privacy
policy

see beyond
compliance

Personal Data Processing Notice for Customers and Other Data Subjects

Effective: From August 15, 2024

Vantage Point Ltd. (registered office: 1139 Budapest, Lomb utca 31/B.; company registration number: 01-09-433261; tax number: 32609189-2-41; hereinafter: the Company), as the data controller, processes the personal data of its customers and other data subjects in accordance with applicable data protection regulations, specifically the Regulation (EU) 2016/679 of the European Parliament and the Council (hereinafter: GDPR), and Act CXII of 2011 on Informational Self-Determination and Freedom of Information (hereinafter: the Info Act), in the manner outlined below.

I. Definitions

Data Subject: any identified or identifiable natural person based on personal data; a natural person who can be identified, directly or indirectly, particularly by means of an identifier such as a name, number, location data, online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
Personal Data any information relating to an identified or identifiable natural person; a natural person who can be identified, directly or indirectly, through an identifier such as a name, number, location data, online identifier, or any other characteristic specific to the identity of that person, including physical, physiological, genetic, mental, economic, cultural, or social factors.
Data Processing: any operation or set of operations performed on personal data or data sets, whether or not by automated means, such as collection, recording, organization, structuring, storage, alteration or retrieval, use, disclosure, dissemination, or otherwise making available, aligning or combining, blocking, erasure, or destruction, including the recording of photographs, audio, or video recordings, or the capture of physical characteristics (e.g., fingerprints, palm prints, DNA samples, iris scans) for identification purposes.
Data Controller: the natural or legal person, public authority, agency, or any other body who or which alone or jointly with others determines the purposes and means of processing personal data and makes decisions regarding the data processing (including the tools used), or has them carried out by a data processor.
Data Processor: the natural or legal person, public authority, agency, or any other body that processes personal data on behalf of the data controller.
Recipient: the natural or legal person, public authority, agency, or any other body to whom or with whom personal data is disclosed, regardless of whether they are a third party. Public authorities who may be granted access to personal data in the context of an investigation in accordance with Union or Member State law are not considered recipients; the processing of the data by such authorities must be in compliance with applicable data protection laws and the purposes of the data processing.
Third Party: any natural or legal person, public authority, agency, or any other body that is not the data subject, the data controller, the data processor, or those authorized to process personal data under the direct authority of the data controller or processor.
Consent of the Data Subject: the voluntary, specific, informed, and unambiguous indication of the data subject's wishes by a statement or a clear affirmative action, signifying agreement to the processing of personal data concerning them.
Supervisory Authority: the National Authority for Data Protection and Freedom of Information.

II. Applicable Laws for Data Processing by the Company

Regulation (EU) 2016/679 of the European Parliament and the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR);
Act CXII of 2011 on Informational Self-Determination and Freedom of Information (hereinafter: Info Act);
Act V of 2013 on the Civil Code (hereinafter: Civil Code).

III. Principles of Data Processing

The Company processes personal data solely for specific purposes in a manner that is suitable, appropriate, relevant, and necessary to achieve those purposes for the duration and extent necessary to fulfill the purpose. The purposes include the performance of contracts, the exercise of rights, and compliance with legal obligations, as well as the protection of vital interests of the data subject or another natural person, or the legitimate interests of the Company or a third party, or based on consent. This is carried out in accordance with the principle of data minimization, meaning that personal data will only be processed to the extent necessary for the realization of the processing purpose. At every stage of data processing, it must align with the intended purpose of the processing, which must be clearly defined and lawful. The collection and processing of personal data must be carried out fairly and lawfully, and in every case, it must be transparent to the data subject. III. Principles of Data Processing

IV. Purpose of Data Processing

The purpose of the Company’s data processing includes the execution of contracts between the Company and its customers, as well as the direct assessment of the customer’s or individuals involved in certain challenges' needs in order to satisfy those needs with higher-level services (e.g., for statistical purposes). The data processing also serves to fulfill the Company’s legal and contractual obligations andexercise its legitimate interests, such as the exercise of rights arising from the contract, performance of obligations, and addressing potential complaints.

V. Legal Grounds for Data Processing

According to the GDPR, the Company processes personal data based on one of the following legal grounds:

The data subject has given consent to the processing of their personal data for one or more specific purposes;
The processing is necessary for the performance of a contract to which the data subject is a party or for taking steps at the request of the data subject prior to entering into a contract;
The processing is necessary for compliance with a legal obligation to which the Company is subject;
The processing is necessary for the protection of the vital interests of the data subject or another natural person;

The processing is necessary for the legitimate interests pursued by the Company or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject that require protection of personal data, particularly if the data subject is a child.

If the Company processes data based on the consent of the data subject, the processing is always preceded by the voluntary, clear, and explicit consent given by the data subject, which is based on proper information. The consent remains valid until revoked, and the data subject may withdraw their consent at any time by sending an electronic message to info@vantagepoint.hu or through the contact details provided on the Company’s website. In the case of data processing based on consent, the data subject will be informed immediately if the data processing relies on another legal basis, should the consent be withdrawn. The withdrawal of consent does not affect the lawfulness of the data processing that was carried out prior to the withdrawal based on consent.

Any personal data can only be processed under a single legal basis at any given time (i.e., the one on which the data subject was informed when the personal data was collected), but it is possible to apply multiple legal bases for the same personal data. However, a change in legal grounds is allowed only when, for example, the data subject withdraws consent, but the Company still needs to process the personal data based on another legal basis. In this case, the data subject must be adequately informed about the new legal basis.

VI. Types of Personal Data

Természetes személyazonosító adatok: ezen személyes adatok kezelésének célja az Érintett egyértelmű azonosítása és a kapcsolattartás. A Cég kezeli az Érintett következő személyes adatait: név, fénykép, email cím. Az adatkezelés jogalapja elsősorban a szerződés teljesítése. Ha az Érintett nem adja meg a jelen bekezdésben említett személyes adatokat, az a szolgáltatások igénybevételének részben vagy egészben történő meghiúsulását vonhatja maga után.
Contact Information (Phone numbers and other contact details): The purpose of processing these personal data is for communication, and the legal basis for processing is primarily the performance of the contract. If the data subject does not provide the personal data mentioned in this paragraph, it may result in the failure to provide some or all services.
Personal Data Collected During Contact with the Company: This category includes all personal data generated during communication with the Company. The processing of personal data, in this case, is closely related to the procedure initiated by the data subject, as well as to the contract and its performance. The legal basis for this data processing is primarily the performance of the contract.

VII. Authorized Parties to Access the Data

All employees of the Company involved in data management and data processing, as well as the Company's subcontractors, are authorized to access the personal data of the Data Subject.

VIII. Duration of Data Processing and Retention

The Company will delete the types of data it processes after the following time periods:

Customer personal identification data will be deleted after 6 (six) years following the termination of the business relationship.

IX. Az Érintett adatkezeléssel kapcsolatos jogai

A request to exercise the rights of the Data Subject may only be denied if the Data Subject cannot be identified. In this case, the Company is required to verify the identity of the Data Subject before processing any request related to the data subject's rights. If identification is unsuccessful, the Data Subject, their representative, or the person acting as the Data Subject will be informed that the request cannot be accepted due to the failure to identify them and for the protection of the Data Subject's personal data.

Upon successful identification, the Data Subject may request access to their personal data, correction of inaccuracies, deletion, restriction of processing, objection to the processing of such personal data, and may also exercise the right to data portability.

The request must be fulfilled without undue delay, but no later than one month from the receipt of the request. Due to unreasonable or excessive requests or repetitive requests, the Company may charge a reasonable fee for the administrative costs associated with providing the requested information or taking the requested action or may refuse to take action based on the request.

Right to Access

The Data Subject has the right to obtain confirmation as to whether their personal data is being processed, and if so, to access the personal data and the information specified by law. If personal data is transferred to a third country or an international organization, the Data Subject is entitled to be informed about the transfer and the appropriate safeguards ensuring the protection of their rights. The Company will provide a copy of the personal data being processed. For additional copies requested by the Data Subject, the data controller may charge a reasonable fee based on administrative costs. If the request is made electronically, the information will be provided in a commonly used electronic format unless the Data Subject requests otherwise. The right to request a copy shall not adversely affect the rights and freedoms of others.

Right to Rectification

The Data Subject has the right to request the correction of inaccurate personal data concerning them without undue delay. Taking into account the purpose of the processing, the Data Subject is entitled to request the completion of incomplete personal data, including by providing a supplementary statement.

Right to Erasure (Right to be Forgotten)

The Data Subject has the right to request the erasure of their personal data without undue delay, and the Company is obligated to erase the personal data concerning the Data Subject without undue delay if one of the following grounds applies:

the purpose of the data processing has ceased;
the Data Subject has withdrawn their consent, and there is no other legal basis for processing;
the Data Subject objects to the processing, and there is no overriding legitimate reason for the processing;
the data must be erased to comply with a legal obligation;
the personal data was collected in relation to the offering of information society services.

If the personal data has been made public by the Company and must be erased, reasonable steps should be taken, including technical measures, considering the available technology and the cost of implementation, to inform other data controllers who process the personal data, so that they can also delete any links to, or copies of, the personal data in question. This notification should consider the available technology and execution costs. If fulfilling this obligation is too costly or exceeds the available technology, the notification can be omitted with a properly documented justification.

The right to erasure does not apply if the processing is necessary for:

the exercise of the freedom of expression and the right to information;
compliance with a legal obligation;
public interest archiving, scientific and historical research, or statistical purposes, if the erasure would likely make it impossible or seriously jeopardize the achievement of those purposes;
the establishment, exercise, or defense of legal claims.

This right to erasure is particularly important when the Data Subject, as a child, consented to data processing but later wishes to remove the personal data because they were not fully aware of the risks associated with data processing at the time.

Right to Restrict Processing

The Data Subject has the right to request the Company to restrict processing if one of the following conditions is met:

the Data Subject disputes the accuracy of the personal data (in this case, the restriction applies for the period that allows the Company to verify the accuracy of the personal data);
the processing is unlawful, and the Data Subject opposes the erasure of the data and instead requests the restriction of its use;
the Company no longer needs the personal data for processing purposes, but the Data Subject requires it for the establishment, exercise, or defense of legal claims;
the Data Subject has objected to the processing (in this case, the restriction applies for the period until it is determined whether the Company’s legitimate grounds override the Data Subject's legitimate grounds).

If processing is restricted, such personal data may only be processed, except for storage, with the consent of the Data Subject, or for the establishment, exercise, or defense of legal claims or for the protection of the rights of another natural or legal person, or for reasons of important public interest of the Union or a Member State.

The Data Subject whose processing has been restricted must be informed before the restriction is lifted.

Methods of restricting processing may include: (a) temporarily moving the relevant personal data to another data controller's system, (b) making the data inaccessible to users, or (c) temporarily removing the data from a website where it was published.

The restriction of processing in automated record-keeping systems must primarily be ensured through technical means so that no further processing operations are carried out on the personal data, and it cannot be modified. The fact that the processing of personal data is restricted must be clearly indicated in the system.

Right to Object

The Data Subject has the right to object at any time, for reasons related to their particular situation, to the processing of their personal data based on legitimate interests, including profiling based on these provisions. In this case, the Company may not continue processing the personal data unless it demonstrates compelling legitimate grounds for the processing which override the Data Subject's interests, rights, and freedoms or if the processing is necessary for the establishment, exercise, or defense of legal claims.

If personal data is processed for direct marketing purposes, the Data Subject has the right to object at any time to the processing of their personal data for such purposes, including profiling insofar as it is related to direct marketing.

Right to Data Portability

The Data Subject has the right to receive the personal data provided to the Company in a structured, commonly used, and machine-readable format, and the right to transmit those data to another data controller without hindrance from the Company, if:

the processing of personal data is based on consent or is necessary for the performance of a contract, and
the processing is carried out by automated means.

The Data Subject has the right, if technically feasible, to request the direct transmission of personal data between data controllers.

The exercise of this right shall not adversely affect the rights and freedoms of others.

Prior to ensuring data portability, careful attention must be given to verifying the Data Subject's identity and ensuring that the destination for data transfer is correctly specified.

The exercise of data subject rights is free of charge unless the Data Subject has made a request concerning the same data set in the same calendar year. In other cases – particularly with excessive or repeated requests – the Company may charge an administrative fee, which must be paid in order for the request to be processed.

X. Right to Lodge a Complaint with the Supervisory Authority

The Data Subject has the right to lodge a complaint regarding data processing with the Supervisory Authority at the following contact details:

National Authority for Data Protection and Freedom of Information
Postal address: 1530 Budapest, P.O. Box 5
Address: 1125 Budapest, Szilágyi Erzsébet Road 22/c
Phone: +36 (1) 391-1400
Fax: +36 (1) 391-1410
E-mail: ugyfelszolgalat@naih.hu
URL: http://naih.hu

XI. Cookie Management

This website uses cookies, which are small information packages made up of letters and numbers, to personalize content and enhance user experience. Through the use of cookies, we collect information about how visitors interact with the website and create analyses and metrics regarding user behavior. Some of the cookies appearing on our website are placed by third-party service providers.

In modern browsers, it is possible to set cookies, i.e., to accept or reject them. Most browsers accept cookies by default, but this can usually be changed. This prevents automatic acceptance, and the browser will ask the visitor each time whether they wish to allow cookies.

We may store cookies on the device only if they are strictly necessary for the operation of our website. For all other types of cookies, we require permission. Consent can be modified or withdrawn at any time on our website. If rejected, the data will not be tracked.

Depending on their validity and purpose, different types of cookies can be distinguished. Cookies can be either first-party (internal) or third-party (external). First-party cookies are set by the website operator, while third-party cookies are set by an external provider.

Strictly Necessary Cookies

The legal basis for the processing of strictly necessary cookies is the legitimate interest of the data controller. These essential cookies help make the website www.vantagepoint.hu usable by enabling basic functions, such as navigation on the page and access to secure areas of the website. Without these cookies, the website cannot function properly. The validity of these cookies lasts until the browsing session ends, and they are automatically deleted from the computer or other device once the browser is closed. www.vantagepoint.hu weboldalt azáltal, hogy engedélyeznek olyan alapvető funkciókat, mint az oldalon való navigáció és a weboldal biztonságos területeihez való hozzáférés. A weboldal ezen sütik nélkül nem tud megfelelően működni. Az ilyen típusú sütik érvényességi ideje a böngészés befejezéséig tart, a böngésző bezárásával a sütik e fajtája automatikusan törlődik a számítógépről, illetve a böngészésre használt más eszközről.

Functionality-enhancing Cookies

These cookies store the operational modes and settings chosen on the website (such as the website language, use of an accessible version, search settings) on the user's device. As a result, the visitor does not need to re-enter these settings during their next visit. Without these cookies, the website cannot function smoothly.

Statistical Cookies

Statistical cookies help us understand how visitors interact with the website by collecting and reporting data in an anonymous format. The legal basis for processing these cookies is the visitor's consent. The purpose and expiration of these cookies may vary depending on the cookie type. For more information: Google Analytics. Google Analytics.

Targeting Cookies

The purpose of these cookies is to display advertisements that are more likely to interest or be relevant to the visitor. In such cases, we share certain content of the cookies with a third party. These cookies collect information about which pages the visitor has viewed, which parts of the website they clicked on, and how many pages they visited, but without consent, they are not capable of identifying the visitor personally.

Budapest, 2024.08.15.

Vantage Point Consulting Ltd.

privacypolicy