Privacy Notice

Effective: from 2025.06.05.

  1. Introduction

SDM Service Kft. (hereinafter: the “Controller” or the “Service”) is committed to protecting the personal data of its customers and website visitors (hereinafter together: the “Data Subject”). The purpose of this Privacy Notice (hereinafter: the “Notice”) is to provide transparent and clear information about the data processing activities carried out by the Controller, in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation – GDPR) and Act CXII of 2011 on the Right to Informational Self-Determination and on Freedom of Information (Infotv.).

Please read this Notice carefully to understand how we process your personal data and what rights you have in this regard.

  1. Name and contact details of the Controller
  • Name: SDM Service Kft.
  • Registered office: 2096 Üröm, Szikla u. 21.
  • Company registration number/Trade register number: 13 09 237450
  • Tax number: 32459496-4-13
  • Group identifier: 17784306-5-13
  • Representative: Süle Dániel
  • Telephone: +36 70 392 0369
  • E-mail:daniel@sdmservice.hu
  • Website: sdmservice.hu
  1. Categories of personal data processed, purpose, legal basis and duration of processing

The Controller processes personal data in relation to the following activities:

3.1. Video surveillance

  • Purpose of processing: The purpose of operating the camera system placed on the Controller’s premises (customer waiting area, office, internal areas of the workshop, external areas of the workshop, parking lot) is the protection of human life, physical integrity, personal liberty, trade secrets, and property (protection of the property of both the Controller and the Data Subjects), as well as the prevention and detection of unlawful acts, apprehension of offenders, and the documentation of violations.
  • Legal basis of processing: The2 Controller’s legitimate interest (Article 6(1)(f) GDPR), which relates to the protection of the Controller’s and its customers’ property, maintaining a safe working environment, and the prevention and detection of unlawful acts. The Controller has carried out a legitimate interest assessment. Notice of the fact of video surveillance and the location of cameras (pictogram and text warning) has been placed in a clearly visible location.
  • Categories of personal data processed: The image and other recorded personal characteristics and behaviour of individuals within the cameras’ field of view, as well as vehicle licence plate numbers.
    Duration of processing: Recordings are retained for a maximum of 30 working days from the date of recording. If a recording is used as evidence in court or other authority proceedings, the retention period is extended until the final closure of the proceedings.
  • Data disclosure: Access to the recordings is restricted to authorised persons only. Upon official request from authorities, recordings may be released.

3.2. Invoicing

  • Purpose of processing: Issuing invoices for services provided and products sold by the Service, and fulfilling accounting and tax law obligations.
  • Legal basis of processing: Compliance with a legal obligation (Article 6(1)(c) GDPR), in particular pursuant to Act C of 2000 on Accounting and Act CXXVII of 2007 on Value Added Tax.
  • Categories of personal data processed:
    • For individual (natural person) customers: name, address, telephone number, e-mail address.
      For contact persons of legal entities or sole proprietors: contact person’s name, e-mail address, telephone number, address.
    • For legal entities or sole proprietors: company name, registered office, tax number, telephone number, e-mail address.
    • Details of the service/product listed on the invoice, quantities, value, payment method.
    • Duration of processing: Issued invoices must be retained for at least 8 years pursuant to Section 169(2) of Act C of 2000 on Accounting.

3.3. Website  (www.sdmservice.hu)

During the operation of the Controller’s website, the following data processing may occur:

3.3.1. Contact via the website (e.g. contact form, e-mail)

  • Purpose of processing: Enabling contact initiated by the Data Subject, answering questions, providing information, appointment scheduling.
  • Legal basis of processing: The Data Subject’s voluntary consent (Article 6(1)(a) GDPR), which is given by completing and submitting the contact form or by sending an e-mail; and steps taken at the request of the Data Subject prior to entering into a contract (Article 6(1)(b) GDPR).
  • Categories of personal data processed: Name, e-mail address, telephone number, subject and content of the message, and where relevant to the inquiry, basic vehicle data.
  • Duration of processing: Until the purpose of the inquiry is fulfilled or the question is answered, or until the Data Subject withdraws consent, or until the expiry of any claims arising from a potential contractual relationship.

3.3.2. Cookies management

  • Purpose of processing: Ensuring the proper functioning of the website, improving user experience, and analysing website usage.
  • Legal basis of processing: For strictly necessary cookies (essential session cookies), the Controller’s legitimate interest (Article 6(1)(f) GDPR) to ensure the proper functioning of the website. For all other cookies (e.g. statistical, marketing), the Data Subject’s voluntary consent (Article 6(1)(a) GDPR), which can be given via the cookie banner displayed on the website.
  • Categories of personal data processed: Browsing data, IP address (anonymised or full, depending on the cookie type), browser type, operating system, time of visit, pages viewed.
  • Duration of processing: Depending on the type of cookie: until the end of the session (session cookies) or for a longer, specified period.
  • Detailed information: For detailed information on the cookies used on the website, their function, retention period, and how to withdraw consent, please refer to the separate Cookie Notice available at [https://sdmservice.hu/suti-kezeles/].

3.4. Quotation

  • Purpose of processing: Preparing a personalised quotation at the Data Subject’s request for services to be provided or products to be sold by the Service.
  • Legal basis of processing: Steps taken at the request of the Data Subject prior to entering into a contract (Article 6(1)(b) GDPR).
  • Categories of personal data processed: Name, telephone number, e-mail address, home address (if necessary), data of the vehicle to be repaired/serviced (make, model, year, licence plate number, chassis number), description of the requested service.
  • Duration of processing: For the validity period of the quotation, and if the quotation is accepted, then as part of the contractual data according to the retention periods applicable to work orders and invoices. If the quotation is not accepted, for 1 year from the date of the request, in order to handle potential later inquiries or legal disputes.

3.5. Management of work orders

  • Purpose of processing: Documentation of ordered repair and maintenance services, tracking the workflow, recording the work performed and materials used, quality assurance, and preparation of documentation forming the basis for invoicing.
  • Legal basis of processing: Performance of a contract (Article 6(1)(b) GDPR) concluded between the Data Subject and the Controller for the use of the repair/servicing services.
  • Categories of personal data processed: Name, address, telephone number, e-mail address, data of the vehicle to be repaired/serviced (make, model, year, licence plate number, chassis/VIN, odometer reading), description of the fault, list of works performed and parts used, times of intake and handover, the Data Subject’s signature.
  • Duration of processing: Taking into account the general limitation period under Act V of 2013 on the Civil Code (5 years) and the period for enforcing warranty/guarantee claims. If the work order forms part of the accounting records, 8 years under the Accounting Act. (The longer period shall apply.)
  1. Use of processors

To perform its activities, the Controller may use data processors. The Controller engages only those processors who provide adequate guarantees of compliance with the GDPR requirements3 and implement appropriate technical and organisational measures to protect the rights of Data Subjects.4

Main processors engaged by the Controller:

  • Accounting services provider: VRG Varga&Varga Könyvelő és Tanácsadó Kft., address: 1074 Budapest, Dohány utca 12-14. 7th floor
    • with respect to invoicing and accounting data.
  • Web hosting provider: Euroszoft Informatikai Kft., address: 9081 Győrújbarát, Fő u. 35/7.
    • with respect to storage of data collected via the website.
  • Service software/CRM provider: Carsup Kft., address: 2120 Dunakeszi, Mikes Kelemen utca 12.
    • with respect to electronic management of work orders and customer data.
  • Camera system maintenance: Patent Biztonságtechnika Kft., address: 9024 Győr, Mécs László utca 7.
  • E-mail service / Mail system: Euroszoft Informatikai Kft., address: 9081 Győrújbarát, Fő u. 35/7.

Data is transferred to processors only to the extent necessary to achieve the above purposes. The Controller ensures that processors process data solely in accordance with the Controller’s instructions and apply appropriate data security measures.

Data transfers to third countries: Personal data are not transferred to third countries or international organisations.

  1. Data security measures

The Controller implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk,5 including6 but not limited to:

  • Restricting access to personal data and managing access rights.
  • Protecting IT systems (e.g. firewalls, antivirus software, password protection).
  • Secure storage of paper-based records (e.g. lockable cabinets).
  • Strict regulation of access to camera recordings.
  • Procedures for preventing and handling data protection incidents.
  • Increasing employees’ awareness of data protection.
  1. Rights of Data Subjects

The Data Subject has the right to request from the Controller access to, rectification or erasure of personal data concerning them, or restriction of processing, and to object to such processing, as well as the right to data portability.7

  • Right of access: The Data Subject has the right to obtain confirmation as to whether or not personal data concerning them are being processed, and, where that is the case, access to the personal data and information related to their processing.
  • Right to rectification: The Data Subject has the right to obtain the rectification of inaccurate personal data concerning them and the completion of incomplete data.
  • Right to erasure (“right to be forgotten”): The Data Subject has the right to obtain the erasure of personal data where the processing no longer has a legal basis or where other statutory conditions apply.
  • Right to restriction of processing: The Data Subject has the right to obtain restriction of processing where they contest the accuracy of the data, the processing is unlawful, the Controller no longer needs the data, or the Data Subject has objected to processing.
  • Right to data portability: Where processing is based on consent or a contract and is carried out by automated means, the Data Subject has the right to receive the personal data concerning them, which they have provided to the Controller, in a structured, commonly used and machine-readable format, and to transmit those data to another controller.
  • Right to object: The8 Data Subject has the right to object to the processing of their personal data where the processing is based on the Controller’s legitimate interest (e.g. video surveillance). In such cases, the Controller shall no longer process the personal data unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the Data Subject, or for the establishment, exercise9 or defence of legal claims.
  • Right to withdraw consent: Where processing is based on consent (e.g. website contact, non-essential cookies), the Data Subject has the right to withdraw their consent at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

The Data Subject may exercise the above rights via the contact details provided in Section 2. The Controller shall inform the Data Subject of the measures taken within one month of receipt of the request. Where necessary, this deadline may be extended by a further two months.

  1. Remedies

If the Data Subject considers that the Controller has infringed applicable data protection provisions in the processing of their personal data, they may lodge a complaint with the National Authority for Data Protection and Freedom of Information (NAIH):

  • Name: Nemzeti Adatvédelmi és Információszabadság Hatóság
  • Address:10 1055 Budapest, Falk Miksa utca 9-11.
  • Postal address: 1363 Budapest, Pf. 9.
  • Telephone: +36 (1) 391-1400
  • E-mail: ugyfelszolgalat@naih.hu11
  • Website: https://naih.hu

The Data Subject also has the right to bring the matter before the courts in case of an infringement of their rights. Proceedings are governed by Act V of 2013 on the Civil Code and Act CXXX of 2016 on the Code of Civil Procedure.12 The action—at the choice of the Data Subject—may also be brought before the competent tribunal at the Data Subject’s place of residence or stay.

  1. Amendment of the Notice

The Controller reserves the right to unilaterally amend this Notice. The amended Notice will be published on the Controller’s website, and where necessary, Data Subjects will be informed by other means as well. We recommend that you regularly check the current version of the Notice.

  1. Entry into force

This Privacy Notice enters into force on 2025.06.05.