Privacy Policy

(Date of acceptance: 2024-10-15)

1. Information about the data controller


Data Controller: Centre for Economic and Regional Studies
Registered seat: 1094 Budapest, Tóth Kálmán utca 4., Hungary
Email: titkarsag@krtk.hu

This document contains all relevant data processing information regarding the Supply Chain Disruptions Survey in accordance with General Data Protection Regulation (2016/679) of the European Union (hereinafter: Regulation or GDPR) and Act CXII of 2011 (hereinafter: Privacy Act).

2. Description of the data processing activities

2.1 Data collection Survey

The Data Controller collects data in the form of an online survey as part of the RETHINK-GSC Horizon Europe research project (N. 101061123).

The survey is anonymous if the data subject doesn’t give her/his email address or phone number to the Data Controller.

If the data subject gives her/his email address or phone number, the Data Controller may contact them for further information related to the Rethink-GSC Horizon Europe research project.

In every case, survey responses will be handled in an anonymized way during the research and the exact person responding the survey will be in secret. During the publication process of the research results, the Data Controller makes public aggregated data of the Survey. As a requirement of the publication process, the dataset of Survey responses will be published in a public research repository in an anonymized and strictly non-recoverable way. No information about the email address or the phone number of the data subject will be included in any of these.

Information on firm identity will only be used for matching survey responses to administrative company data, conditional on consent being given by the respondent. Other than that, data analysis will only use anonymized data.

Period of the data processing

The Data Controller will handle the personal data of the data subject until the closing of the Rethink-GSC Horizon Europe research project (N. 101061123). After that, the Data Controller immediately deletes any personal data from the database of the research.

Legal basis for the data processing

If the data subject gives her/his email address or phone number, the data processing is based on the consent of the data subject [Article 6(1)(a) of the Regulation].

2.2 Recipients of personal data

Activities of data processors for collecting personal data: We use for collecting the Data in Hungary, Poland and Ireland three research partner companies.

Name of the data processor in Hungary: Impetus Research Kft.

Website: https://impetusresearch.hu/

Contact details of the Data Processor:
Phone number of the Data Processor: +36 30 619 3342
Registered seat of the data processor: Hungary, Budapest 1092, Üllői út 25.
E-mail of the Data Processor: janos.bacher@impetusresearch.hu

Name of the data processor in Ireland: INTEGRAL RESEARCH, a company limited by guarantee (Registered in England number: 11074476)
Website: https://www.integralresearch.com/ 
Contact details of the Data Processor: 
Phone number of the Data Processor: +44 (0)23 8098 4718
Registered seat of the data processor: 46-48 East Smithfield, London, E1W 1AW
E-mail of the Data Processor: infosec@integralresearch.com

Name of the data processor in Poland: Antal Sp. z o.o.
Website: https://en.antal.pl/ 
Contact details of the Data Processor:
Phone number of the Data Processor: +48 22 490 43 31
Registered seat of the Data Processor: ul. Puławska 2, 02-566 Warsaw
E-mail of the Data Processor: office@antal.pl


3. Your rights in the course of the data processing

Within the period of data processing, you are entitled to the following rights pursuant to the provisions of the Regulation:
• right to withdraw consent

  • access to personal data and information related to data processing
  • right to rectification
  • restriction of data processing,
  • right to erasure
  • right to object
  • right to data portability.

If you wish to exercise your rights, it will involve your identification, and the Data Controller must necessarily communicate with you. Therefore, for the purpose of identification, it will be necessary to provide personal data (but only your data already processed by the Data Controller can serve as the basis of identification), and your complaints as regards data processing will be available in your email account within the period specified in this Privacy Notice regarding complaints.
The Data Controller will respond to complaints as regards data processing within 30 days at the latest.

3.1 Right to withdraw consent

You have the right to withdraw your consent to data processing at any time, in which case the data provided will be erased from our system.

3.2 Access to personal data

You have the right to obtain from the Data Controller confirmation as to whether your personal data are being processed, and where that is the case, you have the right to:

  • a gain access to the processed personal data, and
  • a receive information from the Data Controller on the following:
  • the purposes of data processing;
  • the categories of your personal data processed;
  • information on the recipients or categories of recipients to whom the personal data have been or will be disclosed;
  • the envisaged period of the processing of personal data or, if that is not possible, the criteria used to determine that period;
  • the existence of your right to request from the Data Controller rectification or erasure of personal data or restriction of processing of personal data concerning you or to object to such processing;
  • where the personal data are not collected from the data subject, any available information as to their source;
  • the existence of automated decision-making, including profiling, and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for you.

The purpose of exercising these rights may be aimed at establishing and verifying the lawfulness of data processing, therefore, in case of multiple requests for information, the Data Controller may charge a fair fee in exchange for providing the information.
Access to personal data is ensured by the Data Controller by sending you the processed personal data and information by email after your identification.
Please indicate in your request that you ask for access to personal data or information on data processing.

3.3 Right to rectification

You have the right to obtain from the Data Controller without delay the rectification of inaccurate personal data concerning you.

3.4 Right to the restriction of data processing

You have the right to obtain from the controller restriction of processing where one of the following applies:

  • the accuracy of the personal data is contested by you, for a period enabling the Data Controller to verify the accuracy of the personal data, and if the accurate data can be immediately established, then no restriction will take place;
  • the data processing is unlawful and you oppose the erasure of the personal data for any reason (for example because the data are necessary for the possible assertion of a claim) and requests the restriction of their use instead;
  • the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims, or
  • if you have objected to the data processing but the legitimate interest of the Data Controller may also serve as grounds for it, the data processing must be restricted until it can be established whether the legitimate grounds of the Data Controller override the legitimate grounds referred to by you.

Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
You will be informed by the Data Controller before the restriction of processing is lifted (at least 3 business days before the restriction is lifted).

3.5 Right to erasure – right to be forgotten

You have the right to obtain from the Data Controller the erasure of personal data concerning you without undue delay where one of the following grounds applies:

  • the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed by the Data Controller;
  • you withdraw your consent on which the processing is based and there is no other legal ground for the processing;
  • you object to the processing based on legitimate interest and there are no overriding legitimate grounds (that is, legitimate interest) for the processing,
  • the personal data have been unlawfully processed by the Data Controller where that was established on the basis of the complaint,
  • the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the Data Controller is subject.

Where the Data Controller, based on any lawful ground, has made the personal data public and is obliged to erase the personal data due to any of the above grounds, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform other data controllers which are processing the personal data that you have requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
The erasure shall not apply to the extent that processing is necessary:

  • for exercising the right of freedom of expression and information;
  • or compliance with a legal obligation which requires processing by Union or Member State law to which the Data Controller is subject (data processing in the framework of invoicing is one of those cases, as the retaining of the invoice is prescribed by law), or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller;
  • for the establishment, exercise or defence of legal claims (e.g., if the Data Controller has any claims against you which has been not fulfilled yet, or there is undergoing complaint management process).

3.6 Right to object

You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on legitimate interests. In such case, the Data Controller shall no longer process the personal data unless the Data Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

3.7 Right to data portability

If the data processing is carried out in an automated way or if the data management is based on your voluntary consent, you have the right to ask the Data Controller for the data you provided to the Data Controller, which the Data Controller will send in xml, JSON or csv format at your disposal, and, if this is technically feasible, you can request that the Data Controller forward the data in this form to another data controller.

3.8 Automated decision-making

You have the right not to be subject to a decision which is based solely on automated processing (including profiling) and which produces legal effects concerning you or similarly significantly affects you. In these cases, the Data Controller shall implement suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express their point of view and to contest the decision.
The above shall not apply if the decision:

  • is necessary for the conclusion and performance of the contract between you and the Data Controller;
  • is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests; or
  • is based on your explicit consent.

3.9 Data security measures

The Data Controller declares that it has taken appropriate security measures in order to protect personal data against unauthorized access, alteration, transmission, disclosure, deletion or destruction, as well as against accidental destruction and damage, as well as against becoming inaccessible due to changes in the technology used.
The Data Controller will do everything within its organizational and technical capabilities to ensure that its Data Processors also take appropriate data security measures when working with your personal data.

3.10 Remedies

If, in your opinion, the Data Controller has violated a legal provision relating to data processing or has not fulfilled any of your requests, then in order to terminate alleged unlawful data processing, you can initiate the investigative procedure of the Data Protection Authority.
We would also like to inform you that in the event of a violation of the legal provisions on data processing, or if the Data Controller has not fulfilled any of your requests, you may file a civil lawsuit against the Data Controller in court.

4. Amendment of the Privacy Policy

The Data Controller reserves the right to modify this data management information in a way that does not affect the purpose and legal basis of data processing. By using the website after the amendment enters into force, you accept the amended Privacy Notice.
If the Data Controller wishes to carry out further data processing in relation to the collected data for a purpose other than that of their collection, it will inform you, before commencing any further data processing, of the purpose of the data processing and the information on the following:

  • the envisaged period of the processing of personal data or, if that is not possible, the criteria used to determine that period;
  • the existence of your right to request from the Data Controller access to, rectification or erasure of personal data or restriction of processing of personal data concerning you, or to object to such processing in the case of data processing on the grounds of legitimate interest, or to request ensuring data portability in the case of data processing on the grounds of consent or contractual relationship;
  • in the case of data processing on the grounds of consent, that you may withdraw your consent at any time,
  • the right to lodge a complaint with a supervisory authority;
  • whether the provision of personal data is based on legislation or a contractual obligation or is a prerequisite for concluding a contract, as well as whether you are obliged to provide personal data, and what possible consequences the failure to provide data may have;
  • the existence of automated decision-making, including profiling, and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for you.

The data processing may only be commenced thereafter, and, in the case of data processing on the grounds of consent, your consent will also be required to the data processing in addition to the provision of the above information.