SurveyTransfer Ltd. (Headquarters: 7629 Pécs, Fehérhegyi út 5. TT 22. a.; Company registration number: 02-09-087805; Tax number: 32339185-2-02; EU ID: HUOCCSZ.02-09-087805; e-mail: [email protected])
DATA PROTECTION RULES
On the basis of the European Parliament and of the Council
In effect from August 10, 2023
General provisions and contact information
Updating and availability of the Document
Insofar as you, in the course of registering on the website, provide us with personal data, this constitutes a recognition of the version in effect at that time.
In the course of the use of certain services, specific data protection conditions may be in effect about which you will be informed upon requesting that service.
Guiding legal principles
In the case of any data handled by us, the legal basis and the period over which it is in force are governed by the following:
– the rights of autonomy and freedom of information, as set out in Law CXII of 2011
– the law protecting the free flow of personal information concerning private individuals, that is, regulation 2016/679 of the European Parliament and Council of Europe (General Data Protection Regulation, GDPR)
Storing Your Preferences:
Login and Authentication:
We process information using cookies to help maintain product security and detect fraud and abuse.
Scope and Purpose of Data Processing
Providing your name and email address through the “LEAVE US A MESSAGE!” contact form on the website https://surveytransfer.net/ is mandatory in order to identify the sender of the message. This allows the Data Controller to establish personalized contact with the message sender.
In the course of newsletter subscription, providing your name and email address is mandatory; optionally, you can also provide the name of your company. The purpose of the newsletter is online marketing activities. The Data Controller sends regular updates about the latest blog posts in English (https://surveytransfer.net/blog/) and Hungarian (https://surveytransfer.net/blog-hu/) to registered users, and this is published on the SurveyTransfer website. Additionally, registered users can receive updates on the progress of SurveyTransfer software development.
Providing your name and email address through the “FEEDBACK!” option (https://surveytransfer.net/feedback/) is mandatory in order to identify the sender of the message. This allows the Data Controller to establish personalized contact with the message sender.
By subscribing to the SurveyTransfer data sharing service, the user acknowledges that his email address will be included in the database for marketing purposes managed by the data processor MailChimp c/o The Rocket Science Group, LLC (see “Data processors”), from which he can unsubscribe at any time via the unsubscribe link in the newsletters, or by sending a cancellation request to the email address.
When subscribing to the SurveyTransfer data sharing service, the following data can be entered: email address (mandatory), name (optional), company name (optional).
Persons Authorized for Data Processing
The Data Controller may engage data processors in certain cases to perform technical tasks related to data processing operations, and for the development of SurveyTransfer. The identities of the data processors are provided in this section. If the circle of data processors expands in the future, the relevant section of the Notice will be updated accordingly, and the individuals concerned will be informed in accordance with the Data Processing Policy.
Data Processors: The Data Controller will not transmit the personal data provided by you to any other person. If such transmission is necessary, it can only take place after the User has been informed and has given their consent. An exception to this is the transfer of data upon an official request from a governmental authority or court. Another exception is that the data is transferred to the following party solely for the purpose of fulfilling the email newsletter:
Name: MailChimp c/o The Rocket Science Group, LLC
Address: 675 Ponce de Leon Ave NE Suite 5000 Atlanta, GA 30308 USA
By subscribing to the newsletter on the website, the User gives their consent to receive marketing-related communications. You can unsubscribe from the newsletter at any time, free of charge, without restriction or justification, by using the unsubscribe link provided in the newsletters or by sending a deletion request to the email address. Upon unsubscribing from the newsletter, the personal data registered in connection with the sending of the newsletter will be deleted, and you will no longer receive newsletters or notifications from us.
Hosting Service Provider: For the website, we use the following company as our hosting service provider:
Name: Hostinger International Limited
Company Registration Number: CY10301365E
Registered Address: 61 Lordou Vironos Street 17, Lumiel Building, 4th floor, Larnaca, CY 6023, Cyprus
Physical Storage Location of the data: North Carolina, United States
Rights of data subjects:
The right to be informed (Articles 13-14 of the Regulation) The data subject has the right to be informed of facts and information concerning the processing of their data before the commencement of said data processing.
A) Information to be provided if personal data is collected from the data subject:
1.1. If personal data is collected from the data subject, the Data Controller shall provide the following information to the data subject at the time of obtaining said personal data:
a) The identity and contact details of the Data Controller and, if applicable, the Data Controller’s representative;
b) Contact details of the data protection officer, if applicable;
c) The purpose and legal basis of the intended processing of personal data;
d) In the case of processing based on Article 6(1)(f) of the Regulation (legitimate interests pursued by the Data Controller or a third party), the nature of those legitimate interests pursued by the Data Controller or a third party;
e) Where applicable, the recipients or categories of recipients of the personal data;
f) Where applicable, the fact that the Data Controller intends to transfer personal data to a third country or international organization, the existence of a Commission adequacy decision or, in the case of the transfers referred to in Article 46, 47 or 49(1) second subparagraph of the Regulation, the reference to the appropriate or suitable safeguards and the means to obtain a copy of them or where they have been made available.
1.2. In addition to the information mentioned in point 1.1, at the time of obtaining personal data, the Data Controller shall inform the data subject of the following supplementary information to ensure fair and transparent processing:
a) The period for which the personal data will be stored or, if not possible, the criteria used to determine that period;
b) The existence of the right to request from the Data Controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject and to object to such processing, as well as the right to data portability;
c) Where the processing is based on consent pursuant to Article 6(1)(a) or Article 9(2)(a) of the Regulation, the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
d) The right to lodge a complaint with a supervisory authority;
e) Whether the provision of personal data is a statutory or contractual requirement or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and the possible consequences of failure to provide such data;
f) The existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) of the Regulation and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
1.3. If the Data Controller intends to further process the personal data for a purpose other than that for which the personal data were collected, the Data Controller shall inform the data subject about this different purpose and provide any relevant supplementary information mentioned in paragraph (2) before such further processing.
1.4. The provisions of points 1.1-1.3 shall not apply to the extent that the data subject already has the information specified therein.
B) Information to be provided if personal data were not obtained from the data subject:
1.5. In addition to the data specified in point A/1.1: the categories of personal data of the data subject;
1.6. In addition to the data specified in point A/2, the source of personal data and whether the data originate from publicly accessible sources; the data subject must be informed.
1.7. The information referred to in points 1.5 and 1.6 shall be provided by the Data Controller as follows:
a) Taking into account the specific circumstances of the processing of personal data, within a reasonable period from the acquisition of the personal data, but no later than one month;
b) If the personal data are used for communication with the data subject, at the latest at the first contact with the data subject; or
c) If it is expected that the data will be disclosed to other recipients, at the latest at the time of the first disclosure of the personal data.
1.8. If the Data Controller intends to further process personal data for a purpose other than that for which the personal data were obtained, the data subject shall be informed of this different purpose and of all relevant supplementary information referred to in point 2 before such further processing.
1.9. Points 1.5 to 1.8 shall not apply or shall apply to a lesser extent if:
a) The data subject already has the information;
b) The provision of such information proves impossible or would involve a disproportionate effort, in particular for processing for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes, in compliance with the conditions and safeguards referred to in Article 89(1) of the Regulation, or if the obligation referred to in that paragraph is likely to render impossible or seriously impair the achievement of the objectives of such processing. In such cases, the Data Controller shall take appropriate measures, including making the information publicly available, to protect the rights, freedoms, and legitimate interests of the data subject;
c) The acquisition or disclosure of the data is expressly laid down by Union or Member State law to which the Data Controller is subject, which provides appropriate measures to protect the data subject’s legitimate interests; or
d) The personal data must remain confidential subject to an obligation of professional secrecy regulated by Union or Member State law, including a statutory obligation of secrecy.
The data subject’s right of access (Article 15 of the Regulation).
2.1. The data subject shall have the right to obtain from the Data Controller confirmation as to whether or not personal data concerning him or her are being processed and, if so, to access the personal data and the following information:
a) The purposes of the processing;
b) The categories of personal data concerned;
c) The recipients or categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organizations;
d) Where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
e) The existence of the data subject’s right to request from the Data Controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject, and to object to such processing;
f) The right to lodge a complaint with a supervisory authority;
g) Where the data were not collected from the data subject, any available information as to their source;
h) The fact of automated decision-making referred to in Article 22(1) and (4) of the Regulation, including profiling, as well as, at least in these cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
2.2. The Data Controller shall provide the data subject with a copy of the personal data undergoing processing. For any further copies requested by the data subject, the Data Controller may charge a reasonable fee based on administrative costs. If the data subject makes the request by electronic means, the information shall be provided in a widely used electronic format, unless otherwise requested by the data subject. The right to obtain a copy shall not adversely affect the rights and freedoms of others.
Right to rectification (Article 16 of the Regulation)
3.1. The data subject shall have the right to obtain from the Data Controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
Right to erasure (“right to be forgotten”) (Article 17 of the Regulation)
4.1. The data subject shall have the right to obtain from the Data Controller the erasure of personal data concerning him or her without undue delay, and the Data Controller shall have the obligation to erase personal data without undue delay if one of the following applies:
a) The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
b) The data subject withdraws consent on which the processing is based according to Article 6(1)(a) or Article 9(2)(a) of the Regulation, and where there is no other legal ground for the processing;
c) The data subject objects to the processing pursuant to Article 21(1) of the Regulation, and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2) of the Regulation;
d) The personal data have been unlawfully processed;
e) The erasure of personal data is required by Union or Member State law to which the Controller is subject;
f) The personal data were collected in relation to the offer of information society services referred to in Article 8(1) of the Regulation.
4.2. Where the Data Controller has made the personal data public and is obliged to erase them pursuant to the above, the Data Controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform other Data Controllers processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
4.3. Paragraphs 4.1 and 4.2 shall not apply to the extent that processing is necessary:
a) In order to exercise the rights of freedom of expression and information;
b) In order to comply with a legal obligation which requires processing by Union or Member State law to which the Data Controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller;
c) In cases of public interest in the area of public health in accordance with Article 9(2)(h) and (i) and Article 9(3) of the Regulation;
d) For the purpose of archiving in the public interest, scientific or historical research purposes, or statistical purposes in accordance with Article 89(1) of the Regulation, in so far as the right referred to in paragraph 4.1 would likely render impossible or seriously impair the achievement of the objectives of that processing, or
e) For the submission, enforcement, and protection of legal claims.
The right to restriction of processing (Article 18 of the Regulation)
5.1. The data subject has the right to request the Data Controller to restrict the processing of personal data if one of the following conditions is met:
a) The data subject disputes the accuracy of the personal data, in which case the restriction shall be for a period enabling the Data Controller to verify the accuracy of the personal data;
b) The processing is unlawful, and the data subject opposes the erasure of the data and requests the restriction of their use instead;
c) The Data Controller no longer needs the personal data for the purposes of the processing, but the data subject requires them for the submission, enforcement, or protection of legal claims; or
d) The data subject has objected to the processing pursuant to Article 21(1) of the Regulation; in this case, the restriction shall be for a period until it is determined whether the legitimate grounds of the Data Controller override those of the data subject.
5.2. Where processing has been restricted under point 5.1, such personal data, with the exception of storage, shall only be processed with the data subject’s consent or for the submission, enforcement, or protection of legal claims, or for the protection of the rights of another natural or legal person, or for reasons of important public interest of the Union or of a Member State.
5.3. The Data Controller shall inform any data subject whose processing has been restricted in accordance with point 1 in advance about the lifting of the restriction on processing.
The obligation to notify in connection with the rectification or erasure of personal data or restriction of processing (Article 19 of the Regulation)
6.1. The Data Controller shall communicate any rectification or erasure of personal data or restriction of processing to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. At the data subject’s request, the Data Controller shall inform them about these recipients.
Right to data portability (Article 20 of the Regulation)
7.1. The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used, machine-readable format, and shall have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, in the following cases:
a) The processing is based on consent pursuant to Article 6(1)(a) or Article 9(2)(a) of the Regulation, or on a contract pursuant to Article 6(1)(b) of the Regulation; and
b) The processing is carried out by automated means.
7.2. In exercising the right to data portability pursuant to point 7.1., the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.
7.3. The exercise of this right shall not prejudice the provisions of Article 17 of the Regulation. This right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
7.4. The right referred to in point 7.1. shall not adversely affect the rights and freedoms of others.
Right to object (Article 21 of the Regulation)
8.1. The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her based on Article 6(1)(e) (performance of a task carried out in the public interest or in the exercise of official authority) or (f) (legitimate interests pursued by the controller or a third party), including profiling based on those provisions. In such a case, the controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the data subject or for the establishment, exercise, or defense of legal claims.
8.2. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.
8.3. Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
8.4. The right referred to in points 8.1. and 8.2. shall be explicitly brought to the attention of the data subject and presented clearly and separately from any other information at the latest at the time of the first communication with the data subject.
8.5. In the context of the use of information society services and notwithstanding Directive 2002/58/EC, the data subject may exercise his or her right to object by automated means using technical specifications.
8.6. Where personal data are processed for scientific or historical research purposes or statistical purposes in accordance with Article 89(1) of the Regulation, the data subject shall have the right to object, on grounds relating to his or her particular situation, to the processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out in the public interest.
Automated individual decision-making, including profiling (Article 22 of the Regulation)
9.1. The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
9.2. Paragraph 9.1. shall not apply if the decision:
a) is necessary for entering into or performance of a contract between the data subject and the controller;
b) is authorized by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or
c) is based on the data subject’s explicit consent.
9.3. In cases referred to in points 9.2. (a) and (c), the controller shall implement suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view, and to contest the decision.
9.4. Decisions referred to in point 9.2. shall not be based on special categories of personal data referred to in Article 9(1) of the Regulation, unless point (a) or (g) of Article 9(2) is applicable and suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests are in place.
Limitations (Article 23 of the Regulation)
10.1. The Data Controller or Processor may restrict the scope of the rights and obligations set out in Articles 12 to 22 and Article 34 of the Regulation, which are in line with the rights and obligations defined in Articles 12 to 22, by means of legislative measures applicable under Union or Member State law, provided that such restrictions respect the essence of fundamental rights and freedoms and constitute a necessary and proportionate measure in a democratic society, with regard to:
a) National security;
c) Public security;
d) The prevention, investigation, detection, or prosecution of criminal offenses, or the execution of criminal penalties, including the protection against threats to public security and the prevention of such threats;
e) Other important objectives of general public interest of the Union or a Member State, in particular an important economic or financial interest of the Union or a Member State, including monetary, budgetary, and tax matters, public health, and social security;
f) The protection of judicial independence and judicial proceedings;
g) The prevention, investigation, detection, and prosecution of breaches of ethics in regulated professions;
h) In cases mentioned in points (a) to (e) and (g), the performance of tasks carried out in the public interest or in the exercise of official authority entrusted to the controller or processor, including monitoring, inspection, or regulatory activities;
i) The protection of the data subject’s or others’ rights and freedoms;
j) The enforcement of civil law claims.
10.2. The legislative measures referred to in point 1 shall contain specific provisions at least on:
a) The purposes of the processing or categories of processing;
b) The categories of personal data;
c) The scope of the limitations introduced;
d) Guarantees to prevent abuse or unlawful access or disclosure, including encryption methods that make the data unintelligible to unauthorized persons;
e) The designation of the controller or categories of controllers;
f) The retention periods and guarantees applicable, taking into account the nature, scope, and purposes of the processing or categories of processing;
g) The risks to the rights and freedoms of data subjects; and
h) The right of data subjects to be informed about the restriction, unless it could prejudice the purpose of the restriction.
Information to be provided to the data subject in the event of a personal data breach (Article 34 of the Regulation)
11.1. When a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the Data Controller shall inform the data subject of the personal data breach without undue delay.
11.2. The information provided to the data subject in accordance with paragraph 1 shall be presented in a clear and easily understandable manner and shall include at least the information and measures specified in points (b), (c), and (d) of Article 33(3) of the Regulation.
11.3. The obligation to notify the data subject referred to in paragraph 11.1 shall not apply if any of the following conditions are met:
a) The Data Controller has implemented appropriate technical and organizational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorized to access it, such as encryption;
b) The Data Controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects referred to in paragraph 11.1 is no longer likely to materialize;
c) It would involve a disproportionate effort. In such a case, the data subjects shall be informed through publicly available information or similar measures that ensure equally effective information.
11.4. If the Data Controller has not yet notified the data subject of the data breach, the supervisory authority, after considering whether the data breach is likely to result in a high risk, may order the data subject to be informed or determine that one of the conditions mentioned in point 11.3 is met.
Right to lodge a complaint with the supervisory authority (right to administrative remedy) (Regulation Article 77)
12.1. The data subject has the right to lodge a complaint with a supervisory authority, in particular in the Member State of their habitual residence, place of work, or the place of the alleged infringement, if the data subject considers that the processing of personal data relating to them infringes the Regulation.
12.2. The supervisory authority with which the complaint has been lodged shall inform the complainant of the progress and the outcome of the complaint, including the possibility of a judicial remedy under Article 78 of the Regulation.
Nemzeti Adatvédelmi és Információszabadság Hatóság
(National Authority for Data Protection and Freedom of Information)
1055 Budapest, Falk Miksa utca 9-11.
Tel.: (+36) 1/391-1400
E-mail: [email protected]
Right to an effective judicial remedy against the supervisory authority (Regulation Article 78)
13.1. Every natural or legal person has the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning them, or if the supervisory authority does not handle the complaint or does not inform the data subject within three months about the progress or outcome of the complaint.
Right to an effective judicial remedy against the controller or processor (Regulation Article 79)
14.1. Every data subject has the right to an effective judicial remedy if they consider that their rights under the Regulation or other applicable laws have been infringed as a result of the processing of their personal data that does not comply with the Regulation.
Data Security Measures, Confidentiality
Data Security Measures
1.1. Regarding data processing on the website https://surveytransfer.net/, the Data Controller is obliged to take the technical and organizational measures and establish the procedural rules necessary to enforce the Regulation and the Data Protection Act for the security of personal data.
1.2. The Data Controller protects the data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, and unauthorized access by appropriate measures.
1.3. To ensure IT and data protection, the Data Controller shall take the following measures:
Protection of software/hardware devices within the framework of protection against unauthorized access, including password-protected computers, network security, determination of authorization levels.
Protection against viruses in data files (application of firewalls, use of legally obtained software).
Measures ensuring the recoverability of data files (backup, separate handling of copies).
Physical protection of data files and the devices containing them (uninterruptible power supply for power outages, use of batteries, protection against fire and water damage, installation and use of an alarm system).
1.4. The Data Controller ensures control over incoming and outgoing electronic communication to protect personal data.
Data Protection Incidents
Definition of Data Protection Incidents
1.1. “Data protection incident”: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed. (Article 4(12) of the Regulation)
1.2. The most common incidents may include: insecure storage of personal data (e.g., discarded payment papers, left-behind contracts, other documents); insecure transmission of data; unauthorized copying or disclosure of customer and partner lists; server attacks, etc.
Handling and Remediation of Data Protection Incidents
2.1. It is the responsibility of the Data Controller to prevent and manage data protection incidents and ensure compliance with relevant legal requirements.
2.2. In case of a data protection incident report, the Data Controller must promptly investigate the report, identify the incident, and determine whether it is a genuine incident or a false alarm. The following aspects must be examined and determined:
a) The date and location of the incident;
b) Description, circumstances, and impact of the incident;
c) Scope and quantity of compromised data;
d) Individuals affected by the compromised data;
e) Description of measures taken to mitigate the incident;
f) Description of measures taken to prevent, remedy, or reduce harm.
2.3. In the event of a data protection incident, the affected systems, individuals, and data must be isolated and separated. Evidence supporting the occurrence of the incident must be collected and preserved. Afterward, the restoration of damages and lawful operation can be initiated.
2.4. The Data Controller must notify the supervisory authority of the data protection incident without undue delay but no later than 72 hours after becoming aware of it. (Article 33 of the Regulation) If the data protection incident is likely to result in a high risk to the rights and freedoms of natural persons, the data subjects must also be informed about the incident without undue delay.
Record-keeping of Data Protection Incidents
3.1. Records of data protection incidents must be maintained, including:
a) Scope of personal data affected;
b) Number and identity of individuals involved in the data protection incident;
c) Date and time of the data protection incident;
d) Circumstances and impact of the data protection incident;
e) Measures taken to address the data protection incident.
f) Other information required by the legislation governing data processing.
3.2. Data relating to data protection incidents in the record must be retained for a period of 5 years.
Establishment and Modification of the Policy
SurveyTransfer Ltd. (Headquarters: 7629 Pécs, Fehérhegyi út 5. TT 22. a.; Company registration number: 02-09-087805; Tax number: 32339185-2-02; EU ID: HUOCCSZ.02-09-087805; e-mail: [email protected]) is authorized to establish and modify the policy.