Oldal Kiválasztása

Privacy Notice – Quarma360 Performance Evaluation Platform

Effective date: 12 November 2025 | Last updated: 25 June 2026 | Version: 2.1

1. General Provisions

1.1. Scope of this Notice

This Privacy Notice (hereinafter: the Notice) describes the data processing activities performed in connection with the use of the Quarma360 performance evaluation platform (hereinafter: the Platform) operated by NW Business Korlátolt Felelősségű Társaság (registered seat: 6500 Baja, Szabadság út 79. 2. emelet 9. ajtó, company registration number: 03-09-138461, tax number: 32576340-2-03; hereinafter: the Controller or Company).

1.2. Characteristics of the Platform

The Platform is a B2B (business-to-business) SaaS (Software as a Service) solution that enables organisations to carry out 360-degree, competency-based performance evaluations of their employees. The purpose of the Platform is to measure, monitor and document employee performance in an objective way, providing a basis for decisions on remuneration, promotion, development and other HR-related matters.

The Platform is available both as a web application (accessible through a browser) and as a native mobile application for iOS and Android devices, distributed via the Apple App Store and Google Play. The mobile application provides the same evaluation functionality as the web version and additionally processes a limited set of device-specific data (push notification tokens, on-device biometric authentication and login-approval data) described in Sections 4.2.6, 5.2, 7.1 and 11.6 of this Notice. The data-handling practices disclosed in the app stores' privacy labels (Apple "Privacy Nutrition Labels" and the Google Play "Data Safety" section) are consistent with this Notice.

1.3. Legal compliance

The Controller undertakes to ensure that all processing of personal data fully complies with the General Data Protection Regulation of the European Union (GDPR – Regulation (EU) 2016/679), Act CXII of 2011 on the Right of Informational Self-Determination and Freedom of Information (Infotv.), and all other applicable data protection legislation.

1.4. Categories of data subjects

This Notice applies to the following categories of data subjects:

  • B2B client representatives and contact persons of organisations using the Platform,
  • employees taking part in performance evaluations,
  • visitors of the Platform’s public website.

2. Identification and Contact Details of the Controller

2.1. Details of the Controller

Data Details
Name NW Business Korlátolt Felelősségű Társaság
Registered seat 6500 Baja, Szabadság út 79. 2. emelet 9. ajtó
Postal address 6500 Baja, Szabadság út 79. 2. emelet 9. ajtó
Company registration number 03-09-138461
Tax number 32576340-2-03
EU VAT number HU32576340
Registering court Company Court of the Kecskemét Tribunal

2.2. Contact details of the person responsible for data protection

Data Details
Name Bálint Zeller (Managing Director)
E-mail address [email protected]
Phone number +36 70 265 2651

2.3. General contact options

Data Details
E-mail address [email protected]
Available languages Hungarian, English
Response deadline 30 days (may be extended by an additional 60 days in justified cases)

2.4. Data Protection Officer

The Controller is not obliged to appoint a separate Data Protection Officer (DPO) as the conditions set out in Article 37(1) of the GDPR are not met. Data protection responsibilities are performed by the Managing Director.

3. Clarification of Data Protection Roles

3.1. Definition of controller and processor

Controller (Article 4(7) GDPR): a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

Processor (Article 4(8) GDPR): a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

3.2. Roles in the use of the Platform

In relation to employee performance evaluation:

  • Controller: the organisation (employer) using the Platform, which determines the purposes, data scope and methods of performance evaluation of its employees.
  • Processor: NW Business Kft. (Quarma360), which processes the employees’ personal data solely on behalf of and in accordance with the documented instructions of the employer, within the technical operation of the Platform.

In relation to the provision of the B2B service:

  • Controller: NW Business Kft., which independently determines the purposes and means of managing customer relationships.

3.3. Allocation of responsibilities

Based on the above roles, the employer is responsible for ensuring that the processing of employees’ personal data is based on an appropriate legal basis and complies with the applicable legislation. NW Business Kft., as processor, acts in accordance with the employer’s written instructions and does not independently determine the purposes of processing.

4. Categories of Personal Data Processed

4.1. Personal data of organisational contact persons

For the conclusion and performance of contracts relating to the use of the Platform, the Controller processes the following personal data of the contact persons of organisations:

Category Data processed Mandatory
Personal identification data full name, e-mail address, phone number Yes
Organisation data company name, registered seat, tax number, EU VAT number, company registration number Yes
Billing information billing address, bank account number Yes
Technical system data IP address, browser type and version, device identifiers Automatic

4.2. Personal data of employees

For the purpose of carrying out the performance evaluation process, the Controller, as processor, processes the following personal data of employees:

4.2.1. Basic personal and organisational identification data

Data type Content
Personal identification data full name, e-mail address (corporate or private)
Organisational data position/title, organisational level, organisational unit/department, name of line manager, names of subordinates, net salary (optional)

4.2.2. Performance evaluation data (data generated on the Platform)

  • competency scores (on a 0–100 scale),
  • self-assessment results,
  • peer evaluations (in anonymised form),
  • manager evaluations (in anonymised form),
  • subordinate evaluations (in anonymised form),
  • manager rankings (in anonymised form),
  • historical performance data per evaluation period,
  • performance category (Bonus/Malus classification) (M04–M01, A00, B01–B10 scale).

4.2.3. Bonus/Malus calculation data

  • performance category,
  • multipliers applied,
  • net monthly income (only if the employer uses the Platform’s automatic bonus calculation functionality).

4.2.4. Behavioural telemetry and trust data

If the employer has not disabled the Platform’s AI telemetry function, the following data may be collected:

  • time taken to complete evaluations,
  • number and frequency of answer changes,
  • length of breaks during completion,
  • trust score (0–20 scale),
  • trust index (0–100% scale),
  • flags indicating suspicious behaviour,
  • type of device used (desktop, mobile device).

4.2.5. Technical system data

  • IP addresses,
  • session identifiers,
  • cookie identifiers,
  • browser fingerprint data,
  • system log entries.

4.2.6. Mobile application data (native iOS/Android app only)

When an employee uses the native mobile application, the following additional data may be processed:

Data type Content / purpose
Push notification token A device-specific push token (Firebase Cloud Messaging token) together with the device platform (iOS/Android), used solely to deliver in-app and push notifications (e.g. evaluation reminders, login-approval requests, account-related alerts). The token contains no message content and does not identify the device owner outside the Platform.
Biometric login flag A flag indicating whether the user has enabled biometric unlock for the app on a given device. The biometric data itself (fingerprint, Face ID) is processed exclusively on the device by the operating system and is never transmitted to or stored by the Controller — see Section 11.6.
Login-approval data For two-factor login confirmation initiated from the app, a short-lived approval record containing a one-time code, the IP address and the browser/device identifier (user agent) of the login attempt, so that the user can verify and approve or reject the sign-in. These records expire automatically after a short period.
Sign in with Apple identifier Where the employee logs in using "Sign in with Apple", a pseudonymous Apple subject identifier and, where Apple's private e-mail relay ("Hide My Email") is used, a relay e-mail address, used solely to identify and authenticate the user account.

4.3. Strict anonymisation mode and disabling AI telemetry

4.3.1. Operation of strict anonymisation mode

The Platform allows the employer to enable a strict anonymisation mode at organisational level. Once enabled, the system does not store the identifier of the employee completing the evaluation in the database, not even for analytical purposes.

4.3.2. Automatic disabling of AI telemetry

Strict anonymisation mode automatically disables AI telemetry functionalities, as these require the storage and analysis of behavioural data.

4.3.3. Data not collected in strict anonymisation mode

When strict anonymisation mode is active, the processing of behavioural telemetry described in Section 4.2.4 does not take place; consequently, the system does not perform fraud detection activities.

4.3.4. Independent deactivation of AI telemetry

The AI telemetry function can also be deactivated independently of the strict anonymisation mode. In this case the user identifier is stored, but the behavioural data set out in Section 4.2.4 is not collected.

4.3.5. Responsibility for configuration

The above settings can be changed only by the employer’s administrator and are the employer’s responsibility. The Controller, acting as processor, only operates the Platform in accordance with the configuration set by the employer.

4.4. Data of website visitors

For visitors of the Platform’s website, the Controller collects the following data:

  • IP address,
  • browser type and version,
  • operating system type,
  • time stamps of visits,
  • URLs of pages viewed,
  • language preferences.

Marketing analytics data collection (e.g. Microsoft Clarity): takes place only with the explicit consent of the visitor and may include the recording of heatmaps, session replays and click patterns.

5. Purpose and Legal Basis of Processing

5.1. General principles

The Controller processes personal data only for specified, explicit and legitimate purposes. The legal basis for processing is one of the legal bases listed in Article 6(1) of the GDPR.

5.2. Processing purposes, legal bases and retention periods

Purpose of processing Legal basis (Article 6 GDPR) Retention period
Carrying out 360-degree performance evaluations (f) – legitimate interest of the employer duration of the employment relationship + 3 years, then anonymisation
Measuring and monitoring competencies (f) – legitimate interest of the employer duration of the employment relationship + 3 years, then anonymisation
Bonus and malus calculation (b) – performance of a contract, or (f) – legitimate interest duration of the employment relationship + 3 years, then anonymisation
Detection of abuse (fraud detection) (f) – integrity of the evaluation system end of evaluation period + 1 year
Provision of SaaS services to organisations (b) – performance of a contract for the duration of the contract + 30 days
Invoicing and payment handling (b) – performance of a contract; (c) – legal obligation 8 years (accounting obligations)
Customer support and technical assistance (b) – performance of a contract for the duration of resolving the issue + 1 year
System security and prevention of abuse (f) – legitimate interest; (c) – legal obligation 1 year
Marketing analytics (a) – consent until withdrawal of consent, but no longer than 2 years
Sending push and in-app notifications (mobile app) (b) – performance of a contract; (f) – legitimate interest in operating the service until logout, app uninstallation or token invalidation
Biometric and app-based login, two-factor login approval (mobile app) (b) – performance of a contract; (f) – legitimate interest in account security biometric flag/device registration: until the device is removed or logout; login-approval records: short-lived (until expiry)

5.3. Legitimate interest assessment

Where the legal basis for processing is legitimate interest (Article 6(1)(f) GDPR), the Controller has carried out a Legitimate Interest Assessment (LIA). The results can be summarised as follows:

  • Legitimate interest of the employer: measuring and improving employee performance, creating an objective and transparent remuneration system, and ensuring the efficient functioning of the organisation.
  • Reasonable expectations: employees can reasonably expect to be subject to performance evaluations in the context of their employment, provided that they receive adequate prior information about such evaluations.
  • Proportionality: data collection is necessary and proportionate to the purpose, limited to work-related performance, and appropriate technical and organisational measures protect the data, while data subjects can exercise their rights.
  • Legitimate interest in fraud detection: protecting the reliability and integrity of the evaluation system is in the common interest of both the employer and employees.

5.4. Employer’s responsibility for providing a legal basis

5.4.1. Legal bases to be ensured by the employer

With regard to employee performance evaluation, it is the employer’s responsibility to ensure that an appropriate legal basis exists. This may, in particular, be:

  • Article 6(1)(b) – performance of the employment contract, where performance evaluation forms an integral part of the contract or is necessary for determining remuneration,
  • Article 6(1)(f) – legitimate interest of the employer, supported by a legitimate interest assessment,
  • Article 6(1)(c) – compliance with a legal obligation, where performance evaluation is required by law or a collective agreement.

5.4.2. Prohibited legal basis – consent

The Controller draws attention to the fact that, as a general rule, consent under Article 6(1)(a) GDPR is not an appropriate legal basis for data processing in the context of employment, in view of the imbalance of power between employer and employee.

6. Automated Decision-Making and Use of Artificial Intelligence

6.1. General provisions

6.1.1. Use of AI-based systems

The Platform uses artificial intelligence (AI)-based analysis to support the performance evaluation process. The AI features are built on specially configured language models operating within the Microsoft Azure OpenAI Service (EU region).

6.1.2. Application of Article 22 GDPR

The AI-based processing falls within the scope of Article 22 of the GDPR, which regulates automated decision-making, including profiling.

6.2. Content of AI-based automated decision-making

6.2.1. Calculation of trust score

The AI-based system automatically assigns a trust score (0–20 scale; trust index: 0–100%) to certain evaluations based on the analysis of completion behaviour. The calculation takes into account, among other things:

  • completion times and timing patterns,
  • number and frequency of answer changes,
  • consistency of answers,
  • statistical outliers.

6.2.2. Automatic determination of performance thresholds

The system uses an AI-based algorithm to suggest thresholds for performance categories (bonus/malus levels) based on the statistical distribution of scores. In doing so, the system considers:

  • the distribution of scores of the employees evaluated,
  • the organisation’s historical evaluation data,
  • configuration parameters defined by the employer.

6.2.3. Characteristics of automated decision-making

  • the decision-making is based on deterministic algorithms,
  • decisions are made according to strict, predefined rules and mathematical formulas,
  • the algorithms are documented and auditable,
  • the logic of decision-making can be explained to the employer.

6.3. Limitation of automated decision-making and human review

6.3.1. No “solely automated” decision-making

The AI-based automated decision-making does not qualify as “solely automated decision-making” within the meaning of Article 22(1) GDPR, because:

  • the employer’s administrator or manager can review, modify or disregard the AI-generated results at any time,
  • no employee may suffer adverse employment consequences solely on the basis of an AI-generated trust score,
  • the final decision is always taken by a human (administrator or manager).

6.3.2. Data subject rights related to automated decision-making

The employee, as data subject, has the right to:

  • request human intervention in respect of automated decision-making,
  • express their point of view regarding the automated decision,
  • contest the automated decision,
  • request an explanation of the logic and main criteria underlying the automated decision-making.

6.4. Pseudonymisation and data protection during AI processing

6.4.1. Data minimisation towards Azure OpenAI Service

Data transmitted to the Microsoft Azure OpenAI Service is pseudonymised. The AI model does not receive access to the following data:

  • name of the data subject,
  • e-mail address,
  • specific job title or position,
  • net income,
  • any other data that directly identifies the individual.

6.4.2. Types of data transmitted to Azure OpenAI Service

In general, the following data is transmitted to the Azure OpenAI Service:

  • pseudonymised user identifiers (e.g. “user_123”),
  • numeric competency scores,
  • timing data (in seconds),
  • behavioural metrics in numeric form,
  • aggregated statistical data.

6.4.3. Data retention within Azure OpenAI Service

Azure OpenAI Service does not use the data for model training purposes. Request log data is retained only for a limited period (generally no longer than 30 days) for operational, security and abuse prevention purposes.

6.5. Options for disabling AI functionalities

6.5.1. Employer’s rights

The employer’s administrator may at any time:

  • disable the AI-based trust score calculation,
  • disable telemetry data collection,
  • enable strict anonymisation mode, which automatically disables all AI telemetry functions.

6.5.2. Functionality without AI

Disabling AI functions does not render the core evaluation features of the Platform unusable. The performance evaluation process can be fully carried out without AI.

6.6. Data Protection Impact Assessment (DPIA)

6.6.1. Conducting a DPIA

The Controller has carried out a Data Protection Impact Assessment (DPIA) under Article 35 GDPR for the AI-based functionalities of the Platform.

6.6.2. DPIA result

The DPIA concluded that, with the implementation of appropriate technical and organisational measures (pseudonymisation, option for human review, opt-out options, limited retention periods), the residual risk can be reduced to an acceptable level.

7. Processors and International Data Transfers

7.1. List of processors

In accordance with Article 28 GDPR, the Controller enters into Data Processing Agreements (DPAs) with the following processors:

Processor Registered seat Activity DPA status
Microsoft Ireland Operations Ltd. (Azure OpenAI Service) Dublin, Ireland AI-based analysis, support for trust score calculation Available
Barion Payment Zrt. Budapest, Hungary online payment transaction processing Available
Billingo Technologies Zrt. Budapest, Hungary automatic invoicing Available
Amazon Web Services EMEA SARL EU region (Frankfurt) encrypted backups (AWS S3) Available
Websupport Magyarország Kft. Budapest, Hungary VPS hosting, server infrastructure Contract in place
Cloudflare, Inc. USA (with EU servers) DNS, CDN, DDoS protection Available
Google Ireland Ltd. Dublin, Ireland OAuth login, related Google services Available
Microsoft Ireland Operations Ltd. Dublin, Ireland OAuth login, Microsoft Clarity Available
Google Ireland Ltd. / Google LLC (Firebase Cloud Messaging) Dublin, Ireland / USA delivery of push notifications to mobile devices Available
Apple Inc. USA "Sign in with Apple" authentication; distribution of the iOS application via the App Store Available
SÁMÁN & SÁMÁN Bt. 6500 Baja, Hungary accounting services Contract in place
Raiffeisen Bank Zrt. Budapest, Hungary banking services, payment transactions Contract in place

7.2. International data transfers (third countries)

7.2.1. General provision

In some cases, personal data may be transferred to countries outside the European Economic Area (EEA), in particular to the United States of America. Such international data transfers take place only in compliance with Articles 44–49 GDPR and subject to appropriate safeguards.

7.2.2. Microsoft Azure OpenAI Service

For Azure OpenAI Service, data processing generally takes place within the EU region (e.g. Frankfurt). The service is used in such a way that AI processing remains, as far as possible, within the EEA. Where a transfer to a third country is nevertheless required (for example, in the context of Microsoft support), the legal basis relies on Standard Contractual Clauses (SCCs) and additional safeguards provided by Microsoft.

7.2.3. Google, Microsoft (Clarity), Cloudflare, Apple and other providers

For Google Ireland Ltd. / Google LLC (including Firebase Cloud Messaging), Microsoft Ireland Operations Ltd., Cloudflare Inc. and Apple Inc., personal data may also be transferred outside the EEA, in particular to the United States. This applies, for the mobile application, to the transmission of push notification tokens to Firebase Cloud Messaging and to "Sign in with Apple" authentication data. In these cases:

  • Standard Contractual Clauses (SCCs) are used as the primary safeguard,
  • providers may hold an EU–US Data Privacy Framework (DPF) certification where applicable,
  • the principle of data minimisation applies: only the minimum data necessary for the service is transferred (for push notifications, only a device token and the notification content; no evaluation data is sent to the notification provider).

7.2.4. DPAs and SCCs

Upon request, the Controller will provide data subjects with a summary of the main content of the data processing agreements and the Standard Contractual Clauses used.

8. Retention Periods and Anonymisation

8.1. General retention principles

The Controller retains personal data only for as long as necessary to achieve the purposes of processing, taking into account legal requirements, limitation periods and the legitimate interests of data subjects and the Controller.

8.2. Detailed retention periods

Category Retention period Legal basis
Data relating to active organisational contracts for the duration of the contract Article 6(1)(b) GDPR
Data relating to closed organisational contracts (excluding invoices) 30 days from termination of the contract Article 5(1)(e) GDPR
Employee data from closed evaluation periods duration of the employment + 3 years, then anonymisation Article 6(1)(f) GDPR
Anonymised performance data indefinitely (no longer personal data) Recital 26 GDPR
Invoices and accounting documents 8 years Section 169 of Act C of 2000 on Accounting
Payment transaction data 5 years Section 6:22 of the Hungarian Civil Code
Audit logs and security logs 1 year Article 6(1)(f) GDPR
Customer support communication duration of resolving the issue + 1 year Article 6(1)(b) GDPR
Marketing cookie data until consent is withdrawn, but no longer than 2 years Article 6(1)(a) GDPR
Mobile device push tokens and device registrations until logout, app uninstallation or token invalidation Article 6(1)(b) and (f) GDPR
Login-approval records (mobile two-factor confirmation) short-lived; deleted/expired shortly after the login attempt Article 6(1)(f) GDPR
Backups (AWS S3) 15 days rolling retention Article 6(1)(f) GDPR

8.3. Anonymisation process

8.3.1. Triggering anonymisation

Three years after the end of an employment relationship, the Controller carries out irreversible anonymisation of the former employee’s performance evaluation data.

8.3.2. Personal data to be deleted

  • full name,
  • e-mail address,
  • phone number,
  • position/title,
  • net income,
  • name of organisational unit/department.

8.3.3. Data remaining in anonymised form

  • pseudonymised user identifier (e.g. “user_789”),
  • numeric competency scores,
  • dates of evaluation periods,
  • general category of organisational level (manager/middle manager/employee) without name,
  • aggregated statistical data.

8.3.4. Legal status after anonymisation

After anonymisation, data no longer falls within the scope of the GDPR, as the data subject cannot be identified from it and cannot be made identifiable by reasonable means.

8.4. Backups and deletion of data

8.4.1. Operation of the backup system

The Controller creates full database backups twice a day, stored in a 15-day rolling cycle.

8.4.2. No deletion flags in backups

The backup system does not use separate deletion flags. If personal data is deleted from the live database, it may remain in older backups for up to 15 days, after which the oldest backup is overwritten and the data is permanently removed.

8.4.3. Execution of erasure requests

Upon a request for erasure, the data subject’s personal data is deleted from the live system without undue delay. Copies remaining in backups are retained for no longer than 15 days solely for disaster recovery purposes.

8.4.4. Compliance with Article 17 GDPR

This mechanism does not prevent the exercise of the right to erasure under Article 17 GDPR, as backup data is not subject to active processing and is used only for IT security purposes.

9. Rights of Data Subjects

9.1. General provisions

Data subjects have extensive rights regarding the processing of their personal data under Articles 15–22 GDPR. The Controller takes all necessary measures to ensure that these rights can be exercised easily, transparently and within a reasonable time.

9.1.1. Free of charge

Exercising data subject rights is generally free of charge. The Controller may charge a reasonable fee or refuse to act on the request only in the case of manifestly unfounded or excessive requests, in particular due to their repetitive character.

9.1.2. Response deadline

The Controller responds to data subject requests without undue delay and in any event within one month. In justified cases this period may be extended by a further two months, in which case the data subject will be informed of the reasons for the delay.

9.2. Right of access (Article 15 GDPR)

The data subject has the right to obtain confirmation as to whether personal data concerning them is being processed and, if so, access to the personal data and certain supplementary information (purposes, categories, recipients, retention periods, rights, source of data, existence of automated decision-making, guarantees for third-country transfers).

Upon request, the Controller provides a copy of the personal data being processed in PDF, JSON or Excel format. The first copy is provided free of charge; for additional copies, a reasonable fee based on administrative costs may be charged.

9.3. Right to rectification (Article 16 GDPR)

The data subject has the right to obtain the rectification of inaccurate personal data and the completion of incomplete personal data. The Controller will act on such requests without undue delay.

9.4. Right to erasure – “right to be forgotten” (Article 17 GDPR)

The data subject has the right to obtain the erasure of personal data concerning them where, among other things, the data is no longer necessary for the purposes for which it was collected, consent is withdrawn and there is no other legal basis, the data subject objects to processing and there are no overriding legitimate grounds, the processing is unlawful, or erasure is required by law. The right to erasure is not absolute; in particular, the Controller may retain certain data to comply with legal obligations, accounting rules or for the establishment, exercise or defence of legal claims.

During the employment relationship, performance evaluation data is generally not subject to erasure at the request of the employee, as processing is based on the employer’s legitimate interest. However, three years after the termination of employment, the data is automatically anonymised.

9.5. Right to restriction of processing (Article 18 GDPR)

The data subject has the right to obtain restriction of processing where they contest the accuracy of the data, the processing is unlawful and the data subject opposes erasure, the Controller no longer needs the data but the data subject requires it for legal claims, or the data subject has objected to processing and the verification of legitimate grounds is pending. During restriction, personal data may, apart from storage, be processed only with the data subject’s consent or for legal claims or for the protection of the rights of another person or important public interest.

9.6. Right to data portability (Article 20 GDPR)

The data subject has the right to receive the personal data concerning them, which they have provided to the Controller, in a structured, commonly used and machine-readable format, and to transmit those data to another controller where processing is based on consent or contract and carried out by automated means. The Controller currently provides data portability in CSV and JSON formats; the automated export function is under development. Until then, the requested data is provided manually within 30 days.

9.7. Right to object (Article 21 GDPR)

The data subject has the right to object, on grounds relating to their particular situation, at any time to processing of personal data based on legitimate interests. In such a case, the Controller will no longer process the data unless it demonstrates compelling legitimate grounds which override the interests, rights and freedoms of the data subject, or for legal claims.

The data subject may object at any time to processing of personal data for direct marketing purposes, including profiling related to such direct marketing.

9.8. Rights related to automated decision-making (Article 22 GDPR)

The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them. In relation to the Platform’s AI functionalities, decisions are not solely automated: the final decisions are always made by humans, and the data subject can request human review.

9.9. Right to lodge a complaint (Article 77 GDPR)

The data subject has the right to lodge a complaint with a supervisory authority if they consider that the processing of personal data relating to them infringes the GDPR.

Supervisory authority in Hungary:

Data Details
Name National Authority for Data Protection and Freedom of Information (NAIH)
Postal address 1530 Budapest, Pf.: 5.
Address 1055 Budapest, Falk Miksa utca 9–11.
Phone +36 (1) 391-1400, +36 30 683 5969
E-mail [email protected]
Website https://naih.hu

The Controller encourages data subjects to contact the Controller first (at [email protected]) before lodging a complaint so that issues can be resolved amicably where possible.

9.10. Right to an effective judicial remedy (Article 79 GDPR)

The data subject has the right to an effective judicial remedy where they consider that their rights under the GDPR have been infringed as a result of the processing of their personal data. Proceedings may be brought before the courts of the Member State where the Controller or processor has an establishment or where the data subject has their habitual residence.

10. Employer’s Responsibilities and Obligations

10.1. Employer as controller

With regard to the performance evaluation of employees, the organisation using the Platform (employer) is the controller within the meaning of Article 4(7) GDPR. The employer is responsible for the legal basis of processing, for the provision of adequate information and for ensuring data subject rights.

10.2. Obligations before starting to use the Platform

10.2.1. Prior information (Articles 13–14 GDPR)

Before using the Platform, the employer must inform employees in writing about, among other things, the purpose and legal basis of performance evaluations, the categories of data processed, retention periods, the identity and role of NW Business Kft. as processor, the rights of data subjects, the possibilities for lodging complaints, and the use, configuration and opt-out options of AI analysis and telemetry.

10.2.2. Internal policy

The employer should adopt a performance evaluation policy or amend existing internal policies to describe the purpose, frequency and process of evaluations, the competencies assessed, how results are used (bonuses, promotions, development plans), and the possibilities for employee feedback and appeal.

10.2.3. Determining the legal basis

The employer must decide on which legal basis performance evaluations are carried out (performance of employment contract, legitimate interest or legal obligation). If legitimate interest is used, a legitimate interest assessment must be performed.

10.2.4. Prohibited legal basis – consent

The employer may not rely, as a general rule, on employee consent as the legal basis for performance evaluation, since the imbalance of power between employer and employee means consent is typically not considered freely given.

10.2.5. Prohibition of processing certain categories of data and age limits

  • the employer must ensure that persons under 16 years of age are not entered into the system (Article 8 GDPR),
  • processing of special categories of personal data under Article 9 GDPR (e.g. racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health data, sexual orientation) for performance evaluation purposes is prohibited,
  • net income data is required only if the employer activates the Platform’s automatic bonus calculation function.

10.2.6. Procedures for handling data subject rights

The employer must establish internal procedures for handling employees’ requests to exercise their rights (access, rectification, erasure, restriction, objection) and for cooperation with the Controller in responding to such requests.

10.3. Technical and data protection configuration decisions

The employer’s administrator decides, during configuration of the Platform, on the following:

  • whether AI telemetry is enabled or disabled,
  • whether strict anonymisation mode is enabled,
  • whether the bonus/malus system is used and how net salary data is processed,
  • whether the multi-level organisational structure (departments, units) is used.

The employer is responsible for informing employees in advance about these decisions.

10.4. Continuous data protection obligations

The employer must ensure that data provided by the Platform is used only in a lawful and proportionate manner, is not shared with unauthorised third parties, and that data retention and anonymisation rules are respected. AI-generated results must not be used as the sole basis for adverse employment decisions, and employees must be enabled to exercise their data protection rights.

11. Data Security Measures

11.1. General principles

In accordance with Article 32 GDPR, the Controller implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, implementation costs, the nature, scope, context and purposes of processing, and the risks to the rights and freedoms of data subjects.

11.2. Technical security measures

11.2.1. Network and transmission security

  • all data transmission is protected by SSL/TLS encryption (HTTPS, TLS 1.2 or higher),
  • Cloudflare DDoS protection,
  • rate limiting for API and web requests,
  • IP whitelisting for certain administrative functions,
  • Fail2Ban or similar IP blocking mechanism after repeated failed login attempts.

11.2.2. Data storage and encryption

  • passwords stored using strong hashing algorithms (e.g. bcrypt),
  • backups encrypted with AES-256 on AWS S3 storage,
  • outgoing e-mail traffic protected by TLS (mail.quarma360.com SMTP).

11.2.3. Access protection

  • two-factor authentication (2FA) via e-mail codes and, in the mobile app, via push-based login approval with one-time code matching,
  • OAuth 2.0 integration with Google and Microsoft identity providers, and "Sign in with Apple" in the mobile app,
  • optional biometric unlock (fingerprint / Face ID) in the mobile app, performed entirely on the device by the operating system,
  • automatic session timeouts,
  • CSRF protection on all forms,
  • strong password requirements (minimum 8 characters, upper and lower case letters, numbers).

11.2.4. Application-level security

  • validation and sanitisation of all user inputs,
  • protection against XSS attacks,
  • protection against SQL injection (prepared statements, use of ORM),
  • role-based access control (RBAC).

11.3. Organisational security measures

11.3.1. Restricted access rights

User level Access
NW Business Kft. full system-level access for technical maintenance and support; access to internal client organisation data only upon explicit client request for troubleshooting purposes
Admin (organisation) access limited to the organisation’s own data
Manager (department head) access limited to data of their own department (if multi-level department management is enabled)
CEO access to aggregated results; access to detailed individual evaluations depends on the organisation’s internal rules
Employee access limited to their own aggregated results (as configured by the employer)

11.3.2. Monitoring and auditing

  • audit trail: logging of key operations (logins, data changes, data exports) with user identifier and time stamp,
  • system logs retained for 1 year,
  • telemetry-based monitoring for suspicious behaviour (if telemetry is enabled).

11.3.3. Handling data breaches

  • person responsible for incident management: Bálint Zeller (Managing Director, responsible for data protection),
  • 72-hour notification to the NAIH where a breach is likely to result in a risk to the rights and freedoms of natural persons,
  • direct communication to data subjects in the event of high risk,
  • incident log, post-incident analysis and implementation of corrective measures.

11.3.4. Staff training

The Controller’s staff receive continuous training in data protection and information security and are bound by confidentiality obligations. Access rights are reviewed regularly.

11.4. Backups

The Controller uses the Laravel Spatie Backup package to perform automatic backups.

Parameter Details
Frequency twice daily
Retention period 15 days rolling backup
Storage location Amazon Web Services (AWS) S3, EU region (Frankfurt, eu-central-1)
Encryption AES-256 at rest
Restore testing at least quarterly

11.5. Cookies

11.5.1. Strictly necessary cookies (no consent required)

Cookie name Purpose Expiry
laravel_session maintaining the session, login state after 2 hours of inactivity
XSRF-TOKEN CSRF protection 2 hours
remember_web_* “Remember me” functionality 1 year
locale storing language preference 1 year
org_id storing organisational context end of session

11.5.2. Marketing cookies (consent required)

Cookie name Purpose Expiry
_clck Microsoft Clarity – user identification, session tracking 1 year
_clsk Microsoft Clarity – session data 1 day
CLID Microsoft Clarity – long-term user identification 1 year

Cookie settings can be managed via the “Cookie settings” menu in the website footer. Strictly necessary cookies do not require consent; marketing cookies are only used with the explicit consent of the visitor.

11.6. Mobile application (native iOS/Android app)

11.6.1. Device permissions used

The native mobile application requests only the device permissions strictly necessary for its functionality:

  • Notifications – to deliver push notifications (evaluation reminders, login-approval requests, account-related alerts). Notifications can be disabled at any time in the device settings.
  • Biometric authentication – where the user chooses to enable biometric unlock, the app uses the device's biometric API (Touch ID / Face ID / fingerprint).

The application does not access the device's camera, photos, microphone, contacts, location or files, and does not use any advertising identifier (IDFA / Android Advertising ID). The application does not perform third-party advertising or cross-app tracking.

11.6.2. On-device biometric processing

Biometric authentication is handled entirely by the device's operating system. The Controller never receives, sees or stores the user's biometric data (fingerprint or facial geometry); the app only receives a yes/no confirmation from the operating system and stores a flag indicating that biometric unlock is enabled for that device. Biometric unlock can be disabled at any time in the app or in the device settings.

11.6.3. Push notifications

Push notifications are delivered through Firebase Cloud Messaging (Google). Only a device-specific push token and the notification content (e.g. "You have a new evaluation to complete") are transmitted to the notification provider; no performance-evaluation data is sent to the provider. See Sections 4.2.6, 7.1 and 7.2.3.

11.6.4. App store distribution and privacy disclosures

The application is distributed via the Apple App Store and Google Play. The privacy disclosures provided in these stores (Apple "Privacy Nutrition Labels" and Google Play "Data Safety") are consistent with this Notice. Account deletion can be requested directly from within the application (profile / account settings) in accordance with the app stores' account-deletion requirements, in addition to the data subject rights described in Section 9.

12. Data Protection Impact Assessment (DPIA)

12.1. Obligation to perform a DPIA

The Controller has performed a Data Protection Impact Assessment under Article 35 GDPR, considering that the Platform involves large-scale processing of employee performance data, behavioural telemetry, AI-based profiling and elements of automated decision-making.

12.2. Identified risks and mitigating measures

Risk Likelihood Impact Mitigating measure
Data breach Low High HTTPS, encryption, 2FA, DDoS protection, access control
Azure OpenAI data processing Medium Low–medium pseudonymisation, EU region usage, SCCs, limited retention
Unfair automated decisions Low Medium human review, option to disable AI functionalities
Infringement of employee privacy Medium Medium focus on workplace performance only, access restrictions, anonymisation after 3 years
Unauthorised internal access Low High RBAC, audit trail, regular review of access rights
Data loss Very low High multiple daily backups, redundant storage, regular restore tests

12.3. Residual risk

Following the implementation of mitigating measures, the residual risk is assessed by the Controller as low to medium and acceptable. Prior consultation with the supervisory authority under Article 36 GDPR has not been required.

12.4. Review of the DPIA

The Controller undertakes to review the DPIA on a regular basis, in particular following major system changes, data breaches, legislative changes or upon recommendation by the supervisory authority, but at least every two years.

13. Amendments, Contact, Governing Law

13.1. Amendments to this Notice

The Controller reserves the right to amend this Notice at any time in line with changes in services, technologies, legal obligations or business practices.

In the case of material changes (e.g. engagement of a new processor, new functionality significantly affecting processing), the Controller will notify registered users at least 30 days before the changes take effect (by e-mail and/or in-platform notifications).

13.2. Contact

For data protection enquiries, requests or complaints, you can contact the Controller at the following contact details:

Data Details
Data protection responsible person Bálint Zeller (Managing Director)
E-mail [email protected]
Phone +36 70 265 2651
General support [email protected]
Postal address NW Business Kft., Data Protection Responsible,6500 Baja, Szabadság út 79. 2. emelet 9. ajtó, Hungary

13.3. Governing law and disputes

This Notice and the Controller’s data processing activities are governed by Hungarian law and directly applicable EU legislation, in particular the GDPR.

In the event of a dispute, the data subject should first attempt to settle the matter amicably with the Controller. If this is not successful, the data subject may lodge a complaint with the NAIH or bring an action before a court having jurisdiction according to their place of residence or habitual residence, or the Controller’s registered seat.

13.4. Final provisions

This Notice enters into force on 12 November 2025.

This Notice is drawn up in Hungarian and English. In the event of discrepancies between the language versions, the Hungarian version shall prevail.

14. Quick Reference Table

Question Answer
Controller NW Business Kft., 6500 Baja, Szabadság út 79. 2. emelet 9. ajtó
Contact [email protected], +36 70 265 2651
Location of data storage EU (Hungary, Slovakia, Frankfurt – AWS S3)
AI provider Microsoft Azure OpenAI Service (EU region, with pseudonymised data)
Third countries Google, Microsoft, Cloudflare – SCC + DPF, data minimisation
Retention (employee data) employment + 3 years, then anonymisation
Invoice retention 8 years (accounting law)
Net income storage yes, only if bonus calculation is enabled; encrypted, for HR purposes
Exercising data subject rights send request to [email protected] (30-day response period)
NAIH complaint [email protected], https://naih.hu
Cookie management “Cookie settings” menu in the website footer
Mobile apps native iOS and Android apps (Apple App Store, Google Play); same functionality as the web version
Push notifications via Firebase Cloud Messaging (Google); device token only, no evaluation data; can be disabled in device settings
Biometric login optional; processed on-device by the operating system; biometric data never transmitted or stored
AI usage automated analysis with deterministic algorithms, human review and opt-out options
Strict anonymisation mode available; disables all AI telemetry
Backup retention 15-day rolling backups; deleted data may remain in backups for up to 15 days
DPIA completed, last review: 12 November 2025

Thank you for reading our Privacy Notice. If you have any questions, please contact us at [email protected].

Download the official Quarma360 app.

GET IT ONGoogle Play Download on theApp Store Coming soon
Adatvédelmi áttekintés

Ez a weboldal sütiket használ, hogy a lehető legjobb felhasználói élményt nyújthassuk. A cookie-k információit tárolja a böngészőjében, és olyan funkciókat lát el, mint a felismerés, amikor visszatér a weboldalunkra, és segítjük a csapatunkat abban, hogy megértsék, hogy a weboldal mely részei érdekesek és hasznosak.

Feltétlenül szükséges sütik

A feltétlenül szükséges sütiket mindig engedélyezni kell, hogy elmenthessük a beállításokat a sütik további kezeléséhez.

Analitika

Ez a webhely a Google Analytics-et használja anonim információk gyűjtésére, mint például az oldal látogatóinak száma és a legnépszerűbb oldalak.

A cookie engedélyezése lehetővé teszi, hogy javítsuk honlapunkat.