 years following the termination of the contract or until a new contact person is notified; upon expiry of this data storage deadline, the Data Controller shall immediately take measures to delete the personal data.

The processing of personal data of data subjects takes place solely for the purpose set out in this legitimate interest assessment test, which purpose is specified, clear and lawful.

The secure storage of data is ensured, and access thereto is restricted to the necessary extent and to the justified circle of persons.

Data subjects are informed in detail of the manner of exercising their rights under the GDPR, their rights as data subjects, and the contact details of the Data Controller and its Managing Director, through the privacy notice related to the data processing, which is available at all times at the registered seat of the Data Controller.

Data subjects may at any time:

  • exercise their right of access pursuant to Article 15 of the GDPR and request access to their personal data, as well as request data portability,
  • exercise their right to rectification or erasure,
  • exercise their right to restriction, and
  • object to data processing by addressing a request to the Managing Director of the Data Controller.

Data subjects may at any time contact the Managing Director of the Data Controller with their questions regarding data processing or to exercise their rights under the GDPR. Data subjects are informed of the contact details of the Managing Director of the Data Controller in the privacy notice related to the data processing.

In view of the above, the processing of personal data by the Data Controller does not cause any disadvantage to the data subject.

Result of the Legitimate Interest Assessment Test

On the basis of the legitimate interest assessment test, it has been established that the enforcement of the legitimate interest of the Data Controller is proportionate to the restriction of the interests of the data subject with the introduction and observance of appropriate safeguards, i.e. the use of the legal basis pursuant to Article 6(1)(f) of the GDPR is considered justified.

In summary:

As a result of the legitimate interest assessment test, it can be established that the legitimate interest of the Data Controller justifying the processing of data necessary for the performance of contracts is stronger and more pronounced than the interest of data subjects in the Data Controller not being able to access or process their data. The absence of such data processing would in certain cases prevent the performance of the contract and thereby the operation of the Data Controller.

The purpose of data processing cannot be achieved by other means.

The rights and interests of data subjects are protected by numerous safeguards and guarantees built into the data processing procedure.

The purpose of data processing is generally (according to common understanding) accepted, and the purpose of data processing cannot be achieved otherwise. No disadvantage accrues to the data subject as a result of data processing; on the contrary, the data subject can only fulfil their contractual obligations arising from their legal relationship by means of data processing, i.e. it is also in the interest of the data subject.