Privacy policy


POKEKA.HU PRIVACY POLICY

Richard Peter Horváth ev.

 


 

Introduction

Richard Peter Horváth ev. (1135 BUDAPEST XIII. DIST., SZEGEDI ÚT 58. 1st floor Door 2, tax number: 58661941-1-41, company registration number/registration number: 57007742) (hereinafter: Service Provider, data controller) submits to the following regulations:

In accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council (27 April 2016), we provide the following information.

This privacy policy regulates the data management of the following sites/mobile applications:

The privacy policy can be accessed at: https://pokeka.hu/policies/privacy-policy

Amendments to this policy shall enter into force upon publication at the above address.

The controller and its contact details

Name: Horváth Richárd Péter ev.

Registered office: 1135 BUDAPEST XIII. DIST., SZEGEDI ÚT 58. 1st floor Door 2

E-mail: info@pokeka.hu

Phone: +36303333734

 

Definitions

 

  1. 'personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
  2. 'processing' means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
  3. 'controller' means the natural or legal person, public authority, agency or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
  4. "processor" means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
  5. "recipient" means a natural or legal person, public authority, agency or any other body, to which personal data are disclosed, whether a third party or not. Public authorities which may have access to personal data in the context of a specific investigation in accordance with Union or Member State law shall not be considered recipients; the processing of those data by those public authorities must comply with the applicable data protection rules in accordance with the purposes of the processing;
  6. 'consent of the data subject' means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
  7. "personal data breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Principles governing the processing of personal data

Personal data shall be:

  1. processed lawfully, fairly and in a transparent manner in relation to the data subject ('lawfulness, fairness and transparency');
  2. collected for specified, explicit and legitimate purposes and not processed in a manner incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered incompatible with the initial purpose in accordance with Article 89(1) ('purpose limitation');
  3. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed ('data minimisation');
  4. accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data which are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay ('accuracy');
  5. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may only be stored for longer periods where personal data will be processed for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1), subject to implementation of appropriate technical and organisational measures required by this Regulation to protect the rights and freedoms of data subjects ('storage limitation');
  6. processed in such a way as to ensure appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures ('integrity and confidentiality').

The controller is responsible for compliance with the above and must be able to demonstrate such compliance ('accountability').

The data controller declares that its data processing is carried out in accordance with the principles set out in this section.



Data processing related to webshop operation/service use

1. The fact of data collection, the scope of processed data and the purpose of data processing

Personal data | Purpose of data processing | Legal basis
User name | Identification, enabling registration. | Article 6 (1) (b) GDPR and the Elker Act 13/A. § (3).
Password | It is used for secure login to the user account.
First and last name | It is necessary for contact, purchase, issuing a proper invoice, exercising the right of withdrawal.
E-mail address | Contact.
Telephone number | Keeping contact, coordinating issues related to billing or shipping more efficiently.
Billing name and address | Issuing a proper invoice, as well as establishing, defining, modifying, monitoring the performance of the contract, invoicing the resulting fees and enforcing related claims. | Article 6(1)(c) and Section 169(2) of Act C of 2000 on Accounting
Shipping name and address | Enabling home delivery. | Article 6 (1) (b) GDPR and the Elker Act 13/A. § (3).
Date of purchase/registration | Performing a technical operation.
IP address at time of purchase/registration | Performing a technical operation.

2. Data subjects: All data subjects who have registered or made a purchase on the webshop website. Neither the username nor the e-mail address needs to contain personal data.

3. Duration of data processing, deadline for erasure of data: If one of the conditions set out in Article 17 (1) of the GDPR applies, it lasts until the data subject's request for erasure. The controller shall inform the data subject electronically of the erasure of any personal data provided by the data subject pursuant to Article 19 of the GDPR. If the data subject's request for deletion also covers the e-mail address provided by him, the data controller will also delete the e-mail address after being informed. Except in the case of accounting documents, since according to Section 169 (2) of Act C of 2000 on Accounting, these data must be kept for 8 years. The contractual data of the data subject may be deleted after the expiry of the civil law limitation period on the basis of the data subject's request for deletion.

The accounting documents (including general ledger accounts, analytical and detailed records) directly and indirectly supporting the accounting accounts shall be kept for at least 8 years in a legible form and retrievable by reference to the accounting records.

4. Potential data controllers entitled to access the data, recipients of personal data: Personal data may be processed by the data controller and its authorized employees, respecting the above principles.

5. Description of data subjects' rights related to data processing

  • The data subject may request from the controller access to, rectification, erasure or restriction of processing of personal data concerning him or her, and
  • The data subject has the right to data portability and the right to withdraw consent at any time.

6. Access to, deletion, modification or restriction of processing of personal data and data portability can be initiated by the data subject in the following ways:

  • by post to 1135 BUDAPEST XIII. DIST., SZEGEDI ÚT 58. 1st floor 2. door address,
  • by e-mail at the info@pokeka.hu e-mail address,
  • by phone at +36303333734.

7. Legal basis for data processing

1. Article 6 (1) (b) and (c) GDPR,

2. Act CVIII of 2001 on Certain Issues of Electronic Commerce Services and Information Society Services (hereinafter: Elker Act) 13/A. § (3):

For the purpose of providing the service, the service provider may process personal data that are technically indispensable for the provision of the service. If other conditions are identical, the service provider shall choose and operate the means used in the provision of the information society service in such a way that personal data shall only be processed if this is strictly necessary for the provision of the service and the fulfilment of other purposes specified in this Act, but only to the extent and for the time necessary.

3. Article 6(1)(c) where accounts are drawn up in accordance with accounting legislation.

4. In case of enforcement of claims arising from the contract, 5 years pursuant to Section 6:22 of Act V of 2013 on the Civil Code.

6:22. § [Statute of limitations]

(1) Unless otherwise provided for in this Act, claims shall be time-barred within five years.

(2) The limitation period shall begin to run when the claim becomes due.

(3) Any agreement to change the limitation period shall be in writing.

(4) An agreement excluding limitation shall be null and void.

8. Please note that

  • Data processing is necessary for the performance of a contract and for the provision of an offer.
  • You are obliged to provide personal data so that we can fulfill your order.
  • Failure to provide data will result in us not being able to process your order.


Manage cookies

1. The use of so-called "password-protected session cookies", "shopping cart cookies", "security cookies", "necessary cookies", "functional cookies" and "cookies responsible for managing website statistics" does not require prior consent from the data subjects.

2. Fact of data processing, scope of processed data: Unique identification number, dates, times

3. Data subjects: All data subjects visiting the website.

4. Purpose of data processing: Identification of users and tracking of visitors.

5. Duration of data processing, deadline for erasure of data:

Type of cookie | Legal basis for data processing | Duration of data processing
Session cookies | Act CVIII of 2001 on Certain Issues of Electronic Commerce Services and Information Society Services (Elker Act) 13/A. § (3) | The period until the end of the relevant visitor session
Persistent or saved cookies | Act CVIII of 2001 on Certain Issues of Electronic Commerce Services and Information Society Services (Elker Act) 13/A. § (3) | Until deleted by the data subject
Statistical, marketing cookies | Act CVIII of 2001 on Certain Issues of Electronic Commerce Services and Information Society Services (Elker Act) 13/A. § (3) | 1 month - 2 years

6. Potential data controllers entitled to access the data: The data controller does not process personal data by using cookies.

7. Description of data subjects' rights related to data processing: The data subject has the option to delete cookies in the Tools/Settings menu of browsers, usually under the settings of the Privacy menu item.

8. Legal basis for data processing: The consent of the data subject is not required if the sole purpose of using cookies is the transmission of communications via electronic communications networks or if it is absolutely necessary for the service provider to provide an information society service expressly requested by the subscriber or user.

9. Most browsers used by our users allow you to set which cookies should be saved and allow (specific) cookies to be deleted again. If you restrict the storage of cookies on certain websites or do not allow third-party cookies, this may, under certain circumstances, lead to our website no longer being fully usable. Here you can find information on how to customize cookie settings for standard browsers:

Google Chrome 

Internet Explorer 

Firefox 

Safari 



Use of Google Ads conversion tracking

  1. The data controller uses the online advertising program called "Google Ads" and uses Google's conversion tracking service within its framework. Google conversion tracking is an analytics service provided by Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; "Google").
  2. When the User accesses a website through a Google ad, a cookie necessary for conversion tracking is placed on his/her computer. These cookies have a limited validity and do not contain any personal data, so the User cannot be identified by them.
  3. When the User browses certain pages of the website and the cookie has not yet expired, both Google and the data controller can see that the User clicked on the advertisement.
  4. Each Google Ads customer receives a different cookie, so they cannot be tracked across Ads customers' websites.
  5. The information obtained through conversion tracking cookies is used to compile conversion statistics for Ads customers who opt for conversion tracking. In this way, customers are informed about the number of users who clicked on their advertisement and were forwarded to a page with a conversion tracking tag. However, they do not receive any information that could be used to identify any user.
  6. If you do not wish to participate in conversion tracking, you can opt out by disabling the option to install cookies in your browser. You will no longer be included in conversion tracking statistics.
  7. Further information and Google's privacy statement are available at:  


Use of Google Analytics

  1. This website uses Google Analytics, a web analysis service provided by Google Inc. ("Google"). Google Analytics uses so-called "cookies", text files that are saved on your computer to help analyze the use of the website visited by the User.
  2. The information generated by cookies related to the website used by the User is usually transferred to a Google server in the USA and stored. By activating IP anonymization on the website, Google shortens the User's IP address within member states of the European Union or in other states party to the Agreement on the European Economic Area beforehand.
  3. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there. On behalf of the operator of this website, Google will use this information to evaluate how the User has used the website, to compile reports on website activity for the website operator and to provide other services related to website and internet usage.
  4. The IP address transmitted by the User's browser within the framework of Google Analytics will not be merged with other Google data. The User may prevent the storage of cookies by setting his/her browser accordingly, however, please note that in this case not all functions of this website may be fully usable. You can also prevent Google from collecting and processing data generated by cookies about your use of the website (including your IP address) by downloading and installing the browser plug-in available at the following link. 


Newsletter, DM activity

1. Pursuant to Section 6 of Act XLVIII of 2008 on the Basic Conditions and Certain Restrictions of Commercial Advertising Activities, the User may give prior and express consent to be contacted by the Service Provider with its advertising offers and other mailings at the contact details provided during registration.

2. Furthermore, bearing in mind the provisions of this policy, the Customer may consent to the Service Provider processing his or her personal data necessary for sending advertising offers.

3. The Service Provider does not send unsolicited advertising messages, and the User may unsubscribe from sending offers free of charge without restriction or justification. In this case, the Service Provider deletes all personal data necessary for sending advertising messages from its records and does not contact the User with further advertising offers. The User may unsubscribe from advertisements by clicking on the link in the message.

4. The fact of data collection, the scope of processed data and the purpose of data processing

Personal data | Purpose of data processing | Legal basis
Name, email address. | Identification, enabling you to subscribe to newsletters/promotional coupons. | Consent of the data subject, Article 6(1)(a). Section 6 (5) of Act XLVIII of 2008 on the Basic Conditions and Certain Restrictions of Commercial Advertising Activities.
Date of subscription | Performing a technical operation.
IP address at the time of subscription | Performing a technical operation.

5. Data subjects: All data subjects subscribing to the newsletter.

6. Purpose of data processing: sending electronic messages containing advertising (e-mail, sms, push message) to the data subject, providing information about current information, products, promotions, new functions, etc.

7. Duration of data processing, deadline for deletion of data: data processing lasts until the withdrawal of the consent statement, i.e. until unsubscribing.

8. Potential data controllers entitled to access data, recipients of personal data: Personal data may be processed by the data controller and its sales and marketing staff, respecting the above principles.

9. Description of data subjects' rights related to data processing

  • The data subject may request from the controller access to, rectification, erasure or restriction of processing of personal data concerning him or her, and
  • The data subject may object to the processing of his or her personal data, and
  • The data subject has the right to data portability and the right to withdraw consent at any time.

10. Access to, deletion, modification or restriction of processing of personal data, data portability or objection may be initiated by the data subject in the following ways:

  • by post to 1135 BUDAPEST XIII. DIST., SZEGEDI ÚT 58. 1st floor 2. door address,
  • by e-mail at the info@pokeka.hu e-mail address,
  • by phone at +36303333734.

11. The data subject may unsubscribe from the newsletter at any time, free of charge.

12. Please note that

  • Data processing is based on your consent and the legitimate interest of the service provider.
  • You are obliged to provide personal data if you wish to receive newsletters from us.
  • Failure to provide data will result in us not being able to send you newsletters.
  • Please note that you can withdraw your consent at any time by clicking unsubscribe.
  • The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.


Complaint handling

1. The fact of data collection, the scope of processed data and the purpose of data processing

Personal data | Purpose of data processing | Legal basis
First and last name | Identification, contact. | Article 6(1)(c) and Section 17/A (7) of Act CLV of 1997 on Consumer Protection.
E-mail address | Contact.
Telephone number | Contact.
Billing name and address | Identification, handling quality complaints, questions and problems arising in connection with the ordered products/services.

2. Data subjects: All data subjects who make purchases on the website and lodge quality objections or complaints.

3. Duration of data processing, deadline for erasure of data: Copies of the report, transcript and reply to the objection shall be kept for 3 years in accordance with Section 17/A (7) of Act CLV of 1997 on Consumer Protection.

4. Potential data controllers entitled to access the data, recipients of personal data: Personal data may be processed by the data controller and its authorized employees, respecting the above principles.

5. Description of data subjects' rights related to data processing

  • The data subject may request from the controller access to, rectification, erasure or restriction of processing of personal data concerning him or her, and
  • The data subject has the right to data portability and the right to withdraw consent at any time.

6. Access to, deletion, modification or restriction of processing of personal data and data portability can be initiated by the data subject in the following ways

  • by post to 1135 BUDAPEST XIII. DIST., SZEGEDI ÚT 58. 1st floor 2. door address,
  • by e-mail at the info@pokeka.hu e-mail address,
  • by phone at +36303333734.

7. Please note that

  • The provision of personal data is based on a legal obligation.
  • A prerequisite for entering into a contract is the processing of personal data.
  • You are obliged to provide personal data so that we can handle your complaint.
  • Failure to provide data will result in us not being able to handle your complaint.


Recipients to whom personal data are disclosed

"recipient" means a natural or legal person, public authority, agency or any other body, to which personal data are disclosed, whether a third party or not.

1. Data processors (who process data on behalf of the controller)

The data controller uses data processors to facilitate its own data processing activities and to fulfil its contractual and legal obligations with the data subject.

The controller places great emphasis on using only processors that provide adequate guarantees to implement appropriate technical and organizational measures to ensure compliance of data processing with the requirements of the GDPR and the protection of the rights of data subjects.

The Processor and any person acting under the authority of the controller or processor who has access to personal data shall process the personal data contained in this policy only in accordance with instructions from the controller.

The controller shall be legally liable for the activities of the data processor. The processor shall only be liable for damages caused by data processing if it has not complied with the obligations set out in the GDPR specifically incumbent on processors or if it has ignored or acted contrary to lawful instructions of the controller.

The data processor does not make any substantive decisions regarding the processing of data.

The data controller may use a hosting service provider to provide the IT background and a courier service as a data processor for the delivery of the ordered products.

2. Certain processors

Data processing activities

Name, address, contact details

Hosting service

Rackhost Zrt, 6722 Szeged, Tisza Lajos körút 41., +36 1 445 1200, info@rackhost.hu
GoDaddy LLC, 2155 E. GoDaddy Way Tempe, AZ 85284, (480) 505-8800, HQ@godaddy.com
easyname GmbH, Canettistraße 5/10, A-1100 Vienna, +43 (0)1 353 2222, office@easyname.com

Other data processor (e.g. online invoicing, web development, marketing)

 

Billingo
Billingo Technologies Zrt.
Headquarters: 1133 Budapest, Árbóc utca 6. III. floor
E-mail: hello@billingo.hu

Shopify Inc.
Headquarters: 150 Elgin St, Suite 800, Ottawa, ON, K2P 1L4, Canada
Phone: +1 888 746 7439
E-mail: support@shopify.com
Website: shopify.com



 

 

"third party" means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.

3. Data transfer to third parties

Third party data controllers process the personal data we provide on their own behalf and in accordance with their own privacy policies.

Activities of the Data Controller

Name, address, contact details

Transport

 

GLS General Logistics Systems Hungary Kft: 2351 Alsónémedi GLS Európa u. 2., +36 29 88 66 70, info@gls-hungary.com

MPL (Magyar Posta): Magyar Posta Private Limited Company: 1138 Budapest, Dunavirág utca 2-6, 06-1-767-828, ugyfelszolgalat@posta.hu

Packeta: Packeta Hungary Kft: 1138 Budapest, 1044 Budapest, Ezred utca 1-3. B2/11. intact, 061-400-8806, info@packeta.hu



 

Online payment

Stripe: 185 Berry St #550, San Francisco, CA 94107, USA, info@stripe.com



Social media

  1. The fact of data collection, the scope of processed data: Meta/Twitter/Pinterest/Youtube/Instagram etc. social media name and user's public profile picture.
  2. Data subjects: All data subjects who have registered on Meta/Twitter/Pinterest/Youtube/Instagram etc. social media sites and "liked" the Service Provider's social media page or contacted the data controller through the social media site.
  3. Purpose of data collection: To share, "like", follow and promote certain content elements, products, promotions of the website or the website itself on social media sites.
  4. Duration of data processing, deadline for erasure of data, identity of potential data controllers entitled to access the data and description of the rights of data subjects related to data processing: The data subject may obtain information about the source of the data, their processing, as well as the method and legal basis of the transfer on the given social media site. Data processing takes place on social media sites, so the duration and method of data processing, as well as the possibilities of deleting and modifying data, are subject to the regulations of the respective social media site.
  5. Legal basis for data processing: voluntary consent of the data subject to the processing of his or her personal data on social media sites.

Customer relations and other data processing

  1. If the data subject has any questions or problems during the use of our data processing services, he or she may contact the data controller using the methods provided on the website (phone, e-mail, social media sites, etc.).
  2. The data controller manages incoming e-mails, messages and data provided by phone, Meta, etc. The data provided, together with the name and e-mail address of the interested party and other voluntarily provided personal data, will be deleted after a maximum of 2 years from the date of disclosure.
  3. Information on data processing not listed in this policy will be provided at the time of data collection.
  4. Upon exceptional request from an authority or at the request of other bodies authorized by law, the Service Provider is obliged to provide information, disclose and transfer data and make documents available.
  5. In these cases, the Service Provider shall provide personal data to the requester – provided that it has indicated the exact purpose and scope of the data – only to the extent that is strictly necessary to achieve the purpose of the request.

Rights of data subjects

1. Right of access

You have the right to obtain from the controller confirmation as to whether or not personal data concerning you are being processed and, where that is the case, access to the personal data and the information listed in the Regulation.

2. Right to rectification

You have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning you. Taking into account the purposes of the processing, you have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

3. Right to erasure

You have the right to obtain from the controller the erasure of personal data concerning you without undue delay and the controller shall have the obligation to erase personal data without undue delay under certain conditions.

4. Right to be forgotten

Where the controller has made the personal data public and is obliged to erase the personal data, the controller, taking into account available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that you have requested the erasure of any links to, or copy or replication of, those personal data.

5. Right to restriction of processing

You have the right to obtain from the controller restriction of processing where one of the following conditions is met:

  • you contest the accuracy of the personal data, in which case the restriction applies for a period enabling the controller to verify the accuracy of the personal data;
  • the processing is unlawful and you oppose the erasure of the data and request the restriction of their use instead;
  • the controller no longer needs the personal data for the purposes of the processing, but you require them for the establishment, exercise or defence of legal claims;
  • you have objected to the processing; in this case, the restriction applies for the period until it is established whether the legitimate reasons of the controller override your legitimate reasons.

6. Right to data portability

You have the right to receive the personal data concerning you, which you have provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided (...)

7. Right to object

In the case of processing based on legitimate interest or official authority as legal basis, you have the right to object, on grounds relating to your particular situation, at any time to processing of your personal data (...), including profiling based on those provisions.

8. Objection in case of direct marketing

Where personal data are processed for direct marketing purposes, you have the right to object at any time to processing of personal data concerning you for such marketing, including profiling to the extent that it is related to such direct marketing. If you object to the processing of personal data for direct marketing purposes, the personal data shall no longer be processed for such purposes.

9. Automated individual decision-making, including profiling

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.

The preceding paragraph shall not apply where the decision:

  • is necessary for entering into, or performance of, a contract between you and the controller;
  • is authorised by Union or Member State law to which the controller is subject and which also lays down appropriate measures to safeguard your rights and freedoms and legitimate interests; or
  • is based on your explicit consent.

Time limit for action

The controller shall inform you without undue delay and in any event within 1 month of receipt of the request of the measures taken in response to the above requests.

If necessary, this period may be extended by 2 months. The controller shall inform you of the extension of the deadline within 1 month of receipt of the request, indicating the reasons for the delay.

If the controller does not take action on your request, it shall inform you without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

Security of data processing

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing and the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including, inter alia, where appropriate:

  1. pseudonymisation and encryption of personal data;
  2. ensuring the continued confidentiality, integrity, availability and resilience of systems and services used for processing personal data;
  3. the ability to restore access to and availability of personal data in a timely manner in the event of a physical or technical incident;
  4. a procedure for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures taken to ensure the security of processing.
  5. The processed data must be stored in such a way that unauthorized persons cannot access them. For paper-based data carriers, this is ensured by establishing the order of physical storage and archiving; for data processed in electronic form, by using a central authorization management system.
  6. The method of storing data using IT methods must be chosen in such a way that the data can be deleted at the end of the data deletion period or if it is necessary for other reasons, taking into account any different deletion deadline. The deletion must be irreversible.
  7. Personal data shall be removed from paper-based data carriers by means of shredders or by using an external organisation specialising in shredding. In the case of electronic data carriers, physical destruction and, where necessary, secure and irreversible deletion of data shall be ensured in accordance with the rules applicable to the disposal of electronic storage media.
  8. The controller shall take the following specific data security measures:

In order to ensure the security of personal data processed on paper, the Service Provider applies the following measures (physical protection):

  1. Store documents in a secure, lockable dry room.
  2. Where personal data processed on paper are digitised, the rules governing digitally stored documents should apply.
  3. In the course of his or her work, the Service Provider's employee performing data processing may only leave the room where data processing takes place after locking away the data carriers entrusted to him or her or closing the given room.
  4. Personal data can only be accessed by authorized persons, and third parties cannot access them.
  5. The Service Provider's building and premises are equipped with fire protection and property protection equipment.

IT protection

  1. The computers and mobile devices (other data carriers) used during data management are the property of the Service Provider.
  2. The computer system containing the personal data used by the Service Provider is equipped with virus protection.
  3. In order to ensure the security of digitally stored data, the Service Provider uses data backups and archiving.
  4. The central server machine can only be accessed with appropriate authorization and only by designated persons.
  5. You must have a user name and password to access data on your computer.

Communication of the personal data breach to the data subject

Where the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate it to the data subject without undue delay.

The communication to the data subject shall describe in clear and plain language the nature of the personal data breach and indicate the name and contact details of the data protection officer or other contact person providing further information; describe the likely consequences of the personal data breach; describe the measures taken or planned by the controller to remedy the personal data breach, including, where appropriate, measures aimed at mitigating any adverse consequences resulting from the personal data breach.

The data subject need not be informed if any of the following conditions are met:

  • the controller has implemented appropriate technical and organisational protection measures and those measures were applied to the data affected by the personal data breach, in particular those that render the personal data unintelligible to persons who are not authorised to access them, such as encryption;
  • following the personal data breach, the controller has taken further measures to ensure that the high risk to the rights and freedoms of the data subject is no longer likely to materialise;
  • the provision of information would require disproportionate effort. In such cases, the data subjects shall be informed by means of publicly available information or a similar measure shall be taken to ensure that the data subjects are informed in an equally effective manner.

Where the controller has not already communicated the personal data breach to the data subject, the supervisory authority, having considered whether the personal data breach is likely to result in a high risk, may order it to do so.

Report a personal data breach to the authority

The controller shall notify the personal data breach to the supervisory authority competent pursuant to Article 55 without undue delay and, where feasible, not later than 72 hours after having become aware of it, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. If the notification is not made within 72 hours, it shall be accompanied by reasons justifying the delay.

Review in case of mandatory data processing

If the duration of mandatory data processing or the periodic review of its necessity is not specified by law, local government decree or binding legal act of the European Union, the controller shall review at least every three years from the commencement of data processing whether the processing of personal data processed by him or by a data processor acting on his behalf or on his instructions is necessary to achieve the purpose of data processing.

The circumstances and outcome of this review shall be documented by the data controller; this documentation shall be kept for ten years after the completion of the review and shall be made available to the National Authority for Data Protection and Freedom of Information (hereinafter: the Authority) upon the Authority's request.

Possibility to lodge a complaint

A complaint about a possible infringement by the data controller may be lodged with the National Authority for Data Protection and Freedom of Information:

National Authority for Data Protection and Freedom of Information

1055 Budapest, Falk Miksa utca 9-11.

Postal address: 1363 Budapest, Pf. 9.

Telephone: +36-1-391-1400

Fax: +36-1-391-1410

E-mail: ugyfelszolgalat@naih.hu

Closing remarks

During the preparation of this privacy policy, we took into account the following legal regulations:

  • Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR) (27 April 2016);
  • Act CXII of 2011 on Informational Self-Determination and Freedom of Information (hereinafter: Privacy Act);
  • Act CVIII of 2001 on Certain Issues of Electronic Commerce Services and Information Society Services (mainly Section 13/A);
  • Act XLVII of 2008 on the prohibition of unfair commercial practices against consumers;
  • Act XLVIII of 2008 on the Basic Conditions and Certain Restrictions of Commercial Advertising Activities (in particular Section 6);
  • Act XC of 2005 on Electronic Freedom of Information;
  • Act C of 2003 on Electronic Communications (specifically Section 155);
  • Opinion No 16/2011 on the EASA/IAB Recommendation on Good Practice in Online Behavioural Advertising;
  • Recommendation of the National Authority for Data Protection and Freedom of Information on the data protection requirements of prior information.