Data Protection Notice

‍

SCOLVO Zártkörűen Működő Részvénytársaság  (registered office: 8230 Balatonfüred, Fürdő utca 17. B. ép.; company registration number: 19 10 500362; tax number: 25482786-2-19; hereinafter the “Company” or “Controller”), hereby informs its partners, employees, the visitors to its website and the users of the software distributed by Company (hereinafter jointly referred to as the “Data Subject”) that it accepts these data protection and data processing principles (hereinafter the “Notice”) as binding. This Notice defines and regulates the processing of the personal data of the Data Subject pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (hereinafter the “GDPR” or “Regulation”), Act V of 2013 on the Civil Code (hereinafter the “Civil Code”), Act CXII of 2011 on Informational Self-Determination and Freedom of Information (hereinafter the “Privacy Act”) and all applicable legal regulations in effect from time to time. The Company reserves the right to amend this Notice to harmonize it with underlying laws amended in the meantime and with other internal regulations.

‍Data of the Controller

‍Company name: SCOLVO Zártkörűen Működő Részvénytársaság

Registered office: 8230 Balatonfüred, Fürdő utca 17. B. ép.

Company registration number: 19-10-500362

Tax number: 25482786219

Electronic contact details: hello@scolvo.com

Telephone: + 36 70 331-8180

Website: https://scolvo.com/‍

Scope of this Notice

‍This Notice shall apply to the processing of the data of natural persons. The scope of this Notice shall not extend to processing relating to legal persons.

‍Lawfulness of processing

‍Processing of personal data is lawful only if and to the extent that at least one of the following applies: the data subject has given consent to the processing of their personal data for one or more specific purposes; processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract; processing is necessary for compliance with a legal obligation to which the controller is subject; processing is necessary in order to protect the vital interests of the data subject or of another natural person; processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

‍Conditions for consent

‍Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of their personal data. If the data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding. The data subject is entitled to withdraw their consent at any time. The withdrawal of consent shall not affect the lawfulness of any processing that was conducted based on the consent prior to its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent. When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.

‍

Data processing

Data processing related to the Scolvo software distributed by Company 

For the purpose of selling the Corlnfo software distributed by Company (hereinafter referred to as „software” or “application”) the Company enters into license agreements with its contractual partners (hereinafter referred to as “Clients”).

The following data of Clients is processed by Company:

• business data (company name, registered seat, tax ID, a chosen ID – hereinafter referred to as “Company ID”)
• personal data of those authorized to represent the company and personal data of other representatives (name, e-mail address, phone number)

The purpose of processing data within the meaning of the present section is assisting the Company to enter into agreements with Clients, assisting the proper performance of the existing agreements entered into by and between Company and Client and assisting the communication and exchange of information.  

The individual users of the Software are the employees, agents, and other contracting partners of Client (hereinafter referred to as “Users”). The following data of Users is processed by Company:

• e-mail address
• password
• Company ID
• phone number

Regarding the free trial version of the Software and the handling of commercial offers regarding the Software, the following data is processed by Company

• family name, first name
• e-mail address
• company name
• position
• phone number

The legal ground for processing data of Users is the prior consent of data subject within the meaning of Article 6. Section 1 subsection a.) of GDPR. 

When downloading the Software, data subjects (Clients and Users) are informed by Company about the processing of their data via the present Data Protection Notice.

The purpose of processing data – other than personal data of Client – provided by Client and User during the usage of the Software shall always be determined by Client. Regarding such data provided by Client and User, the Client shall be deemed as controller of such data while the Company shall be deemed as processor thereof.

The consent granted by User for the Company to process data at the time of downloading the Software shall not entitle Client to process data of User which is the competence and obligation of Client.

User identifies the Client via the Company ID. The data provided by User when using the software shall only be available to Clients previously identified by Company ID thus third parties shall not be able to access such data.

Client shall be responsible for processing of data of Client contained in Client’s user account and shall be responsible for all activities of the user account of Client. Client shall be responsible for using the software in full compliance with the relevant laws, with special regard to the lawful use of data provided by Client and Users partnering with Client, to the lawful use of the records prepared of such data provided, as well as all processing operation regarding the said data.

The Company informs Clients and Users that during the usage of the software, Users may provide data categorized as special category data. Such special category data shall only be processed by Client if User has given its explicit consent for processing thereof. 

Other than recording data and creating reports requested by Clients based on the data, Company shall not conduct data process operations and shall not manage data provided by Users.

The Company shall not be responsible for data, content and replies provided by Client and User during the registration and usage of the software, therefore the authenticity, relevance and accuracy thereof shall not be assessed by Company.

The duration of processing of data depends on the fact whether the data processed shall be deemed as accounting evidence or not. In case of granting the right of use of software free of charge, the Company shall erase the data provided by Client within 5 years following the removal of the registration of Client, while in case of granting the right of use of software for consideration, the Company shall erase data of and connected to the Client within 8 years following the termination of the agreement for using the software. 

‍Data processing relating to persons in contractual relationship with the Company 

The Company shall in all cases informs the natural persons in legal relationship with it about data processing pertaining to them. Where pursuant to Article 14(1) of the GDPR personal data have not been obtained from the data subject, the Company shall provide such natural persons with details of processing by publishing this Notice. In the event of contracts concluded with partners and the performance of concluded contracts, processing extends to: personal identification data, the data of the representative of the legal person contracting party (name, position) as well as the data required for contact (telephone number, email address), data of the natural person partner (name, name at birth, mother’s maiden name, place and date of birth), as well as the data required for contact (telephone number, email address, address), The purpose of processing as per this Section is the conclusion and performance of a contract, and communication. The duration of data processing depends on whether the data qualify as accounting documents. If yes, Section 169(2) of the Accounting Act shall prevail, and accordingly the data shall be retained by the Company for minimum 8 years, and for 5 years in all other cases with a view to the term of limitation as set out in the Civil Code. The legal basis for the processing is Article 6(1) b) of the GDPR, that is performance or conclusion of a contract.

‍

Processing related to calls for applications, applicants and resumes

‍In the case of the processing of personal data of persons applying for job vacancies, the purpose of data processing is for the employer to find an suitable employee for the position announced. Pursuant to Article 6(1) a) of the GDPR, the legal basis for processing is the consent granted by the data subject. The scope of the data processed varies depending on what data the data subject wishes to provide, but most frequently: name, name at birth, address, email address, telephone number, past workplace details, educational details, photograph. In line with Article 17(1) a) of the GDPR, the Company erases personal data when they are no longer necessary in relation to the purposes for which they were collected. The Company stores the personal data for a maximum of 1 year from consent granted, provided during this time the applicant is not hired as an employee or has not withdrawn consent in this period. In the case of applying to an unannounced position, the Company sends an email to the applicant or contacts them by other means, during which it provides information on the details of processing. If the data subject consents to processing, the Company stores the resume for a maximum of 1 year.  

‍

Processing the data of employees relating to employment

‍The purpose of data processing is the establishment, performance or termination of employment. Pursuant to Article 6(1) c) of the GDPR, the legal basis for processing is compliance with a legal obligation, and furthermore, pursuant to Article 6(1) b) of the GDPR, performance of a contract. During the processing of the personal data of employees, the Company applies the principles of purpose limitation and data minimisation, and acts in line with the compulsory legal provisions applicable to the various data types in respect of the erasure of data, and in the absence of such provisions, erases the personal data pertaining to the employee within 5 years after the termination of employment. The processing of the personal data of employees is regulated by Section 10(1) of the Labour Code. The aforementioned provision states that employees may only be requested to make statements or provide data where personal rights are not violated and such is essential for the purpose of establishing, performing or terminating employment. The employee may only be subjected to aptitude tests that are required by employment-related regulations or which are required in order to exercise a right or fulfil an obligation defined in employment-related regulations.

‍Processing of the data of website visitors and persons requesting information

‍The Company operates and maintains a website for the purpose of providing information to users. If the user requires additional information, they have to provide their name, email address; in case of representing a company, the name of the company and in case of business proposals, the position of those requesting such busines proposal shall also be provided.so that they can be contacted. Pursuant to Article 6(1) a) of the GDPR, the legal basis for processing is consent granted by the data subject. The Company processes such data for 6 months from the receipt of the letter requesting information.  In the event if data subject gives its explicit consent – by clicking on checkbox appearing on the Website – , the Company shall be entitled to use the data provided by data subject for the purpose of sending commercial offers and newsletters to data subjects. The consent granted for the processing of personal data provided during registration or subscribing to the newsletter may be withdrawn by the data subject at any time in writing, without limitation and justification, by sending such request to the Company’s above email address provided for the purpose of communication, or by clicking on the “Unsubscribe” button in the email received. 6 months after the unsubscription the data will be deleted.

Data processors

‍

‍Processing relating to book-keeping:

Name of processor: Jobbook Kft.

Registered office: 1222 Budapest, Mézesfehér utca 21. 2. em. 9.

Email address: info@jobbook.hu

Processing relating to accounting services:

Name of processor: MOBILCONSULT Könyvvizsgáló és Gazdasági Tanácsadó Kft.

Registered office: 1106 Budapest, Fehér út 10.

E-mail address: mobilconsult@mobilconsult.hu

Processing relating to storage services:

‍Name of processor:Amazon Web Services EMEA SARL

Registered office: 38 Avenue John F. Kennedy, L-1855, Luxembourg

E-mail address: privacyshield@amazon.com

Processing relating to the Corlnflo software:

‍Name of processor:Amazon Web Services EMEA SARL

Registered office: 38 Avenue John F. Kennedy, L-1855, Luxembourg

E-mail address: privacyshield@amazon.com

Name of processor: Zoho Corporation Pvt. Ltd.

Registered office: 4141 Hacienda Drive Pleasanton, CA 94588, USA

E-mail address: privacy@zohocorp.com 

Name of processor: Google LLC

Registered office: 1600 Amphitheatre Parkway Mountain View, CA 94043 US

Contact: https://www.google.com/contact/ 

Additional processors

Task-management software: JIRA

Name of processor: Atlassian Corporation Plc 

registered seat: 6/341 George St, Sydney NSW 2000, Australia)

Contact: https://www.atlassian.com/hu/trust/privacy

Internal communications software: Slack

Name of processor: Slack Technologies, Inc. Registered office: 500 Howard Street, San Francisco, CA, 94105, USA)

Contact: https://slack.com/intl/en-hu/privacy-policy

E-mail services: Google LLC

Registered seat: 1600 Amphitheatre Parkway Mountain View, CA 94043 US

Contact: https://www.google.com/contact/ 

Email client, document sharing and storage: Microsoft Office 365 Amazon Web Services EMEA SARL

Registered office: 38 Avenue John F. Kennedy, L-1855, Luxembourg

Email address: privacyshield@amazon.com

GitHub, Inc.88 Colin P. Kelly Jr. Street San Francisco, CA 94107 United States

Email address: support@github.com

CRM tool: Hubspot25

Registered office: First Street, 2nd Floor, Cambridge, MA 02141 United States

Phone number: +1 888 482 7768

Personal data breach

‍Pursuant to Article 4 of the GDPR, a personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. In the case of a personal data breach, the Company shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the competent supervisory authority, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the Company shall communicate the personal data breach to the Data Subject without undue delay. As part of such communication, the Company describes the nature of the personal data breach using clear and plain language, communicates information as well as measures taken.

‍

Rights of Data Subjects

1. Right to receive information:

The right to receive clear and transparent information is a fundamental right of the Data Subject. At the Data Subject’s request, the Company takes appropriate measures to provide the data subject with information on the processing of personal data, the circumstances of processing and the rights the Data Subject is entitled to, in a concise, easily accessible and easy to understand form and using clear and plain language.

‍

2. Right of access by the Data Subject:

The Data Subject shall have the right to obtain from the Company confirmation as to whether or not personal data concerning them are being processed, and, where that is the case, access to the personal data and the following information: the purposes of data processing, the categories of personal data concerned; the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations, where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period, the existence of the right to request from the Company rectification or erasure of personal data or restriction of processing of personal data concerning the Data Subject or to object to such processing, the right to lodge a complaint with a supervisory authority, where the personal data are not collected from the Data Subject, any available information as to their source, the existence of automated decision-making, including profiling, and, at least in those cases, comprehensible information about the logic applied, as well as the significance and the envisaged consequences of such processing for the Data Subject. Moreover, based on the right of access, the Company ensures to the Data Subject the right of requesting copies. For any copies requested by the Data Subject, the Company may charge a reasonable fee based on administrative costs. Upon request by the Data Subject, the Company provides information electronically. At the Data Subject’s request, the Company may also provide information to the data subject verbally, after their identity has been credibly verified by the Company.  

‍

3. Right to rectification:

The Data Subject shall have the right to obtain from the Company without undue delay the rectification of inaccurate personal data concerning them. Taking into account the purposes of the processing, the Data Subject shall have the right to have incomplete personal data completed.

‍

4. Right to be forgotten:

Pursuant to the Regulation, the Data Subject shall have the right to obtain from the Company the erasure of personal data concerning them without undue delay and the Company shall have the obligation to erase personal data without undue delay where one of the following grounds applies: the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed, the Data Subject withdraws the consent on which the processing is based, and there is no other legal ground for the processing, the Data Subject objects to the processing and there are no overriding legitimate grounds for the processing, the personal data have been unlawfully processed, the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the Company is subject, the personal data have been collected in relation to the offer of information society services. The erasure of data may not be initiated if data processing is required in the cases set out in Article 17(3) of the Regulation. The Company shall erase the data indispensable for the provision of the service if the contract is ultimately not concluded or is terminated. Exception to the above are cases where such erasure is excluded by a provision of another legal regulation.  

‍

5. Right to restriction of processing:

The Data Subject shall have the right to obtain from the Company restriction of processing where one of the following applies: the accuracy of the personal data is contested by the Data Subject, for a period enabling the Company to verify the accuracy of the personal data, the processing is unlawful and the Data Subject opposes the erasure of the personal data and requests the restriction of their use instead, the Company no longer needs the personal data for the purposes of the processing, but they are required by the Data Subject for the establishment, exercise or defence of legal claims, or the Data Subject has objected to processing, pending the verification whether the legitimate grounds of the Company override those of the Data Subject. Where data processing is restricted, the data may only be stored, and all other data processing is subject to Data Subject consent and only for the purpose of the establishment of legal claims or for reasons of public interest.  

‍

6. Right to data portability:

The Data Subject shall have the right to receive the personal data concerning them, which they have provided to the Company, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the Company to which the personal data have been provided. Moreover, the Data Subject is entitled to request the personal data to be transmitted directly to another company. This can only be in relation to specific legal titles. The Company shall establish and ensure the technological and technical conditions for data portability.  

‍

7. Right to object:

The Data Subject shall have the right to object, on grounds relating to their particular situation, at any time to processing of personal data concerning them for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Company, or for the purposes of the legitimate interests pursued by the Company or by a third party, including profiling based on the provisions referenced above. In the event of such objection, the Company shall no longer process the personal data unless the Company demonstrates compelling legitimate grounds for the processing that override the interests, rights and freedoms of the Data Subject, or which are related to the establishment, exercising or defence of legal claims. Where personal data are processed for direct marketing purposes, the Data Subject shall have the right to object at any time to processing of personal data concerning them for such marketing, which includes profiling to the extent that it is related to such direct marketing.

‍

8. Automated decision-making, profiling:

The Data Subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them. The above right shall not be applied where processing is necessary for entering into, or performance of, a contract between the Data Subject and the Company, or is authorised by Union or Member State law to which the Company is subject and which also lays down suitable measures to safeguard the Data Subject’s rights and freedoms and legitimate interests; or is based on explicit consent by the Data Subject.

‍

9. Right to withdraw consent:

The Data Subject is entitled to withdraw voluntary consent at any time. Procedural rulesThe Company shall provide information on action taken on a request pursuant to Articles 15-22 of the Regulation aimed at the exercising of rights to the Data Subject without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The Company shall inform the Data Subject of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the Data Subject makes the request by electronic form means, the information shall be provided by electronic means, unless otherwise requested by the Data Subject. If the Company does not take action on the request of the Data Subject, the Company shall inform the Data Subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy. The Company provides the information requested free of charge. Where requests from a Data Subject are manifestly unfounded or excessive, in particular because of their repetitive character, the Company may either charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested, or refuse to act on the request. The Company shall communicate any rectification or erasure of personal data or restriction of processing to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The Company shall inform the Data Subject about such recipients at the request of the Data Subject. The Company shall provide the Data Subject with a copy of the personal data undergoing processing. For any further copies requested by the Data Subject, the Company may charge a reasonable fee based on administrative costs. Where the Data Subject makes the request by electronic means, and unless otherwise requested by the Data Subject, the information shall be provided in electronic form.

Indemnification and compensation

Any person who has suffered material or non-material damage as a result of an infringement of the Regulation shall have the right to receive compensation from the Company or processor for the damage suffered. The Company or processor shall be exempt from liability if it proves that it is not in any way responsible for the event giving rise to the damage.

‍

Right to turn to court

Where their rights are violated, the Data Subject may turn to the court against the Company. The court shall proceed in the action as a matter of urgency. The Company shall compensate any damage caused by any unlawful processing of the Data Subject’s data or a breach of the data security requirements. In the event of the violation of the Data Subject’s personal rights, the Data Subject may demand compensation. The Company shall be exempt from liability if the loss was the result of a cause that it could not have prevented. The Company shall not compensate for damage and no compensation for personal rights violation may be claimed if such damage was caused by the wilful misconduct or gross negligence of the Data Subject.  

If you have comments relating to processing by the Company, please contact us using the email address specified for communication among the Company’s data. 

Data Security

Data controller shall be obliged to grant the security of personal data and shall be obliged to take all necessary measures to ensure the protection of the personal data from unauthorized access, erasure, alteration, and usage. Data controller shall be obliged to inform all third parties who the data has been provided to of all obligations set out herein for the purpose of full compliance.

‍

Lodging complaints

Complaints relating to the Company’s potential data processing-related infringements may be lodged at the Hungarian National Authority for Data Protection and Freedom of Information:

Hungarian National Authority for Data Protection and Freedom of Information

Registered office: H-1125 Budapest, Szilágyi Erzsébet fasor 22/C

Mailing address: 1530 Budapest, PO Box: 5.

Phone number: +36-1-391-1400

Fax: +36-1-391-1410

Email address: ugyfelszolgalat@naih.hu