(Effective date: 19 May 2026)
StrategyPro Consulting Korlátolt Felelősségű Társaság (registered office: 8100 Várpalota, Újlaki út 1, 4th floor, door 17; company registration number: 19-09-524889; tax number: 32716168-2-19; hereinafter: the “Data Controller”) has prepared this privacy notice (hereinafter: the “Notice”) in order to ensure high-quality operation and compliance with the applicable data protection laws in force from time to time. This Notice contains information on the activities carried out by the Data Controller in connection with the processing of personal data, in accordance with Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information (hereinafter: the “Info Act”) and Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation, hereinafter: the “GDPR”).
The purpose of this Notice is to inform the persons concerned by the processing of personal data, no later than at the time the personal data is obtained, about the information specified in Section 16 (1)–(2) of the Info Act and Article 13 of the GDPR, and to ensure that they may become familiar with the practice, purposes, legal bases and principles of the related data processing, in order to exercise their right to prior information.
Any person whose personal data is processed by the Data Controller (hereinafter: the “Data Subject”) is required to familiarise themselves with this Notice and acknowledge its provisions.
Where the personal data is provided to the Data Controller by the Data Subject, or where a data transfer takes place (i.e. the personal data is not provided to the Data Controller by the Data Subject), the authenticity and accuracy of the personal data shall be the sole responsibility of the Data Subject or the person providing the personal data, and the Data Subject / person providing the personal data shall be obliged to keep such data up to date. Where the personal data does not originate from the Data Subject, the person providing the personal data warrants that they have the appropriate authorisation and entitlement to make the personal data available to the Data Controller. The Data Controller shall not assume any liability for any deficiencies related to the data provided, or for any consequences arising from such deficiencies or inaccuracies, and expressly excludes its liability in this regard.
The Data Controller acknowledges the data processing rules detailed in this Notice as binding upon itself and carries out its data processing activities in accordance with these rules.
This Notice is continuously available and retrievable in Hungarian on the website available at www.strategyproconsulting.com (hereinafter: the “Website”), and in paper form at the registered office of the Data Controller.
The circumstances of data processing may change from time to time, and the Data Controller may decide at any time to supplement its ongoing data processing with a new data processing purpose; therefore, the Data Controller reserves the right to amend this Notice at any time. The Data Controller shall notify the Data Subjects of any amendment to this Notice primarily via the Website.
1. Name and contact details of the Data Controller
StrategyPro Consulting Korlátolt Felelősségű Társaság
Postal address: 8100 Várpalota, Újlaki út 1, 4th floor, door 17
Telephone number: +36 20 323 4298
Email address: csaba.veres@strategyproconsulting.com
Represented by: Csaba Veres, managing director
2. Data Protection Officer
The Data Controller is not required to appoint a data protection officer.
3. Definitions
personal data: Any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, number, location data, online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
processing: Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
controller: The specific person who, alone or jointly with others, determines the purposes and means of processing.
processor: A natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller.
recipient: A natural or legal person, public authority, agency or any other body to which personal data is disclosed, whether or not a third party. Public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of such data by those public authorities shall comply with the applicable data protection rules according to the purposes of the processing.
data subject: A natural person whose personal data is the subject of processing.
GDPR: An acronym formed from the initials of General Data Protection Regulation. In Hungarian: Általános Adatvédelmi Rendelet; Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
Terms used in this Notice that are not defined in this section shall, in the absence of a specific different definition, be interpreted in accordance with the meanings used in the GDPR.
4. Principles of data processing
The processing carried out by the Data Controller complies with the data processing principles of the GDPR, which are as follows:
Principle of lawfulness, fairness and transparency: Personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject.
Principle of purpose limitation: Personal data must be collected only for specified, explicit and legitimate purposes and must not be processed in a manner that is incompatible with those purposes.
Principle of data minimisation: Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
Principle of accuracy: Personal data must be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate in relation to the purposes for which they are processed are erased or rectified without delay.
Principle of storage limitation: Personal data must be kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the personal data are processed.
Principle of integrity and confidentiality: Personal data must be processed in a manner that ensures appropriate security of the personal data by using appropriate technical or organisational measures, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.
Principle of accountability: The Data Controller is responsible for compliance with the principles and must be able to demonstrate such compliance.
5. Possible legal bases for data processing
The Data Controller may process the personal data of the Data Subject where one of the following legal bases exists:
a) pursuant to Article 6(1)(a) of the GDPR, the data subject’s voluntary consent to processing based on appropriate information (hereinafter: “Consent”);
b) pursuant to Article 6(1)(b) of the GDPR, processing is necessary for the performance of a contract to which the data subject is party (hereinafter: “Performance of a Contract”);
c) pursuant to Article 6(1)(c) of the GDPR, processing is necessary for compliance with a legal obligation to which the controller is subject (such as compliance with accounting and bookkeeping obligations – hereinafter: “Compliance with a Legal Obligation”);
d) pursuant to Article 6(1)(d) of the GDPR, processing is necessary in order to protect the vital interests of the data subject or of another natural person (hereinafter: “Vital Interest”);
e) pursuant to Article 6(1)(e) of the GDPR, processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller (hereinafter: “Processing Related to the Performance of Public Interest Tasks”);
f) pursuant to Article 6(1)(f) of the GDPR, processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party (hereinafter: “Legitimate Interest”).
6. Scope of processed data and the related legal basis and purpose of processing
Scope of processed data | Legal basis | Purpose | Duration of processing |
1. Data necessary for the establishment and performance of a contractual relationship – where the contracting party is a natural person: | Performance of a Contract | Enabling the use and provision of the services provided by the Data Controller (specifically, the conclusion and performance of the contract for the provision of services). | Considering that the processing is carried out for the performance of a contract, personal data are processed until the statutory limitation period for the rights and obligations arising from the underlying obligation (contract) expires, or until the retention period prescribed by laws governing retention expires. |
2. Data necessary for the establishment and performance of a contractual relationship – where the contracting party is not a natural person: | Performance of a Contract | Enabling the use and provision of the services provided by the Data Controller (specifically, the conclusion and performance of the contract for the provision of services). | Considering that the processing is carried out for the performance of a contract, personal data are processed until the statutory limitation period for the rights and obligations arising from the underlying obligation (contract) expires, or until the retention period prescribed by laws governing retention expires. |
3. Personal data provided via the contact form available on the Website: | Consent | Informing the Data Subject about suitable available positions and, with regard to positions advertised by a third party commissioning the Data Controller for workforce placement, conducting the selection procedure and forwarding the Data Subject’s application to such third party. | For 3 months from the date of obtaining the personal data, but no later than until the Data Subject withdraws consent. |
4. Data necessary for carrying out the payment transaction under the contract: | Compliance with a Legal Obligation | Enabling proper accounting for the use of services provided by the Data Controller (specifically, the issuing of invoices by the Data Controller). | The Data Controller processes these personal data as accounting documents for 8 (eight) years pursuant to Section 169(2) of Act C of 2000 on Accounting. |
5. Data processed for the management of possible legal disputes: | Legitimate Interest | If a legal dispute arises, the processing of certain personal data becomes necessary for the settlement of the dispute, in particular data enabling the identification of the Data Subject and communication with them. | Until the final settlement and closure of the legal dispute. |
The Data Controller primarily carries out activities related to IT professional placement, within the framework of which it processes personal data in relation to both persons and organisations seeking resources and persons and organisations seeking (work) opportunities.
In the course of its activities, the Data Controller establishes contractual relationships with persons seeking IT professionals, who are typically not natural persons; therefore, the processing of personal data can only be discussed in relation to the natural-person contact designated by the given person.
Through the Website, the Data Controller provides IT professionals with the opportunity to choose from various opportunities and, by contacting the Data Controller (during which they may also provide their CV), to request information from the Data Controller about future opportunities relevant to them.
A prerequisite for using the IT professional placement service provided by the Data Controller is that all Data Subjects become familiar with the content of this Notice and accept it as binding upon themselves.
By sending their CV to the Data Controller and accepting this Notice, persons seeking (work) opportunities expressly consent to and at the same time request that the Data Controller inform them about opportunities relevant to them, use their personal data during the selection procedure where necessary, and potentially forward such data to persons and organisations seeking resources.
7. Data transfer and processors
The Data Controller forwards the personal data provided by persons personally involved in the performance of tasks to persons or organisations seeking resources. By providing their personal data, the Data Subject expressly acknowledges and consents to the transfer of their personal data to the person or organisation seeking a (work) resource.
We further inform you that the Data Controller may carry out data transfer activities in particular to processors and authorities.
In the context of data transfer to an authority, the Data Controller is entitled and obliged to forward all lawfully stored data to the competent authorities. Such data transfer may be based on law or a final and binding authority decision; the Data Controller cannot be held liable for consequences arising from such data transfer.
If the Data Controller uses a processor during processing, it forwards the personal data related to the data subjects to the processor for the implementation of the purpose of processing and warrants that, in such cases, the processor processes the personal data exclusively for the purpose described in Section 6. Processors may not make substantive decisions concerning the processing; they may process the personal data that come to their knowledge exclusively in accordance with the Data Controller’s instructions, may not process data for their own purposes, and are obliged to store and retain personal data in accordance with the Data Controller’s instructions.
In the course of processing personal data, the Data Controller uses the following processors:
Name and registered office of processor | Scope of transferred data | Purpose of data transfer and activity of processor |
Rackhost Zrt. (6722 Szeged, Tisza Lajos körút 41.) | All personal data specified in Section 6 of this Notice. | Provision of IT services to the Data Controller |
Soltész Doktor Kft. (2060 Bicske, Szent István út 5.) | Personal data specified in Sections 6.1–2 and 6.4 of this Notice, related to contract conclusion / performance and invoicing. | Provision of accounting services to the Data Controller |
The following persons may also have access to personal data:
The Data Controller draws the Data Subjects’ attention to the fact that, when using various social media platforms, the personal data transmitted are processed by the respective platform in accordance with the laws and privacy notice applicable to that platform.
Furthermore, the Data Controller’s website may in certain cases contain links to websites operated by third parties or to services provided by such persons, to which the privacy rules determined by the third party apply. In such cases, please read both the relevant general terms and conditions and the relevant privacy information carefully before using these services or providing your personal data to the third party. Since all such terms, operation and content are outside the Data Controller’s control, the Data Controller assumes no liability for them.
8. Data Subject rights
The right of the Data Subject relating to their personal data is a fundamental right that must be ensured throughout the entire processing.
The Data Controller draws the attention of data subjects to the fact that, unless excluded by law, they may exercise their data subject rights by sending a statement to the email address csaba.veres@strategyproconsulting.com. The Data Controller shall examine and respond to the statement within the shortest possible time from receipt, but no later than within 30 days, and shall take the necessary steps based on the statement, this Notice and the applicable laws.
In connection with providing information on data subject requests, the Data Controller may charge a reasonable fee only if the request is clearly unfounded or excessive, in particular because of its repetitive nature; in such cases, the Data Controller may also refuse to act on the request.
If the Data Subject wishes to exercise their rights, the Data Controller must identify them. If the Data Controller has reasonable doubts as to the legitimacy of the data subject request, including expressly the identity of the Data Subject, the Data Controller may request additional information necessary to confirm the Data Subject’s identity. The Data Controller may refuse to comply with the data subject request if it proves that the Data Subject cannot be reliably identified.
If the Data Controller refuses to comply with the Data Subject’s request, it is obliged to provide information on the reasons for the lack of action and on the legal remedies available to the Data Subject.
Within the duration of processing, the Data Subject is entitled to the following rights:
Right | Description |
Right to information | At the time of obtaining the personal data, or if the Data Subject subsequently requests information, when such information is provided, the Data Subject must be informed about the essential aspects of processing, primarily by making this Notice available. In addition, the Data Subject is entitled at any time to request information as to whether their personal data are being processed and, if so, about the scope of personal data processed by the Data Controller concerning them, the source of such data, the purpose, legal basis and duration of processing, the names and addresses of any processors, activities related to the processing, and, where personal data are transferred, about who has received or will receive the Data Subject’s data and for what purpose. |
Right of access | Upon request, we provide access to the personal data processed and to the information related to the processing detailed in this Notice. Upon the Data Subject’s request, the Data Controller shall provide the Data Subject with a copy of the personal data subject to processing. For additional copies requested by the Data Subject, the Data Controller may charge a reasonable fee based on administrative costs. If the Data Subject submitted the request electronically, the information must be provided in a commonly used electronic format, unless the Data Subject requests otherwise. |
Right to rectification | Upon request, we rectify and supplement inaccurate data without undue delay. |
Right to erasure | Upon request, we erase those personal data for the retention of which we have no legal obligation. Where processing is based on Article 6(1)(a) of the GDPR (consent), the Data Subject is entitled to withdraw consent at any time; however, this shall not affect the lawfulness of processing carried out on the basis of consent before its withdrawal. |
Right to restriction of processing | Upon request, and in the cases permitted by applicable laws, we restrict the processing of personal data. |
Right to object | The Data Subject is entitled, where processing is based on Article 6(1)(f) of the GDPR, to object at any time, on grounds relating to their particular situation, to the processing of their personal data. In this case, the Data Controller may no longer process the personal data, unless the Data Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the Data Subject, or which are related to the establishment, exercise or defence of legal claims. |
Right to data portability | Upon request, provided that the processing is based on Consent or Performance of a Contract or is carried out by automated means, the Data Subject shall receive the personal data concerning them which they have provided to the Data Controller in a structured, commonly used and machine-readable format, and shall have the right to transmit those data to another controller without hindrance from the original Data Controller. |
9. Right to turn to an authority and to a court
In relation to legal remedies and complaints connected to data processing, complaints may be submitted to the Hungarian National Authority for Data Protection and Freedom of Information:
postal address: 1055 Budapest, Falk Miksa u. 9-11.
telephone number: +36 (1) 391-1400
email address: ugyfelszolgalat@naih.hu
website: www.naih.hu
Data Subjects also have the right to turn to a court. Under the relevant provisions of the GDPR, proceedings against the Data Controller must be initiated before the court of the Member State where the Data Controller has an establishment, which in this case is a Hungarian court. Among Hungarian courts, the regional court has jurisdiction to proceed in relation to the Data Subject’s complaint. The lawsuit may also be initiated, at the Data Subject’s choice, before the regional court competent according to the Data Subject’s place of residence. The list and contact details of regional courts can be viewed via the following link: www.birosag.hu/torvenyszekek
10. Data security and procedure in the event of a personal data breach
The Data Controller undertakes to ensure the security of data in accordance with the GDPR and the Info Act, keeping the rights of Data Subjects in mind. As part of this, the Data Controller takes all necessary measures to ensure the secure and damage-free processing of data and the establishment and operation of the data processing systems required for this. The Data Controller ensures that unauthorised persons cannot access, disclose, transmit, modify or erase the processed data.
The Data Controller stores the personal data named above at its registered office, in its own IT system, and on the servers of the processors responsible for hosting services.
Personal data may be accessed by persons acting within the Data Controller’s sphere of interest – in particular agents and employees – for whom this is necessary for the performance of their activities and who are aware of and know the obligations related to the processing of data.
In addition to the above, the Data Controller undertakes to ensure data security with the most up-to-date and appropriate equipment and security rules, with particular regard to preventing unauthorised access to data and preventing data from being unlawfully disclosed, erased or destroyed. It makes every effort to ensure that data are not accidentally damaged or destroyed. The Data Controller also imposes the above undertaking on its employees involved in data processing activities.
Any event in which personal data are accessed, modified, lost or disclosed without authorisation – whether accidentally or intentionally – qualifies as a personal data breach.
The Data Controller investigates all personal data breaches and keeps records of them in accordance with legal requirements. If the personal data breach that has occurred is likely to result in a risk to the rights and freedoms of data subjects, the Data Controller shall notify the supervisory authority within 72 hours of becoming aware of it and, in the event of a higher risk, shall also notify the Data Subjects.
11. Cookie notice
A cookie is a small text file that is stored on the hard drive of the Data Subject’s computer or mobile device until the expiry time set in the cookie and is reactivated during subsequent visits. Its purpose is to record information related to the visit and personal settings; however, such data cannot be linked to the visitor’s person. Cookies also help create a user-friendly website and mobile application and enhance the Data Subject’s online experience.
By consenting to the storage of statistical and marketing cookies appearing on online interfaces, and by accessing and using the Data Controller’s online interfaces, the Data Subject consents to the storage and collection of other local storage technologies, data collectors and other data on their devices.
Based on the above, the classification of cookies used on the Websites is as follows:
It is important that the data subject has the possibility to delete cookies from their own device and can generally configure the browser to accept or reject all cookies. In general, the browser’s “Help” function provides guidance on how to set cookie rules in the browser. Certain online functions, however, require cookies to work, so disabling them may affect the use of online interfaces or certain parts of them and the user experience.