SZILVESZTER ARANYI
SOLE PROPRIETOR
EFFECTIVE FROM:
01 January 2026 UNTIL WITHDRAWAL
Name of the Entrepreneur:
Szilveszter Aranyi Sole Proprietor
Registered Office:
3000 Hatvan, Kisfaludy Street 61/C
Tax Number:
68362368-1-30
Registration Number:
51638696
Phone Number:
+36 70 671 0186
Email Address:
hello@slyvervill.hu
The data controller acknowledges the contents of this legal notice as binding upon itself.
The purpose of this Privacy Notice is to inform clients and partners about the processing of their personal data. The data controller processes personal data exclusively in compliance with applicable legislation and in strict accordance with data protection regulations, observing the principles of lawfulness, fairness and transparency, purpose limitation, data minimization, accuracy, storage limitation, and integrity.
The data controller takes all necessary technical and organizational measures to ensure that the personal data of its partners are handled securely and in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council.
In accordance with the above, the data controller has organized its daily operations and prepared its internal regulations, records, document templates, and information materials.
The data protection principles related to the data controller’s data processing activities are continuously available at the registered office of the data controller. The data controller reserves the right to modify this notice at any time. Naturally, the public will be informed of any changes in due time.
The data controller is committed to protecting the personal data of its clients and considers it of utmost importance to respect the informational self-determination rights of its partners. Personal data are treated confidentially, and all security, technical, and organizational measures are taken to guarantee the security of the data.
The data controller describes its data processing practices below.
The personal scope of this Privacy Notice extends to the data controller and to those natural persons whose data are included in the data processing activities covered by this Notice, as well as to persons whose rights or legitimate interests are affected by such data processing.
The material scope of this Notice covers all data processing activities arising during the operations of the data controller, except internal data processing activities (e.g., those related to employees), which are regulated in the Data Protection Policy of the data controller.
This Notice enters into force on the date of approval and remains valid until further notice for an indefinite period.
Personal Data:
Any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified directly or indirectly, particularly by reference to an identifier such as a name, number, location data, online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Special Categories of Data:
Any data belonging to the special categories of personal data, including data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data, biometric data used for uniquely identifying a natural person, health data, and data concerning a natural person’s sex life or sexual orientation.
Data Processing:
Any operation or set of operations performed on personal data or data sets, whether by automated means or not, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Data Controller:
A natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Data Processor:
A natural or legal person, public authority, agency or other body that processes personal data on behalf of the data controller.
Joint Controllers:
Where two or more controllers jointly determine the purposes and means of processing, they shall be considered joint controllers.
Third Party:
A natural or legal person, public authority, agency or body other than the data subject, the data controller, the data processor, or persons who, under the direct authority of the controller or processor, are authorized to process personal data.
Consent of the Data Subject:
Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which the data subject, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Data Breach:
A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Personal data may only be processed by the data controller in the following cases:
The data subject has given consent to the processing of their personal data for one or more specific purposes.
The processing is necessary for the performance of a contract to which the data subject is a party.
The processing is necessary for compliance with a legal obligation to which the data controller is subject.
The processing is necessary in order to protect the vital interests of the data subject or another natural person.
The processing is necessary for the purposes of the legitimate interests pursued by the data controller or a third party.
The lawfulness of data processing is examined by the data controller at every stage of its activity. Only such data are processed and only for as long as the purpose and legal basis of the processing can be justified.
If a legal basis ceases to exist, data processing may only continue if another appropriate legal basis can be demonstrated.
As a general rule, the legal basis must be documented in writing. Even in cases where the legal basis arises through implied conduct, it must be examined whether it can be clearly proven afterwards. In case of doubt, reasonable and cost-effective efforts should be made to confirm such implied legal bases in writing.
In cases where processing is based on consent, the data subject provides written consent for the processing of personal data. While the consent itself does not require a specific form, proof of consent requires written documentation, either on paper or in electronic form.
Processing based on compliance with a legal obligation is independent of the data subject’s consent, as the processing is determined by law.
Regardless of the mandatory nature of such processing, the data subject must be informed prior to the start of the processing that the processing is mandatory and unavoidable, and must be clearly and comprehensively informed about all relevant facts concerning the processing of their personal data.
According to the GDPR (General Data Protection Regulation), personal data may also be processed where processing is necessary for the performance of a contract to which the data subject is a party, or where processing is necessary in order to take steps at the request of the data subject prior to entering into a contract.
On this legal basis, the data controller may process personal data for the purposes of concluding, performing, and terminating contracts.
The data controller provides electrical installation services and performs electrical industrial work for its clients. During the provision of these services, the data controller may come into contact with the personal data of natural persons.
The data controller performs the following data processing activities:
The contractual partners of the data controller may be both natural persons and legal entities.
The establishment of a contractual relationship is preceded by a request for quotation submitted in person, by telephone, or via email. The person requesting the quotation provides their name, phone number, and email address to which the data controller sends the relevant offer.
If the offer is rejected, the personal data of the interested party will be deleted immediately, but no later than within 3 working days.
The legal basis for processing personal data is the establishment of a contract (Article 6(1)(b) of the General Data Protection Regulation).
If the data subject orders the offered service, a contractual relationship is established between the parties. Upon the establishment of the contractual relationship, the data controller may obtain additional personal data of private individuals (partners and contact persons).
The legal basis for data processing is the performance of contractual obligations (Article 6(1)(b) GDPR), and in the case of the contact person of a legal entity, the consent of the data subject (Article 6(1)(a) GDPR).
The data controller issues invoices for the services provided. The invoice contains the name, address, and possibly the tax number of the data subject.
Issuing an invoice is a legal obligation of the data controller. Therefore, the legal basis for processing personal data included on invoices is compliance with a legal obligation (Article 6(1)(c) GDPR).
With regard to the retention of personal data included on invoices, the data controller acts in accordance with the provisions of Act CXLVII of 2012 on the Itemized Tax for Small Taxpayers and the Small Business Tax, and stores such data for 5 years.
During the performance of its activities, the data controller processes the email addresses and telephone numbers of its partners and clients.
The legal basis for such processing is either:
the performance of contractual obligations (Article 6(1)(b) GDPR), or
the consent of the data subject (Article 6(1)(a) GDPR).
During its operations, the data controller may enter into contractual relationships with subcontractors, suppliers, and service providers, which may also require the processing of personal data.
In such cases, the legal basis for the processing of personal data:
in the case of a private individual or sole proprietor is the performance of contractual obligations (Article 6(1)(b) GDPR),
in the case of the contact person of a legal entity is the explicit consent of the data subject provided after prior information (Article 6(1)(a) GDPR).
Natural persons applying for a position with the data controller may submit their curriculum vitae (CV) to the business.
Personal data contained in the CV are also processed.
The legal basis for this processing is the consent of the data subject (Article 6(1)(a) GDPR).
In connection with complaints related to the activities of the data controller, the purpose of data processing is to enable the submission of complaints, identify the data subject and the complaint, record the data required by law, investigate the complaint, and maintain contact in relation to the resolution of the complaint.
In the event of a complaint, the handling of the case – and thus the processing of personal data – is mandatory under Act CLV of 1997 on Consumer Protection.
Accordingly, the legal basis for processing personal data is the fulfillment of a legal obligation (Article 6(1)(c) GDPR).
The data controller maintains a data processing register of the above data processing activities. The register also includes the deadlines established for the deletion of personal data.
This register forms an annex to this Privacy Notice.
If data processing is carried out on behalf of the data controller by another party, the data controller shall only use data processors that provide sufficient guarantees for compliance with the requirements of the General Data Protection Regulation (GDPR) and implement appropriate technical and organizational measures to ensure the protection of the rights of the data subjects.
The data controller hereby declares that during its operations it only cooperates with data processors that provide adequate guarantees of compliance with the GDPR and implement appropriate technical and organizational measures to protect the rights of data subjects.
The relevant declarations of the data processors are available to the data controller.
By acknowledging and accepting this Privacy Notice, the data subjects accept that the data controller may transfer their personal data to the following data processors and joint controllers.
KBOSS.hu Kereskedelmi és Szolgáltató Korlátolt Felelősségű Társaság
1031 Budapest, Záhony utca 7.
Tax number: 13421739-2-41
Data Protection Officer:
Dr. Éva Istvánovics, Attorney-at-Law
Contact:
dpo@kboss.hu
Rackhost Zrt.
Address:
1132 Budapest, Victor Hugo utca 18-22.
Registered office:
6722 Szeged, Tisza Lajos körút 41.
Tax number:
25333572-2-06
Aranyi-Komáromi Lucia Sole Proprietor
3000 Hatvan, Kisfaludy utca 61/C
Tax number: 56525836-1-30
The contracted data processors and data controller partners process personal data only based on the instructions of the data controller (except where required by law) and undertake confidentiality obligations when handling partners’ personal data.
The contractual partners of the data controller may be both natural persons and legal entities.
The establishment of a contractual relationship is preceded by a request for quotation submitted in person, by telephone, or by email. The person requesting the quotation provides their name, phone number, and email address to which the data controller sends the relevant offer.
If the offer is rejected, the personal data of the interested party will be deleted immediately, but no later than within 3 working days.
The legal basis for processing personal data is the establishment of a contract (Article 6(1)(b) GDPR).
If the data subject orders the offered service, a contractual relationship is established between the parties.
Upon the establishment of the contractual relationship, the data controller may obtain additional personal data of private individuals (partners and contact persons).
The legal basis for processing personal data is the performance of contractual obligations (Article 6(1)(b) GDPR), and in the case of the contact person of a legal entity, the consent of the data subject (Article 6(1)(a) GDPR).
The data controller issues invoices for the services provided. The invoice contains the name, address, and possibly the tax number of the data subject.
Issuing invoices is a legal obligation of the data controller.
Therefore, the legal basis for processing personal data on invoices is compliance with a legal obligation (Article 6(1)(c) GDPR).
In accordance with Act CXLVII of 2012, the data controller stores such personal data for 5 years.
The data controller may also process the contact details of suppliers (name, email address, telephone number) and may maintain contractual relationships with service providers and subcontractor companies.
In order to maintain communication with partners, personal data of contact persons or private individuals (including sole proprietors) may also be processed.
The legal basis for processing personal data is:
the performance of contractual obligations (Article 6(1)(b) GDPR), or
the consent of the contact person (Article 6(1)(a) GDPR).
The data controller requests a consent declaration from the contact persons of companies, informing them of their rights regarding personal data and requesting their consent for the processing of such data.
In such cases, the legal basis for processing personal data is the explicit written consent of the data subject based on proper information (Article 6(1)(a) GDPR).
If the contract with the partner has terminated and there is no legal obligation to retain the data, telephone numbers and email addresses will be deleted.
Personal data included in contracts and invoices are retained in accordance with Act CXLVII of 2012, and are stored by the data controller for 5 years.
The data controller issues invoices for the services provided. The invoice contains the name, address, and possibly the tax number of the data subject.
Issuing invoices is a legal obligation of the data controller. Therefore, the legal basis for processing the personal data included on invoices is compliance with a legal obligation (Article 6(1)(c) of the General Data Protection Regulation).
With regard to the retention of personal data included on invoices, the data controller acts in accordance with the provisions of Act CXLVII of 2012 on the Itemized Tax for Small Taxpayers and the Small Business Tax, and stores such data for 5 years.
The data controller does not process personal data of children.
Special categories of personal data that come to the knowledge of the data controller will not be recorded. If such data are entered into any system of the data controller without the data controller’s knowledge, they will be deleted immediately upon detection.
During its activities, the data controller may obtain the email addresses and telephone numbers of its partners and clients.
Personal data obtained in this manner are processed primarily for the purpose of fulfilling contractual obligations (Article 6(1)(b) GDPR).
If the contract with the partner has terminated and there is no legal obligation to retain the related data or documents, the telephone numbers and email addresses will be deleted.
In certain cases, the data controller may still have a legitimate interest in retaining the data. In such cases, the data controller will request the explicit written consent of the data subject for the retention of their personal data (Article 6(1)(a) GDPR).
Natural persons applying to the data controller may submit their curriculum vitae (CV) to the business.
If the CV was submitted because the data controller announced a job vacancy and is looking for an employee, the CV may only be used in relation to that specific job position.
If the applicant does not meet the conditions of the advertised position and another candidate is selected, the CV will be destroyed immediately.
The data controller may retain the application only with the explicit, clear and voluntary consent of the data subject (Article 6(1)(a) GDPR), provided that retention is necessary to achieve the purpose of the data processing.
The data controller does not publish anonymous job advertisements (job advertisements where the employer does not indicate its name), as this would violate the requirement of prior information regarding the identity of the data controller.
Whenever the data controller publishes a job advertisement, the identity of the data controller is always disclosed to applicants.
If the applicant submits a CV voluntarily without a job advertisement, the applicant will be asked to declare whether they consent to the processing of their personal data by the data controller.
Submitting a CV does not automatically mean that the data subject consents to the storage of the application materials.
Furthermore, the data controller may use the CV only for the positions indicated by the applicant.
CVs are generally stored for 3 months, unless the data subject has given consent for a longer retention period.
During the evaluation of job applications, the data controller may review and obtain information from the applicant’s social media profile only if the applicants were informed of this in advance.
Even in such cases, only publicly available information may be reviewed, and only information relevant to the job application or position will be considered during the selection process.
Under no circumstances will the applicant’s social media profile be saved, stored, or transmitted to third parties.
If the applicant is not selected for the position, the data controller will inform the applicant and provide the reason for rejection.
During complaint handling related to the activities of the data controller, the purpose of data processing is to enable the submission of complaints, identify the data subject and the complaint, record the data required by law, investigate the complaint, and maintain contact in relation to resolving the complaint.
In the event of a complaint, case handling – and thus the processing of personal data – is mandatory under Act CLV of 1997 on Consumer Protection.
Accordingly, the legal basis for the processing of personal data is compliance with a legal obligation (Article 6(1)(c) GDPR).
The data controller retains the minutes of the complaint and a copy of the response for 5 years, and processes the related personal data during this period.
The data controller undertakes to ensure the security of personal data and to take all necessary technical and organizational measures and maintain procedures that guarantee the protection of the collected, stored, and processed data, and prevent their destruction, unauthorized use, or unauthorized alteration.
The data controller also undertakes to require any third party to whom the data are transferred to comply with data security requirements.
The data controller ensures that unauthorized persons cannot access, disclose, transmit, modify, or delete the processed data.
The processed data may only be accessed by the data controller and the data processor(s) used by the data controller and will not be disclosed to third parties who are not authorized to access such data.
The data controller pays particular attention to the security of the personal data of its partners and clients.
Personal data protection includes:
physical protection (documents stored in locked rooms or cabinets), and
IT protection (use of antivirus software and firewalls).
Personal data provided by the data subject are primarily stored on the servers of the data processors specified in this Privacy Notice, equipped with standard protection systems, partly on the data controller’s own IT devices, and in the case of paper documents, securely stored at the registered office.
Data subjects acknowledge and accept that if personal data are provided, the complete protection of data on the internet and within computer systems cannot be fully guaranteed.
In the event of unauthorized access or data disclosure occurring despite the efforts of the data controller, the procedures described in this Privacy Notice will be followed.
This Privacy Notice aims to provide clear, concise, transparent, and understandable information about the data processing activities carried out by the data controller.
The data subject has the right to obtain confirmation from the data controller as to whether their personal data are being processed.
If such processing takes place, the data subject has the right to access the personal data and the following information:
the purpose of the processing
the categories of personal data concerned
the recipients to whom the personal data have been disclosed
the planned duration of the storage of personal data
Requests for information may be submitted to the data controller at the following address:
Szilveszter Aranyi Sole Proprietor
3000 Hatvan, Kisfaludy utca 61/C
Email: hello@slyvervill.hu
The data controller will respond to requests within 30 days.
Requests sent by post will be answered by post, while requests sent by email will be answered by email.
The data subject has the right to request that the data controller correct inaccurate personal data concerning them.
Requests may be submitted to:
Szilveszter Aranyi Sole Proprietor
3000 Hatvan, Kisfaludy utca 61/C
Email: hello@slyvervill.hu
The data controller will respond within 30 days.
The data subject has the right to request the deletion of personal data concerning them.
The data controller must delete the personal data if one of the following applies:
the personal data are no longer necessary for the purposes for which they were collected
the data subject withdraws consent and there is no other legal basis for processing
the data subject objects to the processing and there are no overriding legitimate grounds
the personal data have been processed unlawfully
deletion is required for compliance with a legal obligation under EU or Member State law
Requests may be submitted to:
Szilveszter Aranyi Sole Proprietor
3000 Hatvan, Kisfaludy utca 61/C
Email: hello@slyvervill.hu
The data controller will respond within 30 days.
The data subject has the right to request that the data controller restrict the processing of personal data, particularly if:
the accuracy of the data is contested
the processing is unlawful but the data subject does not request deletion
The data subject has the right to receive personal data concerning them in a structured, commonly used, machine-readable format, and has the right to transmit those data to another data controller.
The data subject has the right to object at any time, on grounds relating to their particular situation, to the processing of personal data concerning them, in accordance with Article 21 of Regulation (EU) 2016/679.
The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them.
Automated decision-making refers to any procedure or methodology where technical automation evaluates the personal characteristics of a data subject.
The data controller does not apply automated profiling systems that would significantly affect the rights of data subjects.
The data controller undertakes to inform all recipients to whom personal data have been disclosed about requests related to the above rights, unless this proves impossible.
The data controller further undertakes to inform the data subject within 30 days about the handling and decision regarding such requests.
A data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored, or otherwise processed.
In the event of a data breach, the level of the security breach must pose a serious risk to data security, meaning that the breach must result in:
destruction of personal data
loss of personal data
alteration of personal data
unauthorized disclosure of personal data
unauthorized access to personal data
A data breach occurs if any of the above circumstances take place, although multiple circumstances may occur simultaneously.
Not only intentional and malicious actions fall within this scope, but also breaches resulting from negligence. Therefore, a data breach occurs if it is caused by either an accidental or unlawful act.
Examples of data breaches include:
illegal transmission of personal data through documents, portable devices, data carriers or IT systems (e.g. via email)
unauthorized access to IT systems or applications that process personal data
damage to or loss of a database containing personal data, in whole or in part
partial or complete failure of an IT system caused by viruses or other malicious software
A data breach may cause physical, material or non-material damage to natural persons if appropriate measures are not taken in time. Such damage may include:
loss of control over personal data
restriction of rights
discrimination
identity theft or identity fraud
financial loss
unauthorized reversal of pseudonymisation
damage to reputation
breach of confidentiality of personal data protected by professional secrecy
other significant economic or social disadvantages.
If a data breach occurs (unless it is unlikely to result in a risk to the rights and freedoms of natural persons), the data controller shall notify the National Authority for Data Protection and Freedom of Information (NAIH) without undue delay.
The notification must be made without undue delay and, where feasible, no later than 72 hours after becoming aware of the breach.
If the notification cannot be made within 72 hours, the reason for the delay must be indicated, and the required information must be provided without further undue delay, even in stages if necessary.
The National Authority for Data Protection and Freedom of Information operates a dedicated electronic system on its website through which data breach notifications can be submitted.
The data controller maintains a record of data breaches, including:
the facts related to the breach
its effects
the measures taken to remedy the breach.
The record must also include:
the causes of the breach
the events surrounding the breach
the categories of personal data affected
the consequences and impacts of the breach
the corrective measures taken
the conclusions of the data controller (e.g., why the breach was not reportable, or the reason for delayed reporting).
It is not necessary to notify the supervisory authority if the breach is unlikely to result in a risk to the rights and freedoms of natural persons.
If the data breach is likely to result in a high risk to the rights and freedoms of the partners or clients of the data controller, the affected persons shall be informed without undue delay.
The notification must clearly and understandably describe:
the nature of the data breach
the most important information about the breach
the measures taken to address it.
The affected persons do not need to be informed if any of the following conditions apply:
the data controller has implemented appropriate technical and organizational protection measures, especially measures that render the personal data unintelligible to unauthorized persons (such as encryption);
the data controller has taken subsequent measures ensuring that the high risk to the rights and freedoms of the data subject is no longer likely to materialize;
the notification would require disproportionate effort, in which case public communication or a similar measure ensuring equally effective information must be used.
The most important legal regulations related to data processing are:
Act CXII of 2011 on the Right of Informational Self-Determination and Freedom of Information (Info Act)
Regulation (EU) 2016/679 of the European Parliament and of the Council (27 April 2016) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation – GDPR)
Act V of 2013 on the Civil Code
Act CXLVII of 2012 on the Itemized Tax for Small Taxpayers and the Small Business Tax.
In the event of a violation of their rights, the data subject may bring legal proceedings against the data controller before a court.
The court shall proceed with the case as a matter of priority.
Complaints may be submitted to the National Authority for Data Protection and Freedom of Information (NAIH):
Name:
National Authority for Data Protection and Freedom of Information
Registered Office:
1125 Budapest, Szilágyi Erzsébet fasor 22/C
Postal Address:
1530 Budapest, Pf.: 5.
Phone:
+36 1 391 1400
Fax:
+36 1 391 1410
Email:
ugyfelszolgalat@naih.hu
Website:
http://www.naih.hu
For data processing activities not listed in this Privacy Notice, information will be provided at the time of data collection. In such cases, the applicable legal regulations shall be considered governing.
The data controller hereby informs its clients and partners that courts, prosecutors, investigating authorities, administrative authorities, the National Authority for Data Protection and Freedom of Information, the Hungarian National Bank, and other authorities authorized by law may request information, data disclosure, data transfer, or the provision of documents.
The data controller shall provide personal data to such authorities only to the extent strictly necessary for achieving the purpose specified in the request.
Further information on data protection rights referenced in this Privacy Notice is available on the website of the Data Protection Authority.
Hatvan, 01 January 2026
Szilveszter Aranyi
Sole Proprietor
(Data Processing Register)
| No. | Description of Personal Data Processing | Purpose of Processing | Legal Basis | Data Retention Period |
|---|---|---|---|---|
| 1 | Personal data of private individuals or sole proprietors requesting quotations (name, email address, phone number) | Providing quotations and maintaining contact | Contract establishment (GDPR Article 6(1)(b)) | If the offer is rejected, data are deleted immediately, but no later than within 3 working days |
| 2 | Personal data of contact persons of legal entities during quotation requests | Providing quotations and maintaining contact | Consent of the data subject (GDPR Article 6(1)(a)) | Immediately upon withdrawal of consent or within 3 working days if the offer is rejected |
| 3 | Personal data obtained during contractual relationships (name, address, email, phone number, tax number) | Contract performance | Contract performance (GDPR Article 6(1)(b)) and legal obligation (GDPR Article 6(1)(c)) | Within 30 days after the expiry of the legal retention period (5 years) |
| 4 | Personal data of contact persons of legal entities during contractual relationships | Contract performance and communication | Consent of the data subject (GDPR Article 6(1)(a)) | Upon withdrawal of consent or within 10 working days after termination of the contract |
| 5 | Personal data appearing on invoices issued to customers | Compliance with legal obligation | Legal obligation (GDPR Article 6(1)(c)) | Within 30 days after the expiry of the legal retention period (5 years) |
| 6 | Personal data related to incoming emails and telephone numbers | Contract performance or consent-based processing | Contract performance (GDPR Article 6(1)(b)) or consent (GDPR Article 6(1)(a)) | Within 10 working days after completion of the task or within 3 working days after withdrawal of consent |
| 7 | Personal data of suppliers, service providers or subcontractors (private individuals or sole proprietors) | Contract performance | Contract performance (GDPR Article 6(1)(b)) | Within 30 days after the expiry of the legal retention period (5 years) |
| 8 | Personal data of contact persons of supplier companies or subcontractors | Contract performance and communication | Consent of the data subject (GDPR Article 6(1)(a)) | Upon withdrawal of consent or within 10 working days after contract termination |
| 9 | Personal data contained in job applicants’ CVs | Filling the advertised position or potential future vacancies | Consent of the data subject (GDPR Article 6(1)(a)) | Immediately deleted if the application is unsuccessful unless consent for longer storage is provided |
| 10 | Personal data obtained during complaint handling | Identification and handling of complaints | Legal obligation (GDPR Article 6(1)(c)) | Within 30 days after the expiry of the legal retention period (5 years) |
