Privacy Policy

Introduction
This data management information sheet was made on the basis of Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free flow of such data, and repealing Directive 95/46/EC (GDPR), as well as Act CXII of 2011 on the right to informational self-determination and on freedom of information.

Temporal scope of regulation

This instruction enters into force on the day of approval; the tasks and rules contained in the document are applicable from this date. The policy is valid until withdrawn.

Glossary and abbreviations

Data subject: The natural person whose data is stored or processed in any other way.
Data group: The summary name of data and data circles, usually based on a registration function. Data means the formalized display of facts, concepts or instructions, a fixed sequence of signals, for communication, interpretation and processing by speech or technical means (text, number series, fact, information, sketch, graph, picture and figure, generally prepared in writing or electronically and stored on any data medium).
Data processor: The natural or legal person or organization without legal personality who processes data based on the contract concluded with the data controller - including the conclusion of a contract based on the provisions of the law.
Data controller: Regarding personal data managed by a specific organizational unit, the head of the organizational unit who is responsible for handling all personal data managed by his organizational unit in accordance with these regulations (hereinafter: data controller). If it is necessary to make a decision regarding personal data managed in an IT system, and it affects the responsibility of the data controller according to the Information Security Regulations, the personal data controller shall make its decision with the agreement of the data controller appointed under the Information Security Regulations.
Data controller: Business company defined in point 4 of this Data Management Information.
Data scope: Named list of data types. From the point of view of use, business data that is functionally related, i.e. a set that can be or should be managed uniformly at a logical level, and the protection requirements of the elements of the set are almost at the same level.
Risk: Events that have not yet occurred but may jeopardize or prevent the achievement of the objectives of the implementation phase.
Special data:
a) personal data relating to racial origin, belonging to a national and ethnic minority, political opinion or party affiliation, religious or other worldview convictions, membership of an interest representation organization, sexual life,
b) personal data relating to health status, pathological addiction, and criminal personal data.
NAIH: National Data Protection and Freedom of Information Authority.
Personal data: Data that can be associated with the data subject - in particular the data subject's name, identification mark, and one or more physical, physiological, mental, economic, cultural or social characteristics of the data subject - as well as the conclusion about the data subject that can be drawn from the data.
Natural personal identification data: Surname and given name of the person concerned, name at birth, mother's name, place and time of birth.

Data controller
Name of data controller: ViVeTech Nyrt.
Data controller registration (company register) number: 01 10 140801
Registered office and postal address: Szüret utca 15, 1118 Budapest.
Person authorized to represent the data controller: Róbert Rádai, operational director
E-mail address of data controller: info@vivetech.com

Principles of data management
ViVeTech Nyrt. handles all personal data in accordance with the principles of legality, fair procedure, transparency and data saving. Data management is limited to its purpose; ViVeTech Nyrt. carries out data management only where one of the legal claims set out in this information exists, and only for as long as that legal claim is valid.
ViVeTech Nyrt. does not use the data for profiling and does not forward them to third parties, domestically or abroad, except in the case of an official or judicial request that indicates its legal basis, or in the case of possible legal enforcement. During data management, it uses only the data processors indicated in this information.
ViVeTech Nyrt. protects the data with appropriate, risk-proportionate technical and organizational measures, handles any data protection incidents that may arise in accordance with the provisions of the GDPR, and provides information about them to the stakeholders - in the manner and with the data content required by law.
In the following, we present the personal data managed by Vivetech Nyrt. in groups: for what purpose and on what legal basis it is managed, for how long, and who can see and access it. In addition, we provide detailed information on the rights of data subjects, i.e. the owners of personal data, in connection with data management, and on how these rights can be exercised.

Scope of data handled at Vivetech Nyrt

In the following, we present the managed data grouped by organizational unit of the company.

Labor case
Scope of affected personal data
- Personal identification data (e.g. name, date of birth, mother's name),
- Contact details (address, postal address, phone number, email address),
- Salary data, tax and holiday data
Purpose of data management
Fulfilment of related obligations: registration, salary payment, leave registration, reports to NAV.
Legal basis for processing personal data
1. Consent of the data subject
2. Mandatory data management based on law
3. Data management based on the legitimate interests of the employer
Time content of data management
According to the Labor Code and other applicable laws (e.g. Accounting Act, Personal Income Tax Act).
Categories of recipients - data transfer
In order to fulfill the notification obligation, data is transferred to authorities defined by law.
Data is also forwarded to an external data processor in connection with payroll processing:
Adoptimum Consulting Kft. (head office: 2120 Dunakeszi, Zerkovitz Béla utca 19/2., company registration number: 13-09-217623)
There is a data processing contract with the external data processor: Adatfeldolgozoi_szerzodes_Adoptimum_20220211.pdf
Consequences of failure to provide data
In the absence of data management, the employer cannot enter into a contract with the employee.

Back office
Scope of affected personal data
1. Contact details: Delivery company, name, contact details
2. Register of issued VVT-owned assets: employee ID - asset
Purpose of data management
1. Ensuring the operation of the company with the involvement of suppliers.
2. Ensuring asset registration
Legal basis for processing personal data
Consent of the data subject.
Employer's interest.
Time content of data management
Asset registration: as long as the employee's contract is valid and he has assets.
Contact details: as long as the contact is live.
Categories of recipients - data transfer
No data transfer.
Consequences of failure to provide data
Asset register: the up-to-date accountability of the employee would not be solvable.
Contact information: orders necessary for daily company operations would be difficult to secure.

Finance, accounting
Scope of affected personal data
Only if there is a company contract with an individual entrepreneur:
- Personal identification data (e.g. name, date of birth, mother's name),
- Contact details (address, postal address, phone number, email address),
Purpose of data management
Fulfillment of related obligations: registration, payment, reports to the authorities
Legal basis for processing personal data
Mandatory data management based on law
Time content of data management
8 years.
Categories of recipients - data transfer
Data is transferred to the authorities defined by law in order to fulfill the reporting obligation.
The external data processor for accounting is the same as in the case of Labor; the data processing contract is also the same and covers this activity as well.
Consequences of failure to provide data
Vivetech Nyrt. cannot enter into a contract with the individual entrepreneur.

Investor relations
Scope of affected personal data
Insider list: name, mother's name, place and time of birth, telephone, e-mail
Investor address list: name, e-mail address
Purpose of data management
Ensuring legal requirements. In the case of the investor address list, contact and information with investors.
Legal basis for processing personal data
Legislation and data subject consent. In the case of an investor address list, the consent of the person concerned.
Time content of data management
During the existence of the insider. In the case of an investor address list, until consent is withdrawn.
Categories of recipients - data transfer
By default, there is no data transfer. In the event of an investigation or procedure involving insiders, the data controller ViVeTech Nyrt. will transfer the processed data to the supervisory bodies (e.g. BÉT, MNB) within the framework of the procedure.
Consequences of failure to provide data
Violation of the law.

External compliance - law
Scope of affected personal data
Personal data related to litigation.
Purpose of data management
Resolution of litigation.
Legal basis for processing personal data
Legislation.
Time content of data management
Until the litigation is closed.
Categories of recipients - data transfer
Court or other competent authority.
Consequences of failure to provide data
It would become impossible to conduct the trial.

Sales and marketing
Scope of affected personal data
Customer contact data.
Purpose of data management
Liaising with clients and prospective clients.
Legal basis for processing personal data
The interest of Vivetech Nyrt. and the consent of the data subject.
Time content of data management
As long as the data subject is a customer or potential customer.
Categories of recipients - data transfer
No data transfer.
Consequences of failure to provide data
Failure to maintain contact with the customer - making future deals impossible.

Consulting - projects
Scope of affected personal data
Contact data related to project contracts: name, position, workplace, contact information.
Purpose of data management
During the project, maintaining contact and handling operational tasks.
Legal basis for processing personal data
Legislation and consent
Time content of data management
As long as the contracts, PADs, Reminders and other project documents are preserved.
8 years
In case of public procurement, 10 years
Categories of recipients - data transfer
None.
Consequences of failure to provide data
Project failure.

Competence management
Scope of affected personal data
Employee basic data - competence test result - determination of annual goals, verification of achievement of goals, performance evaluation scoring.
In this case, the result of the scoring has no impact on the creation or quality of the service provided or to be provided to the data subject, therefore a data protection impact assessment is not required.
Purpose of data management
Competence assessment: assessment and control of employees' professional knowledge, as well as assessment of candidates' professional abilities
- on the basis of which future education and training are organized,
- the allocation of possible work in a specialized direction.
- assessing the professional competencies of new employees
Legal basis for processing personal data
Voluntary contribution.
Time content of data management
1 year
Categories of recipients - data transfer
None.
Consequences of failure to provide data
Planning work organization, trainings and courses can become difficult.

Recruitment
Scope of affected personal data
Contact details, educational qualifications, qualifications, professional experience, CV and internal qualification based on interviews and possible tests of the person nominated for the position - scoring.
Due to the scoring, a data protection impact assessment was also carried out:
VVT- data protection impact assessment v0.2.docx
NAIH: 5. Scoring. The purpose of data management is to assess certain characteristics of the data subject, and its results have an impact on the creation or quality of the service provided or to be provided to the data subject.
During the application process, the applicant may decide to share with us some personal data classified under special categories of personal data.
Special categories of personal data are data concerning:
• racial or ethnic origin
• political opinion
• religious or worldview beliefs
• trade union membership
• sex life or sexual orientation
• genetic and biometric data aimed at unique identification, and
• health data
ViVeTech Nyrt. does not ask the applicant to provide such data under any circumstances.
If the applicant does provide special data, please note that we are unable to process them.
Purpose of data management
Filling positions, compiling our own recruitment database.
During the application, the CV is used for the following purposes:
• evaluating the applicant's application for a job, evaluating his/her suitability for open positions within ViVeTech Nyrt.
• maintaining contact with the applicant;
• in the event of an unsuccessful job application, notifying the applicant later
Legal basis for processing personal data
1. Voluntary consent given by the applicant by submitting the application.
2. ViVeTech Nyrt. has the legitimate interest to be able to make a decision on the evaluation of the applicant's application and to select the most suitable candidate for the given position.
Time content of data management
The recruitment database quickly becomes outdated, so the applicant's data will be deleted after 2 years.
Categories of recipients - data transfer
No data transfer.
Consequences of failure to provide data
In the case of applicants, incomplete data provision does not allow successful evaluation of the application.
Conduct a background check
Check public social media profiles: FB, LinkedIn.
Interview with the reference person provided by the candidate.

VVT IT service
Scope of affected personal data
Directory (Azure AD, Office 365) data: name, e-mail address, telephone number, position
Purpose of data management
Provision of IT services: mail, OneDrive, SharePoint, Teams
Legal basis for processing personal data
Voluntary contribution, and the legitimate interest of Vivetech Nyrt. in ensuring the functionality of the company with the aforementioned services.
Time content of data management
From the beginning to the end of the employment relationship.
Categories of recipients - data transfer
None.
Consequences of failure to provide data
It is not possible to provide the VVT IT service.

Internal security cameras of Vivetech Plc
Scope of affected personal data
Making video recordings of those entering the building (floor) and those going up to the 2nd floor.
The recordings are digitally stored on Vivetech's protected NAS server.
Purpose of data management
Ensuring property protection, proving violations and crimes, and deterring such acts by means of the cameras themselves.
The recordings (only of the entrance camera) can be viewed remotely by the owner of the House (Landlord), the purpose of which is to filter out incorrect handling of the alarm system and false alarms. In other words, there is also an external data processor in this case.
The external data processor: KYM Irodaházepító és Üzemeltető Kft. (1122 Budapest Városmajor utca 11., company registration number: 01-09-066930).
Final version of data processing contract not yet signed: VVT-KIM-data processing contract_v0.2.docx.
The purpose of the recordings is not to monitor employees and their activities.
Legal basis for processing personal data
The data controller's legitimate interest [GDPR Article 6 (1) point f)], which in this case is asset protection.
Time content of data management
10 days, after which the recordings are deleted.
Categories of recipients - data transfer
The aforementioned external data processor (Lessor) has access to the video recordings.
A weighing of interests investigation was carried out: VVT weighing of interests - camera system.v0.2.docx
If a crime were to take place or were suspected, the recordings would be handed over to the police.
Consequences of failure to provide data
The physical protection level of the building would decrease.

VVT portal
Scope of affected personal data
Contact information: name, e-mail address, company, position, phone number.
Purpose of data management
• making contact with potential partners and customers of ViVeTech Zrt., maintaining the relationship, handling comments and inquiries;
• information sharing
ViVeTech Nyrt. may also share marketing information with its partners regarding the company's products and services within the framework of information sharing. If the data subject does not wish to receive information for marketing purposes, he has the option to block the sharing of information for marketing purposes via the contact details indicated in the statement on the portal.
Legal basis for processing personal data
In all cases, data management in connection with the portals is based on the consent of the data subject and the legitimate interest of ViVeTech Nyrt. The legal basis for data management is as follows:
• Article 6 (1) of the GDPR point a), consent of the data subject; as well as
• Article 6 (1) of the GDPR point f), the enforcement of ViVeTech Zrt.'s legitimate interests.
Time content of data management
ViVeTech Nyrt. manages the data
• until the relevant consent is revoked;
• in the case of relevant purposes, for as long as the legitimate interest related to them exists;
• until notification of a change in the contact information.
Categories of recipients - data transfer
No forwarding outside the company.
Consequences of failure to provide data
The user of the portal does not have access to all the data and information provided by Vivetech Nyrt.
Data processors and services related to the portal
Data processor (or Service Provider) means a natural or legal person who processes data at the request of the Data Controller. In order to process the data more efficiently, we can use the services of different Service Providers.
During data management in connection with the portals, ViVeTech Nyrt. uses the following data processors and services:
The portal uses the functions of the web analysis service Google Analytics, which is provided by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.
Google Analytics uses so-called "cookies": these are text files stored on your computer that enable an analysis of your use of the website. The information generated by the cookie about your use of the website is usually transmitted to a Google server in the USA and stored there.
Google Analytics Cookies are stored based on Article 6, Paragraph 1, Subpoint f) of the GDPR. The website operator has a legitimate interest in analyzing user behavior in order to optimize both its web offer and advertisements.
IP address anonymization
We have activated the IP anonymization function on our website. Google shortens your IP address within the member states of the European Union or other states that have joined the Agreement on the European Economic Area before transmission to the USA. The full IP address is transferred to Google's server in the USA and shortened there only in exceptional cases. On behalf of the operator of this website, Google evaluates your use of the website based on this information, prepares reports on activities on the website, and offers services related to the use of the website and Internet use to the website operator. In the context of Google Analytics, Google does not combine the IP address transmitted by the browser with other data.
Browser extension
You can prevent the storage of cookies by setting the browser software accordingly. We draw your attention to the fact that in this case you may not be able to fully use all the functions of the website. In addition, you can prevent the recording of the data created by the cookie and related to the use of the website (including your IP address) and the processing of the data by Google by downloading and installing the browser plug-in available at the following link:
https://tools.google.com/dlpage/gaoptout
Denial of data collection
By clicking on the following link you can prevent data collection by Google Analytics: Deactivate Google Analytics. This sets an opt-out cookie that prevents your data from being recorded when you visit the website in the future.
More information about the handling of user data by Google Analytics can be found in Google's privacy statement:
https://support.google.com/analytics/answer/6004245?hl=en
Outsourced data processing
Google regarding the processing of order data, we fully enforce the strict requirements of the data protection authorities when using Google Analytics.
Demographics in Google Analytics
This website uses the "demographic characteristics" function of Google Analytics, which can be used to create reports containing findings about the age, gender and interests of site visitors. This data comes from interest-based advertising by Google and visitor data from third-party providers. These data cannot be assigned to individuals. You can disable this feature at any time by changing the ad settings in your Google account, or you can prevent the collection of data by Google Analytics as described in the section "Denial of data collection".
The data management guidelines of the data processors used are available at the contact details of the data processors indicated above.

Logistics - WebEye
Scope of affected personal data
Contact information: name, e-mail address, telephone number.
Special driver data: tachograph ID and data (daily, weekly driving time, rest time), VVT ID
Purpose of data management
ViVeTech uses the WebEye real-time vehicle tracking system under a service contract. The contract between ViVeTech and WebEye also includes a data processing contract. (APPENDIX 2. B. OF GENERAL BUSINESS CONTRACTUAL CONDITIONS - DATA PROCESSING AGREEMENT for the processing of personal data entered into the WebEye / MyWebEye system by using the WebEye Service)
The purpose of data management is to ensure the management and control of drivers
• data related to the movement and location of trucks and related shipments;
• drivers' rest, time spent at work, compliance with laws and regulations related to Tachograph data;
• fuel consumption;
• the condition of the trucks, their technical characteristics, real-time status information on their condition characteristics (and subsequent analysis options are also available);
Legal basis for processing personal data
The legal basis for data management is:
• the legitimate interest of the employer,
• legal requirements,
• and employee consent.
An interest assessment test was also prepared: VVT interest assessment - webEYE_v0.1.docx
The employee is informed about the tracking and has given his consent.
Categories of recipients - data transfer
WebEye Hungary is involved as a data processor based on Annex 2 of the subscriber framework contract concluded by ViveTech Nyrt.
Time content of data management
2 years.
Consequences of failure to provide data
The management and control of the Vivetech fleet would be based on considerably less data, and the current delivery information would be more imprecise.
Compliance with the drivers' rest period is in the interests of both parties and is also a legal requirement.

Method of storing personal data, security of data management
Vivetech Nyrt. keeps data security in mind: we follow strict security procedures when storing and transmitting personal data, and protect it against accidental loss, destruction and damage. Vivetech Nyrt. does this with IT measures (for example, selection of suitable software, programs, firewall, SSL standard, backups), technical measures (for example, ensuring physical protection, in the framework of which documents are stored in a closed manner, and the use of alarms and security cameras) and organizational measures (for example, the application of an authorization system for the employees of Vivetech Nyrt., within the framework of which each employee only has access to information that is essential for their work).

The rights of data subjects concerned
The data controller (Vivetech Nyrt.) is obliged to respond to data subject requests without undue delay, but within 30 days at most. This deadline can be extended if necessary, provided that the data subject has been informed of this within 30 days and the postponement is sufficiently justified (for example, due to the complexity of the issues or the large number of requests).

Right to transparent information
• the main elements of the data management activity (for example, the scope of the managed data, the definition of the legal basis and purposes of the data management, the period of data retention, possible data transfers);
• the contact details of the parties involved (for example, data controllers, data protection officer - if any -, recipients);
• the possibilities of enforcing the rights of stakeholders.

The data subject's right of access
In the framework of the right of access (GDPR Article 15), the data subject is entitled to receive feedback from the data controller on whether his personal data is being processed, and if so, he is entitled to receive access to the processed personal data and a copy of them.
When responding to a request to exercise the right of access, the data controller is obliged:
• to inform the data subject about whether it manages their personal data;
• to make a copy of the personal data that is the subject of data management available to the data subject (unless this adversely affects the rights and freedoms of others);
• to provide information about:
o the purposes of data management;
o the categories of personal data concerned;
o the categories of recipient(s);
o the planned period of storage of personal data, i.e. how long it wishes to store personal data;
o the storage criteria;
o the data subject's right to request from the data controller the correction, deletion or restriction of processing of personal data relating to him and to object to their processing;
o the right to submit a complaint to a supervisory authority;
o if the data were not collected from the data subject, all available information about their source;
o the fact of automated decision-making, including profiling, as well as, at least in these cases, the logic used and the expected consequences of such data management.

Right to rectification
The data subjects have the right to have the data controller correct the information concerning them at their request. The right to rectification is also useful for data subjects and SMEs, because the latter can thus trust the quality of the processed data. The data controller is obliged to inform all interested parties to whom the data was previously disclosed about the correction, unless this proves to be impossible or requires a disproportionately large effort.

The right to erasure, i.e. "the right to be forgotten"
The data subjects have the right to have their personal data deleted by the data controller at their request.
The data controller is obliged to delete personal data if:
• the personal data are no longer needed for the purpose for which they were collected (or otherwise processed);
• the personal data were collected in connection with information society-related services provided to children (if they reached the legal age in the meantime);
• personal data were handled illegally (for example, in the absence of a suitable legal basis);
• the data subject withdraws his consent or objects to the processing of his data, and there is no other valid legal basis for data processing;
• deletion is necessary to fulfil a legal obligation prescribed by EU or member state law.
However, the exercise of the right to be forgotten also has limitations including: the exercise of the right to freedom of expression and information; fulfilling the obligation under EU or member state law requiring the processing of personal data; submission, enforcement and protection of legal claims, etc.
The data controller is obliged to inform all interested parties to whom the data was disclosed about the deletion, unless this proves to be impossible or requires a disproportionately large effort.

The right to restrict data processing
The data subject has the right to request that the data controller restricts data processing if one of the following conditions is met:
• the accuracy of personal data is debatable;
• the data management is illegal and the data subject requests their restriction instead of their deletion;
• necessary for the exercise or protection of the legal claim of the data subject;
• for the period until it is determined whether the legitimate interests of the data controller take precedence over the rights of the data subject.
The data controller is obliged to inform all interested parties to whom the data was previously disclosed about the restriction, unless this proves to be impossible or requires a disproportionately large effort. In addition, the data controller is obliged to inform the data subject in advance about the lifting of restrictions on data management.

The right to data portability
The purpose of the right to data portability is that the data subjects can easily take their personal data with them if they wish to use another service or service provider.

The right to object
The data subject has the right to object to the processing of his personal data if the controller:
• manages it on the basis of public interest or legitimate interest;
• handles it for the purpose of obtaining direct business;
• manages it in connection with services related to the information society;
• handles it for scientific and historical research purposes or for statistical purposes.
If the data subject objects to the processing of his/her personal data, the data controller may not process them further, unless he/she can prove that the rights and freedoms of the data subject do not take precedence over his/her legitimate interest.

Right to go to court
In the event of a violation of their rights, the data subject may apply to the court against the data controller. The court handles the case as a matter of priority.

Data protection official procedure
You can file a complaint with the National Data Protection and Freedom of Information Authority (NAIH):
Name: National Data Protection and Freedom of Information Authority
Headquarters: 1125 Budapest, Szilágyi Erzsébet fasor 22/C. Mailing address: 1530 Budapest, Pf.: 5.
Phone: 0613911400
Fax: 0613911410
E-mail: ugyfelszolgalat@naih.hu
Website: http://www.naih.hu

Budapest, August 30, 2023.

ViVeTech Plc.
