Privacy Notice concerning the market research and satisfaction survey conducted among wholesale customers

Global Czech Republic Czech Republic France Germany Hungary Italy Poland Romania Russia Serbia Slovakia Slovenia
Description and purpose of the data processing Legal basis of the data processing Scope and source of the processed personal data Duration of the data processing Recipient(s) of data transfers Data processor and its processing activity

Sending, by e-mail, a link where online questionnaires are available for the purposes of surveying customer satisfaction and performing general market research in order to improve the controllers’ products and services. as well as making inquiries by e-mail or telephone to schedule appointments for personal, telephone or Skype interviews.

Telephone market research for the purposes of surveying customer satisfaction and conducting general market research in order to improve the controllers’ products and services.

(Quantitative researches)
 

Article 6(1)(f) of GDPR (the processing is necessary to pursue the Company’s legitimate interest)
Legitimate interest: assessing the satisfaction of the Company’s customers, improving the Company’s corporate image, and thereby strengthening its economic performance and improving its products and services.

You can read the Balancing Test by clicking here.  


The completion of the questionnaire is the Company’s legitimate interest, however the Customers or their representatives can freely decide whether or not to complete the questionnaire.

For the data of the company’s contact person, Article 6(1)(f) of GDPR (the processing is necessary to pursue the Company’s legitimate interest).
 

The Customer’s name, for legal person customers: name, e-mail address, and telephone number of the contact person, answers to the questions

For corporate contact persons, until the data subject effectively exercises his or her right to objection.

Unless a data subject effectively exercises his or her right to objection, IPSOS will anonymise the data within 90 days of the completion of the questionnaire or of the telephone call, and thus the data will not be individualised (relating to an individual). 
 

The following MOL Group companies are involved in the market research and the satisfaction survey:

MOL Nyrt.

MOL IT & Digital GBS Magyarország Kft.  
(HU-1039 Budapest, Szent István utca 14) 

– providing IT and hosting services closely related to the processing.

 

IPSOS Média-, Reklám-, Piac és Véleménykutató Zrt. (HU-1139 Budapest, Pap Károly utca 4-6) – organising the satisfaction survey, including sending out questionnaires, evaluating responses and providing access to the aggregated results to MOL Nyrt.’s designated employees. Contacting Customers over the phone. Conducting personal interviews.

 

Data processed by IPSOS – the Customer’s name, for legal person customers: name, e-mail address, and telephone number of the contact person, answers to the questions

 

The aggregated results, which do not allow the identification of individual persons, are forwarded by MOL Nyrt. to other members of the MOL Group.

 

MOL uses the cloud based Microsoft 365 services (e.g.  Word, Excel, PowerPoint, Teams, Outlook) to store the personal data. – IPSOS using Microsoft Teams for making the online interviews. 

Completing a market research questionnaire during a telephone interview, online meeting or a personal meeting
for the purpose of improving the controllers’ products and services.

(Qualitative researches)

For the data of the company’s contact person, Article 6(1)(f) of GDPR (the processing is necessary to pursue the Company’s legitimate interest).

 

In case of voice recording Article 6(1)(a) of GDPR, the freely given consent of the data subject.

The data subject has the right to withdraw his or her consent at any time.

The withdrawal of consent shall not affect the lawfulness of the processing based on consent before the withdrawal.

Address and telephone number of the given contact person,
which company he or she represents,
answers to the questions in the questionnaire, or for personal interviews, the voice of the data subjects.

During a personal interview, the market researcher records the conversation and then prepares a transcript of the recordings.

Source of the data: 
Completed market survey questionnaire obtained from the data subjects
 

For corporate contact persons, until the data subject effectively exercises his or her right to objection.


Unless a data subject effectively exercises his or her right to objection, IPSOS will prepare a transcript from the voice records and delete the voice records within 30 days of the personal interview, In the transcript the data will not be individualised (relating to an individual). 
 

The following MOL Group companies are involved in the market research and the satisfaction survey:

MOL Nyrt.

MOL IT & Digital GBS Magyarország Kft.  
(HU-1039 Budapest, Szent István utca 14) 

– providing IT and hosting services closely related to the processing.

 

IPSOS Média-, Reklám-, Piac és Véleménykutató Zrt. (HU-1139 Budapest, Pap Károly utca 4-6) – organising the satisfaction survey, including sending out questionnaires, evaluating responses and providing access to the aggregated results to MOL Nyrt.’s designated employees. Contacting Customers over the phone. Conducting personal interviews.

 

Data processed by IPSOS – the Customer’s name, for legal person customers: name, e-mail address, and telephone number of the contact person, answers to the questions

 

The aggregated results, which do not allow the identification of individual persons, are forwarded by MOL Nyrt. to other members of the MOL Group.

 

MOL uses the cloud based Microsoft 365 services (e.g.  Word, Excel, PowerPoint, Teams, Outlook) to store the personal data. – IPSOS using Microsoft Teams for making the online interviews. 

   

Address and telephone number of the given contact person,
which company he or she represents,
answers to the questions in the questionnaire, or for personal interviews, the voice of the data subjects.

During a personal interview, the market researcher records the conversation and then prepares a transcript of the recordings.

Source of the data: 
Completed market survey questionnaire obtained from the data subjects
 

.

For corporate contact persons, until the data subject effectively exercises his or her right to objection.


Unless a data subject effectively exercises his or her right to objection, IPSOS will prepare a transcript from the voice records and delete the voice records within 30 days of the personal interview, In the transcript the data will not be individualised (relating to an individual). 
 

The following MOL Group companies are involved in the market research and the satisfaction survey:

 

MOL Nyrt.
 

MOL IT & Digital GBS Magyarország Kft.  
(HU-1039 Budapest, Szent István utca 14) 

– providing IT and hosting services closely related to the processing.

 

IPSOS Média-, Reklám-, Piac és Véleménykutató Zrt. (HU-1139 Budapest, Pap Károly utca 4-6) – organising the satisfaction survey, including sending out questionnaires, evaluating responses and providing access to the aggregated results to MOL Nyrt.’s designated employees. Contacting Customers over the phone. Conducting personal interviews.

 

Data processed by IPSOS – the Customer’s name, for legal person customers: name, e-mail address, and telephone number of the contact person, answers to the questions

 

The aggregated results, which do not allow the identification of individual persons, are forwarded by MOL Nyrt. to other members of the MOL Group.

 

MOL uses the cloud based Microsoft 365 services (e.g.  Word, Excel, PowerPoint, Teams, Outlook) to store the personal data. – IPSOS using Microsoft Teams for making the online interviews. 

 

Name, registered office, telephone number, website (where the privacy notices are available) and e-mail address of the controller(s):
MOL Nyrt.,
HU-1117 Budapest, Október huszonharmadika utca 18
+36 1 886 5000
www.mol.hu;
[email protected]
MOL Nyrt. and the MOL Group companies involved in the market research and the satisfaction survey are considered to be joint controllers, and in this context, they determine the purposes and framework of the data processing jointly and have joint responsibility for the processing. The controllers have a joint Privacy Notice.

 

Contact person(s) of the controller(s):
MOL Wholesale Customer Care
HU-1117 Budapest, Október huszonharmadika utca 18
+36 1 886 5000
[email protected]

Name and contact information of controller’s Data Protection Officer(s): [email protected]

Persons at the controller who are authorised to access the data (by data processing purpose):
Group Customer Care staff and Customer Care staff of individual subsidiaries.

Name, registered office, telephone number, website (where the privacy notices are available) and e-mail address of the processor(s) and other controller recipient(s):
IPSOS Média-, Reklám-, Piac és Véleménykutató Zrt.
HU-1139 Budapest, Pap Károly utca 4-6
Telephone number: +36-1-476-7600
https://www.ipsos.com/hu-hu
https://www.ipsos.com/hu-hu/contact

MOL IT & Digital GBS Magyarország Kft.
HU-1039 Budapest, Szent István utca 14
Telephone number: +36-70-373-2005
web: https://mol.hu/hu/molrol/mol-magyarorszag-szolgaltato-kozpont-kft/#it-szolgaltatasok
E-mail: [email protected]

 

The service providers that are operating the Microsoft 365 services are:

 

Microsoft Ireland Operations Ltd.
One Microsoft Place
South County Business Park
Leopardstown
Dublin 18, D18 P521, Ireland

 

Microsoft Corporation

 

One Microsoft Way
Redmond, Washington 98052 USA

 

Online contact: Ask questions about Microsoft privacy – Microsoft privacy
During the use of the Microsoft 365 services, personal data may also be processed in non-EU countries that do not provide the appropriate level of data protection set by the GDPR. With respect to the collection, transfer and processing of personal data in non-EU member states, Microsoft Corporation provides for the personal data protection through standard contractual clauses approved by the EU Commission in decision 2021/914/EC, dated 4 June 2021.
Further information:
https://www.microsoft.com/en-us/trust-center/privacy/gdpr-overview
Microsoft’s commitment to GDPR, privacy and putting customers in control of their own data - Microsoft On the Issues
GDPR simplified A guide for your small business - Microsoft 365 admin | Microsoft Docs


Contact person(s) of the processor(s) and other controller recipient(s):
IPSOSMédia-, Reklám-, Piac és Véleménykutató Zrt.- annamaria.fö[email protected]

 

MOL IT & Digital GBS Magyarország Kft.  - [email protected]
Microsoft Ireland Operations Ltd. and Microsoft Corporation see above

Name and contact information of the processor’s Data Protection Officer(s):
IPSOSMédia-, Reklám-, Piac és Véleménykutató Zrt.
MOL IT & Digital GBS Magyarország Kft.  - [email protected]
Microsoft Ireland Operations Ltd. and Microsoft Corporation see above

 

Persons at the processor who are authorised to access personal data:
IPSOS Média-, Reklám-, Piac és Véleménykutató Zrt.
MOL IT & Digital GBS Magyarország Kft.  - Staff engaged in system operation
Microsoft Ireland Operations Ltd. and Microsoft Corporation see above

 

Processing of sensitive personal data for the purposes specified in this Privacy Notice:
No sensitive personal data (special categories of data) are processed. 

 

Transfer of personal data to a third country: –

 

Data security measures
 

Information Security Management System To ensure the confidentiality, integrity and availability of organizational information by implementing policies, processes, process descriptions, organizational structures, software and hardware functions.
Physical access To ensure physical asset protection containing MOL Group information.
Logical access To ensure that only approved and authorized users have access to data used by MOL Group Companies.
Data access To ensure that only authorized users of the systems have access to MOL Group Company data.
Data transfer/ storage/ erasure To ensure that MOL Group Company's corporate information is not transmitted, read, modified or erased by an unauthorized person while it is being transferred or stored. In addition, MOL Group company data must be deleted promptly when the purpose of processing ceases.
Confidentiality and integrity To ensure that MOL Group's corporate data is kept confidential and uptodate, also preserves integrity.
Availability To ensure that MOL Group Company data is protected against accidental destruction or loss and, in the event of such an event, access to, and recovery of, relevant MOL Group Company Data is on time.
Separation of data To ensure that MOL Group Company data is handled separately from other client data.
Incident management In the event of any breach of the MOL Group Corporate Information, the effect of the breach will be minimized and the owners of the MOL Group Company Information will be notified immediately.
Audit To ensure that the processor periodically tests, examines and evaluates the effectiveness of the technical and organizational measures outlined above.

 

Your data protection rights:


The GDPR contains in detail your data protection rights, your possibilities of seeking a legal remedy and the restrictions thereof (especially sections 15, 16, 17, 18, 19, 20, 21, 22, 77, 78, 79 and 82 of the GDPR). You can request at any time information about your personal data processed, you can request the rectification and erasure of your personal data or the restriction of their processing, furthermore you can object to the data processing based on a legitimate interest and to the sending of direct marketing messages, and you have the right to data portability. We summarize the most important provisions below. 

 

Right to information:


If the data controller processes your personal data it must provide you information concerning the data relating to you – even without your special request thereof – including the main characteristics of the data processing just as the purpose, grounds and duration of control, the name and address of the data controller and its representative, the recipients of the personal data (in case of data transfer to third countries indicating also the adequate and appropriate guarantees), the legitimate interests of the data controller and/or third parties in case of a data processing based on a legitimate interest, furthermore  your data protection rights and your possibilities of seeking a legal remedy (including the right of lodging a complaint with the supervisory authority), in the case if you have not had yet all this information. In case of automated decision-making or profiling the data subject must be informed in an understandable way about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject. Data controller provides you the abovementioned information by making this privacy notice available to you.


Right of access:


You have the right to obtain from the controller confirmation as to whether or not personal data concerning you are being processed, and, where that is the case, access to the personal data and certain information related to the data processing such as the purpose of the data processing, the categories of the personal data processed, the recipients of the personal data, the (scheduled) duration of the data processing, the data subject’s data protection rights and possibilities of seeking a legal remedy (including the right of lodging a complaint with the supervisory authority), furthermore information on the source of the data where they are collected from the data subject. Upon your request the controller shall provide a copy of your personal data undergoing processing. For any further copies requested by you, the controller may charge a reasonable fee based on administrative costs. The right to obtain a copy shall not adversely affect the rights and freedoms of others. The data controller gives you information on the possibility, the procedure, the potential costs and other details of providing the copy after receiving your request. 
In case of automated decision-making and profiling the data subject has access to the following information: the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.


Right to rectification:


You have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning you. Taking into account the purposes of the processing, you have the right to have incomplete personal data completed, including by means of providing a supplementary statement


Right to erasure:


You have the right to obtain from the controller the erasure of personal data concerning you without undue delay and the controller has the obligation to erase personal data without undue delay where certain grounds or conditions are given. Among other grounds the data controller is obliged to erase your personal data upon your request for example if the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; if you withdraw your consent on which the processing is based, and where there is no other legal ground for the processing; if the personal data have been unlawfully processed; or if you object to the processing and there are no overriding legitimate grounds for the processing; if the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject; or if the personal data have been collected in relation to the offer of information society services. 
If the data processing is based on your consent the consequence of the withdrawal of the consent: the data subject doesn’t have an opportunity to participate in the market research.
We inform you that the withdrawal of your consent does not affect the legality of the data processing carried out before the withdrawal, based on your consent. 


Right to restriction of processing:


You have the right to obtain from the controller restriction of processing where one of the following applies:
(a)     the accuracy of the personal data is contested by you, for a period enabling the controller to verify the accuracy of the personal data;
(b)     the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead;
(c)     the controller no longer needs the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defence of legal claims;
(d)     you have objected to processing, pending the verification whether the legitimate grounds of the controller override your legitimate grounds .
Where processing has been restricted according to the abovementioned reasons, such personal data shall, with the exception of storage, only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
 You shall be informed by the controller before the restriction of processing is lifted.


Right to data portability:


 You have the right to receive the personal data concerning you, which you provided to the controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:
(a)     the processing is based on your consent or on the performance of a contract (to which you are a party); and
(b)    the processing is carried out by automated means.
In exercising your right to data portability, you have the right to have the personal data transmitted directly from one controller to another, where technically feasible.
Right to data portability shall be without prejudice to the provisions governing the right to erasure, furthermore it shall not adversely affect the rights and freedoms of others.


Right to object:


 You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on the legitimate interests of the data controller. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.


How to exercise your rights:


The controller shall provide information on action taken on a request based on your abovementioned rights without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The controller shall inform you of any such extension within one month of receipt of the request, together with the reasons for the delay.  If the controller does not take action on your request, the controller shall inform you without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with the competent data protection supervisory authority (In Hungary the Nemzeti Adatvédelmi és Információszabadság Hatóság (National Authority for Data Protection and Freedom of Information) briefly ‘NAIH’) and seeking a judicial remedy. Address, telephone number, fax number, e-mail address and website of the NAIH: 1055 Budapest, Falk Miksa utca 9-11., post address: 1373 Budapest, postal mailbox 9., Tel: +36 1 391 1400, +36 (30) 683-5969 vagy +36 (30) 549-6838 Fax: +36-1-391-1410, e-mail: [email protected], website: http://naih.hu/.
In the event of any infringement of your rights you may file for court action. The action falls within the jurisdiction of the Törvényszék (General Court). Upon the data subject’s request the action can be brought before the Court which is competent based on the domicile or the place of residence of the data subject. The court may order the data controller to provide the information, to rectify, block or erase the data in question, to annul the decision adopted by means of automated data-processing systems, to honor the data subject’s objection. The court may order publication of its decision, indicating the identification of the data controller or any other data controllers and the committed infringement.
The data controller concerned shall be liable for any damage caused to a data subject as a result of unlawful processing or by any breach of data security requirements. Where any data controller violates the rights of the data subject relating to personality as a result of unlawful processing or by any breach of data security requirements, the data subject shall be entitled to demand restitution from the data controller concerned. Data controller may be exempted from liability for damages or for payment of restitution if he proves that the damage was caused by or the violation of the rights of the data subject relating to personality is attributable to inevitable reasons beyond his control.
No compensation shall be paid and no restitution may be demanded where the damage was caused by or the violation of rights relating to personality is attributable to intentional or negligent conduct on the part of the data subject.