Privacy Notice
Regarding personal data processing performed in connection with the website, the Partner Portal, and the iOS and Android mobile application of EB‑Csoport Zrt.
| Version | 2.0 |
| Effective date | 1 May 2026 |
| Previous version | 1.0 — in force from 1 September 2025 to 30 April 2026 |
| Hungarian original | This document is the English translation of the Hungarian „Adatkezelési tájékoztató” available at https://energiaborze.hu/adatvedelmi-nyilatkozat/. In case of any discrepancy between the language versions, the Hungarian original prevails. |
Introduction — scope of this Notice
This privacy notice (hereinafter: the „Notice„) applies jointly to all personal data processing carried out by EB‑Csoport Zrt. (hereinafter: the „Controller„) in connection with the following services:
- Website — the Controller’s publicly accessible website and its subdomains.
- Partner Portal — the closed, browser‑based platform made available to the Controller’s contractual partners.
- Mobile Application — the iOS and Android application that makes the services of the Partner Portal accessible on a mobile device, distributed exclusively through the official Apple App Store and Google Play Store channels.
The Mobile Application is functionally a mobile client of the Partner Portal; the data processing carried out through it is — save for the deviations set out in Section 3.7 — identical in substance to the rules applicable to the Partner Portal.
This Notice amends and consolidates the prior privacy notice that took effect on 1 September 2025, extending its scope to the Mobile Application. The substantive content of the prior provisions remains unchanged.
1. Identity and contact details of the Controller
| Company name | EB‑Csoport Zrt. (a Hungarian private limited company) |
| Registered seat | 2040 Budaörs, Sóvirág utca 2., Hungary |
| Mailing address | 1115 Budapest, Bartók Béla út 105–113. building 4, 2nd floor, Hungary |
| Company registration number | 13 10 042407 |
| Tax number | 32144374‑4‑13 |
| Group tax identifier | 17781956‑5‑13 |
| Representative (website) | Tamás Csonka, executive officer |
| Representative (Partner Portal and Mobile Application) | András Vinkovits, managing director |
| Telephone | +36 1 791 2040 |
| Email for data protection enquiries | adatvedelem@energiaborze.hu |
The Controller has not appointed a data protection officer, as such designation is not mandatory under Article 37 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (the „GDPR„). Data protection enquiries may be submitted to the mailing address or the email address indicated above.
2. Definitions
The terms used in this Notice — in particular personal data, processing, controller, processor, data subject, consent and personal data breach — shall have the meanings ascribed to them by the GDPR.
In addition, for the purposes of this Notice:
- Service means any of the services listed in points 1–3 of the Introduction.
- Mobile Application means the iOS and Android applications referred to in point 3 of the Introduction, taken together.
- User means a natural person who uses any of the Services.
3. Processing activities
3.1 Processing in the course of establishing partner relations
| Purpose | Communication during the offer phase to facilitate the acquisition of business or other co‑operation; preparation of contracts. |
| Categories of data | Name of the partner company’s representative; name of the contact person; email address; telephone number; title; job role. In the case of a sole trader: registration number, tax number, identity card number, address. |
| Legal basis | Article 6(1)(a) GDPR — the data subject’s consent. |
| Retention period | Until withdrawal of consent (request for erasure), and at most five (5) years from the last contact. |
3.2 Processing during the contractual relationship and for any subsequent enforcement of claims
| Purpose | Communication necessary for the performance of the contract; provision of the contracted service; issuance of compliant invoices; enforcement of claims. |
| Categories of data | Name, position, email address and telephone number of the contact person; signatures of the persons authorising the financial transaction, approving the disbursement and confirming its execution; signatures of the recipient and the payer. |
| Legal basis | Article 6(1)(b) GDPR — processing necessary for the performance of a contract. |
| Retention period | For the duration of the contractual relationship and until the expiry of the limitation period applicable to the enforcement of claims. |
3.3 Processing for the maintenance of partner relations
| Purpose | Maintaining the business relationship after termination of the contractual relationship. |
| Categories of data | Name, email address, telephone number and position of the contact person. |
| Legal basis | Article 6(1)(a) GDPR — the data subject’s consent. |
| Retention period | Until withdrawal of consent, and at most one (1) year from the last contact (excluding accounting data). |
3.4 Processing for compliance with tax and accounting obligations
| Purpose | Compliance with tax and accounting obligations. |
| Categories of data | Name, address, tax status, tax identification number and tax number of the data subject; further identifiers appearing on the issued invoice. |
| Legal basis | Article 6(1)(c) GDPR — compliance with a legal obligation; pursuant to Sections 169 and 202 of Act CXXVII of 2017 on Value Added Tax, Section 167 of Act C of 2000 on Accounting, and Section 47 of Act XCII of 2003 on the Rules of Taxation. |
| Retention period | Eight (8) years from the termination of the legal relationship. |
3.5 Processing in connection with the use of the Partner Portal
| Purpose | Ensuring secure access to the Partner Portal; management of user sessions; secure provision of document downloads; receipt and management of maintenance reports; compliance with system‑security requirements; provision of an audit trail. |
| Categories of data | Data identifying the data subject and used for sign‑in (email address, user identifier); technical data related to the access (IP address, browser type, operating system, time of sign‑in); data on the use of the portal (time of use, pages viewed, list of documents downloaded); data related to maintenance reports; records of access rights. |
| Legal basis | As regards access necessary for the performance of the contract: Article 6(1)(b) GDPR. As regards processing for system security and logging purposes: Article 6(1)(f) GDPR — the legitimate interests of the Controller in ensuring system security and quality of service. |
| Retention period | Authentication and sign‑in data: three (3) years from the cessation of use of the portal. Maintenance reports: five (5) years from the closure of the report. Monitoring and audit data: three (3) years. Anonymised usage statistics: two (2) years. |
3.6 Monitoring of generation data
| Purpose | Real‑time display of the generation data of the power plants assigned to the partner. |
| Categories of data | Identifiers, site coordinates, installed and instantaneous capacity figures, generation time series, and balancing and maintenance data of the power plants assigned to the user, in so far as these can be linked to a natural person partner or sole trader. |
| Legal basis | Article 6(1)(b) GDPR — performance of a contract. |
| Retention period | For the duration of the contractual relationship and three (3) years thereafter. |
3.7 Processing in connection with the use of the Mobile Application
The Mobile Application is the mobile client of the Partner Portal; its purpose is to make the services available through the Partner Portal — in particular power‑plant monitoring, document download, and the submission of maintenance reports — accessible on a mobile device.
| Purpose | Ensuring secure access to the Mobile Application; making the services with content equivalent to that of the Partner Portal accessible on a mobile device. |
| Categories of data | Identifying data of the data subject as used on the Partner Portal; the authentication data temporarily stored on the data subject’s device for the purpose of sign‑in; and the data referred to in Sections 3.5 and 3.6 to the extent assigned to the user. The Mobile Application does not collect any further personal data; in particular, it does not collect any data relating to the precise or approximate geographic location of the data subject, the contacts, calendar entries, photographs, or audio recordings stored on the device, any device identifier, and it does not employ any advertising identifier or technique for tracking user behaviour. |
| Legal basis | As regards access necessary for the performance of the contract: Article 6(1)(b) GDPR. As regards authentication and logging: Article 6(1)(f) GDPR — the legitimate interests of the Controller in ensuring system security and quality of service. |
| Retention period | Authentication data stored on the data subject’s device are retained until the data subject signs out, the Mobile Application is uninstalled, or the relevant authentication data expires. Server‑side processing is governed by Section 3.5. |
Personal data transmitted through the Mobile Application are not transferred outside the European Economic Area.
4. Rights of the data subject and the exercise of informational self‑determination rights
4.1 Right of information and access
The data subject has the right to obtain knowledge of, and at any time request, the personal data held by the Controller and information relating to their processing, and to verify what data the Controller holds about him or her.
4.2 Right to rectification and completion
The Controller shall, without undue delay, rectify any inaccurate personal data identified in writing by the data subject and, on the basis of further personal data provided by the data subject, complete incomplete data.
4.3 Right to restriction of processing
The data subject may request restriction of processing where (a) the data subject contests the accuracy of the personal data; (b) the processing is unlawful and the data subject opposes erasure of the data; (c) the Controller no longer needs the personal data for the purposes of processing, but the data subject requires them for the establishment, exercise or defence of legal claims; or (d) the data subject has objected to the processing.
4.4 Right to erasure („right to be forgotten”)
The data subject may request the erasure of his or her personal data where (a) the personal data are no longer necessary in relation to the purposes for which they were collected; (b) the data subject withdraws consent; (c) the data subject objects to the processing and there are no overriding legitimate grounds for processing; or (d) the personal data have been processed unlawfully.
Erasure does not apply to the extent that processing is necessary for exercising the right of freedom of expression and information; for reasons of public interest in the area of public health; for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes; or for the establishment, exercise or defence of legal claims.
4.5 Right to data portability
The data subject has the right to receive, in a structured, commonly used and machine‑readable format, the personal data concerning him or her that are present in the Controller’s systems, and to request that those data be transmitted directly to another controller. This right is limited to the data the data subject has provided to the Controller; data falling outside that scope are not portable.
4.6 Right to object
The data subject has the right to object, on grounds relating to his or her particular situation, at any time to the processing of his or her personal data based on legitimate interests. In such a case, the Controller shall no longer process the personal data unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or the processing is required for the establishment, exercise or defence of legal claims.
4.7 Time‑limit for handling requests
The Controller shall, without undue delay and in any event within one month of receipt of any request under Sections 4.1–4.6, inform the data subject of the action taken in response.
4.8 Exercise of rights in connection with the Mobile Application
In relation to the Mobile Application, the data subject may also delete the authentication data stored on his or her device by signing out of the application or by uninstalling the Mobile Application from the device. Requests concerning server‑side processing may be submitted to the contact details set out in Section 1.
5. Means of legal redress
The data subject may submit a complaint relating to processing to the Controller at adatvedelem@energiaborze.hu or at the mailing address set out in Section 1. In the event that his or her rights are infringed, the data subject may turn to the supervisory authority or to the court having jurisdiction and competence under Act CXXX of 2016 on the Code of Civil Procedure.
Contact details of the supervisory authority:
| Name | Hungarian National Authority for Data Protection and Freedom of Information (Nemzeti Adatvédelmi és Információszabadság Hatóság, „NAIH”) |
| Postal address | H‑1363 Budapest, P.O. Box 9, Hungary |
| Address | H‑1055 Budapest, Falk Miksa utca 9–11., Hungary |
| Telephone | +36 (1) 391‑1400 |
| ugyfelszolgalat@naih.hu | |
| Website | https://naih.hu |
6. Handling of personal data breaches
The Controller shall do everything reasonably expected of it to prevent personal data breaches. In the event that a personal data breach occurs, the Controller shall — in accordance with Articles 33 and 34 GDPR — notify the supervisory authority of the breach without undue delay and, where feasible, within 72 hours after having become aware of it, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.
Where the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the Controller shall communicate the breach to the data subject without undue delay.
The Controller maintains a record of personal data breaches setting out the circumstances, effects and remedial measures relating thereto.
7. Data security
The Controller applies appropriate technical and organisational measures to protect the personal data of the data subject, taking into account the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. These measures include access controls, encryption of data and transmission channels, system‑security checks, data backup, and regular training of staff.
In relation to the Partner Portal and the Mobile Application, the Controller applies particular care to ensure authenticated access, the allocation of access rights based on roles, the regular review of such rights, the maintenance of audit logs, and the encrypted transmission of communications. The Mobile Application is distributed exclusively through the official channels of the Apple App Store and the Google Play Store.
8. Miscellaneous
The Controller reserves the right to amend this Notice unilaterally. The Controller shall inform the data subject of the date of entry into force and the substantive content of any amendment via its website and — in the event of a material amendment — via a notice displayed when the Mobile Application is launched.
Matters not regulated by this Notice are governed by the GDPR, by Act CXII of 2011 on the Right of Informational Self‑Determination and on Freedom of Information, and by other applicable Hungarian legislation.
Effective from 1 May 2026. Drafted and approved by EB‑Csoport Zrt.
