Data protection policy

Hungarian Innovation and Efficiency Nonprofit Ltd.  (translated as: Magyar Innováció és Hatékonyság Nonprofit Kft. - hereinafter referred to as "Company") as a data controller based on the impact study and the deviation analysis carried out, developed and implemented the following action plan:

The plan is created for the data protection of all natural persons in compliance with the "General Data Protection Regulation", (hereinafter "GDPR Regulation") regulated under the (EU) 2016/679 regulation of the European Parliament.


The Company, as a data controller, has the right to request and process the necessary documents and statements regarding the personal data of a natural person client and a natural person representing the client in order to provide the contracted service and to fulfill its obligations under the GDPR Regulation, and other applicable laws and also under the provisions of the contracts with the customer.

The purpose of the Code is to define the Company's system for managing, processing and enforcing data subjects' personal data and their liability.

The provisions of the Code shall apply to all persons who carry out data processing or joint data management activities for the company.

The general purposes of the processing of personal data are:

  • identification of the Customer or its representative,

  • Exercise of contractual rights and obligations

  • (including the execution of transactions) and proof of their fulfilment,

  • information and marketing related to the transactions or activities of the Company,

  • pursuing the legitimate interests of the Enterprise,

  • settlement in accordance with the contractual relationship,

  • correspondence,

  • the fulfilment of any tax obligations that the Company may incur in respect of Customer.

The processing time for each data varies, however it can be checked at table 1.0 data inventory at the end of this document.

The Company's Privacy Policy is in compliance with applicable data protection laws, in particular:

  • CXII of 2011 Act - on the Right of Information Self-Determination and Freedom of Information (Infotv.);

  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 - on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Regulation (EC) No 95/46 (General Data Protection Regulation, GDPR);

  • Act V of 2013 - on the Civil Code (Hungarian Civil Code);

  • Act C of 2000 on Accounting (Hungarian TV Act);

2.) Scope

The provisions of the Code shall apply to the management of the Company's personal data, to the regulation of its processes and to the rights of the data subjects. 


The data protection policy is valid from 25th  of May 2018 and shall remain in effect until revoked or further provision.


The Code is based on the results of a stocktaking and analysis of the situation in the light of Article 35 of the GDPR Regulation.


The following key terms in these Rules are the same as those listed in Article 4 of the GDPR:

  • Data owners

  • Data inventory

  • Data protection incident

  • Privacy Impact Assessment

  • Privacy Organisation

  • Profiling

  • Registration System

Activity Center: The seat (s) of the Enterprise, even if the Enterprise processes personal data in the framework of its cross-border activities!

Supervisory Authority (Data Protection): National Data Protection and Freedom of Information Authority (address: 1125 Budapest, Szilágyi Erzsébet fasor 22c, mail address: 1530 Budapest, Pf..5; c; contact: Phone: +36 1 391 1400, fax: +36 (1) 391-1410; Email: customer; URL

Acquisition: Acknowledgment is when the controller has a reasonable degree of certainty that a security incident has occurred that could lead to unlawful processing of personal data. 


The Company will handle the processing of personal data in accordance with Article 5 of the GDPR. The following provisions are added and implemented in the following ways.

- Legality, due process and transparency

The provisions of the GDPR Decree, Hungarian Legislation and all necessary blyaws must be fully complied with when processing and processing the Enterprise Data. It is the responsibility of each manager and employee of the Company to establish processes and procedures, forms and data management approvals with statements that fully comply with these fundamental principles.

The Company determines that the processing of personal data is necessary for the performance of contracts and the Company's legal obligation. In the absence of these, personal data processing is only possible by informing and taking consent of the data subject.

In the case of consented data processing, the Company obtains the consent of the data subject in a verifiable manner: in writing or by recorded telephone. In the case of consented data-collection the data subject's voluntary consent may be withdrawn at any time without giving any reason, in which case the data subject shall be informed in all cases.

For handling children’s data, a consent must be asked for at the legal guardian of parental authority or the parent of such children directly.

In all forms of data processing, the data subject must be informed of the personal data being processed by the Company, and for what purpose, to whom the data are transferred for the purpose of processing.

The Company may treat special categories of personal data if it has the express consent of the data subject or is required to comply with legal requirements governing the data subject's employment. Occupational examination required to conclude and maintain employment contract for the company’s employees.

The Company does not process personal data for the purposes of criminal liability. This prohibition is without prejudice to any governmental decision triggering a Service need for the Business.

- purpose limitation

The Company will process personal data only for the purposes necessary for its operation and performance of its services. In doing so, it will not buy, sell, transfer or make available to third parties databases containing personal data 

- data saving

The Company will only process personal data that is necessary for its lawful operation and the management of its contracts.

- accuracy

The Company shall take all reasonable and necessary measures to ensure the accuracy and updating of personal data. Personal information is passed through the system based on legal requirements (accuracy) and notifications by those concerned.

- limited storage

The Company shall immediately terminate the processing of personal data covered by the GDPR Regulation for which the purpose can no longer be determined and the law allows the termination of such data.

- integrity and confidentiality

The Company will take advanced technical and organizational security measures of the expected size and activity to ensure the security of the process itself and processing of personal data as required (orderly desk). To this end, it imposes a system of requirements on all data processors or joint controllers who process the Company's personal data within the scope of the GDPR Regulation or participate in any phase of the data processing.

- accountability

The Company shall establish its organizational and data management system in such a way that the processing of personal data is traceable and able to determine who and what data operation it has performed during each data management operation and data processing.

All other manners are directly a regulated by GDPR regulation and do not need further specification here.

7.) Rights of the stakeholders

a.) Transparency measurements

The Company will take organizational and technical measures to provide the data subject with information regarding the processing of his or her personal data within the time limits specified in the GDPR Regulation, in writing or orally (30 days).

Information may only be withheld in cases prescribed by law. 

Verbal information on the rights of data subjects is conditional on the identification of the data subject and the conditions for the right to information. The controller of the data subject shall be responsible for informing the data subject at his / her request.

b.) Information to be made available if personal data are obtained from the data subject

The privacy notice given to the data subject must necessarily include the following basic information:

  • the identity and contact details of the Company as a data controller;

  • the identity and contact details of the data protection officer;

  • the purpose of the processing of personal data and the legal basis for the processing (data processing based on consent, performance of contract or fulfilment of the legal obligation of the Company);

  • the categories of personal data concerned.

  • in order to ensure fair and transparent processing of personal data at the time the personal data are obtained, the data subject shall be provided with the following additional information:

  • the length of time for which personal data will be stored or, where this is not possible, the criteria for determining this period;

  • if a legitimate interest of the Company or a third party can be established;

  • where the legal basis for the data processing is the consent of the data subject, the consequences of the right of access, rectification, erasure, restriction of processing, the right to object and the storage of personal data, and the consequences of the withdrawal of consent;

  • the right to lodge a complaint to the supervisory authority.

c.) Right of access of the data subject

The Company shall provide continuous access to the personal data of the data subject and the information processed by the data as follows.

  • general information on data management on the website;

  • personal data relating to the performance of the contract in the terms of the contract or in the privacy statement issued to it;

  • Operations of individual personal data relating to individual data subjects upon written or oral request

d.) Right to rectification

The data subject may request the rectification of his / her data and the completion of incomplete data. In order to comply with the request of the data subject, the Company may request a document from the data subject on the basis of which the rectification or supplement shall be made promptly, but not later than within 3 business days.

e.) The right to delete personal data

The Company will delete the personal data of the data subject immediately, but no later than within 3 business days, for the reasons set forth in the Privacy Regulation.

The right of deletion shall not apply to the data subject if the fulfilment of his / her personal data is necessary for the fulfilment of the Company's contractual or statutory obligations or the legitimate interest of the Company.

f.) Right to restrict data management

Restrictions on data management may be made at the request of the data subject. The data subject shall seek the opinion of the data protection officer (if any) on the request. Where such a statement indicates that there are grounds for limiting the processing of data, the data subject shall be required to indicate the personal data of the data subject on all data carriers and records. This may be done by stating the data subject's identification number in the register or, in the case of paper documents, by placing a note on the first page of the file.

g.) Notification obligation to correct or delete personal data or to restrict data management

The data owner shall inform the data subject about the rectification, deletion or restriction of the data in written forms. (E-mail, letter, etc).

h.) The right to data portability

The data subject shall have the right to request the transmission of his / her personal data in a widely used machine-readable format. Contrary to the GDPR regulation, the data subject is entitled to exercise this right even if the Company does not manage the processing of its data on the basis of the data subject's consent, provided that the data processing is automated.

i.) Right to protest and automated decision-making in individual cases

The data subject may at any time object to the processing of his or her personal data for reasons related to his or her personal situation if the legal basis for such processing is solely to assert the legitimate interests of the Enterprise or a third party, unless those interests need to be protected, especially if a child is concerned.

The Company employs automated decision-making in individual cases, including profiling, with the express consent of the data subject. The consent must be obtained from the data subject before the measure is applied and noted in the scheme. In such a case, the data subject has the right to request human intervention from the Company, to express his / her views and to object to the decision. Automated decision making, including profiling, may not be based on specific categories of personal information. 


The Company shall take appropriate technical and organizational measures to ensure and demonstrate that personal data is being processed in accordance with this Regulation, based on the situation analysis data and ongoing risk assessment of these policies. These measures shall be reviewed and, where necessary, updated by the controller.

The Company shall take appropriate technical and organizational measures to ensure that the privacy and privacy by design, as set out in the Regulation, are properly implemented when processing personal data.

The Enterprise has assessed the manner in which it receives data, its path within the Enterprise.

9.) Joint data processing

The Company may implement joint data management by defining the purposes and means of data management with another data controller. Such data management shall be recorded in writing with the other controller and shall designate a contact point for those concerned.

10.) DATA processing

The Company may use a data processor to process its data, subject to the following conditions:

  • the data processor provides appropriate guarantees that the data processing complies with the requirements of this Regulation and that the rights of the data subjects are safeguarded in order to implement appropriate technical and organizational measures;

  • no further data processor may be employed by the data processor without the prior written or specific authorization of the Company. In the case of a general written authorization, the data controller shall inform the Company of any intended change concerning the use or replacement of further data processors, thereby enabling the data controller to object to these changes;

  • the data controller undertakes a written contract to comply with the conditions set out in Article 28 (3) to (5) of the Regulation,

  • in addition, promptly report privacy incidents to the Company.

Recourse to a data processing activity may only be made if the data processor agrees to the above terms and conditions and the Company is satisfied that the data processor is able to comply with the contractual terms of the contract and that the rights of the data subjects are not violated.

11.) Privacy Incidents

A person who is aware of a privacy incident, including the data processor, shall immediately report it to the controller responsible for the management of that personal data. The data host reports the incident. The report shall also include the details specified in Article 33 (3) of the Regulation

The Data Protection Officer carries out a risk assessment based on the incident report. If the data protection incident is likely to endanger the rights and freedoms of natural persons, the data protection officer shall report to the competent authority no later than 72 hours after the incident and shall keep a record of its effects and of the measures taken to deal with it.

If the notification is not made within 72 hours, the reasons for the delay shall be included.

The administrator shall keep records of all privacy incidents.


If the privacy incident is likely to pose a high risk to the rights and freedoms of natural persons, the controller shall, without undue delay, inform the data subject of the incident with the Assigned Content.


The Company does not employ a Data Protection Officer.


Transfer of personal data to a third country or to an international organization is possible on the basis of a compliance decision or the provision of appropriate guarantees and remedies, or in the cases provided for in the Regulation for specific situations.

15.) Rights

All data subjects are entitled to complain to a supervisory authority or to a court, in particular in the Member State of their habitual residence, place of work or suspected infringement, if the data subject considers that the processing of their personal data is in breach of the Regulation.

16.) contact through phone

The Company is entitled to record telephone conversations with the Customer, which shall be notified in advance to the Customer. By initiating or continuing a telephone conversation, Customer agrees to record the telephone conversation.

The Company's special privacy policy elements


The Company is required to carry out a privacy impact assessment whenever it employs new technology that is likely to pose a high risk to the rights and freedoms of natural persons because of its nature, scope, circumstance and objectives. 


- ensure that the data sets and the purposes for which they are managed are defined. When mapping data sets, the data previously or currently managed, the legal basis for their processing, the content of the information provided to the data subjects during the course of the data collection and processing shall be specified;

- ensure that data are recorded and information provided to stakeholders on the basis of uniform standards. To this end, each form on which personal data are collected shall include a privacy notice in accordance with the requirements of the Regulation and shall also ensure that the text of the notice is also posted on the Company's website;

- develop a common set of procedures for the management and processing of data from external partners and enforce them in the contracts with the partners;

- determine the data circuits that the Enterprise will issue for data processing. This involves mapping the individual data processing operations and the data to be processed per data processor,


The administrator shall establish an incident reporting process. The person who discovers the occurrence of a privacy incident is required to report it to the data controller, who will conduct an investigation based on the report and forward the report to the DPO.

The DPO may decide to report to the supervisory authority and inform the data subjects following the investigation pursuant to Article 33 of the Regulation. If it is necessary to inform stakeholders about clients and employees, the administrator is responsible for ensuring this.

Reporting of privacy incidents must be done via the electronic interface developed by NAIH for this purpose.


The information requirement of the data subjects shall be met primarily by the organizational unit handling the personal data of the data subject with the assistance of data controllers. Complaints relating to the processing of personal data shall be investigated by the Executive Director.


Personal data collected:

  • Name

  • Title

  • E-mail address

  • Photo

  • Company Name

  • Company contact details

Privacy Notice

Pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation, GDPR):

Name of the controller: Hungarian Innovation and Efficiency Nonprofit Ltd.

Headquarters: 8000 Székesfehérvár, Bregyó köz 5.

Company Registration Number: 07-09-020026

Tax ID: 23184059-2-07


Phone contact: +36 30 896 5651

WEB page: (not accessible for blind and partially sighted)

The Company manages the personal data specified in the scope of data processing, the purpose and duration of data processing.

Profiling: The Company does not apply profiling data management

I. Legal basis for data management

Data management is required for the performance of the contract or as required by law.

The provision of data is voluntary and the data subject is not obliged to give consent to the data management, but acknowledges that, in the absence of such data, the Company will not be able to enter into or continue the business relationship with it.

II. The persons involved in the data processing, the purpose and duration of the data processing

Data management covers the data of all partners / buyers / principals (stakeholders).

The Company processes personal data (purpose of data) solely for the purpose of providing the persons concerned with the services and payments specified in the commission contract.

The Company manages the following information: