Manage cookies
We use cookies to provide the best site experience.
Manage cookies
Cookie Settings
Cookies necessary for the correct operation of the site are always enabled.
Other cookies are configurable.
Essential cookies
Always On. These cookies are essential so that you can use the website and use its functions. They cannot be turned off. They're set in response to requests made by you, such as setting your privacy preferences, logging in or filling in forms.
Analytics cookies
Disabled
These cookies collect information to help us understand how our Websites are being used or how effective our marketing campaigns are, or to help us customise our Websites for you. See a list of the analytics cookies we use here.
Advertising cookies
Disabled
These cookies provide advertising companies with information about your online activity to help them deliver more relevant online advertising to you or to limit how many times you see an ad. This information may be shared with other advertising companies. See a list of the advertising cookies we use here.

Data Management Policy

This Data Management Policy outlines the rules for the handling of personal data in connection with the business contracts of GITMAX IT Services Zártkörűen Működő Részvénytársaság.

I. THE NAME OF THE DATA CONTROLLER, THE CONCEPT OF PERSONAL DATA, AND THE DATA SUBJECT
Data Controller: GITMAX IT Services Ltd.
Headquarters: 1118 Budapest, Kelenhegyi út 43. A. building, 4th floor, door 8
Website: https://gitmax.com/
Email: info@gitmax.com
Phone number: +36 1 808 90 21
Data Protection Officer: Dr. Rátky Miklós and Dr. Kovács Attila László info@ratkynet.hu)

II. SCOPE OF PROCESSED DATA
NATURAL PERSONS / SELF-EMPLOYED INDIVIDUALS (FREELANCERS):
- First name, last name
- Birth name
- Mother's maiden name (last name and first name)
- Place of birth, date of birth
- Nationality
- Address
- Marital status (married/single)
- Place of employment (country)
- ID card number (ID card number / passport)
- NI number (social security number)
- Job position (description)
- Starting date of the contract
- Contact information: email, phone
- Tax number = tax identification number
- Banking information: Bank name, address, account number, SWIFT/BIC
- Photograph
- Billing and payment information
- Electronic signature

ENTREPRENEURS:
- Full name of the organization
- Country of registration
- Legal address, mailing address
- Tax number
- Banking information: Bank name, address, account number, SWIFT/BIC
- Field of work (description)
- Start date of the contract
- Full name of the entrepreneur
- Email address and phone number of entrepreneur
- Place of birth, date of birth
- Nationality
- ID card number
- NI number (social security number)
- Photograph
- Billing and payment information
- Electronic signature

REPRESENTATIVES OF THE PARTIES (LEGAL ENTITIES):
- Full name of the contact representative
- Email address and phone number of the contact representative
- Position of the contact representative
- Company name of the contact representative

III. SPECIFIC DATA PROCESSING PURPOSES

1. GENERAL CONTRACT MANAGEMENT ACTIVITIES

a) Legal basis for the data controller's data processing
According to Article 6(1)(b) of the GDPR, data processing is necessary for the performance of a contract in which the Data Subject is a party, or for taking steps at the request of the Data Subject prior to entering into a contract.
Article 6(1)(f) of the GDPR applies to the data of representatives of the contractual partner.

b) Transfer of Personal Data
The Data Controller does not transfer personal data to third countries or international organizations.
However, during data processing, the Data Controller may use software (e.g., DocuSign, Zoom) operated by service providers with foreign headquarters. In such cases, the Data Controller will assess the impact of using the software on personal data, evaluate any potential risks, and verify the extent to which the foreign company complies with the GDPR's data security requirements before use.

c) Purpose of Data Processing
The purpose of data processing is to enable the Data Controller to fulfill its contractual obligations and to assert its rights arising from the contract.

d) Duration of Data Processing
Until the termination of the contract.


e) Data Security
The IT department of the Data Controller is responsible for the security of data processing. Automated decision-making, including profiling, does not occur during data processing.

f) Data Processors
A data processor is a natural or legal person who processes personal data on behalf of the Data Controller. No data processors will be utilized in this data processing.

2. DATA PROCESSING RELATED TO PRIMARY ACTIVITIES

a) Legal basis for the data controller's data processing
According to Article 6(1)(b) of the GDPR, data processing is necessary for the performance of a contract in which the Data Subject is a party, or for taking steps at the request of the Data Subject prior to entering into a contract.
Article 6(1)(f) of the GDPR applies to the data of representatives of the contractual partner.

b) Transfer of Personal Data
The Data Controller does not transfer personal data to third countries or international organizations.
However, during data processing, the Data Controller may use software (e.g., DocuSign, Zoom) operated by service providers with foreign headquarters. In such cases, the Data Controller will assess the impact of using the software on personal data, evaluate any potential risks, and verify the extent to which the foreign company complies with the GDPR's data security requirements before use.

c) Purpose of Data Processing
The purpose of data processing is to enable the Data Controller to fulfill its contractual obligations and to assert its rights arising from the contract in relation to client and business relationships associated with its primary activities of computer programming and information technology services.

d) Duration of Data Processing
Until the termination of the contract.

e) Data Security
The IT department of the Data Controller is responsible for the security of data processing. Automated decision-making, including profiling, does not occur during data processing.

f) Data Processors
No data processors will be utilized in this data processing.

3. USAGE IN POTENTIAL LEGAL DISPUTES RELATED TO GENERAL CONTRACT MANAGEMENT AND DATA PROCESSING RELATED TO PRIMARY ACTIVITIES

a) Legal basis for the data controller's data processing
According to Article 6(1)(f) of the GDPR, data processing is necessary for the legitimate interests pursued by the Data Controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the Data Subject, which require protection of personal data, particularly when the Data Subject is a child. The Data Controller has a legitimate interest in having personal data to support the facts in potential legal proceedings or out-of-court legal actions for the purpose of asserting or protecting its rights.

b) Transfer of Personal Data
The Data Controller does not transfer personal data to third parties for this data processing purpose.

c) Purpose of Data Processing
The purpose of data processing is for the Data Controller to retain contracts and their annexes to use them as evidence in any potential future legal disputes with the contracting partner.

d) Duration of Data Processing
For a period of 5 years following the termination of the contractual relationship.

e) Data Security
The IT department of the Data Controller is responsible for the security of data processing. There is no place for automated decision-making, including profiling, during data processing.

f) Data Processors
A data processor is a natural or legal person who processes personal data on behalf of the Data Controller. In relation to this data processing purpose, no data processors will be utilized.

IV. RIGHTS RELATED TO DATA PROCESSING AND REMEDIES

1. RIGHTS RELATED TO DATA PROCESSING
a) The Data Subject may request the following from the Data Controller:
• Information about the processing of their personal data (both prior to and during the data processing),
• Access to their personal data (to have their personal data provided by the Data Controller),
• Rectification and completion of their personal data,
• Deletion of their personal data,
• Restriction of processing their personal data,
• Objection to the processing of their personal data,
• Withdrawal of their consent to data processing.

b) The Data Subject may submit their request using the contact details specified in point 1. The Data Controller will respond to the Data Subject's lawful request within one month (considering the complexity of the request and the number of requests, this deadline may be extended by an additional two months if justified) and will notify the Data Subject at the contact details provided.

a) RIGHT TO REQUEST INFORMATION (PURSUANT TO ARTICLES 13-14 OF THE GENERAL DATA PROTECTION REGULATION)
The Data Subject may request in writing from the Data Controller information regarding:
• Which personal data they process,
• The legal basis for processing,
• The purpose of data processing,
• From what source,
• The duration of data processing,
• Whether a data processor is employed, and if so, the name, address, and activities related to data processing of the data processor,
• To whom, when, and under which legal provisions the Data Controller has granted access to their personal data or to whom their personal data has been disclosed,
• The circumstances, impacts, and remedial actions related to potential data protection incidents.

b) RIGHT OF ACCESS (PURSUANT TO ARTICLE 15 OF THE GENERAL DATA PROTECTION REGULATION)
The Data Subject has the right to receive feedback from the Data Controller regarding whether their personal data is being processed, and if such processing is underway, they are entitled to access their personal data being processed. This request can be made in writing according to section 8.1.1.
The Data Controller will provide a copy of the personal data that is the subject of processing to the Data Subject. If the request is submitted electronically, the information must be provided in a commonly used electronic format, unless the Data Subject requests otherwise.

c) RIGHT TO RECTIFICATION AND COMPLETION (PURSUANT TO ARTICLE 16 OF THE GENERAL DATA PROTECTION REGULATION)
The Data Subject may request in writing that the Data Controller modify or rectify any of their personal data (for example, they may change their email address or postal address at any time or request the Data Controller to rectify any inaccurate personal data they process). Considering the purpose of data processing, the Data Subject is entitled to request the appropriate completion of their incomplete personal data held by the Data Controller.



d) RIGHT TO DELETE (PURSUANT TO ARTICLE 17 OF THE GENERAL DATA PROTECTION REGULATION)
a) The Data Subject shall have the right to obtain from the controller the deletion of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
• the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
• The personal data have been unlawfully processed;
• the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject
b) The data cannot be deleted if the processing is necessary for the following reasons:
• for exercising the right of freedom of expression and information;
• for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
• for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3);
• for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
• for the establishment, exercise or defence of legal claims

e) RIGHT TO RESTRICTION OF PROCESSING (PURSUANT TO ARTICLE 18 OF THE GENERAL DATA PROTECTION REGULATION)
The Data Subject shall have the right to obtain from the controller restriction of processing where one of the following applies:
· the accuracy of the personal data is contested by the Data Subject, for a period enabling the controller to verify the accuracy of the personal data;
· the processing is unlawful and the Data Subject opposes the deletion of the personal data and requests the restriction of their use instead;
· the controller no longer needs the personal data for the purposes of the processing, but they are required by the Data Subject for the establishment, exercise or defence of legal claims;
· the Data Subject has objected to processing pursuant to Article 21(1) pending the verification whether the legitimate grounds of the controller override those of the Data Subject.
Where processing has been restricted as mentioned above, such personal data shall, with the exception of storage, only be processed with the Data Subject’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
The Data Controller will inform the Data Subject, whose processing has been restricted upon their request, in advance about the lifting of the restriction on processing.

f) RIGHT TO OBJECT (BASED ON ARTICLE 21 OF THE GENERAL DATA PROTECTION REGULATION)
The Data Subject has the right to object to the processing of their personal data based on the legitimate interests of the Data Controller (or a third party). In such cases, the Data Controller may not continue processing the personal data unless it can demonstrate that there are compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the Data Subject, or that the processing is necessary for the establishment, exercise, or defense of legal claims.

If the processing of personal data is carried out for the purpose of direct marketing, the Data Subject may object at any time to the processing of their personal data for such purposes, including profiling, insofar as it is related to direct marketing. In the event of an objection from the Data Subject, the data may no longer be processed for that purpose.

g) RIGHT TO WITHDRAW CONSENT (BASED ON ARTICLE 7 OF THE GENERAL DATA PROTECTION REGULATION)
The Data Subject has the right to withdraw their consent at any time. The withdrawal of consent does not affect the lawfulness of the processing based on consent before its withdrawal. The Data Subject is entitled to withdraw their consent in the same manner as it was given.

h) REMEDIES RELATED TO DATA PROCESSING

Initiation of Judicial Proceedings
The Data Subject may file a lawsuit against the Data Controller, or against the Data Processor regarding data processing activities within the scope of their operations, if they believe that the Data Controller or the Data Processor, acting on their behalf, has processed their personal data in violation of the regulations on personal data processing established by law or by binding acts of the European Union. The court has jurisdiction over the case. The lawsuit -at the Data Subject's discretion - may be initiated at the competent court located in the Data Subject's place of residence or habitual residence:
http://birosag.hu/torvenyszekek.

The Data Controller shall compensate for damages caused by unlawful processing of the Data Subject's data or by violation of data security requirements, unless the damage was caused by an unavoidable reason beyond the scope of data processing. The Data Controller shall not compensate for damages to the extent that they arise from the intentional or grossly negligent conduct of the injured party. In the case of violation of the Data Subject's personal rights, the Data Subject may claim compensation for damages.

Initiation of Administrative Proceedings
The Data Subject may initiate an investigation or public proceedings with the Nemzeti Adatvédelmi és Információszabadság Hatóság (1055 Budapest, Falk Miksa Street 9-11, website: http://naih.hu; mailing address: 1396 Budapest, P.O. Box 9; phone: +36-1-391-1400; fax: +36-1-391-1410; email: ugyfelszolgalat@naih.hu) to enforce their rights, citing a violation of their personal data processing or the imminent threat thereof, particularly:

- If they believe that the Data Controller restricts their rights as defined in point 8.1 or rejects their request to exercise those rights (requesting an investigation), and
- If they believe that, during the processing of personal data, the Data Controller or the Data Processor, acting on their behalf, violates the regulations regarding personal data processing established by law or by binding acts of the European Union (requesting the initiation of public proceedings).