GDPR Compliance

Data Protection Notice

Dear Partner,

This document (Data Protection Notice) aims to inform individuals or clients (hereinafter referred to as "Data Subjects") associated with GLOBEFOX s.r.o. (hereinafter referred to as "Data Controller") about the processing of their personal data, the measures taken to protect this data, and the rights and obligations of the Data Subjects.

Data Controller's Information:

Company Name: Globefox s.r.o.

Registered Office: Sabinovská 65/9 821 03 Bratislava, SVK

VAT ID/DIČ: 2121882763

Company ID/IČO: 55100376


Phone: +421917705884

CEO: Somogyi Antónia

1. Legal Basis for Data Processing

The Data Controller undertakes to carry out its activities in this regard in accordance with the applicable laws and regulations at any given time. Relevant legal provisions:

  • Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, or GDPR for short),

  • Act CXII of 2011 on Informational Self-Determination and Freedom of Information (Info Act).

In matters not regulated by this document, the provisions of the Hungarian regulations in force at any given time shall be decisive, with particular regard to the legal provisions mentioned in point 1.

2. Definitions

Personal data: Any information related to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

Data controller: The natural or legal person, public authority, agency, or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

Processing: Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

Restriction of processing: The marking of stored personal data with the aim of limiting their processing in the future.

Processor: A natural or legal person, public authority, agency, or any other body which processes personal data on behalf of the controller.

Processing operations: The technical tasks associated with processing, regardless of the methods and means employed or the location of the application.

Recipient: A natural or legal person, public authority, agency, or any other body to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.

Third party: A natural or legal person, public authority, agency, or any other body other than the data subject, controller, processor, and persons who, under the direct authority of the controller or processor, are authorized to process personal data.

The data subject's consent: Any freely given, specific, informed, and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

Data transfer: Making data accessible to a specific third party.

Public disclosure: Making data accessible to anyone.

Data erasure: Rendering data unrecognizable in such a way that their restoration is no longer possible.

Data blocking: The permanent or temporary prevention of the transfer, recognition, public disclosure, alteration, modification, destruction, erasure, combination, or alignment, and usage of the data.

Data destruction: The complete physical destruction of the data or the medium containing the data.

Data protection incident: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.

3. Purpose of Data Processing

The most common purposes of data processing (not exhaustive) are:

- Communication with prospective and existing clients (e.g., corporate customers, subcontractors, suppliers, and official contacts, as well as private individuals),
- In case of purchase, the creation, definition, modification, monitoring of the contract, delivery of the ordered product, invoicing of its consideration, enforcement of related claims, documentation of compliance with performance, fulfillment of accounting obligations,
- Communication with prospective and existing employees,
- Management of documents and records containing the data of Data Subjects (e.g., business contracts, employment contracts, etc.),
- Fulfillment of contractual obligations,
- Enforcement of the Data Controller's rights,
- Data processing for business acquisition purposes,
- Compliance with legal obligations.

The Data Controller processes personal data solely for the purpose of exercising rights and fulfilling obligations based on consent, contract, legitimate interest, or legal requirements concerning the data subjects.

### Lawfulness of Data Processing

Our company (Data Controller) conducts personal data processing in accordance with this agreement and Article 6 of the General Data Protection Regulation (EU) 2016/679 of the European Parliament and the Council.

The Data Controller respects the constitutional fundamental right to the protection of personal data, which entails that everyone has control over the disclosure and use of their personal data, the regulations concerning the confidentiality of correspondence, and the right to maintain business secrets.

The Data Controller processes personal data only for the purposes defined in this data processing notice, to exercise lawful rights and fulfill obligations to the extent and for the duration necessary to achieve the purpose, and only those data that are essential for realizing the purpose of data processing.

The Data Controller processes the legally required data of natural persons who enter into business relationships with it as customers or suppliers, based on legal obligation, particularly for the fulfillment of accounting and tax obligations prescribed by law (accounting, taxation). The processed data include, but are not limited to: tax number, name, address, tax status as per Act CXXVII of 2017 on Value Added Tax, sections 169 and 202; name, address, designation of the person or organization ordering the economic transaction, the signatory and the person certifying the execution as per Act C of 2000 on Accounting, section 167; signature of the recipient on stock movement documents and cash handling documents, and the payer's signature on receipts; entrepreneurial certificate number, farmer's certificate number, tax identification number as per Act CXVII of 1995 on Personal Income Tax.

In contracts with legal entities, the legal basis for processing the contact data of natural persons is the legitimate interest of the Data Controller or the fulfillment of the contract, and the Data Controller may request the consent of the data subject for the processing as necessary.

The processing of personal data for direct business acquisition purposes is deemed to be based on the legitimate interest of the Data Controller, with the provision that the data subject may object to the data processing, in which case their data must be deleted. (According to Act XLVIII of 2008, section 6: “... advertising addressed directly to a natural person as the recipient of the advertisement, particularly via electronic mail or equivalent means of communication – except as specified in subsection (4) – may only be communicated if the recipient has given prior, explicit consent”).

4. In cases not specified in the previous sections, personal data can only be processed with the voluntary, written consent of the data subject.

### Responsibility of the Data Controller

The Data Controller does not assume responsibility for the accuracy or content of the personal data provided by the data subject.

The Data Controller does not process or transmit special categories of personal data concerning the data subject (e.g., racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health data (except for fitness for work), sexual orientation, genetic and biometric data, criminal data, etc.). If such data is inadvertently acquired, it will be promptly deleted, and the data subject will be notified.

Personal data may only be processed or transferred to third parties in a manner different from what is specified in the data subject’s consent if the data subject has given prior consent to such processing or transfer.

The Data Controller strives to ensure the accuracy, completeness, and – if necessary for the purpose of processing – up-to-dateness of the data during data processing, provided that the data subject allows this. The Data Controller shall maintain the confidentiality of all personal and business secrets learned during data processing.

The Data Controller is responsible for ensuring data security and must take the necessary technical and organizational measures and establish internal policies required to enforce data protection regulations.

The Data Controller must protect personal data throughout the data processing period, especially against unauthorized access, alteration, transmission, public disclosure, deletion, or destruction, as well as accidental destruction and damage.

The detailed conditions and instructions for data processing are included in the Data Controller's internal Data Protection Policy, which applies to all employees involved in data processing.

### Processed Data
- Name, birth name, mother's name, residence, date and place of birth, tax number, bank account number, phone number, email address, represented company name, position, delivery address, billing address.

Additional data processing consent can be provided in a separate written consent form.

### Duration of Data Processing
Data processing is carried out for 8 years to fulfill accounting obligations as per Section 169 of Act C of 2000, or for the limitation period defined in Act XCII of 2003 on the Order of Taxation. If no invoice was issued in connection with the order, the order data is processed until the expiration of civil law claims, i.e., 5 years.

### Persons Authorized to Access the Data
Personal data can only be accessed by the Data Controller's authorized employees, agents, and authorities authorized by specific laws. The personal data on contracts and invoices can be accessed by the entity performing the Data Controller's accounting.

The Data Controller’s employees, agents, and accountants are bound by their respective contracts to treat personal data obtained during their work as confidential.

### Data Transfer
The Data Controller may only transfer personal data to a third party with the prior approval of the data subject. This does not apply to mandatory data transfers prescribed by law, which occur only in exceptional cases. Before fulfilling any official data request, the Data Controller will examine the legal basis for the data transfer for each individual data item.

Rights and Obligations of Data Subjects

According to the relevant legislation (see Section 1), the Data Subject has the following rights and obligations concerning their personal data with the Data Controller:

- Right to access the conditions of personal data processing,
- Right to rectification of data,
- Right to erasure or restriction (except for mandatory data processing),
- Right to blocking,
- Right to object,
- Right to data portability.

### Right to Access the Conditions of Personal Data Processing

Data Subjects may request information from the Data Controller about the processing of their personal data. The information request may cover the data subject's data processed by the Data Controller, the purpose of data processing, the legal basis, the duration, the name and address (headquarters) of the data processor, the activities related to data processing, and who has received or will receive the data and for what purpose.

Upon the Data Subject's request for information, the Data Controller will provide the information in writing, in an understandable form, within 30 days from the submission of the request at the latest. The information is provided free of charge if the Data Subject has not submitted a request for information on the same area to the Data Controller in the current year. In other cases, the information is provided against reimbursement of the incurred costs.

### Right to Rectification

If personal data do not correspond to reality and the Data Controller possesses the correct personal data, the Data Controller will rectify the personal data. The Data Subject has the right to request the rectification of their personal data from the Data Controller by specifying the correct data. The Data Controller will make the rectification in its records and inform the Data Subject of the rectification.

### Right to Erasure and Restriction

The Data Subject can withdraw their previously given consent for data processing at any time, in part or in whole, without justification. Exceptions include personal data that need to be processed based on legal requirements or for fulfilling contractual obligations with the Data Subject.

Upon receiving notification of the withdrawal of consent, the Data Controller will immediately terminate the data processing, permanently delete the affected personal data from its records, instruct the Data Processor (if any) and any third parties involved in data transfer to do the same, and inform the Data Subject of the completion of these actions.

The Data Controller will delete personal data if the processing is unlawful, the Data Subject requests it, the purpose of the data processing has ceased, the statutory period for data storage has expired, or it has been ordered by a court or the data protection authority.

### Right to Blocking

Instead of deletion, the Data Controller will block the personal data if the Data Subject requests it, or if based on available information, it can be assumed that deletion would harm the legitimate interests of the Data Subject. Such blocked personal data may only be processed as long as the data processing purpose that excluded deletion persists.

### Right to Object

The Data Subject may object to the processing of their personal data if:

- The processing or transfer of personal data is necessary solely for the fulfillment of the Data Controller's legal obligations or for the assertion of the legitimate interests of the Data Controller, the data recipient, or a third party, except in the case of mandatory data processing,
- The personal data is used or transferred for direct marketing, public opinion polling, or scientific research purposes,
- In other cases specified by law.

### Right to Data Portability

The Data Subject has the right to receive their personal data from the Data Controller in a printed format and transfer those data to another data controller. The Data Subject can also request direct data transfer between data controllers.

### Right to Lodge a Complaint with a Supervisory Authority

The Data Subject has the right to lodge a complaint with a supervisory authority, particularly in the member state of their habitual residence, place of work, or place of the alleged infringement, if they believe that the processing of their personal data violates the Regulation. The supervisory authority where the complaint has been lodged must inform the complainant about the procedural developments and the outcome of the complaint, including the right to seek judicial remedy. These rules are outlined in Article 77 of the Regulation.

### Right to an Effective Judicial Remedy Against a Supervisory Authority

Without prejudice to other administrative or non-judicial remedies, every natural and legal person has the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning them.

Without prejudice to any other administrative or non-judicial remedy, each Data Subject has the right to an effective judicial remedy where the competent supervisory authority does not handle a complaint or does not inform the Data Subject within three months on the progress or outcome of the complaint lodged.

Proceedings against a supervisory authority should be initiated before the courts of the member state where the supervisory authority is established.

If proceedings are brought against a decision of a supervisory authority that has been previously reviewed by the Board under the consistency mechanism, the supervisory authority shall submit the opinion or decision of the Board to the court. These rules are outlined in Article 78 of the Regulation.

### Right to an Effective Judicial Remedy Against a Data Controller or Processor

Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority, each Data Subject has the right to an effective judicial remedy where they consider that their rights under the Regulation have been infringed as a result of the processing of their personal data in non-compliance with the Regulation.

Proceedings against a data controller or a processor should be initiated before the courts of the member state where the data controller or processor has an establishment. Such proceedings may also be brought before the courts of the member state where the Data Subject has their habitual residence, unless the data controller or processor is a public authority of a member state acting in the exercise of its public powers. These rules are outlined in Article 79 of the Regulation.


Data Security, Data Protection Incident

The Data Controller takes all necessary measures to ensure the safe and intact handling of data and to establish and operate the necessary data management systems.

The Data Controller ensures that unauthorized persons cannot access, disclose, transmit, modify, or delete the managed data.

The Data Controller does everything within its power to ensure that data is not accidentally damaged or destroyed.

If data security is so severely compromised that it likely poses a high risk to the rights and freedoms of the Data Subject (e.g., unauthorized access to personal data), constituting a so-called data protection incident, the Data Controller is obligated to notify the relevant authority (the National Authority for Data Protection and Freedom of Information, abbreviated as NAIH) and the Data Subject within 72 hours.


Pozsony, 2023.07.01.
