English (UK) 
Magyar 
Deutsch The purpose of this notice is to make transparent the data processing procedures followed by our company as controller when contact is established with it, as well as the application of the principles and rules relating to the protection of natural persons in connection with the processing of their personal data. The controller’s fundamental objective is, in all cases, to respect the fundamental rights and freedoms of such natural persons, in particular their right to the protection of their personal data.
1. DEFINITIONS
processing: any operation or set of operations which is performed on personal data or on data files, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction
controller: the natural or legal person, public authority, agency or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its designation may be provided for by Union or Member State law
GDPR: REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL (27 April 2016) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
Civil Code: Act V of 2013 on the Civil Code
personal data: any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
2. CONTROLLER
Test Innovation Technology Zrt.
registered office and mailing address: 1119 Budapest, Fehérvári út 97-99.
company registration number: 01-10-141945
tax number: 32019715-2-43
e-mail: [email protected]; [email protected]
3. SPECIFIC PROCESSING OPERATIONS
3.1. Job applications
| Processed data | Purpose of processing | Legal basis for processing | Duration of processing | Persons authorised to process the data |
| name | Identification of the applicant and assessment of their suitability for the position applied for, maintaining contact with the applicant during the application process, evaluation of the job application and, in the event of compliance with the requirements, establishment of an employment relationship. | Article 6(1)(b) GDPR: taking steps at the request of the data subject prior to entering into an (employment) contract | The data will be deleted after the completion of the selection process, and at the latest within 1 year following receipt of the CV. | HR staff, as well as the head of the department concerned by the position to be filled. |
| e-mail address | ||||
| telephone number | ||||
| further personal data contained in the CV and any attachments thereto | ||||
| notes and evaluations made about the applicant during the selection process |
We record and maintain the personal data of applicants to active job advertisements on the HR platform. Applicants undertake to participate in a telephone pre-screening and, in the event of a positive assessment, generally in an online interview and, less frequently, in a face-to-face interview.
3.2. Contact person data
Our company processes the personal data of the contact persons of those legal entity business partners with whom it has a business relationship or with whom the establishment of such a relationship is in progress, as follows:
| Processed data | Purpose of processing | Legal basis for processing | Duration of processing | Persons authorised to process the data |
| name | Facilitating contact with the business partner, concluding and performing contracts, and enforcing claims and rights arising from the contract. | Article 6(1)(f) GDPR: the legitimate interest of our company and/or the business partner | 5 years following the termination of the contractual relationship with the business partner [general limitation period – Section 6:22(1) of the Civil Code] | Sales staff |
| e-mail address | ||||
| telephone number | ||||
| job title |
The personal data specified above are those of the employee of the legal entity business partner (as the natural person acting as contact person), therefore the personal data are transferred to our company by the business partner or by the data subject themselves to the extent necessary for contact. In such cases, the business partner, as the employer of the data subject, obtains and processes the personal data pursuant to Article 6(1)(b) GDPR and Section 10(1) of the Labour Code, while our company receives and processes them pursuant to Article 6(1)(f) GDPR in its own legitimate interest and that of the business partner, to the extent and for the period necessary for the purpose.
In connection with the processing of contact person data, our company and the given partner have a legitimate interest in ensuring that the designated contact person is directly reachable during the preparation and performance of contracts, since handling every contact through each other’s official central telephone number or e-mail address would impose a disproportionate capacity burden and cost on the parties, and furthermore during business negotiations it is essential that, where possible, the same contact person who knows the background handles the matters.
3.3. Marketing newsletters
On the website https://test-it.com/en/ , on the subpage https://test-it.com/en/career/ in connection with an application for an inactive job advertisement, and via the website https://test-it.com/en/ (homepage and subpages), the controller also uses the e-mail address provided by the data subject, in relation to the job application and in view of the specific legal relationship established in connection with the inquiry, for sending marketing newsletters about further programmes, offers, articles, professional materials and news related to the controller’s activities, within the framework of the following processing:
| Processed data | Purpose of processing | Legal basis for processing | Duration of processing | Persons authorised to process the data |
| e-mail address | Sending advertising content-based direct marketing and marketing communications about programmes, offers, articles and news, as well as maintaining and expanding the employment-related or business relationship established with interested parties | Article 6(1)(f) GDPR: legitimate interest | Until the data subject exercises their right to object under Section 5.5. | Marketing department staff |
In relation to the processing of the above data for direct marketing purposes, we hereby expressly inform data subjects that they may object at any time to the processing of their personal data for this purpose by clicking the “Unsubscribe” button included in marketing e-mails or by sending a request to the contact details of the controller indicated in Section 2. If the data subject objects to the processing of personal data for direct marketing purposes, the controller will no longer process the personal data for that purpose.
3.4. Display of reviews
On the website https://test-it.com/en/ and on our Company’s social media pages (primarily LinkedIn), the controller displays reviews or excerpts thereof published by its partners, either by name or anonymously, on the publicly available website https://clutch.co/ . The controller processes the personal data of the person writing the review within the framework of the following processing:
| Processed data | Purpose of processing | Legal basis for processing | Duration of processing | Persons authorised to process the data |
| name | Displaying a publicly available review on the website in order to increase trust during customer acquisition. | Article 6(1)(f) GDPR: legitimate interest | Until the data subject exercises their right to object under Section 5.5. | Marketing department staff |
| job title | ||||
| workplace | ||||
| city, state, country of residence |
In relation to the processing of the above data for direct marketing purposes, we hereby expressly inform data subjects that they may object at any time to the processing of their personal data for this purpose by sending a request to the contact details of the controller indicated in Section 2. If the data subject objects to the processing of personal data for direct marketing purposes, the controller will no longer process the personal data for that purpose.
3.5. Invoicing and accounting
Under the applicable laws, the controller is obliged to issue invoices to its customers for the consideration of the services. In connection with the issuance of invoices, the controller processes the billing data of its partners. The purpose of this processing is to enable the controller to comply with its legal obligation to issue accounting documents relating to economic events. In this context, the controller also processes the personal data of the contact person concerned:
| Processed data | Purpose of processing | Legal basis for processing | Duration of processing | Persons authorised to process the data |
| name/company name | Issuing accounting documents relating to economic events. | Article 6(1)(c) GDPR: compliance with a legal obligation [Section 159(1) of the VAT Act] | 8 years in accordance with the Accounting Act [Section 169(1)-(2) of the Accounting Act] | Finance department staff |
| residential address/registered office | ||||
| tax identification number/tax number | ||||
| e-mail address | ||||
| telephone number |
3.6. Photographs
At company events organised by our company (e.g. Christmas celebrations), photographs may be taken for the purpose of recording community life, corporate culture and good partner relationships. We use the photographs on our social media pages, in invitations to subsequent events, and make them available in proposal presentations for prospective partners. When using the photographs, we take into account the personality rights of the data subjects and the applicable legal requirements.
| Processed data | Purpose of processing | Legal basis for processing | Duration of processing | Persons authorised to process the data |
| image | Documentation of corporate community life and strengthening employee cohesion. | Article 6(1)(f) GDPR: the legitimate interest of our company | Until the data subject exercises their right to object under Section 5.5. | Employees of the Marketing Department and the management of the Company |
3.7. Security camera system
Our company operates a security camera system at its registered office. Our company uses the camera system only to monitor building sections, rooms and areas that are owned by us or are under our exclusive use, and not for monitoring public areas. Our company does not carry out surveillance in rooms where this could violate human dignity (in particular restrooms). The cameras do not record sound.
The location of the cameras and the monitored areas are set out in the table below.
| Location of camera | Monitored area |
| Entrance | The area in front of the inner side of the entrance door |
The cameras do not record sound.
| Processed data | Purpose of processing | Legal basis for processing | Duration of processing | Persons authorised to process the data |
| image | Protection of the Company’s assets, equipment and other valuables, the life, physical integrity and personal liberty of persons present in the area subject to surveillance, the Company’s trade secrets, as well as the prevention and detection of potential unlawful acts affecting the above, and evidence in administrative or court proceedings related to the above purposes. | Article 6(1)(f) GDPR: the legitimate interest of our company | The camera recordings are automatically deleted (overwritten) within 14 days, unless their retention is necessary for the investigation of an event related to the specified purposes or for use in administrative/court proceedings. In such case, the recordings are retained until the conclusion of the underlying procedure or until the expiry of the period for enforcing claims. | Operations Director |
3.8. Exercise of data subject rights
In connection with ensuring the exercise of the rights set out in Section 5 of this notice, we carry out data processing as follows:
| Processed data | Purpose of processing | Legal basis for processing | Duration of processing | Persons authorised to process the data |
| data related to a request for the exercise of data subject rights | Examination of the request, taking measures where necessary and informing the data subject thereof. | Article 6(1)(c) GDPR: compliance with a legal obligation [Article 12 GDPR] | 5 years from our response to the data subject request [general limitation period – Section 6:22(1) of the Civil Code] | Management |
3.9. Cookies
Cookies are small data files that our company places on the device used by the browser when visiting our company’s website (https://test-it.com/hu/). Cookies may serve several purposes: they ensure the basic functioning of the website, help improve the user experience, enable the remembering of user preferences, and contribute to analysing website traffic and implementing targeted marketing communication.https://test-it.com/en/) meglátogatásakor a böngésző által használt eszközön társaságunk helyez el. A sütik többféle célt szolgálhatnak: biztosítják a weboldal alapvető működését, segítenek a felhasználói élmény javításában, lehetővé teszik a felhasználói preferenciák megjegyzését, valamint hozzájárulnak a weboldal forgalmának elemzéséhez és a célzott marketingkommunikáció megvalósításához.
When our company’s website is visited for the first time, a pop-up window appears informing the data subject about the use of cookies. Here, the data subject has the possibility to view this privacy notice by clicking on the link “You can read more about our data management here.”, to reject the cookies that are not strictly necessary by clicking the “Reject” button, or to allow the use of all cookies by clicking the “Allow all” button. By clicking the “Customize” button, the “Settings” window appears, where the data subject receives detailed information about the individual cookie categories and can individually manage which categories of cookies they allow (except for the cookies that are indispensable for operation). During subsequent visits to the website, the data subject may modify the cookie settings at any time in the “Settings” window.
Up-to-date and detailed information on the cookie categories used on our company’s website, the specific cookies belonging to each category, their purpose, operation and storage duration can be found in the “Engedélyek beállítása” window.
The legal basis for cookie processing is, in respect of necessary cookies, the legitimate interest of our company pursuant to Article 6(1)(f) GDPR (ensuring the proper functioning of the website), while for the other cookies it is the consent of the data subject pursuant to Article 6(1)(a) GDPR.
4. RECIPIENTS OF PERSONAL DATA AND DATA TRANSFERS
4.1. The recipients of personal data are those natural or legal persons with whom the personal data are disclosed. The processing of personal data is carried out primarily directly by our company as controller, during which our company seeks to ensure that the personal data are known only to the strictly necessary group of persons. This group of persons authorised to process the data is identified separately above for each processing operation, with the proviso that the management of the company is entitled to access all personal data within the scope of carrying out its duties.
4.2. For the purpose of carrying out activities underlying certain processing operations, our company engages external partners, to whom certain personal data of the data subject may be transferred. The identity of this group of recipients may change, but the subject matters of such engagement are defined as follows:
- Accountant (currently: Császár és Kovács Könyvelő Iroda Kft. – taxpayer core number: 14768554)
- Payment service provider (currently: OTP Bank Nyrt. – taxpayer core number: 10537914 / CIB Bank Zrt. – taxpayer core number: 10136915 / Revolut Bank UAB – registered office: Konstitucijos ave. 21B, 08130 Vilnius, Republic of Lithuania; company registration number: 304580906)
- HR platform provider (currently: PeopleForce Ltd. – registered office: 10 John Street London WC1N 2EB, United Kingdom; VAT number: 375717563)
- Electronic mail service provider (currently: MICROSOFT Magyarország Számítástechnikai Szolgáltató és Kereskedelmi Korlátolt Felelősségű Társaság - taxpayer core number: 10836653, company registration number: 01-09-262313)
- Newsletter service provider (currently: Mailchimp - The Rocket Science Group LLC, Intuit, Inc, registered office: 512 Means Street, Suite 404, Atlanta, GA 30318, USA)
- Website provider (currently: WordPress; Automattic Inc., 60 29th Street #343, San Francisco, CA 94110, USA)
- Marketing services provider (YCO digital Kft. - core number: 23826836, company registration number: 02-09-078609; Odoo CRM - Odoo SA; registered office: Chaussée de Namur 40, 1367 Grand-Rosière, Belgium)
- Website analytics (Google Analytics – Google Ireland Limited, registered office: Gordon House, Barrow Street, Dublin 4, Ireland, tax number: IE6388047V)
- Website search analysis, indexing, SEO error reporting - Google LLC (Google Search Console, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA)
- Provider of the central code repository that collects and manages various measurement and marketing codes (Google Tag Manager, GTM – Google Ireland Limited, registered office: Gordon House, Barrow Street, Dublin 4, Ireland, tax number: IE6388047V)
- Assesses the activity of website visitors on the basis of web analytics criteria (Hotjar – Contentsquare SAS, 7 rue de Madrid, 75008 Paris, France, tax number: FR07503916033
4.3. Pursuant to Chapter V of the GDPR, our Company does not transfer any personal data of employees to third countries or international organisations.
4.4. Pursuant to Chapter V of the GDPR, our Company does not transfer the personal data of the data subjects concerned by the processing operations described in this notice to third countries or international organisations.
5. RIGHTS OF DATA SUBJECTS IN RELATION TO DATA PROCESSING
The rights of data subjects are set out in detail in the relevant provisions of the GDPR (in particular Articles 12-22 and 77-80), on which our company, as controller, provides the following overview.
The data subject shall be informed of the measures taken in response to his or her request to exercise rights within no more than one month from receipt of the request. The day of receipt of the request shall not be included in the time limit. Where necessary, taking into account the complexity of the request and the number of requests, that period may be extended by a further two months. The data subject shall be informed of any such extension, together with the reasons for the delay, within one month of receipt of the request.
5.1. Right of access
The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:
a) the purposes of the processing;
b) the categories of personal data concerned;
c) the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
e) the right of the data subject to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning him or her, or to object to such processing;
f) the right to lodge a complaint with a supervisory authority;
g) where the data are not collected from the data subject, any available information as to their source;
h) the existence of automated decision-making, including profiling, and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 of the GDPR relating to the transfer.
The controller shall provide the data subject with a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.
5.2. Right to rectification
The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
5.3. Right to erasure (“right to be forgotten”)
The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay, and the controller shall be obliged to erase personal data concerning the data subject without undue delay where one of the following grounds applies:
a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
b) the data subject withdraws consent on which the processing is based, and there is no other legal ground for the processing;
c) the data subject objects to the processing, and there are no overriding legitimate grounds for the processing;
d) the personal data have been unlawfully processed;
e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
f) the personal data have been collected in relation to the offer of information society services.
Where the controller has made the personal data public and is obliged pursuant to the above to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
Erasure may be refused where the processing is necessary (i) for exercising the right of freedom of expression and information, or (ii) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; (iii) for reasons of public interest in the area of public health; (iv) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, where the right to erasure is likely to render impossible or seriously impair the achievement of the objectives of that processing; and (v) for the establishment, exercise or defence of legal claims.
5.4. Right to restriction of processing
The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:
a) the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
c) the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims; or
d) the data subject has objected to processing; in this case, the restriction shall apply for the period until it is determined whether the legitimate grounds of the controller override those of the data subject.
Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with the data subject’s consent, or for the establishment, exercise or defence of legal claims, or for the protection of the rights of another natural or legal person, or for reasons of important public interest of the Union or of Hungary.
The controller shall inform the data subject who has obtained restriction of processing at his or her request before the restriction of processing is lifted.
5.5. Right to object
The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time by contacting the contact details indicated in Section 2 of our company, to processing of personal data concerning him or her which is based on Article 6(1)(e) or (f), including profiling based on those provisions. In such a case, the controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or which are related to the establishment, exercise or defence of legal claims.
5.6. Right to data portability
The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format, and shall have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:
a) the processing is based on consent or on a contract; and
b) the processing is carried out by automated means.
In exercising the right to data portability, the data subject shall have the right, where technically feasible, to have the personal data transmitted directly from one controller to another.
5.7. Right to a remedy
If the data subject considers that the controller has infringed the applicable data protection requirements in the course of processing his or her personal data, then
a) he or she may lodge a complaint with the Nemzeti Adatvédelmi és Információszabadság Hatóság (address: 1055 Budapest, Falk Miksa utca 9-11.; postal address: 1363 Budapest, Pf. 9.; e-mail: [email protected]; website: www.naih.hu), or
b) lehetősége van adatainak védelme érdekében bírósághoz fordulni, amely az ügyben soron kívül jár el. Ebben az esetben szabadon eldöntheti, hogy a lakóhelye (állandó lakcím) vagy a tartózkodási helye (ideiglenes lakcím), illetve az adatkezelő székhelye szerint illetékes törvényszéknél nyújtja-e be keresetét. A lakóhelye vagy tartózkodási helye szerinti törvényszéket megkeresheti a http://birosag.hu/ugyfelkapcsolati-portal/birosag-kereso oldalon. Társaságunk székhelye szerint a perre a Fővárosi Törvényszék rendelkezik illetékességgel.
Frissítve: