Data protection information

Privacy statement for the website www.scaleimpact.hu and Scale Impact questionnaires

Last modification: 2 June 2022.

Table of contents

  1. GENERAL INFORMATION
  2. UPDATE AND AVAILABILITY OF THE NOTICE
  3. SPECIFIC DATA PROTECTION CONDITIONS
  4. THE SCOPE OF THE DATA PROCESSED AND THE PURPOSES OF THE PROCESSING
  5. PERSONS AUTHORISED TO PROCESS DATA
  6. DATA SECURITY (TECHNICAL AND ORGANISATIONAL) MEASURES
  7. DATA SUBJECTS’ DATA PROTECTION RIGHTS AND REMEDIES

GENERAL INFORMATION

The Scale Impact Nonprofit Limited Liability Company (the “Company”) processes information about visitors to its website www.scaleimpact.hu and to its questionnaires, as well as third parties and other persons (collectively “data subject(s)”), that is “personal data” within the meaning of Article 4, point 1 of Regulation (EU) 2016/679, the General Data Protection Regulation (“GDPR”).

This privacy notice (“Notice”) provides information on the processing of these personal data and on the rights and remedies of data subjects in relation to data processing.

Contact details of the Company:

  • The registered office of the Company is at Temes utca 11, 1038 Budapest, Hungary. E. intact. 1.
  • The Company’s company registration number is Cg. 01-09-386369
  • The Company is registered with the Commercial Court of the Metropolitan Court of Budapest
  • Phone number of the Company: +36-30-5879054
  • Company email address: info@scaleimpact.hu
  • The person responsible for data protection matters at the Company is Gábor Lévai; contact: +36-30-5879054

UPDATE AND AVAILABILITY OF THE NOTICE

The Company reserves the right to amend this Notice unilaterally, with effect from the date of the amendment, subject to the restrictions set out in the applicable legislation and, if necessary, with due notice to the data subjects. In particular, this Notice may be amended if necessary due to changes in legislation, data protection authority practices, business or employee needs, new activities involving the processing of personal data, newly identified security risks or feedback from data subjects. In communicating with the data subject in relation to this Notice or data protection issues, or otherwise in contacting the data subject, the Company may use the contact details of the data subject available to the Company for contact and communication purposes. For example, upon request, the Company will provide the data subject with a copy of the current version of the Notice or confirm that the data subject has read the Notice.

SPECIFIC DATA PROTECTION CONDITIONS

In some specific cases, specific data protection conditions may also apply, which will be communicated separately to the data subjects. This includes, for example, the information about cookies used by the Company on its websites.

In any case, the data subjects are obliged to provide the Company with the relevant personal data in accordance with the applicable legislation. In particular, they must have appropriate and informed consent or other legal basis for the transfer of personal data (for example, in the case of providing contact details). If the Company becomes aware that any data subject’s data have been disclosed without his or her consent or other appropriate legal basis, the Company may delete the data without delay and the data subject shall be entitled to exercise the rights and remedies provided for in this Notice. The Company shall not be liable for any damage, loss or injury that may arise from the breach of the above undertaking or representation by the data subjects.

THE SCOPE OF THE DATA PROCESSED AND THE PURPOSES OF THE PROCESSING

The scope of the data processed, the purposes of the processing, the legal basis for the processing, the duration of the processing and the data subjects who have access to the data are set out in the table below. Where a processing purpose is necessary to pursue a legitimate interest of the Company or a third party, the interest balancing test used to determine the legitimate interest will be made available by the Company upon request to one of the contact details above.

The Company expressly draws the attention of the data subject to the right to object at any time, on grounds relating to his or her particular situation, to the processing of his or her personal data based on legitimate interests, including profiling based on the aforementioned provisions. In this case, the Company will no longer process the personal data, unless it can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to the processing of personal data concerning him or her for such purposes, including profiling, where it is related to direct marketing.

If the limitation period for the enforceability of a claim is specified in this Notice as the period of processing, the act that interrupts the limitation period extends the period of processing until the new date on which the limitation period starts to run (Act V of 2013 on the Civil Code – “Civil Code Act”). In the event of the expiry of the limitation period, the claim may be asserted within a period of one year from the date of the cessation of the obstacle – three months if the limitation period is one year or less – even if the limitation period has already expired or is less than the above period (Civil Code, Section 6:24 (2)).

The 8-year data retention period set out in Act C of 2000 on Accounting (“Accounting Act”) is calculated from the date on which an accounting entry relating to the data occurred in the year or the reporting/bookkeeping relied in any way on the data. In practice: if the data is included in a contract under which several deliverables are provided (e.g. several consultancies are provided under one contract), the 8 years should be calculated separately for each deliverable, because each deliverable is invoiced separately and the transaction is accounted for separately. If the data is included in a contract for the sale of an item (the transfer takes place and the contract is terminated on completion), the contract and the invoice are used to record the transaction in the year in question, and the 8 years start from there.

| Purpose of data processing | Legal basis for processing | Scope of the data | Data retention period, recipients of data transfers |
| --- | --- | --- | --- |
| Subscribe to newsletters and receive newsletters by e-mail. | Article 6(1)(a) GDPR and Section 6 (1) of Act XLVIII – the prior, unambiguous and explicit consent of the data subject. The consent may be withdrawn at any time, without restriction and without giving any reason, free of charge. The withdrawal of consent does not affect the lawfulness of processing based on consent prior to its withdrawal. Without your consent, the Company cannot send you newsletters by e-mail. | Name of the potential recipient, name of your organisation and e-mail address. | If the data subject withdraws his or her consent or unsubscribes from the newsletter, the personal data will be deleted. |
| Registration of social purpose organisations or companies via the website. During the registration process, organisations or companies wishing to register will complete a survey test in several areas (e.g. financial literacy, management skills, etc.) in order for the Company to assess where the organisation or company is in the field of social impact measurement and, based on this, the Company can propose free or fee-based consultations. Registration is also used to describe the activities of the organisation or company and to recommend it to potential partner companies. | Article 6(1)(f) GDPR (processing is necessary for the purposes of the legitimate interests pursued by the Company). Legitimate interest: to increase the Company’s knowledge in the field of social impact assessment and, depending on the results of the survey, to determine the need for consultation, to promote the activities of socially oriented organisations and to facilitate contacts with such organisations and companies, and thus to promote the Company’s activities, to establish and strengthen partnerships. | Name, telephone number, contact name, telephone number, e-mail address of the organisation or company. | If the data subject does not object to the processing of his/her data, the Company will process the data for 5 years after the last contact with the data subject (Civil Code, Section 6:22 (1) – claims are time-barred after 5 years). |
| Processing of data of contact persons of contractual partners and/or persons involved in the performance/performance monitoring for the purpose of the performance (day-to-day implementation) of the contract. This includes, for example, managing the postal address of contact persons, instructing contact persons to make payments or provide a service, or sending official notifications using contact details and information about contractual obligations to be fulfilled. | Article 6(1)(f) GDPR (processing is necessary for the purposes of the legitimate interests pursued by the Company). Legitimate interest: the performance of contractual obligations by the Company and its contracting undertaking, the exercise of rights and the economic cooperation of the parties. The provision of personal data is a contractual requirement; without the personal data the Company cannot conclude and perform the contract. | The names of the contact persons of the contractual partners and of the persons involved in the performance and monitoring of the performance, their contact details (e-mail, telephone number, mobile phone number, fax number) and any activity and communication containing personal data in relation to the contract (e.g. communication from the contact person or any natural person acting on behalf of the partner). The personal data are provided to the Company either by the contracting partner or by the data subjects themselves. | 5 years from the termination of the contractual relationship (Civil Code, Section 6:22 (1) – unless otherwise provided for in the Civil Code, claims expire within 5 years). With regard to the fulfilment of tax obligations: the data retention period is 5 years from the last day of the calendar year in which the tax should have been declared, reported or notified, or in the absence of a declaration, report or notification, the tax should have been paid (pursuant to the Act on the Rules of Taxation 2017. In the case of accounting documents: the data retention period is 8 years (§§ 168-169 of the Accounting Act). In practice, this is the case if the data are part of the documents supporting the accounting, for example, documents related to the conclusion of a contract between the partnership and the partner (e.g. an order) or the invoice issued. |

PERSONS AUTHORISED TO PROCESS DATA

The Company uses the following contractual partners to perform tasks related to data processing operations in addition to those indicated above. The contracted partner acts as a so-called “data processor”: it processes the personal data set out in this Notice on behalf of the Company.

The Company shall only use processors that provide adequate guarantees, in particular in terms of expertise, reliability and resources, to implement technical and organisational measures to ensure compliance with the requirements of the GDPR, including the security of processing. The specific tasks and responsibilities of the data processor are governed by the contract between the Company and the data processor. After the processing has been carried out on behalf of the Company, the processor shall, at the Company’s option, return or delete the personal data, unless the storage of the personal data is required by EU or Member State law applicable to the processor.

The data processors and their tasks:

List of subcontractors – exact name, contact details and task (brief description)

  • András Harsányi, project manager, harsanyi.andras@scaleimpact.hu – Full management of the Scale Impact project, liaising with corporate and NGO partners, organisational developers.
  • Tamás Mehlhoffer, communications, mehlhoffer.tamas@scaleimpact.hu – Managing external communication for the Scale Impact project.

Web hosting, domain provider, website developer – exact name, contact details

  • NetMasters Europe Ltd., szia@netmasters.hu – web hosting and domain provider
  • WPViking Agency, hello@wpviking.agency – website developer

Billing system – exact name, contact details

  • KBOSS.hu Ltd. (szamlazz.hu), info@szamlazz.hu – billing system

DATA SECURITY (TECHNICAL AND ORGANISATIONAL) MEASURES

The Company protects the personal data it processes primarily by restricting access to information and by clearly defining user rights. Access to the systems and tools used to process the personal data contained in this Notice is restricted to those persons who need to have access to it in order to achieve the purposes mentioned above and who are authorised to do so. For example: the administrators assigned to the case.

The Company takes the following measures to ensure the security of the data processed by the Company:
– the use of password-protected data recorders, both offline and in the cloud.

DATA SUBJECTS’ DATA PROTECTION RIGHTS AND REMEDIES

Data protection rights and remedies

The data subjects’ data protection rights and remedies are set out in detail in the relevant provisions of the GDPR (in particular Articles 15, 16, 17, 18, 19, 20, 21, 22, 77, 78, 79, 80 and 82 of the GDPR). The following summary sets out the most important provisions and the Company provides information to data subjects on their rights and remedies in relation to data processing.

The information must be provided in writing or by other means, including electronic means where appropriate. At the request of the data subject, oral information may be provided, provided that the identity of the data subject has been verified by other means.

The Company shall inform the data subject of the measures taken in response to his/her request without undue delay and in any event within one month of receipt of the data subject’s request to exercise his/her rights (see Articles 15-22 GDPR). If necessary, and taking into account the complexity of the request and the number of requests, this deadline may be extended by a further two months. The Company shall inform the data subject of the extension of the deadline within one month of receipt of the request, stating the reasons for the delay. Where the data subject has made the request by electronic means, the information shall be provided by electronic means where possible, unless the data subject requests otherwise.

If the Company fails to act on the data subject’s request, it shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for the failure to act and of the possibility to lodge a complaint with a supervisory authority and to exercise his or her right of judicial remedy.

Right of access of the data subject

The data subject is entitled to receive feedback from the Company on whether his or her personal data is being processed. If such processing is ongoing, the data subject has the right to access the personal data and the following information:

  • the purposes of the processing;
  • the categories of personal data concerned;
  • the recipients or categories of recipients to whom the personal data have been or will be disclosed by the Company, including in particular recipients in third countries or international organisations;
  • where applicable, the envisaged period of storage of the personal data or, if this is not possible, the criteria for determining that period;
  • the data subject’s right to request the Company to rectify, erase or restrict the processing of personal data concerning him or her and to object to the processing of such personal data;
  • the right to lodge a complaint with a supervisory authority; and
  • if the data were not collected from the data subject, any available information on their source.

Where personal data are transferred to a third country, the data subject is entitled to be informed of the appropriate safeguards regarding the transfer.

The Company shall provide the data subject with a copy of the personal data processed. For additional copies requested by the data subject, the Company may charge a reasonable fee based on administrative costs. Where the data subject has made the request by electronic means, the information shall be provided in a commonly used electronic format, unless the data subject requests otherwise.

The right to rectification

The data subject shall have the right to obtain from the Company, at the data subject’s request and without undue delay, the rectification of inaccurate personal data relating to him or her. The data subject also has the right to request that incomplete personal data be completed, including by means of a supplementary declaration.

Right to erasure (“right to be forgotten”)

The data subject shall have the right to obtain, upon his or her request, the erasure of personal data concerning him or her without undue delay where one of the following grounds applies:

  • the personal data are no longer necessary for the purposes for which they were collected or otherwise processed by the Company;
  • the data subject withdraws the consent on which the processing is based and there is no other legal basis for the processing;
  • the data subject objects to the processing and there are no overriding legitimate grounds for the processing;
  • the personal data have been unlawfully processed;
  • the personal data must be erased to comply with a legal obligation under Union or Member State law applicable to the Company; or
  • personal data are collected in connection with the provision of information society services.

If the Company has disclosed the personal data and is required to delete it as described above, it will take reasonable steps, including technical measures, taking into account the available technology and the cost of implementation, to inform the data controllers that have processed the data that the data subject has requested the deletion of the links to or copies of the personal data in question.

Paragraphs 1 and 2 shall not apply where the processing is necessary, inter alia:

  • to exercise the right to freedom of expression and information;
  • to comply with an obligation under EU or Member State law applicable to the Company that requires the processing of personal data;
  • for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, where the right referred to in paragraph 1 would be likely to render such processing impossible or seriously impair it; or
  • to bring, enforce or defend legal claims.

Right to restriction of processing

The data subject shall have the right to obtain, at his or her request, the restriction of processing by the Company if one of the following conditions is met:

  • the data subject contests the accuracy of the personal data, in which case the restriction applies for the period of time necessary to allow the Company to verify the accuracy of the personal data;
  • the data processing is unlawful and the data subject opposes the erasure of the data and requests instead the restriction of their use;
  • the Company no longer needs the personal data for the purposes of processing, but the data subject requires them for the establishment, exercise or defence of legal claims; or
  • the data subject has objected to the processing; in this case, the restriction applies for the period until it is established whether the Company’s legitimate grounds prevail over the data subject’s legitimate grounds.

Where processing is restricted pursuant to paragraph 1, such personal data may be processed, except for storage, only with the consent of the data subject or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or of an important public interest of the Union or of a Member State.

The Company shall inform in advance the data subject at whose request the processing has been restricted on the basis of the above about the lifting of the restriction of processing.

Obligation to notify the rectification or erasure of personal data or restriction of processing

The Company will inform each recipient to whom it has disclosed the personal data of any rectification, erasure or restriction of processing, unless this proves impossible or involves a disproportionate effort. Upon request, the Company will inform the data subject of these recipients.

The right to data portability

The data subject shall have the right to receive personal data in a structured, commonly used, machine-readable format, and to transfer such data to another controller without hindrance from the Company, if:

  • the processing is based on consent or on a contract; and
  • the processing is carried out by automated means.

In exercising the right to data portability under paragraph 1, the data subject shall have the right to request, where technically feasible, the direct transfer of personal data between data controllers (such as the Company and other data controllers).

The exercise of the right described above must be without prejudice to the provisions on the right to erasure (“right to be forgotten”) and must not adversely affect the rights and freedoms of others.

The right to object

The data subject has the right to object at any time, on grounds relating to his or her particular situation, to the processing of his or her personal data on the basis of legitimate interest. In this case, the Company will no longer process the personal data, unless it can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

If personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to the processing of personal data concerning him or her for such purposes, including profiling, where it is related to direct marketing.

If the data subject objects to the processing of personal data for direct marketing purposes, the personal data may no longer be processed for these purposes.

In connection with the use of information society services and by way of derogation from Directive 2002/58/EC, you may exercise your right to object by automated means based on technical specifications.

Where personal data are processed for scientific or historical research purposes or statistical purposes, the data subject shall have the right to object, on grounds relating to his or her particular situation, to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

Right to lodge a complaint with a supervisory authority

The data subject has the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement, if the data subject considers that the processing of personal data relating to him or her infringes the provisions of the GDPR. In Hungary, the competent supervisory authority is the National Authority for Data Protection and Freedom of Information (website: http://naih.hu/; address: 1055 Budapest, Falk Miksa utca 9-11.; postal address: 1363 Budapest, Pf.: 9.; telephone: +36-1-391-1400; fax: +36-1-391-1410; e-mail: ugyfelszolgalat@naih.hu).

Right to an effective judicial remedy against the supervisory authority

The data subject has the right to an effective judicial remedy against a legally binding decision of the supervisory authority concerning him or her.

The data subject has the right to an effective judicial remedy if the competent supervisory authority does not deal with the complaint or does not inform the data subject within three months of the procedural developments or the outcome of the complaint.

Proceedings against the supervisory authority shall be brought before the courts of the Member State in which the supervisory authority is established.

The right to an effective judicial remedy against the Company or the data processor

Without prejudice to other available remedies, including the right to lodge a complaint with a supervisory authority, you have the right to an effective judicial remedy if you believe that your rights under the GDPR have been infringed as a result of the processing of your personal data in a way that does not comply with the GDPR.

Proceedings against the Company or the processor shall be brought before the courts of the Member State in which the Company or the processor is established. Such proceedings can also be brought in the courts of the Member State of habitual residence. In Hungary, such a lawsuit falls within the jurisdiction of the court. You can also bring the case before the court of the place where you live or stay, if you choose. You can find out the jurisdiction and contact details of the court (tribunal) at www.birosag.hu.

Budapest, 2022.06.02