Privacy Policy


1. ChemPass Korlátolt Felelősségű Társaság (hereinafter Data Controller) respects the privacy of all those whose personal data it controls and is committed to the protection of personal data. On the one hand with regard to this intention on the other for the compliance with the Regulation (EU) 2016/679 of the EUROPEAN PARLIAMENT AND OF THE COUNCIL on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter: GDPR) which shall be applied obligatory from 25 May 2018 the Data Controller created this information on data protection.
2. The Data Controller issues this Information in order to make the Interested Parties understand the way in which the Data Controller processes their personal data and to understand their rights related to data processing.
3. The Data Controller pursuant to Article 13 of the GDPR provides the following information:
Data of the Data Controller:
1. Company name:
ChemPass Hálózatelemző Kutatási Fejlesztési Kft.
2. Registered office:
1031 Budapest, Záhony utca 7
3. Website:
4. E-mail:
5. Data Protection Officer:
the data protection officer pursuant to Article 37 of the GDPR is not obliged to appoint a data protection officer.
6. Data protection requests:
if you have any request or question regarding data processing you may send your request via post to the address indicated in Section 4.2 or by electronic means to the e-mail address: We will send our reply without delay but no later than 30 days to the address you request.
7. Data transfer to foreign countries:
there is no data transfer to foreign countries.
4. The purpose of the intended processing of personal data, and the legal basis of the data processing:
1. The purpose of data processing:
Controller wants to help online visitors get in touch with the Controller easily with their questions and remarks. (

Controller requires some basic personal data from those, who fill out this form: Name, Organization (optional) and Email + the reason of contact, which can be:
Partnering/ Business Inquiries
Research Collaborations
Those of Collector’s visitors who wish to get a deeper insight into what ChemPass is doing, can download a Scientific Whitepaper from the site.
To do this, Controller requires them to give the same information as in the contact form.
This happens through a separate form, with the same fields.
Questions are the same here as above.
The processing of data is to support the efficiency of the contracts in question, and the mutual business and professional success of the Data Controller and its Partners.
In the case of CVs and applications, the purpose of the processing of data is to facilitate the filling of the advertised position. In accordance with this, if the Data Controller chooses a person for the advertised position from the applicants, then the purpose of the data processing ceases to exist, and the personal data of the applicants not chosen must be erased. Simultaneously, the obligation to erase the data also exists in the case that the data subject changes his or her mind during the application process, withdraws his or her application.
2. The legal basis of the processing of personal data:
the consent of the data subject according to point a) paragraph (1) Article 6 of the GDPR, which consent shall especially cover their possible store.
In the case of natural person Partners, under recital (44) of the preamble of the GDPR, and/or Article 6. paragraph (1) point b), data processing is necessary regarding a contract between the Parties, for the performance of the contract.
In the case of legal entity Partners, the personal data of the contact points are to be processed under Article 6. paragraph (1) point f) of the GDPR, based on the legitimate interest for the performance of the contract between the legal entity Partners and the Data Controller,
In the case of processing CVs and applications, the express, unambiguous, and freely given consent of the data subject as prescribed in Article 6. paragraph (1) point a) of the GDPR, which consent must particularly include the possible retention of the foregoing. However, even in the case of the retention of these documents, the Data Controller must determine a specific period in compliance with the purpose of the processing of data, and with the principles of the accuracy and the up-to-date manner of data processing. To ensure lawfulness, the Data Controller requests consent from the applicants to retain the CVs and the applications after the closing of the application process.
5. The recipients of personal data, and the categories of the recipients:
Data Controller shall not provide personal data to the recipient specified in Article 4 (9) of the GDPR.
6. The period for which the personal data is stored, and the criterion to define such period:
1. The data requested from the visitors shall be processed by the Data Controller until the data subject exercises his/her right to data erasure, data restriction and data portability pertaining to his/her personal data.
2. The term of the contracts referred., extended with the limitation period for the assertion of any possible claim arising from the contract. Except for the case when the data subject exercises, at an earlier time and regarding their personal data, their right to erasure, right to restriction of processing, and right to data portability.
3. The personal data of those legal entities and natural persons with whom no contract is concluded must be erased upon the occurrence of this circumstance.
4. Under s. 169. ss. (2) of Act C. of 2000. on Accounting, all accounting documents directly and indirectly supporting the accounting records (including ledger accounts, analytical records, and/or detailed registers), must be retained for a minimum of 8 years, in a legible form, and in such a manner that the documents are retrievable via the references indicated in the accounting records.
5. Regarding the applications and CVs, the consent of the applicants is requested subsequent to the filling of the particular position, for the probationary period of the particular position (a maximum of 1 year, regard to the special expertise required by the Data Controller).
7. The categories of personal data concerned:
1. Name,
2. Organization (optional) and
3. Email +
4. the reason of contact, which can be:
Partnering/ Business Inquiries
Research Collaborations
5. Personal data included in the CV.
2. The rights of the data subject:
1. Right of access by the data subject
The data subject shall have the right to obtain confirmation from the controller as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and all significant information on the data processing, namely:
the purposes of the data processing;
the categories of personal data concerned;
the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations;
the envisaged period for which the personal data will be stored;
the right to rectification, erasure or restriction of processing of personal data or the right to object;
the right to fill a complaint with a supervisory authority;
information on data sources;
the existence of automated decision-making, including profiling,
meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
Where personal data are transferred to a third country or to an international organization, the data subject shall have the right to be informed of the appropriate safeguards relating to the transfer.
2. Right to rectification:
The data subject shall have the right to obtain from the controller the rectification of inaccurate personal data and the completion of incomplete data.
3. Right to erasure:
The data subject shall have the right to obtain from the controller upon his/her request the erasure of personal data concerning him or her and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
the data subject withdraws consent on which the processing is based and where there is no other legal ground for the processing;
the data subject objects to the processing, and there are no overriding legitimate grounds for the processing
the personal data have been unlawfully processed;
the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
the personal data have been collected in relation to the offer of information society services.
4. Right to restriction of processing:
Upon the request of the data subject the controller restricts the processing where one of the following applies:
the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defense of legal claims; or
the data subject has objected to processing; in this case the restriction is pending the verification whether the legitimate grounds of the controller override those of the data subject
5. Right to data portability:
The Data Subject shall have the right to receive the personal data concerning him or her, which he or she has provided, in a structured, commonly used and machine-readable format and shall have the right to transmit those data to another controller.
6. Right to object:
The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her or to object to the processing necessary for the purposes of the legitimate interests pursued by the controller or by a third party, including profiling based on those provisions.
In case of objection the data controller shall no longer process the personal data unless the processing is justified by such compelling legitimate grounds which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
2. Security of processing
1. The data controller for the processing of personal data selects and operates the information devices in the course of the provision of service in a way that
the processed data is available for the ones authorized to do so (availability);
the authenticity and the authentication of the processed data is secured (authenticity of data processing);
the consistency of the processed data is verifiable (integrity of the data);
the processed data is protected against unauthorized access (confidentiality of the data).
2. The data controller protects the data by adequate measures in particular against unlawful access, alteration, transfer, disclosure, erasure, or destruction and against accidental destruction, damage, in addition against becoming inaccessible due to the alteration of the applied technique.
3. The data controller in order to protect the sets of data processed electronically in its different records, secures by means of an adequate technical solution that the stored data, unless it is enabled by the law, shall not be directly linked and assigned to the data subject.
4. The data controller in view of the current technological development shall ensure the protection of the data processing’s security by way of such technological, organizational, and structural measures, which provide the adequate protection level against the risks which emerge in relation to the data processing.
5. The information technology system and the network of the data controller and its partners is protected against fraud, espionage, sabotage backed by computer as well as against vandalism, fire, flood, furthermore against computer viruses, computer intrusion and attacks resulting in refusal to perform. The operator ensures the protection procedures on a server as well as on an application level.
6. Data Controller informs the data subjects that the electronic messages transmitted through the internet, regardless of the protocol (e-mail, web, ftp, etc.), are vulnerable to such network threat which result to improper activity or disclosure, alteration of information. In order to protect from such threats the data controller shall take all reasonable precaution measures to the best of its ability. It shall observe the systems in order to record all security deviations and to be able to provide evidence in case of all security matters. In addition, the system observation enables the monitoring of the applied precaution measures’ efficiency.
3. Proceeding rules in the event of the data subject’s request
1. The controller shall provide information on action taken on a request (application) to the data subject without undue delay and in any event within one month of receipt of the request. Where necessary, taking into account the complexity of the request and the number of the requests, this time limit may be extended by two months.
2. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the data subject makes the request by electronic form means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.
3. The data controller provides the requested information and communication free of charge. Where the request from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the data controller taking into account the administrative costs of providing the information or communication or taking the action requested may charge a reasonable fee or refuse to act on the request.
4. The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic form means, the information shall be provided by electronic means, unless otherwise requested by the data subject.
4. Damages and compensation:
1. Any person who has suffered material or non-material damage as a result of an infringement of the data protection regulation shall have the right to receive compensation from the controller or processor for the damage suffered.
2. A processor shall be liable for the damage caused by processing only where it has not complied with obligations provided by the law specifically directed to processors or where it has acted outside or contrary to lawful instructions of the controller.
3. A controller or processor shall be exempt from liability if it proves that it is not in any way responsible for the event giving rise to the damage.
5. Legal remedy:
1. In Hungary the data protection supervisory authority: Hungarian National Authority for Data Protection and Freedom of Information (NAIH) (1125 Budapest, Szilágyi Erzsébet fasor 22/c)
2. Competent court: ruling on data protection proceedings shall fall under the competence of the Regional Court (Törvényszék) At the choice of the data subject the action may be brought before the court of his or her permanent address or habitual residence.
6. Laws on which the data processing is based:
1. The Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, GDPR).
2. Act V of 2013 on the Civil Code
3. Act CXII of 2011 on Informational Self-Determination and the Freedom of Information (“Privacy Act”)
Data controller informs the data subjects, that according to the legal view and the legal interpretation of the controller from the 25th of May 2018 the provisions of the GDPR Regulation shall prevail primarily, particularly in the event that the sectorial laws referred to in this section in the individual case(s) contain a provision contrary to the guidance of the GDPR. In the event that the referred sectorial laws govern matters that are not governed by the GDPR then the referred sectorial laws shall prevail. The sectorial laws shall also prevail in the case when they provide stricter requirements in order to protect personal data than the GDPR.