Privacy Policy - Data Collection and Processing

Last updated: 7th June, 2023


CCLab Ltd is committed to protecting your privacy and the personal data collected and processed about you. CCLab Ltd manages the personal information obtained in the course of its activities, such as registering to use our services, providing your personal information to us at any events or in any other way agreed with us (hereinafter, collectively: “Services”) in accordance with the European Parliament and the Council (EU) on the protection of natural persons with regard to the processing of personal data on the free movement of such data and repealing Regulation (EK) No 95/46/EK (General Data Protection Regulation) regulation 2016/679 (hereinafter GDPR) and the provisions of Act CXII of 2011 on the Right of Informational Self-Determination and Freedom of Information (hereinafter referred to as the Infotv.) as specified in this Data Collection and Processing Policy (“Privacy Policy").

According to the GDPR Regulation, the Data Subject is the natural person whose data is processed by the Data Controller. By visiting our website or providing us with any personal information, you accept that you will be subject to the terms set in this Privacy Policy.


The purpose of this Privacy Policy is to provide an overview and specify the data protection and data management principles and policies applied by CCLab Ltd. CCLab Ltd recognizes the principles and policies set out here as binding. 

In addition, this Privacy Policy aims to provide information on the data processing carried out by CCLab Ltd., the rights related to data processing, and the legal remedies. This Privacy Policy does not apply to data processing in employment or other employment-related relationships. 

By publishing this Privacy Policy, CCLab Ltd, acting as Data Controller, informs the Data Subjects about the general information on processing personal data.

If you do not agree to the practices described in this Privacy Policy, you should not use our Services.

If you have any further questions about this Privacy Policy, or the processing of your personal data already provided, please contact us at any time at one of the following contact details detailed in Chapter III.


Regarding the data processing specified in this Privacy Policy, the Data Controller is:

CCLab Ltd. (seat: 1137 Budapest, Katona József utca 17., III. em. 2., company registry number: 01-09-171541, Court of Registry: Fővárosi Törvényszék Cégbírósága, tax number: 24314204-2-41) (hereinafter referred to: “CCLab”, „we”, or „our Company”).

Our contact details for queries relating to data processing:

postal address: 1134 Budapest, Váci út 49. 6. em.

e-mail address: 

phone: +36 20 212-1664 



Our processing of personal data is based on the following principles:

  • The processing of personal data by our Company, or in our Company’s systems, may only be carried out lawfully, in a fair and transparent manner. 
  • Data processing is lawful only if and to the extent if at least one of the legal grounds set out in Article 6 (1) of the GDPR is met.
  • The procedure is fair and transparent if the Data Subject receives adequate information in an easily accessible and comprehensible manner about how his or her data is collected, used, accessed, how and by whom or otherwise processed.
  • Personal data may be processed for clearly defined legitimate purposes. Personal data must not be processed in a manner incompatible with those purposes.
  • The data processing must be justified, having regard to the purpose, and limited to the minimum necessary extent.
  • The data processing must be accurate, the inaccurate data processing that does not fulfil the purpose must be corrected without delay, i.e., all reasonable measures must be taken to delete or correct personal data that are inaccurate for the purposes of the data processing. 
  • The personal data must be stored in a manner that permits identification of the Data Subjects only insofar as is necessary for the purpose.
  • Appropriate technical or organisational measures must be taken to ensure adequate security of personal data when processing the data, including protection against unauthorised or unlawful processing, accidental loss, destruction, or damage to the data.



This section applies to contracts concluded in the course of our business, i.e., contracts that we enter into with our customers or subcontractors, collaborators, and suppliers. This clause does not cover employment contracts and other employment relationships.

Concerning the contracts covered by this point, personal data processing may take place where our contracting partner is a sole proprietor, which necessarily involves processing personal data. In such a case, all data relating to, connected to or in connection with the contract which comes to our knowledge concerning our partner shall be considered as personal data of our partner.

If our contracting partner is a company (legal person), personal data are processed essentially concerning the contact person acting on behalf of the partner or designated by the partner.

Who is the Data Controller?

If we act as consortium members for a project, the consortium agreement will also cover the data processing issues. In general, personal data relating to the conclusion and performance of contracts related to consortium activities are treated as Joint Data Controllers with the consortium members. Indeed, the operation of the consortium, the performance of its tasks and the settlement of accounts are all objectives that require close cooperation and joint decision-making between the consortium members.

Also, as a Joint Data Controller, we maintain a HubSpot CRM system (hereinafter: CRM) together with the members of the QTICS Group, in which we also record contractual contact details and data relating to contracts. 

What is the purpose of data processing?

If our contracting partner is a sole proprietor, the purpose of the personal data processing is the establishment, registration and performance of the contract. The purposes of processing in the context of the performance of the contract also include the settlement of any warranty and guarantee claims and other disputes.

If the contract is subject to an obligation to issue an invoice and our contracting partner is a sole proprietor, the data relating to the invoice issued on the basis of the contract are considered personal data, and the purpose of the data processing is to fulfil our statutory accounting obligations (issuing invoices, keeping invoices).

If our contracting partner is a company or other organisation, the purpose of processing personal data of the person acting on its behalf or of the contact person is the smooth establishment, performance, or termination of the contract.

Which personal data do we process for the above purposes?

For a sole proprietor:

  • Name of the sole proprietor
  • Sole proprietor’s registration number
  • Tax number
  • Registered office
  • Signature in case of written contract
  • Contact details (telephone number, e-mail address)
  • Invoice data (invoice serial number and its date, date of completion, payment deadline, gross and net amount, VAT amount, discount rate and title.)
  • Order/ contract details:  name and identification of products or services, quantity, price, date of order, and status of order
  • Payment details (bank account number, date of payment, amount, method of payment, record of any debts)
  • Reported warranty and guarantee claims, the content of the report on the claim, the method and date of fulfilment of the claim 
  • Certificate of contract completion

For legal person contacts:

  • name, e-mail address, phone number, company name, title

Confirmation of performance 

  • place, date, and quantity of performance 
  • where relevant for the purpose of the accounts, the name of the person who carried out the activity
  • name and signature of the person issuing the record

On what legal basis and for how long do we process this personal data?

In the case of a contract with a sole proprietor, we need their personal and contact data in order to conclude and perform the contract. The legal basis for processing these data is the performance of the contract pursuant to Article 6(1)(b) of the GDPR.

In addition to the above, in the case of a sole proprietor, certain personal data are processed based on the following legal obligation (Article 6(1)(c) GDPR):

  • In the case of an obligation to issue or retain an invoice, we must process the invoicing data (invoicing name and address, invoice data) in accordance with Act C of 2000 on Accounting (Act on Accounting), and we are obliged to retain the documents issued in connection with the contract, together with the data contained therein, for eight (8) years in accordance with Section 169 of the Act on Accounting; 
  • If our client or customer is subject to VAT, we are obliged to indicate the tax number of the purchaser or service user on the invoice in accordance with Section 169 (d) (dc) of Act CXXVII of 2007 on Value Added Tax (hereinafter: VAT Act). The retention period of the tax number is aligned with the retention period of the invoice

In the case of a non-self-employed person, we process the contact data in our legitimate interest for the smooth performance of the contract pursuant to Article 6(1)(f) GDPR during the limitation period for the performance of the contract and the related claims. 

Given that the contracts and the related accounting documents, as well as the necessary contact data, form a logical unit for the existence and smooth performance of the contract, they share a legal fate in terms of their retention. The retention period is eight (8) years from the termination of the contract. After the expiry of the retention period (8+1 years), the documents will be deleted from all active records of our Company and will no longer be accessible to staff carrying out operational tasks. The deletion does not apply to data stored through a backup procedure created during a commonly accepted backup process.

Will data be transferred?

Data may be disclosed to the competent authority in order to fulfil a statutory obligation to provide information or in response to a request from a public authority. Data will be transferred to the accountant under a data processing contract. 


For newsletter and business offers, see section V.4 - V.5.

A separate, explicit subscription to a newsletter on the part of our Company is not understood.


What is the purpose of data processing?

If you contact us with a question or complaint (contact us), we will process the personal data you provide in a message, e-mail, postal letter, or telephone call in order to contact you and respond to your request.

This point covers enquiries of an informative nature and the request for quotation as well. If the correspondence relates to the preparation of a contract or a contract that is in progress or has been performed, the details of that type of personal data processing will apply to that contact.

What personal data do we process for the above purpose?

The personal data (name, telephone number, email address, company name) provided by email, telephone or postal enquiry and necessary for the purposes of contacting you.

In case of a request for quotation or other business and/or commercial (sales) enquiries, the data will be recorded in the CRM.

On what legal basis do we process the personal data?

The personal data of the data subject processed in accordance with this point shall be processed in accordance based on your voluntary consent to record and respond to enquiries.

Processing on the basis of consent is permitted under Article 6(1)(a) of the GDPR.

How long do we process your personal data?

The personal data processed in connection with a complaint delivered to will be deleted from our active systems 1 (one) year following the closure of the case.

For information on data stored in the CRM system, see section V.5.

Will data be transferred?

There will be no data transfer to third-party companies within this scope of processing.


Our Company does not organize offline events, so the processing of data for offline events is not covered by this Privacy Policy.


In the case of online events, the rules of data processing are as follows: 

What is the purpose of data processing?

The purpose of pre-registration is to indicate participation in the event and, where applicable, to provide information about the event to the person indicating their intention to participate and, if necessary, to contact them at short notice if required to provide information about the event.

The data provided during registration will be stored in the CRM system. Following the event, we is entitled to send newsletters, thematic articles, invitations to events, offers and other personal sales and marketing enquiries to the email address provided. Registration is subject to acceptance of this Privacy Policy.

What personal data do we process for the above purposes?

Name, company name, company e-mail address, title.

On what legal basis do we process this personal data?

The processing of personal data is based on the voluntary consent of the person registering given in possession of this Privacy Policy. Processing on the basis of consent is permitted under Article 6(1)(a) of the GDPR.

How long do we process your personal data?

The data will be deleted if no active communication has been made on the basis of the data and information recorded in the CRM for a period of five (5) years (active communication is defined as an email response, telephone call, question, website visit, form filling, downloading information material, etc.), or if the Data Subject withdraws consent.

Will data be transferred?

There will be no data transfer to third-party companies within this scope of data processing.


What is the purpose of data processing?

The purpose of data processing is to manage the human resources of our Company, to inform potential candidates in detail about open positions, to fill open positions with the best possible candidates and to contact the applicant.

What personal data do we process for the above purposes?

Personal data provided or uploaded by the candidate in his/her CV and documents during the registration process, which are suitable to identify him/her and relate to his/her education, training, professional experience, skills, and competencies. Providing data and information other than those requested in the specific job advertisement is at the Data Subject's discretion. At further stages of the selection process, additional information will be provided to the Recipients.

On what legal basis do we process these personal data?

The processing of personal data is based on the voluntary consent of the registrant. Processing on the basis of consent is permitted under Article 6(1)(a) of the GDPR.

How long do we keep your personal data?

The personal data processed will be deleted from our active systems 1 (one) year after registration.

Will data be transferred?

There will be no data transfer to third-party companies within this scope of data processing.


Our Company has a company profile on various social media platforms:

  • Facebook
  • LinkedIn
  • Google My Business

The operator of the social media platform essentially decides the operating principles of social media platforms and the functions available. However, as a user, our Company is given the opportunity (to a limited extent) to customise certain functions, thus, both our Company and the respective social media platform are involved in the data processing. Consequently, the company/organisation operating the social media platform and our Company are considered Joint Controllers in relation to data processing on the platform. However, we have no control over the decisions of the company/entity operating the social media platform, and we do not have any information about their data processing activities beyond what is provided in their privacy policy, and therefore we exclude our liability in this regard.

Before using a social media platform, please always read the privacy policy of the social media platform in question so that you, as a user, can also take advantage of the personalised privacy settings provided by the social media platform.

The operation of our social media pages is in the legitimate interest of our Company. It is in our legitimate interest to promote our Company on these platforms as well, to be accessible, and to enable people interested in our services and job opportunities to contact us and obtain information through these platforms.

On social networking sites, we may learn personal information, such as profile pictures, names, etc., about users who have joined our sites in accordance with the site's rules and the user's preferences. Users can also rate (like), vote, share and comment on our posts. Comments and postings will be moderated, and if we believe that they are illegal or infringe on the rights and interests of our Company or others, we have the right to remove them.

Considering that joining our social media platforms is entirely voluntary, the legal basis for processing will be your consent (Article 6(1)(a) GDPR).

With the deletion of the profile of the social networking site or our Company, the data processing on the social networking site will also disappear. It will also cease to be processed if your followers are "tracked" on our social media platform.

We have placed simple links to Facebook, LinkedIn, and Instagram on our website. In such cases, data will only be transferred to these social media operators when you click on the relevant icon (e.g., the "f" icon in the case of Facebook). When you click on that icon, you will be taken to our corporate interface on the social platform to which the link relates, where you can read our posts, write comments, and send us messages.

Will data be transferred?

There will be no data transfer to third-party companies within this scope of data processing.


What are cookies and what is the purpose of their use?

We use cookies on the website at A cookie is a file (small data file consisting of letters and numbers) that is placed on your computing device (computer, smartphone, tablet, etc.) when you visit the site. The cookie itself does not contain or collect information; it is only used to help identify users. This will help them provide a more convenient, user-friendly service.

Our Company uses the following cookies for the following purposes:

  • information about how you use the site
  • website development - improving the quality of service
  • to facilitate your navigation on the website
  • to serve targeted advertisements on other websites
  • to distinguish and identify browser users
  • to monitor your activity on the website so that we can send you offers and messages that are of interest or importance to you

In particular, the cookies necessary for the operation of the service:

  • cookies that store data recorded by users ("user-input cookies")
  • authentication session cookies ("authentication cookies").
  • user-centric security session cookies (user-centric security cookies)
  • multimedia player session cookies ("multimedia player session cookie")
  • load balancing session cookies
  • user interface customization session cookies

We may use your cookie data to compile and analyse statistics about your use of the website and to provide non-identifiable statistical information (e.g., number of visitors, most viewed topics, or content) to third parties or to disclose it in aggregate and anonymously.

The data collected by cookies cannot, in principle, be used to identify the user and will only be combined with other potentially identifiable data if the user explicitly consents to use of cookies to identify him or her.

In this case, the legal basis for processing will be your consent (Article 6(1)(a) GDPR).

How can you delete or disable cookies?

You can delete cookies from your device or set your browser to block cookies. It is also possible to disable all cookies, but this will significantly degrade your web browsing experience if you use services that use cookies.

We also use the services of Google Analytics in connection with the Website. The cookies managed by Google Analytics help us to measure website traffic and other web analytics data. The information collected by cookies is transmitted to and stored on external servers operated by Google. Google will use this information primarily to track website activity and compiling analytics about website activity for us. Google may transfer this information to third parties where required to do so by law. Google may also transfer this information to third parties, which it uses to process the data. Google Analytics can provide detailed information on data processing by Google Analytics. ( ).

You can disable Google's use of cookies by going to the Advertising settings (for more information: Users can also opt-out of cookies from third-party service providers by visiting the unsubscribe page of the Network Advertising Initiative ( ).

The processing of data by third-party service providers is governed by the privacy policies of those service providers and our company assumes no responsibility for such processing.

Will data be transferred?

There will be no data transfer to third-party companies within this scope of data processing.


Personal data will be treated confidentially. The personal data we process may be accessed by our employees who need to know it in order to perform their job duties. 

Also, your personal data may be disclosed and made available to third-party companies that provide specific services to CCLab, which will process your data ("Data Processors”) for the sole purpose of executing the contract of our Services. These third-party companies include:

  • third-party service providers (e.g., email service providers, delivery services, database management, web analytics, payment processing, organisations with financial and accounting functions etc.)
  • any subcontractor under a duty of confidentiality to CCLab agrees to keep the Personal Data strictly confidential.

The Data Processors and their employees, in connection with the tasks they perform, are required to treat the personal data they receive as confidential. The data access is limited in the course of their work, only to that extent which is strictly necessary to carry out their tasks.

Companies which shall be qualified as affiliated companies of CCLab according to Section 3 (2) Point 7 of Act No. C of 2000 on Accounting shall not be deemed as third parties. Affiliated companies to CClab are QTICS Group companies and QIMA Group companies.

We will disclose personal data to courts, prosecutors, and other authorities in the context of our legal obligations, to the extent and in the manner required by law.

In the event of a legal claim against you, your personal data may also be disclosed to the extent necessary for the enforcement of the claim by our respective legal cooperation partners and our claims management partners.


We are committed to taking the necessary data security measures. As part of this, we adopt and implement, and regularly review technical and organisational measures and procedures to ensure that the personal data we process is secure, and we will do our utmost to prevent the destruction, unauthorised use or alteration of the data, to ensure that the personal data we process is not accessible, disclosed, transmitted, modified or deleted by unauthorised persons. We remind all those to whom we transfer personal data to comply with data security requirements, and require our employees involved in data processing activities to do the same.

In the context of the above, we design and choose our information technology solutions in such a way as to ensure that those with access to the data have exclusive access to the data and that the data remain authentic and unchanged. Within this framework, we perform and use, among others, password-protected access systems, activity logging, and regular backups.

We monitor technological developments at any time and apply the available technical, technological, and organisational solutions that meet the level of protection justified by our data processing.

Based on the above, personal data is stored in our cloud storage (by a cloud service provider), on rented servers and the hard drive of our Company's computers. Access to each system is controlled by rights management - personal data can only be accessed by those whose work requires knowledge of the data is essential.

Our office computers are protected by hard drive encryption and password protection. The use of external storage devices is not allowed by default.

Our systems are protected against malicious software.

The data is saved in a daily backup. Only a limited set of authorised persons has access to the backups.


All cases are classified as personal data breach when an unauthorized person has access to personal data or the data is destroyed, lost, altered, for example, if the database is destroyed or the storage medium on which the data is stored is lost.

In the event of personal data breach, we assess its effects and risks (what data are affected, in what quantity, can they be restored, etc.) and take immediate action for remedy. We will notify a personal data breach to the competent supervisory authority without undue delay and, if possible, no later than 72 hours after becoming aware of it, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.


Withdraw of consent: If the processing is based on your consent, you have the right to withdraw your consent at any time without giving any reason. Once consent has been withdrawn, the personal data of the data subject will no longer be processed and will be deleted from all our active systems. Withdrawal of consent does not affect the lawfulness of the prior processing.

Rights of access: At any time, you can use the contact details provided in Section III. to ask us whether we process your personal data and, if so, to provide you with further information about:

The purposes and the legal ground of the processing, the personal data processed by us and their categories, the recipients or categories of recipients (including data processors we use) to whom the personal data have been or will be disclosed (where personal data are transferred to a third country, you shall have the right to be informed of the appropriate safeguards relating to the transfer), the legal ground of the data transfer, period for which the personal data will be stored, the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning you or to object to such processing, the right to lodge a complaint with the Hungarian Data Protection Authority, the source of the data, the circumstances and effects of the possible data breach and the measures implemented for their prevention

You may also request a copy of your personal data held by our Company.

Our Company will respond to your request within the timeframe specified in Chapter X in a reply letter sent to the contact details provided in the request. If you have sent your request electronically, we will also send you our reply electronically.

Right to rectification and supplementation: If you become aware that any of your personal data is incorrect, inaccurate, or incomplete, please provide us with the correct or additional information as soon as possible so that we can make the correction or completion.

Right to erasure („Right to be forgotten”): You have the right to request the erasure of your personal data. Please note that we may refuse to erase your data, particularly, if we need or may need the data to comply with a legal obligation or to pursue a claim.

In the case of processing based on legitimate interest, objection to processing will entail the erasure of the data unless there are overriding reasons why the deletion cannot be complied with.

Furthermore, erasure takes place if

  1. the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
  2. the personal data have been unlawfully processed;
  3. the personal data have to be erased for compliance with a legal obligation out of EU law or national law.

Right to restriction of processing: You shall have the right to obtain from us restriction of processing where one of the following applies (i) the accuracy of the personal data is contested by you, in which case the restriction applies for the period enabling us to verify the accuracy of the personal data; (ii) the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead; (iii) we no longer need the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defence of legal claims; (iv) you have objected to processing, in which case the restriction applies until it is established whether our legitimate grounds prevail over your legitimate grounds.

Where processing has been restricted, such personal data shall, except for storage, only be processed with your consent or for the establishment, exercise, or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest.

In the event of a restriction of processing, you will be informed in advance of its lifting.

Right to object: Regarding data processing based on our legitimate interest, you may object to our data processing if you feel that the data processing is prejudical to you.

In the event of an objection, personal data will be deleted from our active systems unless there is an overriding reason to keep it. Such an overriding reason may be to pursue a claim against you.

Right to data portability: In relation to the processing of your personal data in connection with our contracts with you, you may request that the personal data you provide to us be provided to you or transmitted to another controller you designate in a commonly used and machine-readable format.


If you wish to exercise any of the above rights, please send your inquiry in writing by post to our address or by e-mail to our e-mail address as determined in Chapter III. In the letter, please also provide your identification data and mailing address. If we have any doubts about your identity or if the information provided is not sufficient to identify you, we are entitled to request additional identification data from you.

Your request will be fulfilled within one (1) month. If necessary, we are entitled to extend this deadline by a further two (2) months, about which we will send you a reasoned notification.

Reasonable requests will be handled free of charge. However, if the request is manifestly unfounded or excessive, in particular, because of its repetitive nature, we are entitled to charge a reasonable fee or even refuse to act on the request.

We will inform all those to whom we have disclosed the data about the rectification, erasure, or restriction of the data unless this proves impossible or requires a disproportionate effort. Upon your request, we will inform you of the recipients to whom we have communicated or disclosed as described above.


Suppose we cause any damage to you or a third person through unlawful or not secure processing of your personal data, you or the person who has suffered damage is entitled to receive compensation from us for the damage suffered. 

If, in this regard, we infringe on your privacy, you are entitled to claim restitution.

Please note that we are exempt from liability if the damage is proven to have been caused by an external cause beyond our control or if the damage comes from your deliberate or grossly negligent conduct, or if it proves that we are not in any way responsible for the event giving rise to the damage.


  1. Contacting the controller

If you consider that we are processing your personal data unlawfully, please first communicate your comment or request to us at any of our contact details listed in Chapter III so that we can process and handle the situation as quickly and efficiently as possible.

  1. Lodge a complaint with the data protection authority

In the event you consider that the processing of your personal data infringes the GDPR Regulations, you have the right to lodge a complaint with the National Authority for Data Protection and Freedom of Information (NAIH). 

Contact details of the authority:


address: 1055 Budapest, Falk Miksa utca 9-11.

postal address: 1363 Budapest, Pf.: 9.


  1. Access to the Court of Justice

Please note that you are entitled to lodge a claim in court. You may file the lawsuit at the Regional Court having jurisdiction based on our seat or your permanent or temporary place of residence.


We may amend or update all or parts of this Privacy Policy when amendments are made to laws or regulations that govern the protection of personal data and your rights. Changes and updates to this Privacy Policy shall be binding once posted on our website in the section. Therefore we recommend you access this section regularly to check the most recent version of this Privacy Policy. You can check the "effective date" posted at the top to see when the Privacy Policy was last updated.