Privacy policy

Cromo Foundation

On 25 May 2018, the European Union's new data protection regulation (the GDPR) came into force.


The Cromo Foundation is committed to protecting your privacy. The processing of personal data provided by our clients is a key part of our work. We take privacy very seriously and are committed to respecting your personal data and privacy, as it is in our interest to put our clients at the centre of everything we do.

We want you to know that your personal data is safe with us.

We aim to be transparent with our customers.

We make sure that they are aware of how their personal data is used so that we can provide them with better and more personalised services. This will ensure that we can stay in touch with you after 25 May 2018.

1. The Cromo Foundation is committed to protecting the privacy of data subjects who contact it and to providing them with adequate information about the processing of their personal data (transparency of its personal data processing).

1.1. In our privacy notice we explain that,

  • what entitles the Cromo Foundation to process the data (legal basis),
  • what data we process,
  • for what purpose we process the data and for what we use it (purpose of processing),
  • for how long we process the data (duration of processing),
  • whether we use a data processor,
  • who can access the data,
  • what rights data subjects have in relation to their data,
  • what legal remedies are available to them.

This information may vary depending on the purpose for which the data subject provided it. At the Cromo Foundation, we process data for many purposes. Some of these purposes are defined by law, while without other purposes we would not be able to provide our services as our customers expect.

As data subjects contact the Cromo Foundation for a service, the different information in this notice is grouped by services and cases to help them understand what data we process when they contact us.

Data subjects are informed that information on the specific processing carried out by the Cromo Foundation can be found in the specific information made available at the time of or before the data collection (for example, in the Privacy Notice available on the website).

We consider it important to draw the attention of persons providing data to the Cromo Foundation (data providers) to the fact that if they do not provide their own personal data, the data provider is obliged to obtain the consent of the data subject.


The Cromo Foundation is the data controller in respect of all the data processing operations covered by this notice.


  • Name: Cromo Foundation
  • Mail: 1115 Budapest, Csóka 9.
  • Phone: +36 30 284 5332
  • In person: 1115 Budapest, Csóka utca 9.

The Privacy Notice is available online at under the Privacy section.


Cromo Foundation registration, contact by email, newsletter, form

3.1. What entitles the Cromo Foundation to process the data?

Cromo Foundation is entitled to process the personal data of the data subjects in the following ways when offering, selecting, ordering training courses and services, carrying out research and surveys in projects:

  • The consent of the data subject, which consists in providing his/her personal data to the Cromo Foundation in order to provide the service he/she has ordered, to receive the requested newsletters, to participate in the free programs, to receive system messages [with consent under GDPR)
  • If the personal data have been collected with the consent of the data subject, the controller shall, unless otherwise provided by law,
  • To comply with a legal obligation to which it is subject, or
  • It may be processed by the controller or by a third party for the purposes of the pursuit of a legitimate interest, where such interest is proportionate to the restriction of the right to the protection of personal data, without further specific consent and even after the withdrawal of the data subject's consent.

3.2. What kind of data do we process?

  • Name of person concerned - For ordering services, contacting, database management, participation in events
  • Address of the person concerned - For ordering services, contacting, database management, participation in events
  • Age of the person concerned - For contacting, database management, participation in events
  • Billing address - To conclude a contract, attend events, make a purchase
  • Tax number - To conclude a contract, attend events, make a purchase
  • Business registration number - To conclude a contract
  • Bank account number - To conclude a contract
  • Name of representative - To conclude a contract
  • Email - For contacts, database management, participation in events, shopping
  • Phone number - For contacts, database management, participation in events, shopping
  • Municipality - Database construction, market research, statistics, event participation, shopping
  • Area of operation - Database construction, market research, statistics
  • Number of people employed - Database construction, market research, statistics
  • Annual revenue - Database construction, market research, statistics

3.3. For what purposes do we process the data?

  • Through website and email enquiries, ordering the selected service and reaching out to data subjects to discuss it, sending newsletters, sending offers. We need to process the data in order to deliver the ordered services to the customer.
  • To account for and subsequently verify the performance of the services ordered. The data are necessary to be able to confirm payments related to the fulfilment of orders and to verify the fulfilment.
  • To meet requests for data from various public authorities. Transmissions for reports to KSH, NAV.

3.4. For how long do we keep the data?

The duration of the processing of personal data is, on the one hand, for the case when you register as a data subject in our system, in which case the retention period is until the customer requests its deletion or until the company is operational. For personal data relating to invoices, the retention period is 8 years, as required by the Accounting Act.

3.5. Do we use a data processor?

The Cromo Foundation does not use a data processor to order its services.

3.6. Is there a data transfer?

There is no transfer of data in case of payment for the services of the Cromo Foundation.

3.7. Who has access to the data?

The Cromo Foundation processes personal data in such a way that only those who have access to it are allowed to do so in order to provide the service to you. The Cromo Foundation regularly monitors its internal operations and the regularity of its work through its designated departments, and therefore the data may also be accessed by the colleagues carrying out the monitoring (adult education manager, data protection expert), if it is necessary for the performance of the monitoring.

We have a legal obligation to provide data to the court, the prosecution, the investigating authority, the administrative authority, the National Authority for Data Protection and Freedom of Information, or other bodies authorised by law (e.g. Pest County Government Office) upon their request or for the purpose of external (official) control, or to allow access to them. We are obliged to cooperate with bodies specialised in the prevention and detection of criminal offences and in the collection of confidential information.

The Cromo Foundation will provide or grant access to personal data to these bodies only to the extent and to the extent strictly necessary and appropriate for the purpose of the request, provided that the precise purpose and scope of the data have been specified.

4. Other data processing

Information on data processing not listed in this notice is provided at the time of collection.

5. Data security

The Cromo Foundation, through its organisational units, takes all security, technical and organisational measures to guarantee the security of the data.

5.1. Organisational arrangements

Within the Cromo Foundation, the functions of data protection, IT security, security and confidentiality, and the operation and development of IT systems are organisationally separate and independent.

When implementing IT developments at the Cromo Foundation, the opinions of the internal data protection officer and the IT security unit must be sought at the planning stage in order to ensure that IT security and data protection aspects are taken into account.

The Cromo Foundation grants access to its IT systems with rights that are linked to the individual. The principle of necessary and sufficient rights applies to the allocation of access, i.e. each user may use the Company's IT systems and services only to the extent necessary for the performance of his/her job, with the corresponding rights and for the necessary duration. Access to IT systems and services is restricted to persons who are not restricted for security or other reasons (e.g. conflict of interest) and who have the professional, business and information security skills necessary to use them safely. We follow internationally accepted practices and recommendations in the operation of our IT systems, in particular in incident management, change management and development. Cromo Foundation also organises its internal operations through internal policies. We seek the prior opinion of a data protection expert on the internal rules for processes involving the processing of personal data, both when they are established and when they are amended. All employees of the Cromo Foundation agree to strict confidentiality rules in a written declaration at the time of employment and are bound by these confidentiality rules in the course of their work. It is a requirement that documents containing personal data are not left on desks after work and are locked by employees to prevent unauthorised access.

5.2. Technical measures

The Cromo Foundation protects the buildings it uses, their premises and therefore the data handled, processed and stored there, with various security systems (alarms).

The Cromo Foundation stores the data, with the exception of data stored by its data processors, on its own equipment in a data centre. The Cromo Foundation stores the IT tools storing the data on a separate, locked server, protected by a multi-level access control system with authorisation control.

The Cromo Foundation protects its internal network with multiple layers of firewall protection. The entry points to the public networks used are always equipped with hardware firewalls (border protection devices). The Cromo Foundation stores data redundantly, i.e. in multiple locations, to protect it from destruction, loss, damage or unlawful destruction due to IT equipment failure.

We protect our internal networks from external attacks with multi-layered, active, complex malware protection (e.g. virus protection). We do our utmost to ensure that our IT tools and software are always in line with the technological solutions generally accepted in the market.

We are developing systems that use logging to control and monitor operations and detect incidents such as unauthorised access.

The Cromo Foundation also destroys data on paper at the end of the retention period in accordance with the data protection requirements.

6. What rights do you have over your data?

Your rights

It is important for us that you are aware of your data protection rights. To this end, we have set out below a non-exhaustive list of the data protection rights you have in relation to the data you entrust to us.

6.1. Right to withdraw consent: where you have given your consent to the use, processing or sharing of your personal data, you may withdraw your consent at any time, provided that the data is not necessary for the provision of the service.

6.2. Right of access to your data: you have the right at any time to be adequately informed by contacting us whether your personal data is being processed and, if so, you have the right to access and request a copy of your personal data held by us and to be informed of how we process your personal data.

6.3. The following information will be provided:

  • the purpose of the processing,
  • what personal data are concerned,
  • who are the recipients of the data transferred,
  • request the rectification, erasure or restriction of the data and object to the processing,
  • the storage period,
  • if the data have been obtained from a 3rd party, the right to receive all relevant information.

6.4. Right to rectification:

You have the right to have inaccurate data corrected or supplemented by the Cromo Foundation without undue delay at your request.

6.5. Right to erasure: You may request that we erase without undue delay certain of your personal data held by us where:

  • We no longer need that data;
  • You withdraw your consent to the processing of certain data;
  • You object to the processing of your personal data,
  • You withdraw your consent to the processing of personal data where you object to the processing of your personal data and we need to delete it to comply with a legal obligation imposed on us by law;
  • You have a concern about the legal basis for our processing of your data.

6.6. Right to restriction of processing: If you have questions or concerns about the accuracy, fairness or lawfulness of our processing of your personal data, you may request the restriction of certain of our processing activities.

You can also request a restriction if we no longer need your data but you, as the data subject, require it to establish, exercise or defend a legal claim. You may also request restriction if you contest the legal basis for processing based on legitimate interest. During the restriction, no processing operations may be carried out, only storage of the data. The Cromo Foundation will inform you in advance of the lifting of the restriction.

6.7. Legal remedies and complaints may be lodged with the National Authority for Data Protection and Freedom of Information: National Authority for Data Protection and Freedom of Information

  • Location: 1055 Budapest, Falk Miksa utca 9-11
  • Mailing address: 1363. Budapest, Pf.: 9.
  • Phone number: +36-1-391-1400
  • Fax: +36-1-391-1410
  • Email: 
  • Website:

6.8. Enforcement of court judgments

The controller must prove that the processing is in compliance with the law. It is for the recipient to prove the lawfulness of the transfer. It is for the courts to decide on the action. The action may also be brought before the courts for the place where the data subject resides or is domiciled, at the choice of the data subject. A person who does not otherwise have legal capacity may be a party to the proceedings. The Authority may intervene in the proceedings in order to ensure that the person concerned is successful. If the court upholds the application, the controller shall be ordered to provide the information, rectify, block or erase the data, annul the decision taken by automated processing, take account of the data subject's right to object or disclose the data requested by the data subject. If the court rejects the data subject's request, the controller shall erase the personal data of the data subject within 3 days of the notification of the judgment. The controller shall also be obliged to delete the data if the data subject does not apply to the court within the time limit. The court may order the publication of its judgment by publishing the controller's identification data if the interests of data protection and the protected rights of a large number of data subjects so require.

6.9. Compensation and damages

If the data controller causes damage to another person by unlawful processing of the data subject's data or by breaching data security requirements, the data controller must compensate the damage. If the controller infringes the data subject's right to privacy by unlawfully processing his or her data or by breaching data security requirements, the data subject may claim damages from the controller. The controller shall be liable to the data subject for the damage caused by the processor and the controller shall also pay the data subject the damages due to the data subject in the event of a personal data breach caused by the processor. The controller shall be exempted from liability for the damage caused and from the obligation to pay the damage fee if it proves that the damage or the infringement of the data subject's personality rights was caused by an unforeseeable cause outside the scope of the processing. No compensation or damages shall be payable where the damage or injury to the personality right of the data subject was caused by the intentional or grossly negligent conduct of the data subject.

6.10. Where can I contact the Cromo Foundation to exercise my rights?

Information, rectification, blocking, deletion or objection to the processing of personal data can be notified at any time to the following contact details:

  • Name: Cromo Foundation
  • Mail: 1115 Budapest, Csóka 9.
  • Email:
  • Phone: +36 30 284 5332
  • In person: 1115 Budapest, Csóka utca 9.

Budapest, 25 May 2018.

Ildikó Simon, Chair of the Board of Trustees