Chapter I – General Provisions
GreenFormation Kft. is committed to protecting the personal data of its customers, partners, employees, and research participants. The purpose of this policy is to explain, in a transparent and understandable manner, how we process personal data and what rights data subjects have.
1.1 Subject Matter and Scope of the Policy
The subject matter of this Policy is to regulate the practices of GreenFormation Kft., as the data controller as defined in the General Data Protection Regulation (GDPR) (hereinafter: “Kft.”), regarding the processing of personal data. The scope of this Policy extends to the Kft.’s employees and agents, as well as to all data—regarding both legal entities and natural persons—recorded for the purpose of carrying out the company’s activities.
1.2 Definitions and Interpretive Provisions
Personal data: Any information relating to an identified or identifiable natural person (data subject). This includes any data or information on the basis of which a natural person can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person (GDPR).
Data processing: Any operation or set of operations performed on personal data or on sets of personal data (including collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure, transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction) (GDPR).
Kft.: The legal entity that determines the purposes and means of data processing.
Data Processor: The natural or legal person that processes personal data on behalf of the Kft.
Consent: A freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which the data subject, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her (GDPR).
Data Breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, personal data (GDPR).
1.3 The Company and its contact information
- Data Controller: GreenFormation Kft.
- Registered office: 1121 Budapest, Remete út 10, Building C, Block 2, Ground Floor, Door 5
- Tax ID: 32205314-1-43
- Email: [email protected]
- Data Protection Officer:
1.4 Principles Governing the Processing of Personal Data
GreenFormation Kft. adheres to the following principles when processing personal data:
- Lawfulness: Personal data is processed exclusively in a lawful and fair manner.
- Purpose Limitation: We collect personal data only for specified, explicit, and legitimate purposes.
- Data Minimization: We process only the data necessary for the purposes.
- Accuracy: The data we process is up-to-date and accurate.
- Storage Period Limitation: We store personal data only for as long as necessary.
- Integrity and confidentiality: We ensure the appropriate security of the data.
- Accountability: The Data Controller is responsible for compliance with the principles set forth in the above points, as well as for the ability to demonstrate such compliance.
Chapter II – Scope of Processed Data and Purpose of Data Processing
The Company’s data processing activities are based on voluntary consent or statutory authorization. Under the GDPR, in cases of data processing based on voluntary consent, data subjects may withdraw their consent at any stage of the data processing, and they will be provided with appropriate information regarding this.
2.1 Data of the Company’s Members
The Kft. maintains a registry of the personal data of its members in accordance with the relevant provisions of the Civil Code, part of which is public. Non-public data is processed using appropriate password-protected technical measures. If membership is terminated, the relevant personal data will be deleted within 5 years following the termination.
Scope of personal data processed:
- the member’s name,
- the member’s place and date of birth,
- the member’s address,
- the member’s position,
- the member’s email address.
2.2 Data of Employees/Contractors
The Kft. processes the personal data of individuals who contribute to the company’s operations under an employment relationship or a contract of engagement. The basis for data processing is the relevant provisions of the Labor Code. The listed personal data will be deleted five years after the termination of the employment relationship.
Scope of data processed:
- the employee’s/contractor’s name,
- the employee’s/contractor’s place and date of birth,
- the employee’s/contractor’s mother’s name,
- the employee’s/contractor’s residential address,
- the employee’s/contractor’s educational background,
- the employee’s/contractor’s tax identification number,
- the employee’s/contractor’s social security number,
- the employee’s/contractor’s bank account number,
- the employee’s/contractor’s base salary and job description,
- the duration of the employee’s/contractor’s employment relationship,
- the employee’s/contractor’s place of work and working hours, and
- other data regarding the employee/contractor as specified in Section 26 of Act I of 2012.
2.3 Processing of Personal Data for Research Purposes
In the case of data processing for research purposes, GreenFormation Kft. may collect personal data (e.g., name, contact information such as email address, gender, educational background) provided that appropriate information is provided and consent is obtained. If the purpose of the research is to obtain aggregate data, such data will be collected only in anonymized or pseudonymized form. In addition, the Company ensures that the data cannot be traced back to individual data subjects in accordance with the GDPR, unless the research participants have provided separate consent regarding the use of their personal data by name. If research participants have given consent to the use of their personal data, we process such data in accordance with the terms of that consent and the provisions of the GDPR, ensuring compliance with applicable time limits and data security measures. In all cases, research participants will receive information regarding this (in the form of an “informed research consent” document), which they must approve and sign (digitally) or accept in another manner (e.g., by checking the appropriate boxes in an online questionnaire). The research consent form and the information it contains are essential for participation in the research, and it always describes the types of personal data, the retention period, and the rights of research participants. Approved and collected personal data are always deleted after the date specified in the research consent form. The types of personal data collected and other parameters (e.g., retention period) vary by research project.
2.4 Research Data Ethics and Open Access
In its EU-funded projects, the Company follows the Data Management Plan (DMP) set forth in the Grant Agreements for the management of research data, which must be kept up to date throughout the project’s duration. The Company applies the FAIR principles in the management of research data: data should be findable, accessible, interoperable, and reusable. Non-personal research data—in accordance with Horizon’s Open Science requirements—must be deposited in an open-access repository after the project’s completion, unless restricted by the grant agreement’s confidentiality or intellectual property provisions. Research datasets containing personal data (unless explicit consent has been obtained) may not be published with open access; in such cases, anonymization is a prerequisite for publication. Each project’s DMP is stored in the “admin” subfolder of the project’s Google Drive.
2.5 Partner and Client Data
The company processes personal data (primarily official contact information: name and email address) for the purpose of maintaining contact with business partners and clients. The legal basis for data processing is the performance of a contract or the data subject’s consent. We store this data exclusively in a password-protected email account or on a password-protected Google Drive. The data will be deleted within 5 years of the termination of the business relationship (provided it is not public).
2.6 Website – Cookies and Analytics
GreenFormation Kft. uses cookies on its website to improve the user experience. We use cookies only with the user’s prior consent. Users can change their cookie settings in their browser at any time.
- Types and Purposes of Data Collection: We collect and process data—such as browsing data (IP address, location) and data voluntarily provided by the user—for statistical purposes. Data provided by the user (name, email) is stored solely for the purpose of contacting the user.
- Data retention period: We store data provided by users, such as comments, for an indefinite period. Users may request the deletion of their data at any time.
- Comments and data sharing: We process data from comments left on the website (IP address, browser data) for the purpose of spam detection. Comments are automatically published publicly.
- Cookie Management: The website uses various cookies, such as those for storing login information and user settings. Their duration may vary.
- Embedded Content: The site may also contain embedded content (e.g., videos, images) that may collect data about users.
GreenFormation Kft. uses Google Analytics to analyze website traffic statistics. The company processes the data collected by Google Analytics in an anonymized form and uses it solely to develop the website and improve its services.
2.7 Social Media Platforms
GreenFormation Kft. is also present on various social media platforms. Personal data shared on these platforms is processed in accordance with the respective platform’s own privacy policy; the company assumes no responsibility for such data. The processing of content published on the company’s pages is governed by the provisions of the GDPR and this policy.
2.8 Data Processors
GreenFormation Kft. engages data processors to process personal data. Data processors may process personal data only in accordance with the Kft.’s instructions and are obligated to treat such data confidentially. The Kft. makes the current list of data processors available to data subjects.
Chapter III – Data Security Measures
GreenFormation Kft. selects and operates the IT systems and tools used in the processing of personal data in such a way that the processed data is accessible to authorized persons (availability), its authenticity and reliability are ensured (data processing authenticity), its integrity remains verifiable (data integrity), and it is protected against unauthorized access (data security).
GreenFormation Kft. ensures the security of data processing through technical, organizational, and administrative measures, providing a level of protection commensurate with the level of risk associated with data processing. In particular, data is protected against unauthorized access, alteration, disclosure, deletion, or destruction, as well as against accidental loss, damage, or inaccessibility resulting from defects in the technology used.
To protect the data files processed electronically by GreenFormation Kft., the company ensures that the data stored in its records (unless otherwise provided by law) cannot be directly linked to or traced back to the data subjects.
Data security measures ensure:
- Prevention of unauthorized access to the data processing system,
- Prevention of unauthorized reading, copying, modification, or removal of data storage media,
- Prevention of unauthorized entry, access, modification, or deletion of personal data,
- Prevention of unauthorized use via data transmission devices,
- Access by authorized users of the data controller’s system only to authorized data,
- Traceability of the transfer or disclosure of personal data,
- Verifiability of the time and content of data entry, as well as the identity of the person performing the entry,
- Protection of personal data against unauthorized access, modification, or deletion during transfer or transmission,
- Restorability of the data management system in the event of a malfunction,
- Preparation of reports following system malfunctions, as well as the prevention of data alterations resulting from operational errors.
GreenFormation Kft. regularly reviews the effectiveness of these measures to maintain the security of personal data and updates them as necessary in line with technological advancements.
Chapter IV – Rights of Data Subjects
4.1 Rights and Their Exercise
Pursuant to Chapter III of the GDPR, data subjects are entitled to the following rights: the right to information (prior to the commencement of data processing); the right of access (feedback and a copy of the processed data); the right to rectification (correction of inaccurate or incomplete data); the right to erasure (if the legal basis for data processing no longer applies); the right to restriction of processing (temporary suspension of data processing); the right to data portability; the right to object. Requests to exercise these rights may be submitted via email to [email protected]. GreenFormation Kft. will respond to the request and provide information within 30 days—or within a maximum of 90 days in justified cases.
4.2 Complaint Handling
Complaints regarding data processing may be sent to [email protected]. GreenFormation Kft. will investigate the complaint within 30 days and inform the data subject of the outcome. The data subject is also entitled to file a complaint with the National Authority for Data Protection and Freedom of Information (NAIH, naih.hu) and to bring the matter before a court.
Chapter V – Handling Data Breaches
5.1 Notification of Data Subjects
In the event of a data breach, if the breach is likely to pose a high risk to the rights and freedoms of the natural persons concerned, GreenFormation Kft. shall notify the data subjects without undue delay, but no later than within 72 hours, of the incident and its consequences, as well as the measures taken or planned.
5.2 Notification to the Authority
If the data breach poses a risk to the rights and freedoms of data subjects, GreenFormation Kft. shall report the incident to the National Authority for Data Protection and Freedom of Information (NAIH) within 72 hours of detection. The managing director shall maintain a record of the incidents and the measures taken.
Chapter VI – Final Provisions
6.1 Entry into Force and Review
This policy is effective as of July 1, 2026, and supersedes the original 2023 data protection policy. It is subject to annual review or review upon any amendment to the GDPR or the Infotv. The managing director is responsible for the review and for implementing any necessary amendments. The current version of the policy is available in the password-protected Google Drive folder under “Company Management/Policies.”
Dated: Budapest, June 23, 2026.