SFC Nonprofit Ltd.

Privacy Policy

Table of contents

Introduction

Responsibilities for data processing

Principles, purpose and legal basis of data processing

Duration of data processing

Data processing steps

Tools for the processing of personal data

The RIGHTS of data subjects

Introduction

This privacy notice describes the processing of personal data in services provided by Székely Family and Company Nonprofit Kft. as data controller under the European General Data Protection Regulation (GDPR) and informs the data subjects on the process, their rights and the obligations of the data controller. This document seeks, within the framework of regulatory framework, to fully comply with the requirements of clarity and pertinence, in simple, comprehensible language. In the event of any interpretation issue, the company’s data protection officer will be happy to provide further information at the request of the data subject.

Responsibilities of processing

Data controller

Székely Family and Company Ltd.,

1191 Budapest Main street 11. 7/20.,

info@szekely.family

Data Protection Officer

Bence JUHÁSZ

sustainability@szekely.family

+36303271404

Data processors

  1. European Commission https://commission.europa.eu/privacy-policy-websites-managed-european-commission_en
  2. Microsoft https://privacy.microsoft.com/en-us
  3. Google https://policies.google.com/privacy?hl=en-US
  4. Automattic https://automattic.com/privacy/
  5. PayPal https://www.paypal.com/us/webapps/mpp/ua/privacy-full
  6. Stripe https://stripe.com/en-hu/privacy
  7. Billingo https://www.billingo.hu/adatkezelesi-tajekoztato
  8. Mango Technologies Inc. https://clickup.com/privacy
  9. Meta Platforms Ireland Inc. https://www.facebook.com/privacy/explanation
  10. ASUSTek Computer Inc. www.asus.com/hu/Terms_of_Use_Notice_Privacy_Policy/Privacy_Policy
  11. EPIC Games Store (https://www.epicgames.com/en-US/privacypolicy?lang=en-US)
  12. SZTAKI https://sztaki.hun-ren.hu/en/privacy-policy
  13. LUT https://www.lut.fi/en/data-protection
  14. TUD https://www.tudublin.ie/explore/gdpr/
  15. KPMG https://kpmg.com/ie/en/home/misc/general-privacy-statement.html
  16. General Mechatronics https://www.gorillariaszto.hu/aszf.html#nyolc

We use data processors through software and cloud services for:

  1. deliver our services,
  2. perform research, innovation and bring those results to the public,
  3. perform management, financial and administration tasks.

Principles, legal basis and purpose of data process

A brief description of data process

The purposes of the data processing are to provide services and fulfil other contractual obligations of Székely Family and Company Nonprofit Llc., to ensure the operation of the company, to secure legitimate interests and to perform research, innovation and bring those results to the public. In exceptional cases, data processing may also be carried out by means of complaint handling, or by means of an obligation imposed by law or by an authority authorised to do so. Data management is carried out in registers, in principle in purpose-oriented registers, but also in accordance with the requirement of data economy, where it is reasonable to have one database (physical register) serving several administrative registers (functional register). A record is permanently deleted when it is no longer required to be managed by one of the records.

Proportionality and necessity of processing

The Székely Family and Company Nonprofit Llc. only processes personal data when its processing is proportional and neccessary to the advance of security, sustainability and space capabilities of humanity, contributes towards the expected impact along the just and green societal and economic transformation of our society, which is serving mutual interest of the data subject and the company or other specified, explicit and legitimate purposes such as human dignity, sustainable welfare, fundamental rights or recognized by law. This includes processing which is mandatory under law or legal order. We only process data when there is a good reason and a justified purpose and we do not process data longer than is strictly necessary, without prejudice to archiving purposes.

Overview of the legal basis and purposes of data processing

An overview of legal bases and purposes of data processing by Székely Family and Company Nonprofit Llc.:

  1. We process data in the context of record-keeping necessary for the performance of contractual obligations where “processing is necessary for the performance of a contract to which the data subject is a party or for the purposes of taking steps at the request of the data subject prior to entering into a contract” (Art.6(1)(b) GDPR). For example, when we write a contract or monitor its performance, provide access to software or license a software to an end-user, issue a performance certificate or invoice, we use the data for the production of documents in the context of this processing.
  2. We process data to ensure the operation of the company if “processing is necessary for compliance with a legal obligation to which the controller is subject” (Article 6(1)(c) GPDR). This includes tax returns, mandatory data transfers to the tax authority, records of health and safety training, employee records, other documents and records that must be kept.
  3. We will process data for the purposes of our legitimate interests if “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a child” (GPDR 6. This includes our CCTV footage taken during a security incident, data necessary for the enforcement of our financial claims, audio recordings made with the consent of the participants in a dispute resolution negotiation, temporary collection of personal data and turning it into statistical data such as performance data with the aim to provide better services.
  4. We will process data for a specific purpose mainly in the form of performing research, innovation on a specific topic and making results of those available to the public if “the data subject has given his or her consent to the processing of his or her personal data for one or more specific purposes” (Article 6(1)(a) GPDR). For example when a natural person volunteers to participate in a research by giving an interview and for this reason shares its name and contact data, we contact the volunteer, conclude the interview and then keep the identifiers in a pseudonymised format to comply with scientific method requirements.

Register for the performance of contractual obligations

When Székely Family and Company Nonprofit Ltd. and a natural person enter into a contract (including for example provision of any service or licensing a software), or take preparatory steps for the conclusion of a contract, such as preparing and sending a personalised offer, in order to serve its clients, it processes the following data on this legal basis:

  1. Name
  2. Birth date (in case needed for provision of age-restricted content)
  3. Estimated geographical location (country or county level, to optimise performance)
  4. Photo or avatar representing the person (if given voluntarily)
  5. Mailing (billing) address
  6. Email address
  7. Phone number
  8. Other electronic contact information (e.g. Facebook, Instagram, LinkedIn, Twitter ID).
  9. Payment details (bank account number, PayPal, Simple or other online payment identifier).
  10. List of transactions to date.
  11. Username and password pair or other secure means of identification of a single user (e.g. secure session token, electronic signature and its certificate).
  12. Identifiable devices linked to the person (for example smartphone used for 2FA).
  13. Network performance data (IP, packet statistics, route).
  14. Individual performance data (for example learning progress in an e-learning course, points, badges, leaderboard position, ranking, user feedback, warnings or bans etc.).
  15. Information related to use of devices (to provide better customer experience, for example a software error log including data identifying the device or another example the movement distance of virtual reality controllers). 
  16. Data following performance of the contract (e.g. a cookie logging progress in the course or the client’s examination mark, log files, a video or audio recording of performance).

Register for company management

This register shall contain the data necessary to fulfil the legal obligations relating to the operation of the company. This includes, for example, contracts for employees and natural persons agents with employment or commissioning relationship, data for the tax authority, company email accounts for natural persons.

  1. Name (based on identity document).
  2. Identity document number.
  3. Place and date of birth.
  4. Mother’s name.
  5. Driver’s license number, category and period of validity.
  6. Travel document number for a foreign natural person.
  7. Number of visas or residence permits for a natural person from a third country.
  8. Social security identification mark or, in the case of a foreigner, full health insurance bond number.
  9. Tax number.
  10. Tax deduction notes, timesheets and time offs, justification data (e.g. children’s names and tax number).
  11. Copy of certifications or diplomas and data contained therein (e.g. name, photo, OH identifier).
  12. Benchmarking data (personal data, such as number of hours worked,  number of contracts successfully concluded).
  13. Other electronic contact (e.g. Facebook, Instagram, LinkedIn, Twitter ID).
  14. Images, audio and video recording (only recordings not violating personal dignity and with prior knowledge and consent of the person concerned).
  15. The login details and content of the email account provided by the company to the employee.
  16. Login details and content of cloud hosting and other cloud-based services provided by the company to the employee.
  17. Data content of any data-capturing device (laptop, tablet, mobile phone, etc.) provided by the company to the employee.
  18. Data from satellite tracking, movement, temperature and relative position detection devices provided by the company to the employee.
  19. Electronic log files related to the use of the system (log files are generated by the data processors and may be obtained only in justified cases, on the basis of a written decision by the management).
  20. The number and validity of the epidemiological protection certificate of an employee, a delegate of a natural person or a client present in person, and the corresponding indication of the protection application.
  21. If an employee is placed in official quarantine for any reason, the starting and (if known) ending date and place of quarantine.

Legitimate interests register

The register contains data that cannot be included in the scope of the other registers, but whose processing is unavoidably necessary in order to enforce the legitimate interests of Székely Family and Company Nonprofit Kft., its clients or third parties in connection with the operation of the company. For example, this includes claims for compensation or damages against third parties, the enforcement of claims or the performance of obligations in relation to natural persons other than by contract, employment or agency. For example, if a visitor to the premises of a company is involved in an accident at work, his details must be recorded in the accident report.

  1. Name
  2. E-mail
  3. Phone number.
  4. Mailing address.
  5. Image, sound and video recordings (only recordings made with the knowledge and consent of the data subject and which do not violate the dignity of the data subject)
  6. Electronic log files related to the use of the system (log files are generated by the data processors and may be obtained only in justified cases, based on a written decision of the executive manager)
  7. Personal data recorded for any reason by an employee in a company e-mail account, cloud storage or other database, on a device provided by the company to the employee, the processing of which is necessary because the data is inseparable from the processing of data contained in the records for the operation of the company (in such cases, the processing of such data may be carried out only by the replacement employee, the Data Protection Officer, the administrator and the manager, in the presence of the employee, in the presence of his/her representative if the employee is prevented from doing so, or in the absence of a representative, with written notification to the employee). The processing of such data, if not carried out by the employee concerned, shall be documented in writing. In such a case, the rights as data subject may be exercised by both the employee and the person to whom the personal data relate, the latter’s statement being taken into account in the event of a contradictory statement.
  8. Personal data stored in a company email account, cloud storage or other database for any reason, which has been recorded by mistake, technical error or data breach (only stored to safeguard the rights of data subjects and pending investigation of the incident). Examples include private letters sent to a company email account or data recorded on company-provided devices that are not work-related.

Register for data processed for the specific purpose of performing research, innovation and making results of those available to the public

This register contains the information of natural persons who have requested or have given informed consent to contact them, subscribe to our news feeds, visit our websites or follow our channels, pages, register and participate in our research and innovation actions and related events, such as workshops, hackathons, conferences, volunteer to test our newly developed solutions, give interviews, take part in surveys. This processing shall be based solely on the informed consent of the data subject, which may be withdrawn at any time without any adverse consequences for the data subject.  

  1. Name
  2. Email
  3. Phone number
  4. Other electronic contact (e.g. Facebook, Instagram, LinkedIn, Twitter ID).
  5. Trackers (cookies) indicating the use of the website and related to previous contracts to the extent that the data subject agrees when opening the website.
  6. Pictures, sound and video recording captured on workshops, conferences and other meetings, allowing the data subjects to request rendering their face and/or voice unidentifiable.
  7. Pseudonym (handle or nickname),
  8. Location information (if and as long as required by specific activity, such as an EV driving survey or a mobile walking game exercise).
  9. Special categories of data (health status, movement, vulnerable status).
  10. Usage data collected  from devices, such as AR/VR systems and related sensors, which are linked to the individual user for a temporary time period as set in the specific research method (usually starting from a 30 days up to 5 years), before their anonymisation, such as
    1. Sensor, Motor and Behavioral Data: Sensor Data from the VR system is processed to control the game. Used data depends on the given headset. Generally aiming gyroscope, accelerometer, gesture and movement tracking. Optional goal is to use hand/eye tracking. Input sent from VR controllers is used as the default control scheme.
    2. User Interaction Data: Interactions with objects, characters, or environments, user preferences during interaction, decision-making processes, and problem-solving strategies, understand navigation behavior and navigation patterns, e.g., fire evacuation routes. Tracking user progression regarding completed scenarios, difficulties, achievements. Game data, to improve user experience and the performance of services such as: achieved game levels, rewards, rankings, completed game missions, statistics including the game time or the use of the various features as well as the data associated with any bugs and malfunctions. 
    3. Other data that can be generated from the use of our VR or AR softwares is  statistical behavioural data on the user performance (private data) (the actions of players, choices, conditions affecting their choices, etc.).
    4. User statistical data (private data) can be generated from all the parts of the projects (VR, RU, IM). The following data is predicted to be recorded: User satisfaction, number of accounts created, number of API keys distributed, number of citizens involved in testing and validation, number of total downloads, number of user roles, statistical data, ratings, reviews, etc.

Duration of data processing

The duration of the processing depends on the particular register.

  1. In the case of a register necessary for the fulfilment of contractual obligations, due to the rules of the Civil Code of Hungary on the limitation of claims,  the data will be processed until the termination of the contract then stored in the framework of limited processing (archives) for five years. Legislation or Grant Agreements may require a longer retention period for certain contracts (there are grants where data must be retained for up to 10 years after the end of the project).
  2. The data in the register for management of the company will be processed by Székely Family and Company Nonprofit Kft. until the end of the tax return period following the termination of the employment or contract and then stored for a further period of 2 years thereafter or for a period specified in other legislation or contracts and then deleted from the register.
  3. In the framework of the legitimate interests register, we will only process data until we have exhausted the possibilities to pursue the interest in question or until it is recognised earlier that the processing of the data infringes the interests of the data subject which are disproportionately overriding our legitimate interests. As the enforcement of interests may take many years in certain cases, for example in the case of judicial proceedings, although we intend to process these data for as short a period as possible, it is not possible to determine the exact duration of the processing.
  4. The processing based on the informed consent of the data subject shall continue until the data subject withdraws his or her consent, after which the processing shall cease. The obligation to erasure does not exclude the processing of information obtained from the anonymised processing of data for statistical purposes prior to their erasure, but such information must not contain personal data and must not make the data subject identifiable. To minimise the amount of data processed, if the data subject does not interact with the company for five years it will be contacted to reinforce its consent and wish to remain in the register, in case there is no answer it has to be assumed that the consent is withdrawn.

Data processing steps

Information for the data subjects

The data subject must be provided with all information before the start of the data process. This can be done, for example, by making it legible on the website, by handing over a printed version for example on a workshop during registration, or by posting a poster or sign (typically at the entrance to an area protected by a CCTV system).

In case of a request from the data subject on providing information on the data processing, the data subject shall be informed of the range of data processed in connection with it, the data records (in order to enable right to rectification, to completion or to correction if necessary) and, in the case of automatic processing, the basic features of the algorithm (e.g. an algorithm  that tries to propose the next training on the basis of the results so far) and the remaining time of processing. Information may also be provided through a web interface where the data subject can view his/her profile, in which case the answer for the request is automated.

Determination of the legal basis

Before starting the processing, it is necessary to examine the legal basis on which the data subject’s personal data are processed. Theoretically there may be multiple legal bases for the processing of the personal data of a particular data subject, but this may mean a difference on the types of data that can be processed. Only data which exists in the list of our register connected to the particular legal basis may be processed. For example, in the sales register, where the legal basis is a consent based on information, the social security identification mark of the data subject concerned cannot be processed even if it was previously employed and thus was legally processed in the other register before (register to ensure the operation of the company ). If no legal basis can be established, for example, the data subject has not given a consent and there is no other legal basis for the processing, the initiation of the process shall be aborted or the process shall be terminated and the data deleted.

Data capture

Data processing can be initiated in two ways: either by the communication of data by the data subject or by the recording of data based on the data subject’s informed consent. Examples of the former are the provision of data required for a contract, an enrolment or registration form and the latter include cookies on a website or the recording of images and audio recordings of participants at a workshop. The legal basis for the processing must be checked before recording, in particular where the data subject’s consent is required. In case of doubt, the data subject or the DPO should be contacted.

Data classification

Data classification should identify which personal data should be processed in which register(s). The data may only be processed in registers for which there is a legal basis for the data.

Data storage and data management

The data is then stored and processed automatically and, if necessary, manually. As a result of the processing, it is possible to carry out various transactions with the data subject, such as concluding a contract, making training available, sending a newsletter, providing a service, paying a salary, issuing an invoice, etc. If there are no more transactions in progress, the data will be automatically subject to restricted processing and deleted after the expiry of the storage period (immediately if no such period is specified). The processed data may be anonymised and used to produce statistical reports upon termination of the processing; the anonymised statistical report thus produced is no longer personal data.

Additions, corrections, data changes

The data subject has the right to request that personal data stored about him or her be supplemented (e.g. to obtain a doctorate), corrected (e.g. typing errors, incorrect entries) or changed in accordance with the changed situation (e.g. change of name due to marriage, change of address due to move, new email address). This can also be done by the data subject changing the data on his or her user profile on the web interface. For reasons of data security, the change should be logged (the log file is part of the records of the company’s operations) and notified to the data subject.

Withdrawal of consent

The data subject may withdraw his or her consent at any time without undue prejudice. A legitimate consequence included in a contract, employment contract or conditions of participation, such as the termination of a service, restriction of access to a business area, cancellation of registration for an event, shall not be considered as an unjustified disadvantage. The withdrawal of consent shall not be impeded in any way, including by persuasion or inducement. The possibility to withdraw consent should be provided in a simple and comprehensible way (e.g. in a maximum of two clicks). After withdrawal of consent, it should be examined which personal data of the data subject can be further processed on another legal basis. The data subject’s attention should be drawn to this, so that he or she can, if he or she so wishes, arrange for the termination of another legal basis (e.g. termination of a contract). For data which do not have a legal basis for processing, the termination of processing should be implemented.

Restriction and termination of processing

When the legal basis ceases to apply, it must be ensured that the data controller has fulfilled all accounting and transfer obligations in relation to the data subject (e.g. payment of the contract, issue of certificates to the employee). If the record is subject to a retention obligation, the data must be subject to temporarily restricted processing, i.e. it must be stored in an archive (this means a separate, encrypted data container within the storage space, from which information cannot be automatically extracted). Thereafter, the data may not be further processed, except for deletion, until a legal basis for its processing is re-established (e.g. the data must be handed over by the Funding Authority in the context of a post-project audit). The data subject also has the right to request the restriction of processing, in particular if he or she contests the legal basis for the processing, if the data need to be clarified or if he or she wishes to prevent the deletion of the data in order to protect his or her legitimate interests. The data subject’s request for restriction of processing should be complied with until the situation is clarified, but efforts should be made to resolve it as quickly as possible.

Erasing data

If there is no retention obligation or the retention period has expired, the data must be erased. If the data is also present on a physical medium, the erasure must be made permanent by overwriting after deletion or, if this is not possible, by physical destruction (e.g. by ripping a DVD), but physical destruction must not cause damage to the environment (e.g. burning plastic media outdoors is prohibited). This will terminate the data management. The data subject must be informed of the fact of erasure before it starts.

Data transmission

We will not disclose the data to third parties without the express authorisation of the data subject for the data and the transfer. Exceptions to this are our own contracted data processors and authorities to whom we are legally obliged to transfer the data (for example, the employee’s tax identification number for the tax authorities in the case of records relating to company operations). An exception is also made if the transfer is necessary to protect the vital interests of the data subject or of another natural person. An example of a transfer by authorisation is where the data subject consents, for commercial purposes, to the transfer of his or her name, email address and telephone number to a third party who wishes to use the services of the data subject.

Data Management Flowchart

The data management flowchart shows the process according to ISO 5807:1985. The connectors without an arrow or with an arrow have the same meaning and is merely to facilitate interpretation. In decisions, direction “Y” means yes, direction “N” means no. Transactions shall also mean employment, other employment relationships, services provided under a subscription contract or a separate contract or free of charge.

Tools for the processing of personal data

Personal data is handled on secure servers, computers, laptops and mobile devices with up-to-date operating systems and office software, protected by password, biometric or two-factor authentication, and with drive-level encryption. Storage is encrypted and activity-tracking, redundant and synchronised in the cloud. Network connections used for processing are also encrypted. We do not connect our devices to open, unencrypted WiFi networks or install unsigned or unlicensed software. We keep paper documents containing personal data in a locked room, where they are only allowed to be with our permission and supervision, and we use couriers or the public postal service for delivery. We use a shredder for the destruction of data media.

The RIGHTS of data subjects

Information to stakeholders

Data subjects have the right to be informed about the fact of processing of their data, the data processed, and the way the data is processed. Data subjects are primarily informed in groups operating on the web interface, email or social network, where all stakeholders can view their processed data. If the data subject requests or is required in the situation (e.g. a data breach or a clear error in the data entered and rectification, the data designated for deletion and the fact of erasure, the introduction or resolution of the restriction), the data subject will be notified separately at one of the contact details.

Data subject’s right to lodge a complaint

In the process of data processing, we strive to proactively address the problems encountered and to ensure maximum cooperation with data subjects and other stakeholders. If the data subject has a complaint or comment about the processing, it shall contact our Data Protection Officer first using the contact details provided above. Nevertheless, the data subject has the right to complain to the  National Data Protection and Freedom of Information Authority (www.naih.hu).

Data subject’s right to be forgotten (right of erasure)

The data subject has the right to request termination of processing and the deletion of the data. In the case of the sales register, this also means the withdrawal of the consent. Otherwise, the data will be deleted if there is no justifiable purpose and legal basis to be processed. For example, on request, we will also delete contractual data for which we have already been cleared after the termination of the contract, we have no claim to each other and there is no legal order to preserve it. Data that is required to bring forward, enforce, or protect legal claims are not automatically deleted (see legitimate interest register).

Right of the data subject to object

The data subject may object to the processing of data in the register of legitimate interests and the processing of data in the marketing register. In the first case, it is necessary to examine whether the claim for legitimate advocacy has actually been made in contact with the person concerned. If so and justified by compelling legitimate reasons which take precedence over the interests, rights and freedoms of the data subject or which relate to the submission, enforcement or protection of legal claims, the data may be further processed. In the second case, this consent shall be deemed to be withdrawn and the processing in the marketing register shall be terminated immediately.