Privacy statement
Name of the Data Controller: | BDO Magyarország Vagyonkezelő és Szolgáltató Kft. |
Registered Office: | 1103 Budapest, Kőér utca 2/A, Building C. |
Company Registration Number: | Cg. 01-09-865069 |
Represented by: | Zoltán István Gerendy, Managing Director, acting individually |
Website: | |
Contact Information for Data Protection Matters: | 1103 Budapest, Kőér utca 2/A, Building C |
DATA PROCESSING OPERATIONS COVERED IN THIS NOTICE
The Data Controller is a business entity engaged in audit, accounting, payroll, and related financial, legal, and compliance services, and also organises trainings and conferences in its areas of operation. Its services are presented on its website, where various website functionalities are also operated. As personal data may be processed via or with the aid of the website, the Data Controller provides data subjects with information on such processing activities through this Privacy Notice. In drafting this Notice, particular emphasis was placed on clarity and transparency. Should you have any further queries, please do not hesitate to contact us.
KEY DATA PROTECTION TERMS
Below we define key terms that are essential for understanding this Privacy Notice. General definitions of data protection-related terms can be found in Chapter X of this Notice.
Term | Meaning |
GDPR | Acronym for the General Data Protection Regulation (Regulation (EU) 2016/679) governing the processing and protection of personal data. |
EDPB | Acronym for the European Data Protection Board, which interprets the rules of the GDPR. |
Data Controller | In this Privacy Notice, the Data Controller is BDO Magyarország Vagyonkezelő és Szolgáltató Kft., which plays a key administrative role within the BDO Hungary Group. However, various other entities also form part of the BDO Hungary Group, and depending on the specific field of service, the relevant group member may qualify as the data controller. In this respect, data may also be transferred between group members. |
BDO Hungary Group |
|
Recipient | Any external party (not part of the organisation of the company) to whom personal data is transferred. A recipient may be a data controller or a data processor. A data controller is an entity with autonomous decision-making authority and bears the obligations of a data controller independently. A data processor acts under the direction and instructions of the data controller and may not process personal data for its own purposes. Examples of recipients include software providers for HR systems or IT background services (data processors) or an external lawyer (data controller). |
Data Subject | A natural person whose personal data is processed by the data controller |
Civil Code (Ptk.) | Act V of 2013 on the Civil Code of Hungary. |
Accounting Act | Act C of 2000 on Accounting. |
This Privacy Notice Covers the Following Data Processing Activities:
1. | I. WEB HOSTING SERVICE PROVIDER |
2. | II. COOKIES USED ON THE WEBSITE |
3. | III. GENERAL ENQUIRIES |
4. | IV. REQUESTS FOR QUOTATION |
5. | V. PROFESSIONAL TRAININGS, COURSES, EVENTS |
6. | VI. DOWNLOADABLE REPORTS FROM THE WEBSITE |
7. | VII. DATA PROCESSING RELATED TO CONTRACTUAL PERFORMANCE |
8. | VIII. OTHER DATA PROCESSING OPERATIONS |
9. | IX. RIGHTS OF DATA SUBJECTS |
10. | X. APPLICABLE LAWS, DEFINITIONS, AND PRINCIPLES |
Below we provide a summary of the most important data processing activities. Should you have any further questions, please contact us via our data protection contact details.
I. WEB HOSTING SERVICE PROVIDER
Web hosting is an internet service in which the resources of a server are distributed among multiple users. Each user is allocated a dedicated space by the system, the publicly accessible content of which is available via a unique domain name. In this case, the domain name is: https://leprimore.hu. For the operation of the website https://www.bdo.hu, the Data Controller uses the services of a hosting provider.
Data Processor engaged by the Data Controller:
Microsoft Corporation
1 Microsoft Way, Redmond, WA 98052
Data Protection Officer: Jadzia Pierce
Email: dpoffice@microsoft.com
The Microsoft Azure cloud service qualifies as a third-country provider; however, it is a participant in the EU-U.S. Data Privacy Framework, ensuring the adequacy of data transfers.
Information on your data subject rights can be found in Chapter IX.
II. COOKIES USED ON THE WEBSITE
Anonymous visitor identifiers (cookies) are files or pieces of information stored on the user’s computer, internet-enabled device, smartphone, or tablet upon visiting the website.
Cookies serve to ensure the operation of the website and certain of its functions, and to collect statistical and other information about the user visiting the website (e.g., IP address, time of access, navigation patterns, referring website) to improve usability. Marketing cookies are used to display personalised advertisements. Based on their purpose, the following types of cookies are used:
Type of Cookie | Legal Basis |
---|---|
Strictly Necessary (Essential) | These cookies are essential for the operation of the website. No consent is required for their use. The legal basis for processing is the Data Controller’s legitimate interest, pursuant to Article 6(1)(f) of the GDPR. |
Analytical (Statistical) | Statistical cookies help us understand how visitors interact with the website by collecting and reporting data anonymously. The legal basis is the data subject’s voluntary consent, pursuant to Article 6(1)(a) of the GDPR. |
Marketing (Advertising) | Marketing cookies are used to track visitors across websites. The aim is to display advertisements that are relevant and engaging for the individual user. The legal basis is the data subject’s voluntary consent, pursuant to Article 6(1)(a) of the GDPR. |
The website allows users to accept or reject analytical (statistical) and marketing (advertising) cookies separately by purpose. Strictly necessary cookies are always active.
Detailed information on individual cookies can be found in the website’s Cookie Notice:
Cookie Management Notice – BDO Hungary – BDO
Cookies can be disabled or deleted at any time by the user via their browser settings.
Please note that certain cookies may transfer personal data to third countries (e.g., the United States). Third countries are countries outside the European Economic Area (EEA). If you do not wish for your data to be transferred to such countries, please do not enable these cookies when visiting our website. In the event of third-country transfers, the Data Controller must ensure an equivalent level of protection for the personal data of data subjects.
The following service providers are participants in the EU-U.S. Data Privacy Framework, ensuring the adequacy of such data transfers:
Google LLC
Danielle Romain, Chief Compliance Officer
1600 Amphitheatre Parkway
Mountain View, CA 94043
Email: dpf-core-team@google.com
Phone: +1 650 253 0000
Meta Platforms, Inc.
Michel Protti, Chief Privacy Officer, Product
1 Meta Way
Menlo Park, California 94025-1453
Email: dpfinquiry@support.facebook.com
Phone: (650) 543-4800
Microsoft Corporation
Jadzia Pierce, Data Protection Officer
1 Microsoft Way
Redmond, Washington 98052-8300
Email: dpoffice@microsoft.com
Phone: +353 1 706 3117
Other Third-Country-Linked Service Providers Used in Relation to Cookie Management:
Apple Inc.
One Apple Park Way
Cupertino, CA 95014, United States
Apple's Privacy Policy
Intuit Limited
(Cardinal Place, 80 Victoria Street, London, United Kingdom, SW1E 5JL, Intuit Data Protection Administration)
Service provider of Mailchimp.
Spotify AB
(Parent company registered in the United States)
Regeringsgatan 19
SE-111 53 Stockholm, Sweden
Company Reg. No.: 556703-7485
Email: office@spotify.com
Spotify GDPR Info
Cookie Consent Management Platform:
Cookiebot service is used for managing cookie settings.
Provider details:
Usercentrics A/S
Havnegade 39,
1058 Copenhagen, Denmark
Phone: +45 50 333 777
Email: mail@usercentrics.com
Company registration number: DK34624607
Their Privacy Policy is available here:
Privacy Policy – Your CMP Partner – Cookiebot™
We kindly ask that upon visiting our website, you review our Cookie Management Notice and make an informed decision about enabling or rejecting cookies accordingly. We also emphasise that cookies can be deleted from your devices (laptop, desktop computer, mobile phone) by you at any time.
Information on your data subject rights can be found in Chapter IX.
III. GENERAL ENQUIRIES
You may contact us via email at office@bdo.hu or through any of our other contact channels. Your enquiry and comments will be processed as described below. If you wish to request a quotation for any specific service or if you are already a contractual partner, please refer to the relevant data processing sections (e.g. request for quotation, processing related to contractual performance) set out in later chapters.
Where your enquiry is of a general nature, the following rules apply:
Purpose of data processing: | Providing information in relation to the content of the enquiry. |
Legal basis for data processing: |
|
Description of the legitimate interest: | Establishing and maintaining contact with a legal entity. |
Categories of data subjects | Natural persons contacting the Data Controller via the above channels; natural person representatives and contact persons of legal entities. |
Categories of personal data processed: | Email address, name of the enquirer, time and content of the enquiry, and any reply given. In the case of a legal entity, the company name, and the name, position, and contact details of the enquirer may also be processed. |
Source of the personal data: | The data subject provides the data directly. |
Duration of data processing: | Typically 6 months. |
Recipients (parties to whom data is transferred): | Brussels Worldwide Services BV The Data Controller uses the email system of: |
Transfer of personal data to third countries: | May occur in relation to services provided by Brussels Worldwide Services BV. |
Automated decision-making / profiling: | Not applicable. |
Is data provision mandatory? | No |
Consequences of failure to provide data: | The Data Controller will not be able to provide adequate information in response to the enquiry. |
Further information on your data subject rights can be found in Chapter IX.
IV. REQUESTS FOR QUOTATION
You may submit a quotation request via our website by clicking on the “Kapcsolat” (Contact) tab, or by emailing the Data Controller. Please include the necessary personal data in your email. In such cases, we will process the personal data necessary to handle the quotation request, along with any data needed for contacting and maintaining communication with you.
Purpose of data processing: | To respond to quotation requests submitted online (via the website) or by email, for the purpose of establishing a civil legal relationship with the prospective client. |
Legal basis for data processing: |
For the purpose of enforcing or defending legal claims, the legal basis is also the Data Controller’s legitimate interest pursuant to Article 6(1)(f) of the GDPR. Under Hungarian Civil Code Section 6:22, civil law claims expire after 5 years. This legal basis also applies to the processing of data relating to the legal representative or contact person of a legal entity. Legal basis for processing contact details (address, email address, telephone number): Legal basis for processing personal data required for compliance with recordkeeping obligations:
|
Description of legitimate interest: | Establishing and maintaining contact with a legal entity, exercising rights and fulfilling obligations arising from contractual relationships, enforcing and defending legal claims within the statute of limitations. |
Categories of data subjects: | Natural or legal persons submitting a request for quotation. |
Categories of personal data processed: |
|
Source of personal data: | Provided by the data subject or their employer. |
Duration of data processing: | For the duration of the quotation binding period. |
Recipients (parties to whom data is transferred): |
|
Transfer of personal data to third countries: | May occur in relation to the services of Brussels Worldwide Services BV. |
Automated decision-making / profiling: | Not applicable. |
Is data provision mandatory? | Providing contact details (address, telephone number, email) is voluntary. |
Consequences of failure to provide personal data: | The quotation may not be issued or may not reflect the enquirer’s needs. |
Further information on your data subject rights can be found in Chapter IX.
V. PROFESSIONAL TRAININGS, COURSES, EVENTS
The Data Controller or one of its group companies organises professional trainings, courses (e.g. ESG Professional Training, Webinars, Pay Transparency Workshops, etc.) and events (e.g. business breakfasts) in connection with its services. Registration for such events may take place via email or through Microsoft Forms, as specified on the website. In some cases, registration is required but participation is free of charge, while in other cases, participation is subject to a fee. Please review the applicable terms and conditions.
While registration or application may be submitted online, any associated payment (where applicable) is not processed online. Details of such payments will be communicated by the organising Data Controller. Both natural persons and legal entities may register for the events. In the latter case, the legal entity registers one of its employees for participation in the training, course, or event. While all data relating to natural persons are considered personal data, in the case of legal entities, only the personal data of the participant, as well as those of the legal representative or designated contact person, are deemed personal data.
The processing of personal data is carried out as follows:
Purpose of data processing: | Provision of professional training, courses, event organisation, and proper legal documentation thereof. |
Legal basis for data processing: |
|
Legitimate interest pursued: | Establishing and maintaining contact with the legal entity, exercising rights and fulfilling obligations arising from the contractual relationship, and enforcing and defending legal claims. |
Categories of data subjects: | Natural persons registering for or designated to attend the training. |
Categories of personal data processed: | Typically includes the participant’s name, email and phone contact details, training details, name of employer in the case of corporate registration, name and contact information of the legal representative and/or contact person, name, job title, and relevant personal data of the registered employee (e.g. food allergies). Following registration, the following personal data are typically processed: |
Source of personal data: | The individual registering for the training or their employer. |
Duration of data processing: | Until the last day of the 8th year following the provision of services, in line with accounting obligations. |
Recipients (entities to whom data may be transferred): |
|
Transfer of data to third countries: | Data transfers to third countries may occur in relation to the services of Brussels Worldwide Services BV. Microsoft Corporation qualifies as a third-country provider; however, it is a participant in the EU–US Data Privacy Framework, and thus deemed to provide adequate protection. |
Automated decision-making/profiling: | Does not occur. |
Is the provision of data mandatory? | Providing contact data (email address, phone number) and information on food allergies is voluntary. All other personal data are required for the organisation of the training or course. |
Consequences of failure to provide personal data: | The training cannot be documented or conducted without the required data. |
For information on your rights as a data subject, please refer to Section IX of this Privacy Notice.
VI. DOWNLOADABLE REPORTS FROM THE WEBSITE
Certain members of the Data Controller’s group prepare professional reports or analyses that may be accessed by interested parties through Google Forms. Access requires the provision of minimal personal data to enable the Data Controller to monitor the lawful use of its intellectual property. These data are not used for any other purpose.
Processing of personal data in connection with downloading such reports is carried out as follows:
Purpose of data processing: | Documenting the use of professional reports prepared by the Data Controller; ensuring the ability to substantiate claims relating to intellectual property and copyright. |
Legal basis for data processing: | The legal basis is the Data Controller’s legitimate interest under Article 6(1)(f) of the GDPR. |
Legitimate interest pursued: | Ensuring traceability and substantiability of the lawful use of professional reports prepared by the Data Controller, as the rights holder. |
Categories of data subjects: | Individuals who download professional reports. |
Categories of personal data processed: | Via Google Forms, the following personal data are typically processed: |
Source of personal data: | Provided directly by the data subject wishing to download the professional report. |
Duration of data processing: | Until the data subject objects, unless a compelling legitimate reason exists to continue processing. |
Recipients (entities to whom data may be transferred): |
|
Transfer of data to third countries: | Data transfers to third countries may occur in relation to the services of Brussels Worldwide Services BV. Google LLC qualifies as a third-country provider; however, it participates in the EU–US Data Privacy Framework and is therefore deemed to provide adequate protection. |
Automated decision-making/profiling: | Does not occur. |
Is the provision of data mandatory? | Yes, except for the optional comments field. |
Consequences of failure to provide personal data: | The professional report will not be accessible. |
For further details on your rights as a data subject, please refer to Section IX of this Privacy Notice.
VII. DATA PROCESSING RELATED TO CONTRACT PERFORMANCE
In connection with its operations, the Data Controller typically enters into contractual relationships with legal entities or sole proprietors. In the course of such engagements, the Data Controller processes the personal data of the legal entity’s authorized representative and contact person, as well as the personal data of the sole proprietor. In exceptional cases, contracts may also be concluded with natural persons. The data processing is carried out as described below and is further detailed in the relevant engagement contract.
Purpose of data processing: | To exercise rights and fulfill obligations arising from the contract (including the obligation to retain supporting documentation), to maintain contact, and to enforce or defend legal claims. |
Legal Basis for Data Processing | In the case of natural persons and sole proprietors:
In the case of legal entity clients:
|
Legitimate interest: | For natural persons and sole proprietors: The legitimate interest is the ability to verify facts in the event of a legal dispute. During the limitation period for enforcing legal claims, the parties may assert legal rights against one another (e.g., due to defective performance). The Data Controller’s legitimate interest is therefore the clarification of facts, verifiability, and the identification of potential infringements. The contracting partner can reasonably expect such data processing, which also serves their own claim enforcement by ensuring the existence of documents related to the service. Clarifying the factual background is in the interest of both parties. During the period of any legal dispute or legal claim enforcement, personal data is not otherwise processed and is stored separately from other personal data. For legal entities: The authorized representative of a legal entity is entitled to make legally binding statements and sign on behalf of the entity. Their personal data, however, cannot be processed under the legal basis of contract performance since they are not considered parties to the contract. Similarly, contact persons are not parties either, yet communication with them is essential for the performance of the contract. The data subjects can reasonably expect such data processing and are informed about it. The processing does not exceed the necessary and proportionate level. Legal claim enforcement and protection may also arise in the case of legal entities. |
Categories of data subjects: | Natural persons, sole proprietors contracting with the Data Controller, and authorized representatives or contact persons of legal entities. |
Categories of personal data processed: |
In all cases, only data necessary for the performance of the contract is processed. |
Source of personal data: | Personal data is typically provided directly by the data subject. In the case of contact persons, the data is provided by their employer. |
Duration of data processing: | The duration of data processing is the period of contract performance and, thereafter, the statutory limitation period under civil law (until the last day of the 5th year following the performance), or until the final conclusion of any legal dispute. For personal data found in supporting documents required for statutory accounting obligations, the retention period is until the last day of the 8th year following the issuance of the invoice. |
Data recipients (data transfers): |
|
Transfer of data to third countries: | Data may be transferred to third countries in connection with the services provided by Brussels Worldwide Services BV. Microsoft Corporation qualifies as a third-country service provider but is a participant in the EU-U.S. Data Privacy Framework, therefore it is considered to provide an adequate level of protection. |
Automated decision-making / profiling: | No automated decision-making or profiling is carried out. |
Is data provision mandatory? | Except for contact details, the provision of data is mandatory. |
Consequences of failure to provide data: | Failure to provide personal data means that the rights and obligations arising from the contract cannot be exercised or fulfilled, and communication, cooperation, and the obligation to provide information cannot be fulfilled either. |
For further details on your rights as a data subject, please refer to Section IX of this Privacy Notice.
VIII. OTHER DATA PROCESSING ACTIVITIES
The Data Controller may send newsletters and professional content to data subjects who have subscribed. Data processing activities related to these services are detailed in a separate privacy notice.
In addition, the Data Controller may publish job advertisements on its website and accept applications in accordance with the procedures outlined therein. The data processing related to job applications (e.g., registration process, submission of applications, etc.) is also governed by a separate privacy notice.
You can read more about your data subject rights in Section IX.
IX. RIGHTS OF DATA SUBJECTS
Below, we present the rights that a data subject, whose personal data is processed by the Data Controller, may exercise in relation to the data processing:
The data subject’s rights related to data processing include:
The right to be informed about whether data processing is taking place;
The right to access the above-mentioned information related to the data processing;
The right to obtain a copy of the personal data processed;
The right to data portability (if processing is based on consent or contractual necessity);
The right to request rectification, erasure, or restriction of the processing of personal data;
The right to object to the processing of personal data (in cases of legitimate interest);
The right to lodge a complaint with the supervisory authority (National Authority for Data Protection and Freedom of Information, NAIH: mailing address: 1055 Budapest, Falk Miksa u. 9-11., H-1363 Budapest, P.O. Box: 9., phone: +36 (30) 683-5969, +36 (30) 549 6838, email: ugyfelszolgalat@naih.hu, website: www.naih.hu);
The right to seek judicial remedy.
Explanation of the above rights:
Right to information:
You may request information from the Data Controller about the processing of your personal data.
The Data Controller must provide you with all the information related to the processing of your personal data in a concise, transparent, intelligible, and easily accessible form, using clear and plain language.
The Data Controller shall provide the information without undue delay and at the latest within one month from receipt of the request, in writing. At your request, the information may also be provided orally, provided that your identity has been reliably verified beforehand.
If the request is complex or a high number of requests are received, this one-month deadline may be extended by an additional two months. You will be notified of such an extension within one month of the request, together with the reasons for the delay. If the request was submitted electronically, the information will be provided electronically, unless you request otherwise.
If the Data Controller does not take action on your request, it must inform you within one month of receipt of the request of the reasons for not taking action, and of your right to lodge a complaint with a supervisory authority and to seek judicial remedy.
Right of access to personal data and related information:
You have the right to receive confirmation from the Data Controller as to whether your personal data is being processed, and if so, to access the data and the following information:
The purposes of the processing;
The categories of personal data concerned;
The recipients or categories of recipients to whom the personal data has been or will be disclosed;
The intended duration of storage, or the criteria used to determine that period;
Your rights to request rectification, erasure, or restriction of processing, and your right to object;
Your right to lodge a complaint with the supervisory authority (NAIH);
Where the data was not collected directly from you, any available information about its source;
The existence of automated decision-making (including profiling), and in such cases, meaningful information about the logic involved and the potential consequences for you.
The Data Controller confirms that personal data will not be transferred to third countries or international organizations under any circumstances.
Right to obtain a copy:
Upon your request, the Data Controller will provide a copy of the personal data undergoing processing. For any additional copies requested, the Data Controller may charge a reasonable fee based on administrative costs.
If the request is submitted electronically, the information will be provided in a commonly used electronic format unless you request otherwise.
This right may not adversely affect the rights and freedoms of others.
Right to data portability:
You have the right to receive the personal data that you have provided to the Data Controller in a structured, commonly used, and machine-readable format and have the right to transmit that data to another controller without hindrance, provided that:
The processing is based on your consent or on a contract; and
The processing is carried out by automated means.
Where technically feasible, you also have the right to request direct transmission of the data from one controller to another.
This right may not adversely affect the rights and freedoms of others.
Right to rectification:
You have the right to request that the Data Controller correct inaccurate personal data about you without undue delay, or complete any incomplete personal data – including by means of providing a supplementary statement.
Right to erasure ("right to be forgotten"):
You have the right to request the erasure of your personal data without undue delay, and the Data Controller is obliged to erase your personal data without undue delay where one of the following grounds applies:
The personal data is no longer necessary for the purposes for which it was collected or otherwise processed;
You withdraw your consent, and there is no other legal basis for the processing;
You object to processing based on public interest or legitimate interest, and there are no overriding legitimate grounds for the processing, or you object to processing for direct marketing purposes;
The personal data has been unlawfully processed;
The personal data must be erased to comply with a legal obligation under Union or Member State law applicable to the Data Controller.
If the Data Controller has made the personal data public and is required to erase it, it will take reasonable steps (including technical measures), considering available technology and implementation costs, to inform other controllers processing the data that you have requested erasure of any links to, or copies or replications of, that personal data.
Exceptions – Data may not be erased if processing is necessary for:
Exercising the right of freedom of expression and information;
Compliance with a legal obligation under Union or Member State law, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
Reasons of public interest in the area of public health;
Archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes, if erasure is likely to render impossible or seriously impair the achievement of the objectives of that processing;
The establishment, exercise, or defense of legal claims.
Right to restriction of processing:
You have the right to request restriction of processing if any of the following conditions apply:
You contest the accuracy of the personal data, for a period enabling the Data Controller to verify the accuracy of the data;
The processing is unlawful, but you oppose the erasure of the data and request the restriction of its use instead;
The Data Controller no longer needs the data for the purposes of the processing, but you require it for the establishment, exercise, or defense of legal claims;
You have objected to processing pending the verification of whether the legitimate grounds of the controller override your interests.
Where processing has been restricted, such personal data shall, with the exception of storage, only be processed:
With your consent;
For the establishment, exercise or defense of legal claims;
For the protection of the rights of another natural or legal person;
Or for reasons of important public interest of the Union or of a Member State.
The Data Controller shall inform you before lifting any restriction on processing.
Right to object to data processing:
The data subject has the right to object, at any time, on grounds relating to their particular situation, to the processing of their personal data which is based on legitimate interests or the performance of a task carried out in the public interest or in the exercise of official authority.
If the data subject objects to the processing of their personal data for direct marketing purposes, the personal data can no longer be processed for such purposes.
In other cases, the controller shall no longer process the personal data unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims.
Right to lodge a complaint:
If any of the above rights are infringed, the data subject is entitled to lodge a complaint with the supervisory authority.
The supervisory authority is the Hungarian National Authority for Data Protection and Freedom of Information (mailing address: H-1055 Budapest, Falk Miksa utca 9-11., H-1363 Budapest, P.O. Box 9., phone: +36 (30) 683-5969, +36 (30) 549 6838, email: ugyfelszolgalat@naih.hu, website: www.naih.hu), where you can submit a complaint or initiate an investigation if you believe your personal data has been unlawfully processed or is at risk.
You are also informed that in case of a violation or imminent risk of violation of your rights related to the processing of your personal data, you may turn directly to the courts.
You may also submit any remarks, questions, or complaints to our data protection contact.
X. APPLICABLE LAWS, DEFINITIONS AND PRINCIPLES
KEY APPLICABLE LEGISLATION:
Below are the key pieces of legislation that define the way personal data is processed, as well as the rights and obligations of the parties involved.
Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation – GDPR)
For interpretive guidance, the following sources may be consulted:
Opinions of the European Data Protection Board (https://edpb.europa.eu)
Guidelines of the European Data Protection Supervisor (https://edps.europa.eu)
Opinions, decisions, and case-law of the Hungarian National Authority for Data Protection and Freedom of Information (NAIH)
Judgments of the Court of Justice of the European Union (https://curia.europa.eu)
Decisions of national supervisory authorities
Current legislation can be accessed free of charge at the Hungarian National Legislation Database (https://www.njt.hu) or the European Commission’s website (https://eur-lex.europa.eu/legal-content/HU/TXT/HTML/?uri=CELEX:32016R0679&from=HU)
DEFINITIONS
These definitions clarify the subjects and terms used in this policy:
“Personal data”: Any information relating to an identified or identifiable natural person (“data subject”); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as name, number, location data, online identifier or to one or more factors specific to their physical, physiological, genetic, mental, economic, cultural or social identity.
“Health data”: Personal data related to the physical or mental health of a natural person, including data revealing information about the individual’s health status resulting from healthcare services.
“Genetic data”: Personal data relating to the inherited or acquired genetic characteristics of a natural person which gives unique information about their physiology or health and which results from an analysis of a biological sample.
“Biometric data”: Personal data resulting from specific technical processing related to the physical, physiological or behavioural characteristics of a natural person which allow or confirm the unique identification of that person, such as facial images or fingerprint data.
“Sensitive data”: A category of personal data recognized in data protection practices and case law as involving higher risk but not classified as special category or criminal data. It includes, for example, bank card information, data concerning children, location data, interests, reputation-damaging information, and large sets of combined data.
“Data processing”: Any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Restriction of processing”: The marking of stored personal data with the aim of limiting their processing in the future.
“Data controller”: The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
“Data processor”: A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
“Recipient”: A natural or legal person, public authority, agency or another body to which personal data are disclosed, whether a third party or not.
“Third party”: A natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
“Profiling”: Any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, such as to analyse or predict aspects concerning performance at work, economic situation, health, preferences, interests, reliability, behaviour, location or movements.
“Pseudonymisation”: The processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information, provided that such information is kept separately and is subject to technical and organisational measures to ensure non-attribution.
“Filing system”: Any structured set of personal data which is accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis.
“Consent of the data subject”: Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which they signify agreement to the processing of personal data relating to them.
“Personal data breach”: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
“Enterprise”: A natural or legal person engaged in an economic activity, regardless of the legal form, including partnerships or associations regularly engaged in economic activity.
“Supervisory authority”: An independent public authority established by a Member State in accordance with Article 51 of the GDPR. In Hungary, this is the Hungarian National Authority for Data Protection and Freedom of Information (NAIH).
PRINCIPLES RELATING TO DATA PROCESSING
The processing of personal data shall be conducted according to the following principles:
a) Lawfulness, fairness, and transparency – Processed lawfully, fairly, and in a transparent manner.
b) Purpose limitation – Collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes.
c) Data minimisation – Adequate, relevant and limited to what is necessary in relation to the purposes.
d) Accuracy – Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that inaccurate personal data are erased or rectified without delay.
e) Storage limitation – Kept in a form which permits identification of data subjects for no longer than is necessary; extended storage is only permitted for archiving purposes in the public interest, scientific or historical research, or statistical purposes, subject to safeguards.
f) Integrity and confidentiality – Processed in a manner ensuring appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.
The controller is responsible for compliance with these principles and must be able to demonstrate such compliance (accountability).
Last updated: August 1, 2025