General Terms and Conditions (“GTC”)
for the use of Digital Invoice Assistance (“DIA”), a proprietary invoice management system marketed by ABT Hungária Tanácsadó Kft.
1. Name, data and contact information of the operator
- Company name: ABT Hungária Tanácsadó Kft. (hereinafter referred to as “ABT”)
- registered office: HU-1037 Budapest, Montevideo utca 3/A
- company registration number: 01-09-267969
- VAT number: 10884223-2-41
- e-mail address: [email protected]
- postal address: HU-1037 Budapest, Montevideo utca 3/A
2. Subject-matter of the GTC; general provisions
These General Terms and Conditions (hereinafter referred to as “GTC”) regulate all legal relationships created in connection with the Customer’s use of the DIA invoice management software/system and related services provided by ABT.
A detailed description of the software and related services (hereinafter collectively as “Service”) is available in Annex 1 to these General Terms and Conditions.
The Service includes the provision of software updates in order to ensure compliance with applicable laws, as well as development, troubleshooting, and upgrading of the same. Updated versions required due to legislative amendment(s) shall be provided by ABT within the deadline specified in the legislation, or, where this is not reasonably possible due to the provisions giving effect to the specific legislation, then within the shortest possible deadline that is reasonably feasible.
The Service (i.e. the “DIA” invoice management software/system) is a virtual financial assistant developed and operated by ABT, a new approach invoice management system integrating all aspects of invoice management:
- filing (invoices issued in Hungary are automatically fed into the system through data exchange with the tax authority’s “NAV-Online” interface),
- authorisation (invoice verification and approval),
- preparation for payment (preparation of “transfer packages”), as well as
- preparation for accounting (DIA can be connected to accounting systems)
The Service can be used by any economic operator resident for tax purposes in Hungary (hereinafter referred to as “Customer”) within the framework of its business activities.
ABT hereby expressly excludes the application of the Customer’s own general terms and conditions.
The Parties may deviate from the provisions of these GTC in their individual written agreement.
By placing an order and accepting the price quote, the Customer declares and acknowledges that it has read the provisions of these General Terms and Conditions on ABT’s website and agrees to be bound by these GTC. If the Customer does not accept the provisions of these GTC, it will not be entitled to use the services provided by ABT.
The contract will not be filed in a hard copy; by accepting these GTC, an electronic contract is created between the Parties.
These General Terms and Conditions are established by ABT in advance, unilaterally, for the purpose of concluding multiple contracts with several customers, without the involvement of the other party. The GTC are not negotiated individually by the parties, and therefore they shall be governed by the relevant provisions of the Hungarian Civil Code (Ptk.).
These GTC are valid for an indefinite period of time. The current version of the GTC can be downloaded at https://digitalinvoice.hu/aszf/ .
3. Contract conclusion
A contract is concluded between ABT and the Customer upon ABT’s confirmation of the order placed by the Customer.
The Customer can order the Service by sending an email to ABT’s e-mail address or by clicking on the Subscribe button on the website. For orders placed by e-mail, ABT shall send an order confirmation to the e-mail address provided by the Customer, as well as the invoice for the first monthly service fee. After payment of the invoice, ABT will send instructions on how to download the Software to the Customer’s e-mail address.
The purchase order shall contain the following information of the Customer:
- name and registered office,
- company registration number and taxpayer ID number,
- details of the contact person (name, phone number, e-mail address),
- e-mail address (also for the receipt of e-invoices),
- the package ordered and a request for using the extra banking module, where applicable.
The Customer shall notify ABT of any changes in the data provided during the ordering process immediately, but no later than within 5 working days of the change, and shall provide credible evidence of the change. ABT may not be held liable for any damages resulting from Customer’s failure to do so.
Statements made by the person acting on behalf of the Customer shall be binding on the Customer under all circumstances. ABT is not obliged to examine the power of representation of the person acting on behalf of the Customer or the scope of their power of representation. ABT may not be held liable for any statement made by the person acting on behalf of the Customer.
By sending the purchase order, the Customer orders the Service from ABT. A contract is concluded between the Parties upon ABT’s written order confirmation. If the Parties enter into a separate contract, it shall only be considered concluded once signed by both of them.
By placing an order or by signing a separate contract, the Customer accepts these GTC. By placing an order, the Customer expressly consents to the conclusion of a distance contract.
4. Conditions for use of the Service
The Service is available through the website https://dia.abt.hu/login.
A substantive condition for using the Service is that the Customer has Internet access and a working e-mail account, as well as an IT system (operating system and browser) that allows it to visit websites. Due to its nature as a web service, the Service can be used with the latest official version of well-known browsers.
Another condition for starting to use the Service is that the Customer pays the first monthly service fee to ABT.
After the entry into force of the contract, access to the Service requires authentication at all times. Users can log into their accounts using the combination of a username and a password. It is the Customer’s obligation and responsibility to keep the username and password confidential.
5. Fee; payment terms
Service fees are specified in Annex 2 to these General Terms and Conditions.
Given the continuous nature of the Service, the fee is invoiced periodically, every calendar month.
ABT may issue electronic invoices, to which the Customer hereby consents.
Invoices shall be paid within 8 days after the invoice date, without any deduction or offsetting. For first orders by new customers, ABT reserves the right to make fulfilment dependent on the provision of a security deposit or advance payment.
Any complaint relating to an invoice does not entitle the Customer to delay payment of the invoice concerned.
Payment is considered to have taken place when the consideration is credited to ABT’s bank account.
In the event of late payment by the Customer, ABT is entitled to charge the late payment interest applicable to B2B transactions according to the laws currently in force. ABT is entitled to claim compensation for damages exceeding the late payment interest, and the Customer shall also reimburse ABT for any administrative, legal and other related costs incurred in connection with the enforcement of the claim.
ABT may suspend the performance of the Service with immediate effect if the Customer does not fulfil its payment obligation by the extended deadline specified in ABT’s payment reminder. In the meantime, the Customer will not be allowed to use the Software or download updates. Suspension of the service does not affect the Customer’s fee payment obligation. ABT may not be deemed as being in default during the period of suspension, and the Customer may not assert any claims against ABT in this regard.
In the event of a payment delay of more than 30 days by the Customer, ABT is entitled to terminate this contract with immediate effect and enforce its rightful claim in court (even by initiating liquidation proceedings against the Customer).
The Customer acknowledges that if liquidation proceedings are initiated against the Customer, its outstanding debt to ABT shall fall due and payable on the date of publication in the Hungarian Business Gazette (“Cégközlöny”) of the final court order ordering the initiation of liquidation proceedings (Section 35(1) of the Hungarian Bankruptcy and Liquidation Proceedings Act, Cstv.).
This also applies in the case where bankruptcy proceedings are initiated against the Customer.
ABT is entitled to change the service fee, subject to prior notification of the Customer in writing (at least 30 days in advance). If the Customer does not make a written statement regarding the change before it takes effect, the failure to make a statement shall be deemed to be the Customer’s express acceptance of the new fee.
ABT is entitled to unilaterally change the service fee once a year, with effect from February 1, based on the consumer price index of the previous year published by the Central Statistical Office.
6. Terms of Use
By purchasing the Software, the Customer acquires rights of use, but does not acquire ownership of the Software.
With this contract, the Customer acquires an unlimited and non-exclusive, non-transferable, limited right to use the Software for the duration of the contract and within the scope of the Customer’s business activities. This right of use is not unlimited, because it is only granted to a number of users determined by the Parties. The right of use is not exclusive, because the Customer may not transfer the ownership, possession or use right of the Software to another person on any grounds, may not rent or lend it to a third party, is not entitled to pledge it, either for consideration or without consideration, and is not allowed to copy, duplicate, change or otherwise alter it without a special permission of ABT. The Customer is not entitled to copy, duplicate, analyse, reverse engineer, change or otherwise alter the Software.
The right of use covers the following:
- display on a screen during proper use,
- installing, running and operating the Software.
Any use by additional users in excess of the number of users specified by the Parties is subject to the prior written consent of ABT.
Any unauthorised use of the Software is prohibited. The Customer is not entitled to copy the Software or its individual parts or license or transfer it to third parties or make it available to third parties.
The Software, together with all the accompanying documentation and the name of the Software, is proprietary to ABT, and ABT is the owner of all moral and property rights related to it. During the validity of the contract, ABT shall also have the copyrights to any updated/new versions of the Software created as a result of ABT’s software maintenance activities.
ABT reserves all rights in and to the Software.
The erasure, cancellation or modification of any mark indicating property or copyrights in the provided Software shall be prohibited.
Use of the Software is permitted only under the conditions provided in these GTC and to the extent specified herein.
7. Liability
The Software can only be used in a way and for a purpose that meet the requirements of the applicable legislation, in particular, those of the tax, accounting, labour law and social security legislation in force at all times.
The Customer acknowledges that it uses the Software solely at its own risk, and ABT is not responsible for any damages resulting from the use of the Software. ABT may not be held liable for the legality, correctness, completeness, adequacy and use of the data entered into the Software. ABT may not be held liable for errors resulting from illegal or incorrect data, or from illegal or incorrect data entry and for the resulting damage to the Customer.
ABT shall not be liable for the substantive correctness of invoices, receipts, lists and other documents uploaded to or generated in the Software, or for the veracity of the underlying individual economic events. A comprehensive verification of the correctness of these documents shall always be the sole responsibility and duty of the Customer.
With the exception of damages caused intentionally and harm or damage to life, health, physical integrity, ABT may not be held liable for any indirect or consequential damages resulting from the use or possible limited functioning of the Software, in particular, but not exclusively, for any loss of profit, loss of income, loss of data, downtime, or interruption of business activity. ABT shall not be liable for the above even if it was notified in advance of the possibility of such damages.
ABT’s liability for damages is limited to the amount of the annual service fee, with the exception of those damages for which the limitation of liability is excluded by the laws in force at all times. The Customer acknowledges all of the foregoing, and the Parties declare that the service fee has been determined taking this circumstance into account. The Customer’s possible claim for damages against ABT expires within 1 year from the date of the damage.
When asserting any claim for damages, the Customer shall immediately provide ABT with the documents proving the existence of liability for damages and shall make reasonable efforts to mitigate the damages. Failing this, ABT may not be held liable for the damage caused.
8. Warranty
The Customer is aware that, due to its complex nature, completely error-free and seamless functioning of the Software cannot be warranted. Due to the complex nature of the Software and IT systems, ABT assumes no liability for the error-free and seamless operation of the Software, nor for its compatibility with all IT systems and devices. In order to ensure safe operation, it is important that the Customer familiarises itself with all available information before starting to use and when managing the Software and complies with all instructions and advice. In view of the above, ABT does not warrant that the Software satisfies the unique needs of the Customer’s business, and that it meets all the expectations of the Customer’s users. In the case of unique needs and expectations related to the Software, it is possible to order custom developments against remuneration and only under a separate contract and individual assessment. If the Customer wishes to use the Software via a VPN network, such network shall be entirely designed and maintained by the Customer. ABT does not test the Software on a VPN network, and thus it assumes no liability for its error-free functioning via a VPN network. ABT investigates and corrects any possible issues arising from the use of a VPN network only under a separate contract, against remuneration.
The Customer is entitled to an implied warranty (“kellékszavatosság”) for a period of one (1) year from the date of contractual performance or from the date of each software update that the software and its subsequent updated/new versions made available as part of software maintenance will function in accordance with the product description.
The above warranty is limited and also includes that ABT provides “debugged and fixed” versions to the Customer during the warranty period free of charge. “Limitation of warranty” means that in the event of defective performance by ABT regarding the Software and its subsequent updated/new versions (i.e. occurrence of a “bug”), the Customer may primarily request debugging and fixing of the Software (or of the updated versions) from ABT, and the Customer may exercise other warranty rights set out in Section 6:159 of the Hungarian Civil Code (Ptk.) only in the event that ABT does not comply with its bug fixing obligation.
The Customer acknowledges that it is also considered bug fixing if ABT submits written recommendations on bug fixing or on a solution/workaround, on the basis of which the Customer is able to eliminate the bug exercising the reasonable expertise to be expected of the Customer. The Parties agree that the data sets managed by the Customer during the use of the Software are not covered by ABT’s implied warranty of fitness for a particular purpose (“kellékszavatosság”); the warranty does not apply to the restoration or rectification of damaged or deleted data, and ABT may not be obliged to reimburse the costs of restoring damaged or deleted data.
This warranty does not cover the following cases:
- improper or unauthorised use of the Software,
- the error occurs during the data recording process,
- the Customer did not comply with the instructions included in the product description of the Software and/or with the applicable laws,
- data loss or data errors not caused by a program error (but, for example, by failure of the Customer’s device),
- the Software was run in an inappropriate software environment,
- the Customer’s device was infected with a virus, or the Customer failed to download any update/upgrade,
- changes in the software components and the software environment caused by applications installed by the Customer or other parties; errors of such applications or errors caused by them,
- force majeure events,
- other events that may hinder the operation of the Customer or ABT and thus the provision of the Service (e.g. power outages, epidemiological, health or travel restrictions, shutdown of computer systems, measures of state bodies).
9. Termination; termination with immediate effect
The contract was concluded between the Parties for an indefinite period.
Either Party is entitled to terminate the contract with 30 days’ notice.
ABT is entitled to terminate the contract with immediate effect in the case of a material breach of contract by the Customer, especially in the following cases:
- liquidation, bankruptcy or liquidation proceedings are initiated against the Customer by a third party or by the Customer itself;
- if, due to the Customer’s financial situation, payment discipline or business conduct, payment of the service fee cannot be taken for granted;
- the Customer failed to comply with its obligation to provide information regarding a material circumstance affecting the contract, or breached any of its obligations and did not remedy it within 5 days after being invited to do so by ABT;
- the Customer exhibits such market behaviour towards ABT that may result in a damage to ABT’s reputation.
If any of the above occurs, ABT is entitled to suspend further performance of the contract.
Termination of the contract in any way shall not affect the Customer’s obligation to fulfil its existing payment obligations or settle other debts towards ABT.
10. Data protection; data processing
Personal data provided in connection with the Service are processed and transferred in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter: “GDPR”), as well as Hungarian Act CXII of 2011 on the right to information self-determination and freedom of information.
Annex 3 sets out detailed conditions for the processing of personal data related to the Service that is the subject-matter of these GTC.
11. Confidentiality
The Parties undertake to treat all information in their possession as strictly confidential, as a business secret, during the term of the contract concluded between them, and also thereafter, and not to publish it, disclose it to a third party or make it available to a third party in any way, or use it in any other way without the prior written permission of the other Party. When defining the term “business secret”, the Parties use the definition set out in Act LIV of 2018 on the protection of business secrets and apply the legal sanctions applicable in the event of its violation.
The Parties shall also oblige their own employees and any third parties having a contractual relationship with them to observe the confidentiality obligation set out in this clause.
12. Miscellaneous provisions
ABT is entitled to unilaterally amend these GTC at any time, subject to prior information of the Customer. ABT shall inform the Customer about such amendments via the Website. The amended provisions shall become effective for the Customer when the Customer uses the Software for the first time after the provisions’ entry into effect.
The Customer may submit objections and complaints related to ABT’s activities and the Software, depending on their nature, using the contact details indicated on the Website. ABT shall respond to objections and complaints electronically within 30 days at the latest.
These GTC are governed by the laws of Hungary. Any matters not regulated in these GTC shall be governed by the provisions of Hungarian laws, in particular, Act V of 2013 on the Civil Code.
If some provisions of these GTC are or are held invalid, this shall not affect the validity of the rest of these GTC.
These GTC enter into effect on 01.09.2022.
Annex 1
Description of the DIA service
The Digital Invoice Assistance (DIA) is a new approach invoice management system, in which the automation enabled by IT developments has been coupled with ABT’s almost 30 years of accounting, financial and customer-side experience.
The service is accessible for subscribers via a web browser at https://dia.abt.hu/login.
After the initial settings (connection to the NAV Online interface, creation of user accounts, definition of views and approval levels), the DIA queries incoming and outgoing invoices at regular intervals using the NAV XML 3.0 protocol and displays them through an interface.
It is possible to add further information and attach documents to invoices and send them for approval.
The DIA is able to manage invoices up to the preparation of bank transfers and entry into the books.
Summary of the DIA’s functions:
- Automatic query of invoices issued in Hungary from the database of the tax authority (NAV)
- Comprehensive invoice management
- One- or two-tier approval
- Automatic generation of supplier master data based on incoming invoices
- Supplier master data management
- Displaying changes in supplier master data
- Manual recording of foreign invoices and other documents
- Uploading scanned or pdf documents as attachments
- Sending messages, adding comments to invoices
- Entering cost centres and cost objects
- One or two-step invoice approval
- Access right management
- Delegation
- Substitution
- Customisable views
- Filtering option for all invoice data
- Displaying outgoing Hungarian invoices using data from the tax authority’s database
- Complete invoice history
- Exporting reports in Excel format (incoming and outgoing invoices, suppliers)
- Bookkeeper’s access, designation of accounting status
- Auditor’s access (read only)
The banking module creates “transfer packages” from the invoices approved for payment and makes them available for download. After that, it is enough to import the downloaded file into the banking software, and the transfer data will be populated automatically. The bank transfer takes place when the authorised signatories sign the transfer within the banking system. (This is no longer done in the DIA software.)
In addition, the DIA can combine items to be transferred to the same bank account and indicates if intra-bank transfer is possible.
A list of banks whose systems are suitable for importing transfer packages is available here: https://digitalinvoice.hu/.
Annex 2
DIA service fees
| DIA subscription packages | Start | Premium |
| --- | --- | --- |
| Number of users | 5 | 5+ |
| Number of companies | 1 | 1+ |
| Subscription fee (HUF/month) | 19 900 | Ask for an individual offer! |
| Additional fee for banking module | Part of the package | Part of the package |
The above fees apply in the case of an annual subscription and annual billing.
The banking module is included in all plans.
The number of processed documents is unlimited in all plans.
The above prices are exclusive of VAT.
Annex 3
Terms and Conditions for data processing related to the DIA Service
1. Preamble
1.1 Subject to the General Terms and Conditions (hereinafter referred to as “GTC”), the Parties, i.e. Customer (hereinafter referred to as “Controller I”) and ABT Hungária Tanácsadó Kft. (hereinafter referred to as “Controller II”), enter into a service contract that covers the processing of personal data as defined in Section A of this Annex. During the processing of personal data, both Controller I and Controller II act as a data controller. In accordance with Section 3 of the General Terms and Conditions, the date of ordering the DIA service shall be considered the contract conclusion date.
1.2 To protect the personal data of data subjects and to effectively comply with the data protection requirements, the Parties set out the obligations relating to the processing of personal data below.
2. General provisions regarding data processing activities
2.1 The Parties undertake that in the course of data processing activities covered by this Annex, personal data will only be processed to the extent absolutely necessary to achieve the purposes defined in the General Terms and Conditions and in Section A of this Annex.
2.2 The Parties are not entitled to reimbursement of their costs and expenses incurred during the fulfilment of their obligations under this Annex, apart from the consideration specified in Annex 2 to the General Terms and Conditions depending on the selected DIA subscription package.
3. Definition of terms
3.1 The terms defined in this Annex shall have the meanings set forth below or in the GTC, unless the context in which they are used clearly requires a different meaning.
- “Personal data” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- “Processing” means any operation or set of operations which is performed on personal data, regardless of the procedures used, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- “GDPR” means Regulation No (EU) 2016/679 (General Data Protection Regulation)
- “NAIH” means the Hungarian Data Protection and Freedom of Information Authority.
- “GTC” means the general terms and conditions applicable to the Parties, during the implementation of which the Parties process personal data.
- “Mandatory safeguards” means technical and organisational measures, the implementation of which is undertaken by the Parties in accordance with Section D of this Annex.
3.2 Other concepts used in this Annex shall be interpreted based on the definitions of the GDPR.
4. Data processing and liability in accordance with the legislation
4.1 The Parties undertake to comply with all applicable data protection legislation, in particular the GDPR, regarding the data processing activities regulated in this Annex.
5. Required safeguards
5.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing carried out in the course of the GTC’s implementation, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Parties shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. The Parties shall implement the minimum safeguards listed in Section D of this Annex.
5.2 When determining the appropriate level of security, the Parties shall specifically take into account the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.
5.3 Where required pursuant to Sections 5.1 and 5.2 of this Annex, the Parties shall provide the following:
- pseudonymisation and encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services,
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
- a procedure for regularly testing, assessing, and evaluating the effectiveness of the technical and organisational measures taken to guarantee the security of processing.
6. Confidentiality; training
6.1 The Parties shall ensure that personal data are accessed only by those persons who absolutely need it for the performance of their tasks set out in the General Terms and Conditions and Section A of this Annex.
6.2 The Parties shall take appropriate measures to ensure that natural persons acting on their behalf or under their direction and having access to personal data can process such data only in accordance with their instructions.
6.3 The Parties also undertake to provide access to personal data only to persons who made a written declaration concerning confidentiality in advance or are subject to an appropriate confidentiality obligation based on legislation.
6.4 The Parties shall provide an adequate level of training for the persons participating in data processing operations and keep these persons’ data protection knowledge up to date.
7. Use of processors
7.1 The Parties undertake to notify each other in writing if they use a processor in connection with the data processing covered by this Annex. Accordingly, Controller II hereby informs Controller I that it uses the processors indicated in Section B herein. If either Party wishes to use a new or an additional processor, it shall notify the other Party in writing.
7.2 If either Party uses the services of a processor for its data processing activities, it shall enter into a written contract compliant with the GDPR with that processor. The processor shall provide adequate safeguards that it has implemented appropriate technical and organisational measures and thereby ensure that the processing complies with the requirements of this Annex. If a processor fails to fulfil its data protection obligations, the controller that engaged it shall be fully responsible for the fulfilment of the processor’s obligations.
8. Cooperation of the Parties
8.1 The Parties shall notify each other immediately, but no later than within five (5) working days, in writing, if there is a change in any essential information specified in Section A of this Annex.
9. Data transfer outside the European Economic Area (EEA)
9.1 The Parties undertake to notify each other in advance in writing before transferring personal data outside the European Economic Area. In the notification, they shall indicate the mechanism as per Chapter V of the GDPR under which the data is transferred outside the EEA.
9.2 In accordance with Section 9.1 of this Annex, in this section, Controller II informs Controller I that personal data may be transferred outside the European Economic Area in the use of Microsoft applications (e.g. Outlook) used in order to fulfil its tasks under the General Terms and Conditions. Depending on the specific place of data transfer, out of the mechanisms according to Chapter V of the GDPR, data are transferred based on an adequacy decision adopted by the European Commission or standard contractual clauses.
10. Exercise of the rights of data subjects
10.1 Each Party shall evaluate the requests received from data subjects, take action on them and inform the data subjects of the action taken. The Party/Controller whose processor has the personal data concerned shall take action on the implementation of the given request from a data subject, i.e. erasure, data portability, restriction of processing, rectification.
10.2 In addition, the Parties shall cooperate in the exercise of the data subjects’ rights, and in that context, provide each other with all relevant information available to them within five (5) working days from the request of the other Party. If all relevant information is not available within 5 working days for the assessment and fulfilment of the given request by a data subject, the Parties shall inform each other about this and the time required to provide the information at the following contact details:
- Controller I at the e-mail address provided in the order process according to Section 3 of the General Terms and Conditions,
- Controller II at the e-mail address [email protected].
11. Handling of personal data breaches
11.1 In the absence of appropriate and timely measures, a personal data breach may result in physical, material or non-material damage to individuals such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorized reversal of pseudonymisation, damage to the reputation, loss of confidentiality of data protected by professional secrecy or any other economic or social disadvantage to the individual concerned.
11.2 The Parties shall take appropriate organisational and technical measures in order to be able to avoid personal data breaches, detect personal data breaches that have occurred without delay, determine the severity of a detected personal data breach and notify each other of personal data breaches immediately, but no later than within 24 hours after having become aware of it:
- Controller I at the e-mail address provided in the order process according to Section 3 of the General Terms and Conditions,
- Controller II at the e-mail address [email protected].
11.3 In the notification, the Parties shall at least:
- describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
- communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
- describe the likely consequences of the personal data breach;
- describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects;
- describe the measures that the data subjects themselves can take to mitigate the risks arising from the personal data breach.
If all the above data is not available within 24 hours, the Parties shall still notify each other, and this notification shall contain at least those provided for in Section 11.3, points (a) and (b). The Parties shall provide each other with additional information without undue delay.
11.4 The Parties agree that in the event of a personal data breach, if they deem it necessary, they shall consult with each other immediately after being informed to mitigate the consequences or, if possible, to eliminate the incident, including notification of the data subjects.
11.5 If a personal data breach covered by this Annex involves a risk for the data subjects, then the Party at whom the personal data breach occurred shall report it to the NAIH.
12. Erasure of data; return of data to Controller I
12.1 After the expiration of the retention period prescribed by the applicable legislation, or after the termination of the General Terms and Conditions, Controller II shall delete all personal data immediately or return them to Controller I at the latter’s request, unless after the expiration of that period Controller II processes the data for another specific purpose based on a suitable legal basis.
A. Records of processing activities
To be interpreted together with the relevant provisions on records of processing activities (Article 30 of GDPR).
Digital Invoice Assistance Service
I. Subject of the processing
To perform accounting activities as quickly and efficiently as possible, Controller II provides Controller I with the possibility to use the former’s proprietary software named Digital Invoice Assistance (hereinafter referred to as “DIA”). Data relating to reported supplier invoices can be downloaded automatically, in real time, from the tax authority’s system. Building on this possibility, the essence of the DIA service is to provide the Parties with access to the invoice data available in the tax authority’s database as quickly as possible, as well as to simplify and speed up accounting-related tasks and communication.
Accordingly, DIA consists of three modules. The first is an invoice approval module, where invoice data are administered, processed and verified. The second is a bank transfer preparation module, which aims to facilitate the management of payments. The third is an accounting preparation module, which supports the faster and simpler performance of accounting activities.
II. Nature and purpose of data processing
1. Processing carried out in connection with the DIA service:
- Invoice Approval Module: On the one hand, the invoice data of Controller I as available in the tax authority’s database (so-called invoice images, basically company data), and on the other hand, other documents associated with those invoices (invoice attachments), which are required to be managed based on Controller I’s practice, are recorded here. The so-called “invoice images” managed here, however, are not considered official invoices. Essentially, company data are recorded in this module. The personal data of the employees of Controller I, i.e. the users of the module, who administer, verify, accept, correct, delete, or approve invoice data from a content and financial point of view, are recorded. Therefore, this module collects, records, makes accessible, and stores personal data on user actions related to incoming invoice data for the purpose of transparent verification, finalisation and traceability of invoice data. Invoice data normally do not contain personal data, except in cases where the invoice is issued by or to a sole proprietor.
- Transfer Preparation Module: In this module, invoice-related payments are processed and company information that facilitates the processing of payments is managed. The data related to payments normally do not contain personal data, except in cases where the payee is a sole proprietor. In this case, personal data are also collected, recorded, used and stored here to facilitate and enable the fulfilment of payment obligations. This module does not collect or record personal data about the employees of Controller I (i.e. users).
- Accounting Preparation Module: This module simplifies and speeds up the performance of accounting activities. The module is able to identify invoice data, the type of invoice and the issuing supplier, if an invoice has already been received from the given supplier. This module manages file-based data, that is, it generates a file that speeds up accounting. In this module, invoice data normally do not contain personal data either, except in cases where the invoice is issued by or to a sole proprietor. Therefore, no personal data are processed in this module either, unless an invoice contains personal data. In that case, such data are collected, recorded, used and stored for the purpose of performing accounting activities.
Furthermore, where necessary, information on accounting-related changes made by users may be recorded, used, and stored (who modified what, why and how) to ensure an appropriate level of data security and the traceability of changes made by users.
- Users can access the DIA application after proper authentication. In order to provide access for users authorised to log into the system, the user credentials required for logging in will be stored and used.
- Users are able to send comments to one another when using the DIA. Personal data related to comments are recorded and stored for the purpose of ensuring simple, fast and secure contacts related to invoice management and accounting activities.
- In order to provide the necessary technical background for the functioning of the DIA, Controller II uses a “cookie” (a small text file) which ensures that the user’s session does not expire even in the event of inactivity. In doing so, identifiers related to the user account are stored.
- Essentially, Controller II does not process personal data for the purpose of development of the DIA service, only technical and statistical data. Where the need arises to use personal data, Controller II shall only use them anonymously for development purposes.
2. Processing related to maintaining contact:
The Parties record, use and store the personal data of their contact persons for the purpose of maintaining contact.
3. Processing related to the lawful application of the GTC:
The Parties collect, record, use and store personal data for the purpose of lawfully concluding the GTC for the DIA service.
III. Type of personal data
1. Personal data arising during the use and operation of the DIA:
- User identification data (e.g. e-mail address)
- Financial information, invoice data (if the invoice was issued by or to a sole proprietor)
- Content of other documents and invoice attachments associated with invoices (if they contain personal data)
- User activities related to invoice transactions (e.g. approval, cancellation, correction, etc.)
- Content of users’ comments related to invoice management and accounting
- Major accounting-related changes made by users (if this is necessary from a data security point of view)
- Identifiers associated with user accounts
2. Personal data processed for the purpose of maintaining contact:
- Identification and contact data of those involved (e.g. name, e-mail address, phone number)
3. Personal data processed for the purpose of lawfully concluding the GTC:
- Order data (e.g. name, e-mail address, selected package, acceptance of the GTC)
IV. Duration of the processing
- As the documents stored in the system are not considered official invoices, the retention period of personal data processed during the use and operation of the DIA is adjusted to the period during which the tax authority has a statutory right to inspect documents (statute of limitations to assess taxes).
- The retention period of personal data processed for the purpose of maintaining contact is determined taking into account the termination date of the General Terms and Conditions.
- The retention period for data processed for the purpose of lawfully concluding the GTC is determined by taking into account 5 years from the date of termination of the GTC.
V. Categories of data subjects
Employees (including DIA users), representatives, contacts, sole proprietors.
VI. Obligations of Controller I and Controller II
The Parties state that Controller I is responsible for observing the principle of data minimisation when using the DIA service, that is, for ensuring that the scope of documents and data uploaded to the DIA system is limited to the necessary extent. The Parties emphasise that Controller I is solely responsible for uploading documents and data, as invoice attachments, into the DIA system that are absolutely necessary for accounting. In addition, the Parties stipulate that Controller II is responsible for ensuring that the scope of data processed concerning DIA users complies with the principle of data minimisation, i.e. their scope is limited to the necessary extent.
Controller II shall be responsible for the maintenance and development tasks arising during the use of the DIA. In addition, Controller II shall be solely responsible for ensuring the appropriate security of personal data processed in the DIA, and in particular for the protection of personal data stored in DIA by implementing appropriate organisational and technical measures. Accordingly, where necessary, Controller II shall even conduct vulnerability testing of the DIA.
Furthermore, Controller II undertakes not to use the personal data of Controller I’s employees for the purpose of developing the DIA service. In case Controller II nevertheless needs them for the purpose of developing the service, it shall ensure the anonymisation of such personal data taking into account the state of the art.
In addition to all this, the Parties shall have the following obligations to inform the data subjects according to Chapter III of GDPR: Controller I shall be responsible for informing data subjects of invoice data and other personal data contained in related documents. The information provided in this Annex facilitates the fulfilment of this obligation by Controller I. However, Controller II shall be responsible for providing and making information available to DIA users about the processing of their personal data.
In addition, each Party shall provide information on the processing of additional data related to the service (maintenance of contact and contract fulfilment) to its own employees. The Parties shall prepare information material on their own data processing operations independently of each other and ensure the availability of that information material to the other Party. Accordingly, Controller II hereby notifies Controller I that information on its data processing operations related to the maintenance of contact and performance of the contract is available at the bottom of the www.abt.hu website, under the heading “Privacy Notice”.
The Parties specifically emphasise that the personal and invoice data processed in the DIA are not considered official invoices, and therefore not accounting documents either. As a result, retention of the data processed in the DIA does not exempt or replace Controller I’s obligation to retain official invoices and accounting documents. Accordingly, as regards the data processed in the DIA, Controller II shall not be responsible for complying with the retention period defined by the relevant accounting legislation. This obligation rests with Controller I.
B. List of processors
Controller II uses the following processors:
MPC Hardware Kft.
Petőfi Sándor utca 19.
Eger, HU-3300
Telephone: +36 46 331 411
FAX: +36 36 786 071
E-mail: [email protected]
Activity: Providing IT support and system administrator services.
Microsoft Corporation
One Microsoft Way
Redmond, Washington 98052 USA
Phone: +1 425-882-8080.
Activity: Providing Microsoft applications (e.g. the Outlook electronic mailing system).
C. Data relating to the data protection officer/person responsible for data protection
Controller I:
Controller I shall share the contact details of the data protection officer or the person responsible for data protection with Controller II, where necessary to fulfil the obligations detailed in Sections 10 and 11 of this Annex or the cooperation obligation according to Section 8.
Controller II:
Contact details of the person responsible for data protection:
Name: Mr. Ferenc SMOHAY
Telephone: +36 1 430 3400
E-mail: [email protected]
D. Mandatory safeguards – Minimum technical and organisational measures
The Parties agree to implement the following basic safeguards:
- Access to data is restricted.
- Access rights are regulated and restricted.
- The management of assets is regulated. For example, the use of private data carriers is prohibited.
- A “clean desk policy” is implemented.
- Physical security measures are in place. For example, use of lockable rooms, access cards, and alarms.
- Where there is a server room, it should be ensured that it meets high-level technical and security requirements.
- Virus protection and firewall are used.
- Strong password protection is implemented, regulating the complexity and length of the password, the reuse of previously used passwords, and the change of passwords.
- The use of backups is regulated.
- A secure encrypted connection (e.g. VPN) is used for remote access.
- Annual data security and data protection training is provided to their employees.