MITIGIA CARBONZrt.

Privacy Notice

Effective as of 23rd of September 2024

 

Mitigia Carbon Zrt. (hereinafter: "Data Controller") aims to help green investors in electromobility monetise their green investments on the Voluntary Carbon Market based on its proprietary know-how and related carbon credit generating and trading applications (hereinafter: “Mitigia Services’). This Privacy Notice outlines how the Data Controller collects and processes personal data to support this objective.

 

1. General Information

Data Controller: Mitigia Carbon Zrt. (registered office: Hungary 2800 Tatabánya, Szent Borbála tér 6./C.; registration number: 11-10-001772, tax number: 27964671-2-11).

Data Processor: means a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.

Data Subject: Data Subject shall mean any natural person whose Personal Data is collected, stored, processed, or otherwise used by the Data Controller.

Personal Data: means any information relating to the Data Subject.

   1.1. The Data Controller acknowledges the contents of this Privacy Notice as binding. The Data Controller undertakes to ensure that any processing of data complies with the requirements set out in this Privacy Notice and the applicable law.

   1.2. The Personal Data of the Data Subject shall be processed exclusively by the Data Controller with the assistance of the data processors indicated in this Privacy Notice. The Personal Data will be processed exclusively in Hungary, in another EEA state or in another third country where an adequate level of protection of personal data is ensured. The Data Controller shall not transfer Personal Data processed to any person other than the Data Processor identified in this Privacy Notice.

   1.3. The Data Controller is committed to the protection of the Data Subject’s personal data. The Data Controller treats Personal Data confidentially and takes all security, technical and organisational measures to ensure the security of the data.

   1.4. Data Controller’s data processing principles are in harmony with the relevant data protection regulations as effective, including but not limited to the following:

  • The Constitution of Hungary (Freedom and Responsibility, Article VI);

  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation – “GDPR”);

  • Act No. CXII of 2011 on the right to informational self-determination and on informational freedom (“Info Act”);

  • Act No. V of 2013 on the Civil Code.

   1.5. The Data Controller reserves the right to change the Privacy Notice, which will be communicated in accordance with the legislation in force.

   1.6. In case of any question regarding the Privacy Notice or the Data Controller’s data processing, the Data Subject should contact the Data Controller at the info@mitigia.com email address or in person at the Data Controller’s above-mentioned seat.

 

2. Data Processing

   2.1. The Data Controller strives to limit its Personal Data processing activity to what is absolutely necessary. Nonetheless, the processing of some Personal Data is inevitable. The Data Controller processes the Personal Data that the Data Subject provides. The Data Controller processes the following Personal Data for the purposes and on the legal basis detailed below:

  • Purpose of the data processing: Collecting Personal Data to contact the Data Subjects.

  • List of processed Personal Data: Name, email address, telephone number, written communication.

  • Legal basis for the data processing: Data Subject’s consent.

  • Duration of data processing: Data will be deleted 365 days after receiving it.

 

3. Other data processing

   3.1. The Data Controller may occasionally perform other Personal Data processing. Information about any data processing not mentioned in this Privacy Notice will be supplied on the data collection.

   3.2. The Data Subject is informed that the court, the public prosecutor, the criminal investigation authority, the infringements authority, the public administration authority, the National Data Protection and Informational Freedom Authority of Hungary (“NAIH”), as well as other authorities authorised by legal regulation may request information, data and documents from the Data Controller, who will grant such requests to the extent it is required by the relevant legal regulations. The Data Controller will disclose Personal Data to the authorities only to the extent it is indispensable for the fulfilment of the authorities’ meticulously detailed request for information as regards the scope and purpose of information.

 

4. Processing of third parties’ data

   4.1. If the Data Subject provides personal data from third parties, the Data Subject must have the required consent or other legal basis to share the personal data with the Data Controller and inform the Data Controller of any change or update relating to them. All Data Subjects should refrain from providing third parties’ data unless it is necessary to comply with the contract with the Data Controller. Data Subject is fully liable for these third parties’ personal data processing.

 

5. Data Processors

   5.1. The Data Controller assigns the following Data Processor during its data processing activity:

  • HubSpot Inc. (seat: 2 Canal Park, Cambridge MA 02141, registration number: 254900T33M22DDVUKY52): providing hosting for the Data Controller’s webpage https://mitigia.com

  • Amazon Web Services EMEA Sarl (seat: 38 Avenue John F. Kennedy L-1855 Luxembourg, registration number: B186284): provision of the Data Controller’s IT environment necessary for the cloud-based operations of Mitigia Services available at https://app.mitigia.com/login, through which the necessary customer data can be stored and displayed

  • Microsoft Ireland Operations Limited (seat: One Microsoft Place, South County Business Park, Leopardstown, Dublin 18 D18 P521, registration number: 549300WCLFVEBTBNRF7): provision of the Data Controller's office IT environment and, in this context, cloud-based storage of electronic mail and collaborative space on SharePoint that may contain customer data

  • Atlassian Pty Ltd (seat: Level 6, 341 George St, Sydney NSW 2000, Australia, registration number: ABN53102443916): customer data may also be displayed in connection with the provision of JIRA and Confluence cloud-based project and IT development documentation systems provided to the Data Controller

  • Meta Ireland Limited (seat: Dublin Ballsbridge Campus, Dublin 4, Ireland, registration number: BQ4BKCS1HXDV9HN80Z93): records, processes and transmits customer data to the Data Controller through its marketing communication platforms

  • LinkedIn Ireland Unlimited Company (seat: Wilton Place, Dublin 2, Ireland, registration number: 549300RZ6VN2Y8WIYZ07): records, processes and transmits customer data to the Data Controller through a marketing communication platform

  • Google Ireland Limited (seat: Gordon House, Barrow Street, Dublin 4, Ireland, registration number: YYPPRNO5HB304LHFVG31): records, processes and transmits customer data to the Data Controller through a marketing communication platform

  • OurOffset Nonprofit Kft. (seat: 9600 Sárvár, Alkotmány utca 69. 1. em. 8., registration number: 18-09-114028) customer data may also be displayed in connection with the provision of Carbon Credit Registry services provided to the Data Controller for registration of carbon credits on the Voluntary Carbon Market

  • Green Cross Hungary Association (seat: 1023 Budapest, Frankel Leó út 42-44., registration number: 01-02-0006012) customer data may also be displayed in connection with the provision of Validation and Verification services provided to the Data Controller for verification of carbon credits on the Voluntary Carbon Market.

 

6. Data Security

   6.1. The Data Controller treats the Data Subject’s Personal Data confidentially, therefore Data Controller has adopted the technical and organisational measures necessary to ensure the security of Personal Data and avoid their accidental or unlawful destruction, loss, alteration, processing or unauthorised access, given the state of the technology, the nature of the stored data and the risks to which they are exposed, whether they come from human action or from the physical or natural environment. The Data Controller selects and/or operates the IT equipment and IT background used to process personal data with respect to the contractual relationship in such a way that the processed data:

  • is available to authorised persons (availability);

  • authenticity and authentication are ensured (authenticity of data processing);

  • integrity can be proven (integrity of data); and

  • is protected against unauthorised access (confidentiality of data).

 

7. Rights and remedies

   7.1. The Data Subject has a right to:

  • access the personal data: Upon the Data Subject’s request, the Data Controller supplies information about the Data Subject’s data processed by the Data Controller as data controller and/or processed by a data processor on the Data Controller’s behalf if any of the conditions stipulated in Article 15 of GDPR is fulfilled.

  • request the rectification of the personal data: The Data Controller rectifies the Data Subject’s personal data if such data is inaccurate or incomplete while the correct personal data is available to the Data Controller.

  • request the erasure of the personal data (right to be forgotten): The Data Controller erases any and all personal data if any of the conditions stipulated in Article 17 of GDPR is fulfilled.

  • restriction of processing: The Data Subject obtains from the Data Controller the limitation of the data processing if any of the conditions stipulated in Article 18 of GDPR is fulfilled.

  • data portability: The Data Subject receives the personal data concerning him or her, which he or she has provided to the Data Controller, in a structured, commonly used and machine-readable format, if the processing is based on a consent or contract and it is carried out by automated means.

   7.2. The Data Controller provides information on action taken on the Data Subject’s request sent to the contact person specified in Section 6. without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, considering the complexity and number of the requests. The Data Controller informs the Data Subject of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the Data Subject makes the request by electronic means, the information will be provided by electronic means where possible, unless otherwise requested by the Data Subject. If the Data Controller does not act on the Data Subject’s request, the Data Controller will inform the Data Subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

   7.3. Data Subject’s right to remedy:

  • filing a complaint with the authority: Without prejudice to any other administrative or judicial remedy, Data Subject may, in the event of an infringement of his or her rights, file a complaint with the data protection authority (NAIH: address: H-1125 Budapest, Szilágyi Erzsébet fasor 22/c.; Tel.: +36 1 391 1400, Fax: +36 1 391 1410, email: ugyfelszolgalat@naih.hu; website: https://naih.hu/index.html).

  • filing a complaint with the court: Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority, Data Subjects have the right to an effective judicial remedy where he or she considers that his or her rights have been infringed as a result of the processing of his or her Personal Data in non-compliance with the data protection regulation. The Data Controller is liable for any loss or damage caused by the unlawful processing of the Data Subject’s data or by any violation of applicable data-security requirements. The Data Controller will be exempted from such liability if the loss or damage was caused by circumstances beyond its control and outside the scope of data processing. No compensation shall be paid to the extent that the loss or damage was caused by the Data Subject’s willful or grossly negligent conduct.