The purpose of this Privacy and Data Processing Notice is to ensure that, prior to the commencement of data processing by CASSEE Zrt., you (as a client, prospective client or other data subject) are informed of why and for what purposes CASSEE Zrt. processes your data, and which rights you have in this context and how you may exercise them.
CASSEE Zrt. (registered office: 2600 Vác, Vám utca 13; hereinafter: Service Provider, Data Controller) recognises the contents of this legal notice as binding upon itself. The Data Controller undertakes to ensure that all of its data processing activities comply with this Notice, with applicable national legislation and with the legal acts of the European Union.
The data protection principles applied by CASSEE Zrt. in relation to its data processing activities are continuously available at:
https://cassandraprogram.com/en/privacy-policy/
CASSEE Zrt. reserves the right to modify this Notice at any time.
In accordance with Articles 13 and 14 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, CASSEE Zrt. provides the following information to data subjects in relation to the processing of personal data.
1. Data Controller’s Details and Contact Information
Name of the Data Controller: CASSEE Zrt.
Address of the Data Controller: 2600 Vác, Vám u. 13
Registered office of the Data Controller: 2600 Vác, Vám u. 13
Telephone number: +36 30 225 4000
E-mail address: info@cassandraprogram.com
2. Legal Basis of Data Processing
- Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC
- Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information (Infotv.)
- Act CLV of 1997 on Consumer Protection (Fgytv.)
3. Definitions
3.1. Definition of Personal Data
“Personal data” means any information relating to an identified or identifiable natural person (hereinafter: Data Subject).
3.2. Definition of Client and Data Subject
Individual Client (hereinafter: Client): any natural person who, in the course of their economic or professional activity, uses the services of CASSEE Zrt. and enters into an individual contract.
For the purposes of this Notice, a Client is also any natural person (hereinafter: Data Subject) whose personal data are provided to the Data Controller by their employer or principal (hereinafter: Employer / Principal) within the framework, and on the basis, of an existing legal relationship between the Employer / Principal as Customer and CASSEE Zrt. as Contractor.
3.3. Technical Data
CASSEE Zrt. selects and operates the IT tools used in the course of providing its services in such a way that the processed data:
- remain accessible to those authorised to access them (availability);
- retain their authenticity and can be authenticated (integrity of processing);
- remain verifiably unchanged (data integrity);
- are protected against unauthorised access (confidentiality).
CASSEE Zrt. protects data by appropriate measures against unauthorised access, alteration, transfer, disclosure, erasure or destruction, as well as accidental destruction or loss.
CASSEE Zrt. applies technical and organisational measures to ensure a level of security appropriate to the risks associated with data processing. In the course of processing, CASSEE Zrt. guarantees:
- confidentiality: information is protected so that only authorised persons may access it;
- integrity: the accuracy and completeness of information and of processing methods are safeguarded;
- availability: authorised users can access the required information and the related tools when needed.
4. Personal Data Processed
4.1. Personal Data Processed in the Case of Natural Persons
- Client’s name and gender
- Client’s year of birth
- Client’s level of education
- Client’s job title
- Client’s e-mail address
4.2. Purpose, Legal Basis and Duration of Data Processing
| Purpose of Data Processing | Legal Basis | Duration |
|---|---|---|
| 1. Conclusion and content of Service Provider contract | Performance of contract / GDPR Article 6 (1) (b) | 1 year |
| 2. Performance and monitoring of Service Provider contract | Performance of contract / GDPR Article 6 (1) (b) | 1 year |
| 3. Fee collection, fee calculation, invoicing | Compliance with legal obligation / GDPR Article 6 (1) (c); Act C of 2000, Section 169 | 10 years from date of invoice, in accordance with Act C of 2000, Section 169 |
| 4. Invoice management | Compliance with legal obligation / GDPR Article 6 (1) (c); Act C of 2000, Section 169 | 10 years from date of invoice |
| 5. Retention of invoices | Compliance with legal obligation / GDPR Article 6 (1) (c); Act C of 2000, Section 169 | 10 years from date of invoice |
| 6. Fulfilment of tax obligations | Compliance with legal obligation / GDPR Article 6 (1) (c); Act C of 2000, Section 169 | 10 years from date of invoice |
| 7. Provision of data to authorities | Compliance with legal obligation | 1 year + 30 days following termination of the client contract |
5. Persons with Access to the Data
The Client’s personal data may be accessed by the employees of the Data Controller solely for the purpose of performing the Service Provider contract (data processing, filing, case management).
The Data Controller applies appropriate information security measures to protect the Client’s personal data through technical and organisational safeguards (physical security, protection of electronic systems, logging of activities, ensuring accountability).
6. Automated Decision-Making and Profiling
We inform you that no profiling or automated decision-making is carried out in the context of the data processing activities described in this Notice.
7. Data Transfers, Data Controllers, Data Processing, Persons with Access to the Data
Our current and potential clients and partners provide us, in the course of cooperation, with business contact information (e.g. names, business contact details, positions and addresses of their employees, agents, contractors and authorised users) for the purposes of contract management, performance, product delivery, service support, invoicing and relationship management.
Contact information and personal data processed in the course of providing services may be transferred to the following entities:
The technological background of the questionnaires used by CASSEE Zrt. is provided by Alchemer LLC, 168 Centennial Parkway, Unit 250, Louisville, CO 80027, United States, which performs data collection and storage on servers located in the EU.
Further information on Alchemer’s Privacy Policy and GDPR compliance is available at:
https://www.alchemer.com/privacy/
https://www.alchemer.com/privacy/gdpr/
https://www.alchemer.com/terms/
https://www.alchemer.com/security/
The operator of the cassandraprogram.com website is:
DigitalOcean, LLC, 101 Avenue of the Americas, 10th Floor, New York, NY 10013, United States.
DigitalOcean’s data protection documentation is available at:
https://www.digitalocean.com/legal/privacy-policy/
https://www.digitalocean.com/legal/gdpr-faq/
https://www.digitalocean.com/legal/data-processing-agreement/
7.1. Transfer of Data and Information to Authorities or Other Bodies
Data and information may be transferred to authorities or other bodies as follows:
- To investigating authorities, the public prosecutor’s office, courts and national security services entitled to request data under specific legislation, upon their request for the fulfilment of their statutory tasks.
- Where the data subject is unable to give consent due to an unavoidable reason, data may be transferred to bodies authorised by law to access such data in order to protect the vital interests of the data subject or another person, or to prevent or avert threats to life, physical integrity or property (GDPR Article 49).
8. Integrity and Confidentiality
We inform you that your personal data are processed confidentially.
We do not disclose them to third parties without your knowledge and consent, unless there is a statutory authorisation.
To comply with data security requirements, the Company ensures fair and transparent data processing by appropriate organisational and technical measures, and protects your personal data in particular against:
- unauthorised access and use
- alteration, transfer, disclosure
- erasure or destruction
- accidental loss or damage.
9. Your Rights
You may request information at any time about the processing of your personal data and may request rectification, correction, erasure or restriction of processing, as well as exercise all other rights granted by applicable law.
These rights include:
9.1. Right of Access
You are entitled to obtain confirmation from the Data Controller as to whether your personal data are being processed and, if so, access to the following:
- whether processing is taking place;
- the purposes of processing;
- the categories of personal data concerned;
- the recipients or categories of recipients to whom the data may be disclosed;
- the envisaged period of storage or the criteria used to determine that period;
- the rights available to the Data Subject and means of legal remedy;
- the source of the data if not obtained from the Data Subject;
- the existence of automated decision-making, including profiling;
- information on any transfer of data to third countries or international organisations, where relevant.
The Data Controller shall provide a copy of the personal data undergoing processing free of charge on the first occasion.
9.2. Right to Rectification
Upon request, the Data Controller shall rectify inaccurate personal data concerning the Client without undue delay.
Taking into account the purposes of processing, the Client has the right to have incomplete personal data completed, including by means of a supplementary statement.
9.3. Right to Erasure (“Right to be Forgotten”)
The Client has the right to obtain the erasure of personal data concerning them. The Data Controller shall erase such data without undue delay, except where:
- the personal data are no longer needed for the purposes for which they were collected;
- the Client withdraws consent and there is no other legal basis for processing;
- the Client objects to processing carried out in the public interest, in the exercise of official authority, or for the legitimate interests of the Data Controller or a third party, and there are no overriding legitimate grounds;
- the personal data have been unlawfully processed;
- the personal data must be erased for compliance with a legal obligation;
- the data were collected in relation to the offer of information society services.
The Client’s right to erasure may be restricted only under the exceptions laid down in the GDPR, in particular where further retention is necessary:
- for exercising the right of freedom of expression and information;
- for compliance with a legal obligation;
- for the performance of a task carried out in the public interest or in the exercise of official authority;
- for reasons of public interest in the area of public health;
- for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes;
- for the establishment, exercise or defence of legal claims.
9.4. Right to Restriction of Processing
The Client has the right to obtain restriction of processing where:
- the accuracy of the personal data is contested by the Client, for a period enabling the Data Controller to verify the accuracy of the personal data;
- the processing is unlawful and the Client opposes the erasure of the personal data and requests the restriction of their use instead;
- the Data Controller no longer needs the personal data for the purposes of processing, but the Client requires them for the establishment, exercise or defence of legal claims;
- the Client has objected to processing carried out in the public interest, in the exercise of official authority or for the legitimate interests of the Data Controller or a third party, pending the verification of whether the legitimate grounds of the Data Controller override those of the Data Subject.
Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with the Client’s consent, or for the establishment, exercise or defence of legal claims, or for the protection of the rights of another natural or legal person, or for important reasons of public interest of the European Union or of a Member State.
9.5. Right to Object
The Client has the right to object, on grounds relating to their particular situation, at any time to the processing of personal data concerning them based on public interest, the exercise of official authority or the legitimate interests of the Data Controller or a third party, including profiling based on those provisions.
In such a case, the Data Controller shall no longer process the personal data, unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the Data Subject, or which relate to the establishment, exercise or defence of legal claims.
9.6. Right to Data Portability
The Client has the right to receive the personal data concerning them, which they have provided to a Data Controller, in a structured, commonly used and machine-readable format and has the right to transmit those data to another Data Controller without hindrance, where:
- the processing is based on the Client’s consent or on the performance of a contract with the Client’s employer or principal; and
- the processing is carried out by automated means.
In exercising the right to data portability, the Client has the right to request that the personal data be transmitted directly from one Data Controller to another, where technically feasible.
9.7. Right to Withdraw Consent
The Client has the right to withdraw consent at any time.
Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
10. Complaints and Legal Remedies
You may seek legal remedy in relation to data processing.
You may:
- contact the Data Protection Officer;
- lodge a complaint with the supervisory authority if you consider that the processing of your personal data infringes applicable data protection law;
- bring a claim before the courts.
Data Protection Officer
Name: Zsolt Szalóczy
Supervisory Authority
Hungarian National Authority for Data Protection and Freedom of Information
Address: H-1125 Budapest, Szilágyi Erzsébet fasor 22/C.