Data Processing Agreement

The subject of the processing is the operation, support, maintenance and secure storage of DVP Systems' SimpliFleet and SimpliTime software services on behalf of the Data Controller.

Prohibited data: The Data Controller may not upload special categories of personal data (Article 9 GDPR: health, biometric, trade-union membership or criminal-record data) to the Platform. The Data Processor provides no feature for this.

The Data Processor undertakes the following obligations under Article 28(3) GDPR:

1. Following instructions: It processes personal data solely on the Data Controller's documented instructions, including instructions on transfers to a third country. If an instruction would breach the law, it informs the Data Controller without delay.
2. Confidentiality: It ensures that persons authorised to process personal data are bound by confidentiality (under their employment contract or by law).
3. Data security: It applies the technical and organisational measures required by Article 32 GDPR (see Section 4).
4. Sub-processors: It may engage further processors under the Data Controller's general prior authorisation; it notifies the Data Controller at least 15 days before engaging a new sub-processor, and the Data Controller may object on reasonable data protection grounds.
5. Data subjects' rights: It provides technical and organisational assistance to the Data Controller in fulfilling data subjects' rights (access, rectification, erasure, restriction, objection).
6. Compliance assistance: It assists in meeting the obligations under Articles 32–36 GDPR (data security, breach handling, DPIA, prior consultation).
7. Erasure / return of data: On termination of the Agreement — at the Data Controller's choice — it returns or deletes the personal data (see Section 6).
8. Auditability: It makes available the information needed to demonstrate compliance and allows reasonable audits (on-site audits at most once a year, with 30 days' notice; remotely: by sharing security documentation and certificates).

The Data Controller gives general prior consent to using the following categories of sub-processors. The Data Processor must pass on to every sub-processor, in writing, data protection, confidentiality, security and breach-handling obligations equivalent to those in this Agreement (Article 28(4) GDPR):

The Data Processor keeps an up-to-date list of sub-processors and provides it on request. It notifies the Data Controller at least 15 days in advance before engaging a new sub-processor. The Data Controller may object on reasonable data protection grounds; if it objects, the Parties consult in good faith about an alternative.

The Data Processor applies the following technical and organisational measures, proportionate to the risks (Article 32 GDPR):

Personal data breach: any security event that results in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or unauthorised access to, personal data transmitted, stored or otherwise processed.

The Data Processor's 24-hour notification must include, as a minimum: the known nature of the breach; the data categories and processing operations affected; the processor systems affected; the likely consequences; the measures taken or proposed; and the contact details of the breach-handling contact. The Data Processor provides rolling updates until the full investigation is complete.

The Data Processor cooperates with the Data Controller in investigating, containing and documenting the breach, preparing the NAIH notification, and supporting the notification of data subjects (in cases under Article 34 GDPR).

On termination of the main service contract or this Agreement:

1. The Data Processor provides the Data Controller with a 30-day export window . During this period the Data Controller may download the data stored in the system (TIG documents, working-time records, reports) in standard, machine-readable formats (CSV, XLSX, JSON).
2. After the 30-day window expires, the Data Processor deletes or anonymises the Data Controller's personal data from the active systems.
3. Data remaining in backups is deleted gradually in line with the normal backup lifecycle; restoration is only possible for recovery purposes or to meet a legal obligation.
4. TIG/payroll data may be kept longer on the Data Controller's instruction and under the mandatory 8-year retention obligation in Section 169 of the Accounting Act.
5. On request, the Data Processor issues a deletion certificate confirming the deletion carried out from the active systems.

The Data Controller declares and warrantsthat, before using the time tracking and TIG functions, it:

Indemnity: The Data Controller undertakes to fully indemnify and hold the Data Processor harmless against any fine (including data protection fines imposed by the NAIH), penalty or third-party claim arising from the untruth of the Data Controller's warranty above or from an unlawful processing instruction given by the Data Controller. In a dispute, the Parties cooperate closely in the defence.

The Data Controller undertakes not to use working-time data for disproportionate employee monitoring, and to grant access only to authorised persons.

This Agreement is governed by the GDPR and Hungarian law. In a dispute, the Parties agree to the exclusive jurisdiction of the Budapest-Capital Regional Court, or, failing that, the Buda District Court .

This Agreement may only be amended in writing, signed by both parties. Any change to the Terms & Conditions automatically extends to the data-security provisions of this Agreement.