Privacy Policy

(Effective date: 19 May 2026)

StrategyPro Consulting Korlátolt Felelősségű Társaság (registered office: 8100 Várpalota, Újlaki út 1, 4th floor, door 17; company registration number: 19-09-524889; tax number: 32716168-2-19; hereinafter: the “Data Controller”) has prepared this privacy notice (hereinafter: the “Notice”) in order to ensure high-quality operation and compliance with the applicable data protection laws in force from time to time. This Notice contains information on the activities carried out by the Data Controller in connection with the processing of personal data, in accordance with Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information (hereinafter: the “Info Act”) and Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation, hereinafter: the “GDPR”).

The purpose of this Notice is to inform the persons concerned by the processing of personal data, no later than at the time the personal data is obtained, about the information specified in Section 16 (1)–(2) of the Info Act and Article 13 of the GDPR, and to ensure that they may become familiar with the practice, purposes, legal bases and principles of the related data processing, in order to exercise their right to prior information.

Any person whose personal data is processed by the Data Controller (hereinafter: the “Data Subject”) is required to familiarise themselves with this Notice and acknowledge its provisions.

Where the personal data is provided to the Data Controller by the Data Subject, or where a data transfer takes place (i.e. the personal data is not provided to the Data Controller by the Data Subject), the authenticity and accuracy of the personal data shall be the sole responsibility of the Data Subject or the person providing the personal data, and the Data Subject / person providing the personal data shall be obliged to keep such data up to date. Where the personal data does not originate from the Data Subject, the person providing the personal data warrants that they have the appropriate authorisation and entitlement to make the personal data available to the Data Controller. The Data Controller shall not assume any liability for any deficiencies related to the data provided, or for any consequences arising from such deficiencies or inaccuracies, and expressly excludes its liability in this regard.

The Data Controller acknowledges the data processing rules detailed in this Notice as binding upon itself and carries out its data processing activities in accordance with these rules.

This Notice is continuously available and retrievable in Hungarian on the website available at www.strategyproconsulting.com (hereinafter: the “Website”), and in paper form at the registered office of the Data Controller.

The circumstances of data processing may change from time to time, and the Data Controller may decide at any time to supplement its ongoing data processing with a new data processing purpose; therefore, the Data Controller reserves the right to amend this Notice at any time. The Data Controller shall notify the Data Subjects of any amendment to this Notice primarily via the Website.

1. Name and contact details of the Data Controller

StrategyPro Consulting Korlátolt Felelősségű Társaság

Postal address: 8100 Várpalota, Újlaki út 1, 4th floor, door 17

Telephone number: +36 20 323 4298

Email address: csaba.veres@strategyproconsulting.com

Represented by: Csaba Veres, managing director

2. Data Protection Officer

The Data Controller is not required to appoint a data protection officer.

3. Definitions

personal data: Any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, number, location data, online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

processing: Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

controller: The specific person who, alone or jointly with others, determines the purposes and means of processing.

processor: A natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller.

recipient: A natural or legal person, public authority, agency or any other body to which personal data is disclosed, whether or not a third party. Public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of such data by those public authorities shall comply with the applicable data protection rules according to the purposes of the processing.

data subject: A natural person whose personal data is the subject of processing.

GDPR: An acronym formed from the initials of General Data Protection Regulation. In Hungarian: Általános Adatvédelmi Rendelet; Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.

Terms used in this Notice that are not defined in this section shall, in the absence of a specific different definition, be interpreted in accordance with the meanings used in the GDPR.

4. Principles of data processing

The processing carried out by the Data Controller complies with the data processing principles of the GDPR, which are as follows:

Principle of lawfulness, fairness and transparency: Personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject.

Principle of purpose limitation: Personal data must be collected only for specified, explicit and legitimate purposes and must not be processed in a manner that is incompatible with those purposes.

Principle of data minimisation: Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

Principle of accuracy: Personal data must be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate in relation to the purposes for which they are processed are erased or rectified without delay.

Principle of storage limitation: Personal data must be kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the personal data are processed.

Principle of integrity and confidentiality: Personal data must be processed in a manner that ensures appropriate security of the personal data by using appropriate technical or organisational measures, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.

Principle of accountability: The Data Controller is responsible for compliance with the principles and must be able to demonstrate such compliance.

5. Possible legal bases for data processing

The Data Controller may process the personal data of the Data Subject where one of the following legal bases exists:

a) pursuant to Article 6(1)(a) of the GDPR, the data subject’s voluntary consent to processing based on appropriate information (hereinafter: “Consent”);

b) pursuant to Article 6(1)(b) of the GDPR, processing is necessary for the performance of a contract to which the data subject is party (hereinafter: “Performance of a Contract”);

c) pursuant to Article 6(1)(c) of the GDPR, processing is necessary for compliance with a legal obligation to which the controller is subject (such as compliance with accounting and bookkeeping obligations – hereinafter: “Compliance with a Legal Obligation”);

d) pursuant to Article 6(1)(d) of the GDPR, processing is necessary in order to protect the vital interests of the data subject or of another natural person (hereinafter: “Vital Interest”);

e) pursuant to Article 6(1)(e) of the GDPR, processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller (hereinafter: “Processing Related to the Performance of Public Interest Tasks”);

f) pursuant to Article 6(1)(f) of the GDPR, processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party (hereinafter: “Legitimate Interest”).

6. Scope of processed data and the related legal basis and purpose of processing

Scope of processed data

Legal basis

Purpose

Duration of processing

1. Data necessary for the establishment and performance of a contractual relationship – where the contracting party is a natural person:

• surname and first name
• birth name
• mother’s name
• place and date of birth
• residential address
• tax identification number
• email address
• telephone number

Performance of a Contract

Enabling the use and provision of the services provided by the Data Controller (specifically, the conclusion and performance of the contract for the provision of services).

Considering that the processing is carried out for the performance of a contract, personal data are processed until the statutory limitation period for the rights and obligations arising from the underlying obligation (contract) expires, or until the retention period prescribed by laws governing retention expires.

2. Data necessary for the establishment and performance of a contractual relationship – where the contracting party is not a natural person:

• surname and first name of the contact person
• email address
• telephone number
• position

Performance of a Contract

Enabling the use and provision of the services provided by the Data Controller (specifically, the conclusion and performance of the contract for the provision of services).

Considering that the processing is carried out for the performance of a contract, personal data are processed until the statutory limitation period for the rights and obligations arising from the underlying obligation (contract) expires, or until the retention period prescribed by laws governing retention expires.

3. Personal data provided via the contact form available on the Website:

• surname and first name
• email address
• personal data that may appear in the free-text message
• personal data that may appear in an uploaded and submitted CV, including in particular, but not limited to, data relating to previous workplaces, studies and education, qualifications and spoken languages.

Consent

Informing the Data Subject about suitable available positions and, with regard to positions advertised by a third party commissioning the Data Controller for workforce placement, conducting the selection procedure and forwarding the Data Subject’s application to such third party.

For 3 months from the date of obtaining the personal data, but no later than until the Data Subject withdraws consent.

4. Data necessary for carrying out the payment transaction under the contract:

• billing name
• billing address
• email address
• telephone number

Compliance with a Legal Obligation

Enabling proper accounting for the use of services provided by the Data Controller (specifically, the issuing of invoices by the Data Controller).

The Data Controller processes these personal data as accounting documents for 8 (eight) years pursuant to Section 169(2) of Act C of 2000 on Accounting.

5. Data processed for the management of possible legal disputes:

• surname and first name
• email address
• telephone number
• residential address

Legitimate Interest

If a legal dispute arises, the processing of certain personal data becomes necessary for the settlement of the dispute, in particular data enabling the identification of the Data Subject and communication with them.

Until the final settlement and closure of the legal dispute.

The Data Controller primarily carries out activities related to IT professional placement, within the framework of which it processes personal data in relation to both persons and organisations seeking resources and persons and organisations seeking (work) opportunities.

In the course of its activities, the Data Controller establishes contractual relationships with persons seeking IT professionals, who are typically not natural persons; therefore, the processing of personal data can only be discussed in relation to the natural-person contact designated by the given person.

Through the Website, the Data Controller provides IT professionals with the opportunity to choose from various opportunities and, by contacting the Data Controller (during which they may also provide their CV), to request information from the Data Controller about future opportunities relevant to them.

A prerequisite for using the IT professional placement service provided by the Data Controller is that all Data Subjects become familiar with the content of this Notice and accept it as binding upon themselves.

By sending their CV to the Data Controller and accepting this Notice, persons seeking (work) opportunities expressly consent to and at the same time request that the Data Controller inform them about opportunities relevant to them, use their personal data during the selection procedure where necessary, and potentially forward such data to persons and organisations seeking resources.

7. Data transfer and processors

The Data Controller forwards the personal data provided by persons personally involved in the performance of tasks to persons or organisations seeking resources. By providing their personal data, the Data Subject expressly acknowledges and consents to the transfer of their personal data to the person or organisation seeking a (work) resource.

We further inform you that the Data Controller may carry out data transfer activities in particular to processors and authorities.

In the context of data transfer to an authority, the Data Controller is entitled and obliged to forward all lawfully stored data to the competent authorities. Such data transfer may be based on law or a final and binding authority decision; the Data Controller cannot be held liable for consequences arising from such data transfer.

If the Data Controller uses a processor during processing, it forwards the personal data related to the data subjects to the processor for the implementation of the purpose of processing and warrants that, in such cases, the processor processes the personal data exclusively for the purpose described in Section 6. Processors may not make substantive decisions concerning the processing; they may process the personal data that come to their knowledge exclusively in accordance with the Data Controller’s instructions, may not process data for their own purposes, and are obliged to store and retain personal data in accordance with the Data Controller’s instructions.

In the course of processing personal data, the Data Controller uses the following processors:

Name and registered office of processor

Scope of transferred data

Purpose of data transfer and activity of processor

Rackhost Zrt. (6722 Szeged, Tisza Lajos körút 41.)

All personal data specified in Section 6 of this Notice.

Provision of IT services to the Data Controller

Soltész Doktor Kft. (2060 Bicske, Szent István út 5.)

Personal data specified in Sections 6.1–2 and 6.4 of this Notice, related to contract conclusion / performance and invoicing.

Provision of accounting services to the Data Controller

The following persons may also have access to personal data:

  • persons in an agency or employment relationship with the Data Controller;
  • the legal representative of the Data Controller.

The Data Controller draws the Data Subjects’ attention to the fact that, when using various social media platforms, the personal data transmitted are processed by the respective platform in accordance with the laws and privacy notice applicable to that platform.

Furthermore, the Data Controller’s website may in certain cases contain links to websites operated by third parties or to services provided by such persons, to which the privacy rules determined by the third party apply. In such cases, please read both the relevant general terms and conditions and the relevant privacy information carefully before using these services or providing your personal data to the third party. Since all such terms, operation and content are outside the Data Controller’s control, the Data Controller assumes no liability for them.

8. Data Subject rights

The right of the Data Subject relating to their personal data is a fundamental right that must be ensured throughout the entire processing.

The Data Controller draws the attention of data subjects to the fact that, unless excluded by law, they may exercise their data subject rights by sending a statement to the email address csaba.veres@strategyproconsulting.com. The Data Controller shall examine and respond to the statement within the shortest possible time from receipt, but no later than within 30 days, and shall take the necessary steps based on the statement, this Notice and the applicable laws.

In connection with providing information on data subject requests, the Data Controller may charge a reasonable fee only if the request is clearly unfounded or excessive, in particular because of its repetitive nature; in such cases, the Data Controller may also refuse to act on the request.

If the Data Subject wishes to exercise their rights, the Data Controller must identify them. If the Data Controller has reasonable doubts as to the legitimacy of the data subject request, including expressly the identity of the Data Subject, the Data Controller may request additional information necessary to confirm the Data Subject’s identity. The Data Controller may refuse to comply with the data subject request if it proves that the Data Subject cannot be reliably identified.

If the Data Controller refuses to comply with the Data Subject’s request, it is obliged to provide information on the reasons for the lack of action and on the legal remedies available to the Data Subject.

Within the duration of processing, the Data Subject is entitled to the following rights:

Right

Description

Right to information

At the time of obtaining the personal data, or if the Data Subject subsequently requests information, when such information is provided, the Data Subject must be informed about the essential aspects of processing, primarily by making this Notice available. In addition, the Data Subject is entitled at any time to request information as to whether their personal data are being processed and, if so, about the scope of personal data processed by the Data Controller concerning them, the source of such data, the purpose, legal basis and duration of processing, the names and addresses of any processors, activities related to the processing, and, where personal data are transferred, about who has received or will receive the Data Subject’s data and for what purpose.

Right of access

Upon request, we provide access to the personal data processed and to the information related to the processing detailed in this Notice. Upon the Data Subject’s request, the Data Controller shall provide the Data Subject with a copy of the personal data subject to processing. For additional copies requested by the Data Subject, the Data Controller may charge a reasonable fee based on administrative costs. If the Data Subject submitted the request electronically, the information must be provided in a commonly used electronic format, unless the Data Subject requests otherwise.

Right to rectification

Upon request, we rectify and supplement inaccurate data without undue delay.

Right to erasure

Upon request, we erase those personal data for the retention of which we have no legal obligation. Where processing is based on Article 6(1)(a) of the GDPR (consent), the Data Subject is entitled to withdraw consent at any time; however, this shall not affect the lawfulness of processing carried out on the basis of consent before its withdrawal.

Right to restriction of processing

Upon request, and in the cases permitted by applicable laws, we restrict the processing of personal data.

Right to object

The Data Subject is entitled, where processing is based on Article 6(1)(f) of the GDPR, to object at any time, on grounds relating to their particular situation, to the processing of their personal data. In this case, the Data Controller may no longer process the personal data, unless the Data Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the Data Subject, or which are related to the establishment, exercise or defence of legal claims.

Right to data portability

Upon request, provided that the processing is based on Consent or Performance of a Contract or is carried out by automated means, the Data Subject shall receive the personal data concerning them which they have provided to the Data Controller in a structured, commonly used and machine-readable format, and shall have the right to transmit those data to another controller without hindrance from the original Data Controller.

9. Right to turn to an authority and to a court

In relation to legal remedies and complaints connected to data processing, complaints may be submitted to the Hungarian National Authority for Data Protection and Freedom of Information:

postal address: 1055 Budapest, Falk Miksa u. 9-11.

telephone number: +36 (1) 391-1400

email address: ugyfelszolgalat@naih.hu

website: www.naih.hu

Data Subjects also have the right to turn to a court. Under the relevant provisions of the GDPR, proceedings against the Data Controller must be initiated before the court of the Member State where the Data Controller has an establishment, which in this case is a Hungarian court. Among Hungarian courts, the regional court has jurisdiction to proceed in relation to the Data Subject’s complaint. The lawsuit may also be initiated, at the Data Subject’s choice, before the regional court competent according to the Data Subject’s place of residence. The list and contact details of regional courts can be viewed via the following link: www.birosag.hu/torvenyszekek

10. Data security and procedure in the event of a personal data breach

The Data Controller undertakes to ensure the security of data in accordance with the GDPR and the Info Act, keeping the rights of Data Subjects in mind. As part of this, the Data Controller takes all necessary measures to ensure the secure and damage-free processing of data and the establishment and operation of the data processing systems required for this. The Data Controller ensures that unauthorised persons cannot access, disclose, transmit, modify or erase the processed data.

The Data Controller stores the personal data named above at its registered office, in its own IT system, and on the servers of the processors responsible for hosting services.

Personal data may be accessed by persons acting within the Data Controller’s sphere of interest – in particular agents and employees – for whom this is necessary for the performance of their activities and who are aware of and know the obligations related to the processing of data.

In addition to the above, the Data Controller undertakes to ensure data security with the most up-to-date and appropriate equipment and security rules, with particular regard to preventing unauthorised access to data and preventing data from being unlawfully disclosed, erased or destroyed. It makes every effort to ensure that data are not accidentally damaged or destroyed. The Data Controller also imposes the above undertaking on its employees involved in data processing activities.

Any event in which personal data are accessed, modified, lost or disclosed without authorisation – whether accidentally or intentionally – qualifies as a personal data breach.

The Data Controller investigates all personal data breaches and keeps records of them in accordance with legal requirements. If the personal data breach that has occurred is likely to result in a risk to the rights and freedoms of data subjects, the Data Controller shall notify the supervisory authority within 72 hours of becoming aware of it and, in the event of a higher risk, shall also notify the Data Subjects.

11. Cookie notice

A cookie is a small text file that is stored on the hard drive of the Data Subject’s computer or mobile device until the expiry time set in the cookie and is reactivated during subsequent visits. Its purpose is to record information related to the visit and personal settings; however, such data cannot be linked to the visitor’s person. Cookies also help create a user-friendly website and mobile application and enhance the Data Subject’s online experience.

By consenting to the storage of statistical and marketing cookies appearing on online interfaces, and by accessing and using the Data Controller’s online interfaces, the Data Subject consents to the storage and collection of other local storage technologies, data collectors and other data on their devices.

Based on the above, the classification of cookies used on the Websites is as follows:

  • Necessary cookies: Necessary cookies make it possible to use the website, are essential for proper operation, and are required for the use of certain basic functions.
  • Analytical cookies: These cookies help optimise the operation of the website and aim to improve performance and user experience. By enabling more thorough and deeper-level analysis, the cookies contribute to displaying advertisements and personalised content to users.

It is important that the data subject has the possibility to delete cookies from their own device and can generally configure the browser to accept or reject all cookies. In general, the browser’s “Help” function provides guidance on how to set cookie rules in the browser. Certain online functions, however, require cookies to work, so disabling them may affect the use of online interfaces or certain parts of them and the user experience.