Biblioteca de cunoștințe

SystemLock Kft.
Effective: January 15, 2025

1. Introduction

SystemLock Kft. (the “Data Controller”, the “Company”) processes personal data in accordance with applicable data protection laws – in particular Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR) and Act CXII of 2011 (Infotv.) – and their provisions.

The purpose of this notice is to clearly explain what personal data we process, for what purposes, on what legal basis, for how long, who may access it, and what rights data subjects have.

2. Definitions (briefly)

• Personal data: any information relating to an identified or identifiable natural person.

• Processing: any operation performed on personal data (collection, storage, use, disclosure, erasure, etc.).

• Controller: the party that determines the purposes and means of processing.

• Processor: the party that processes personal data on behalf of the Controller, based on the Controller’s instructions (e.g., accountant, payment service provider).

3. Data Controller details

Name: SystemLock Kft.
Registered office: 1173 Budapest, Pesti út 17.
Website: syslock.hu
E-mail: info@syslock.hu
Phone: +36 30 157 0877
Company registration number: 01-09-380206
Registering court: Company Court of the Metropolitan Tribunal (Fővárosi Törvényszék Cégbírósága)
Tax number: 29044559-2-42
Represented by: Szűcs Bálint, Managing Director

Pursuant to GDPR Article 37, the Company is not required to appoint a Data Protection Officer (DPO).

4. General principles of processing

The Company processes personal data:

• lawfully, fairly and transparently,

• for specified purposes (only for defined purposes),

• with data minimisation (only to the extent necessary),

• accurately and kept up to date,

• for a limited period (for the necessary retention period),

• with appropriate security (by organisational and technical measures).

5. Who is considered a data subject?

This notice applies to the following categories of data subjects:

• the Company’s employees,

• the Company’s customers/partners and their contact persons,

• users of the Company’s customer support (ticketing) system,

• visitors of the Company’s website,

• in the case of online payment, paying users.

6. Processing activities in detail

6.1 Processing of customers/partners and contact persons’ data

Purpose of processing: communication, providing offers, concluding and performing contracts, administration, invoicing, debt management, and the assertion and defence of legal claims.

Categories of data processed: name, address/registered office, e-mail address, phone number, billing data, contractual data, contact and communication data.

Legal basis for processing:

• conclusion / performance of a contract (GDPR Article 6(1)(b)),

• compliance with a legal obligation (e.g., invoicing, accounting) (GDPR Article 6(1)(c)),

• legitimate interest (e.g., assertion and defence of legal claims) (GDPR Article 6(1)(f)).

Retention period: as a general rule, 5 years after the termination of the legal relationship (general limitation period), and for accounting documents the period required by applicable law (typically 8 years).

Is providing the data mandatory? Providing the data necessary for concluding/performing the contract is a condition; without it, the Company cannot provide the service/conclude the contract, or can do so only to a limited extent.

6.2 Customer support, ticketing (support ticket) system

The Company operates an integrated customer support (ticketing) system that enables the recording and tracking of support tickets and requests, as well as the documentation of solutions.

Purpose of processing: handling incident reports and requests, communication, service performance, complaint handling, documentation and quality assurance, and the resolution of disputed matters.

Categories of data processed: name, e-mail address, phone number, (if applicable) company name, the content of the support ticket, attachments, communication data generated during handling, and timestamps.

Legal basis for processing:

• performance of a contract / provision of customer support (GDPR Article 6(1)(b)),

• where justified, legitimate interest (e.g., quality assurance, resolution of disputed matters) (GDPR Article 6(1)(f)).

Retention period: as a general rule, 5 years after the termination of the legal relationship.

Important information: Please include only the information necessary to resolve the issue in the support ticket, and preferably do not provide special categories of personal data (e.g., health data) or the personal data of third parties.

6.3 Online payments (Stripe)

For processing online bank card payments on the website, the Company uses Stripe’s payment services.

Purpose of processing: processing and completing payments, tracking transactions, handling refunds/chargebacks, providing data necessary for invoicing, fraud prevention, and transaction security.

Categories of data processed (typically): name, e-mail address, phone number (if provided), billing address, transaction data (amount, date, status), technical data related to the payment method, and refund/chargeback information.

Bank card data: the Company does not store full card details; card data are processed within Stripe’s system. In the case of recurring or later charges, a Stripe-provided token and limited card metadata (e.g., last 4 digits, expiry date, card type) may be processed to technically ensure payments. Payment-related data may be automatically updated via webhooks (e.g., changes to payment status).

Legal basis for processing:

• performance of a contract (GDPR Article 6(1)(b)),

• compliance with a legal obligation (invoicing/accounting) (GDPR Article 6(1)(c)),

• legitimate interest (fraud prevention, security) (GDPR Article 6(1)(f)).

Retention period: transaction/invoicing data are retained in accordance with statutory retention periods (for accounting documents typically 8 years); other administration-related data are retained as a general rule for 5 years.

Recipient/processor:

• Stripe Payments Europe, Limited (SPEL) – One Wilton Park, Dublin, D02 FX04, Ireland
  Contact (DPO): dpo@stripe.com

International data transfers: Stripe is a global service provider, so transfers outside the EEA may occur. In such cases, appropriate safeguards are applied (e.g., standard contractual clauses).

6.4 Website – logging and cookies

(A) Technical logging (logs)

Purpose of processing: ensuring the secure operation of the website, preventing abuse, troubleshooting, system operation, and statistical aggregations.
Categories of data processed: IP address, time of visit, page(s) viewed, browser type, operating system type, technical identifiers.
Legal basis for processing: legitimate interest (GDPR Article 6(1)(f)) – maintaining the security and operability of the website.
Retention period: as a general rule, 1 year.

(B) Cookies and measurement technologies

To operate the website, the Company may use cookies and similar technologies:

1. Necessary cookies (essential for operation):

   • Purpose: ensuring the basic operation of the website (e.g., session management).

   • Legal basis: legitimate interest and/or technical operation necessary for providing the service (GDPR Article 6(1)(f) / where applicable, (b)).

2. Statistical/analytics cookies (e.g., traffic measurement):

   • Purpose: measuring and improving website usage.

   • Legal basis: consent (GDPR Article 6(1)(a)).

3. Conversion and marketing cookies (Google Ads, Meta Pixel):

   • Purpose: measuring ad performance, conversion tracking, and campaign optimisation.

   • Legal basis: consent (GDPR Article 6(1)(a)).

Managing consent: analytics and marketing cookies are used only if you have given prior consent via the cookie management interface displayed on the website. You may withdraw or modify your consent at any time using the cookie management interface or your browser settings.

Retention period: cookie retention periods vary by type; some cookies are deleted when you close your browser (session), while others may be stored for longer.

International data transfers: for certain analytics/marketing service providers, transfers outside the EEA may occur; in such cases, appropriate safeguards are applied (e.g., standard contractual clauses).

6.5 Processing related to employees

Purpose of processing: establishing and performing the employment relationship, maintaining employment records, payroll and salary payments, tax and social contribution filings, working time and leave records, fulfilling occupational safety and occupational health obligations, and managing training.

Categories of data processed (typically): identification and contact data (name, address, e-mail/phone), birth data, tax identification number, social security number (TAJ), bank account number, employment-related data (position, salary, working time), qualifications/training, and data related to mandatory fitness/medical examinations – to the extent necessary for the employer.

Legal basis for processing:

• performance of a contract (GDPR Article 6(1)(b)),

• compliance with a legal obligation (GDPR Article 6(1)(c)),

• for health data, processing necessary for fulfilling obligations in the field of employment and social security (GDPR Article 9(2)(b)) and/or based on the applicable legal requirement.

Retention period: for the period required by applicable employment, tax and accounting laws; for accounting documents typically 8 years, and for other employment records in line with statutory and limitation periods.

7. Recipients and processors

The Company may engage processors to the extent necessary for the purposes of processing and subject to appropriate safeguards. Within the Company, only those persons may access personal data whose job duties require it.

Your data may be transferred to the following recipients/processors:

• Accounting and payroll: Dobos Ágota (registered office: 2243 Kóka, Kossuth Lajos u. 20.)

• Processing online payments: Stripe Payments Europe, Limited (SPEL) – One Wilton Park, Dublin, D02 FX04, Ireland

• Analytics and marketing service providers: providers of the measurement/conversion tracking solutions used on the website (Google Ads, Meta Pixel)

Hosting: hosting for the website and related systems is provided by the Company in its own operation.

Authority requests: the Company discloses personal data to courts, prosecutors, investigative authorities, administrative authorities and other authorised bodies only where required by law and only to the extent necessary for the purpose of the request.

8. International data transfers (outside the EEA)

If, due to the processing performed by certain service providers, personal data are transferred outside the European Economic Area (EEA), the Company and/or the service provider applies appropriate safeguards (for example, standard contractual clauses and, where necessary, additional protective measures).

9. Data security

The Company protects personal data with appropriate technical and organisational measures, in particular against unauthorised access, alteration, disclosure, erasure, damage or destruction (e.g., access control, authorisation management, backups, logging, security updates).

10. Data subjects’ rights

Under the GDPR, you have the following rights in particular:

• Right to information and access (processed data, purposes, legal basis, recipients, retention, etc.).

• Right to rectification.

• Right to erasure (in the cases specified in GDPR Article 17).

• Right to restriction of processing.

• Right to data portability (where processing is based on consent or a contract and is carried out by automated means).

• Right to object (where processing is based on legitimate interests).

• Withdrawal of consent (where processing is based on consent; withdrawal does not affect the lawfulness of processing before withdrawal).

Submitting requests: using the contact details provided in Section 3 (primarily by e-mail).
Deadline: the Company will respond without undue delay, but no later than within 1 month. Where necessary, the deadline may be extended by up to a further 2 months under the conditions of the GDPR, and you will be informed within 1 month.
Before fulfilling your request, the Company may, within reasonable limits, ask you to confirm your identity.

11. Complaints and legal remedies

If you believe that the Company’s processing of your personal data violates data protection rules, you may lodge a complaint with the supervisory authority:

National Authority for Data Protection and Freedom of Information (NAIH)
Registered office: 1055 Budapest, Falk Miksa utca 9-11.
Postal address: 1363 Budapest, Pf.: 9.
E-mail: ugyfelszolgalat@naih.hu
Website: naih.hu

You may also seek judicial remedy. At your choice, you may bring the action before the competent tribunal having jurisdiction over your place of residence/stay or over the Company’s registered office.

12. Amendments to this notice

The Company reserves the right to amend this notice. The current version of the notice is available on the Company’s website.