GDPR

ON THE RIGHTS OF THE NATURAL PERSON CONCERNED
IN RELATION TO THE PROCESSING OF HIS PERSONAL DATA

INTRODUCTION

REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Regulation 95/46/EC (hereinafter referred to as the Regulation) requires that the Data Controller shall take appropriate measures to provide the data subject with any information relating to the processing of personal data in a concise, transparent, intelligible and easily accessible form, in clear and plain language, and that the Data Controller shall facilitate the exercise of the data subject’s rights.

The obligation to provide prior information to the data subject is also provided for in Act CXII of 2011 on the right to informational self-determination and freedom of information.

We comply with this legal obligation by providing the information below.

The information must be published on the company’s website or sent to the data subject upon request.

ENSURING THE LAWFULNESS OF DATA PROCESSING

Data processing based on the data subject’s consent

(1) If the Company intends to carry out data processing based on consent, the data subject’s consent to the processing of his or her personal data must be requested with the content and information specified in the data request form specified in the data processing regulations.

(2) Consent also includes ticking a relevant box when the data subject visits the Company’s website, making relevant technical settings when using information society services, and any other statement or action that clearly indicates the data subject’s consent to the planned processing of his or her personal data in the given context. Silence, a pre-ticked box or inaction therefore does not constitute consent.

(3) Consent shall apply to all processing operations carried out for the same purpose or purposes. If the processing is carried out for several purposes, consent shall be given for all purposes of the processing.

(4) Where the data subject gives his/her consent in a written statement which also applies to other matters – e.g. the conclusion of a sales or service contract – the request for consent shall be presented in a manner that is clearly distinguishable from those other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a statement containing the data subject’s consent which infringes the Regulation shall not be binding.

(5) The Company may not make the conclusion or performance of a contract conditional on the consent to the processing of personal data which is not necessary for the performance of the contract.

(6) The withdrawal of consent shall be made as easy as the provision of it.

(7) If personal data were collected with the consent of the data subject, the data controller may, unless otherwise provided by law, process the collected data without further consent for the purpose of fulfilling a legal obligation applicable to it, and even after the data subject's consent has been withdrawn.

Data processing based on the fulfillment of a legal obligation

(1) In the case of data processing based on a legal obligation, the scope of data to be processed, the purpose of data processing, the duration of data storage, and the recipients are governed by the provisions of the underlying legal provisions.

(2) Data processing based on the fulfillment of a legal obligation is independent of the data subject's consent, since data processing is determined by law. In this case, the data subject must be informed before the start of data processing that the data processing is mandatory, and the data subject must be clearly and in detail informed before the start of data processing about all facts related to the processing of his/her data, in particular about the purpose and legal basis of the data processing, the person authorized to process and process the data, the duration of the data processing, whether the data controller processes the data subject's personal data based on a legal obligation applicable to him/her, and who may have access to the data. The information must also include the data subject's rights and legal remedies in relation to data processing. In the case of mandatory data processing, the information may also be provided by publishing a reference to the legal provisions containing the aforementioned information.

Promoting the rights of the data subject

The Company is obliged to ensure the exercise of the data subject's rights during all data processing.

VISITOR DATA MANAGEMENT ON THE COMPANY'S WEBSITE - INFORMATION ON THE USE OF COOKIES

The visitor to the website must be informed on the website about the use of cookies and their consent must be requested - with the exception of technically necessary session cookies.

General information on cookies

2.1. A cookie is a piece of data that a website sends to the visitor's browser (in the form of a variable name-value pair) so that it can store and later be loaded by the same website. A cookie can be valid until the browser is closed, or for an unlimited period of time. In the future, the browser will also send this data to the server with every HTTP(S) request. This will modify the data on the user's computer.

2.2. The essence of a cookie is that, due to the nature of website services, it is necessary to identify a user (e.g., that they have entered the site) and to be able to handle it accordingly in the future. The danger lies in the fact that the user is not always aware of this and it may be possible for the website operator or other service provider whose content is integrated into the site (e.g. Facebook, Google Analytics) to track the user, thereby creating a profile about him/her, in which case the content of the cookie can be considered personal data.

2.3. Types of cookies:

2.3.1. Technically indispensable session cookies: without which the site simply would not function functionally, these are necessary to identify the user, e.g. to manage whether he/she is logged in, what he/she has put in the basket, etc. This is typically the storage of a session-id, the other data is stored on the server, which is thus more secure. There is a security aspect, if the session cookie value is not generated correctly, there is a risk of session-hijacking attacks, therefore it is absolutely necessary that these values are generated correctly. Other terminology calls all cookies that are deleted when you exit the browser session cookies (a session is a browser session from launch to exit).

2.3.2. User-friendly cookies: this is the name given to cookies that remember the user's choices, for example, how the user wants to see the page. These types of cookies essentially mean the settings data stored in the cookie.

2.3.3. Performance cookies: although they have little to do with "performance", this is usually the name given to cookies that collect information about the user's behavior within the visited website, the time spent, and clicks. These are typically third-party applications (e.g. Google Analytics, AdWords, or Yandex.ru cookies). These are suitable for creating visitor profiles.

You can find out more about Google Analytics cookies here:
https://developers.google.com/analytics/devguides/collection/analyticsjs/cookie-usage

You can find out more about Google AdWords cookies here:
https://support.google.com/adwords/answer/2407785?hl=hu

2.4. Accepting or enabling the use of cookies is not mandatory. You can reset your browser settings to refuse all cookies or to indicate when a cookie is being sent. Most browsers automatically accept cookies by default, but these can usually be changed to prevent automatic acceptance and offer you the option to choose each time.

You can find information about cookie settings of the most popular browsers at the following links

• Google Chrome: https://support.google.com/accounts/answer/61416?hl=hu
• Firefox: https://support.mozilla.org/hu/kb/sutik-engedelyezese-es-tiltasa-amit-weboldak-haszn
• Microsoft Internet Explorer 11: http://windows.microsoft.com/hu-hu/internet-explorer/delete-manage-cookies#ie=ie-11
• Microsoft Internet Explorer 10: http://windows.microsoft.com/hu-hu/internet-explorer/delete-manage-cookies#ie=ie-10-win-7
• Microsoft Internet Explorer 9: http://windows.microsoft.com/hu-hu/internet-explorer/delete-manage-cookies#ie=ie-9
• Microsoft Internet Explorer 8: http://windows.microsoft.com/hu-hu/internet-explorer/delete-manage-cookies#ie=ie-8
• Microsoft Edge: http://windows.microsoft.com/hu-hu/windows-10/edge-privacy-faq
• Safari: https://support.apple.com/hu-hu/HT201265

However, we would like to draw your attention to the fact that certain website functions or services may not function properly without cookies.

Information on the cookies used on the Company's website and the data generated during the visit

3.1. Data processed during the visit: Our Company's website may record and process the following data about the visitor and the device used for browsing when using the website:

• the IP address used by the visitor,
• the type of browser,
• the characteristics of the operating system of the device used for browsing (set language),
• time of visit,
• the (sub)page, function or service visited.
• click.

We retain this data for a maximum of 90 days and may primarily use it to investigate security incidents.

3.2. Cookies used on the website

3.2.1. Technically necessary session cookies

The purpose of data processing is to ensure the proper functioning of the website. These cookies are essential for are necessary for visitors to browse the website, to use its functions smoothly and fully, and to use the services available through the website, including - among others - in particular - to record the actions performed by the visitor on the given pages or to identify the logged-in user during a visit. The duration of data processing of these cookies applies only to the visitor's current visit, and this type of cookie is automatically deleted from the visitor's computer at the end of the session or when the browser is closed.

The legal basis for this data processing is Section 13/A. (3) of Act CVIII of 2001 on electronic commerce services and certain issues of information society services (Elkertv.), according to which the service provider may process personal data that are technically indispensable for the provision of the service for the purpose of providing the service. All other conditions being equal, the service provider must select and in all cases operate the means used in the provision of information society services in such a way that personal data are processed only if this is absolutely necessary for the provision of the service and for the fulfilment of other purposes specified in this Act, but even in this case only to the extent and for the period necessary.

3.2.1. Cookies facilitating use:

These remember the user's choices, for example in what form the user would like to see the site. These types of cookies essentially mean the setting data stored in the cookie.

The legal basis for data processing is the visitor's consent.

The purpose of data processing: Increasing the efficiency of the service, enhancing the user experience, making the use of the website more convenient.

This data is rather on the user's machine, the website only accesses and recognizes the visitor through it.

3.2.2. Performance cookies:

They collect information about the user's behavior within the visited website, the time spent, and clicks. These are typically third-party applications (e.g. Google Analytics, AdWords).

Legal basis for data processing: consent of the data subject.

Purpose of data processing: website analysis, sending advertising offers.

INFORMATION ON THE RIGHTS OF THE DATA SUBJECT

The rights of the data subject in brief:

1. Transparent information, communication and facilitation of the exercise of rights
2. Right to prior information – if personal data are collected from the data subject
3. Information of the data subject and information to be provided to him/her if the personal data were not obtained from him/her
4. Right of access of the data subject
5. Right to rectification
6. Right to erasure (“right to be forgotten”)
7. Right to restriction of processing

Obligation to notify the rectification or erasure of personal data or restriction of processing

1. Right to data portability
2. Right to object
3. Automated decision-making in individual cases, including profiling
4. Restrictions
5. Information of the data subject about the data breach
6. Right to lodge a complaint with a supervisory authority (right to a judicial remedy)
7. Effective judicial remedy against the supervisory authority right to a remedy
8. Right to an effective judicial remedy against the controller or processor

Transparent information, communication and facilitation of the exercise of the data subject's rights

1.1. The controller shall provide the data subject with all information and any communication relating to the processing of personal data in a concise, transparent, intelligible and easily accessible form, in clear and plain language, in particular for any information addressed to children. The information shall be provided in writing or by any other means, including, where appropriate, by electronic means. At the request of the data subject, oral information may also be provided, provided that the identity of the data subject has been otherwise verified.

1.2. The controller shall facilitate the exercise of the data subject's rights.

1.3. The controller shall inform the data subject without undue delay and in any event within one month of receipt of the request of the data subject of the measures taken in response to the request to exercise his or her rights. This period may be extended by a further two months under the conditions laid down in the Regulation. which the data subject must be informed of.

1.4. If the controller does not take action on the data subject's request, it shall inform the data subject without delay, but at the latest within one month of receipt of the request, of the reasons for not taking action and of the fact that the data subject may lodge a complaint with a supervisory authority and exercise his or her right to a judicial remedy.

1.5. The controller shall provide the information and the information on the data subject's rights and the action free of charge, however, in the cases specified in the Regulation, a fee may be charged.

The detailed rules can be found under Article 12 of the Regulation.

Right to prior information – if personal data are collected from the data subject

2.1. The data subject has the right to receive information about the facts and information related to the data processing before the data processing begins. In this context, the data subject must be informed:

a) about the identity and contact details of the data controller and its representative,

b) about the contact details of the data protection officer (if any),

c) about the purpose of the intended processing of personal data and the legal basis for the processing,

d) in the case of data processing based on the exercise of legitimate interest, about the legitimate interests of the data controller or a third party,

e) about the recipients of the personal data – to whom the personal data are disclosed – and the categories of recipients, if any;

e) where applicable, about the fact that the data controller intends to transfer the personal data to a third country or to an international organisation.

2.2. In order to ensure fair and transparent data processing, the controller shall inform the data subject of the following additional information:

a) the period for which the personal data will be stored or, where that is not possible, the criteria for determining that period;

b) the data subject's right to request from the data controller access to, rectification, erasure or restriction of processing of personal data concerning him or her, and to object to the processing of such personal data, as well as the data subject's right to data portability;

c) in the case of processing based on the data subject's consent, the right to withdraw consent at any time, without affecting the lawfulness of the processing carried out on the basis of consent before its withdrawal;

d) the right to lodge a complaint with a supervisory authority;

e) whether the provision of personal data is based on a legal or contractual obligation or is a prerequisite for entering into a contract, and whether the data subject is obliged to provide the personal data, as well as the possible consequences of failure to provide the data;

f) the fact of automated decision-making, including profiling, and at least in such cases, the logic involved, and intelligible information on the significance of such processing and the foreseeable consequences for the data subject.

2.3. Where the controller intends to process personal data for purposes other than those for which they were collected, the data subject shall be informed of that purpose and of any relevant additional information prior to the further processing.

The detailed rules on the right to prior information are set out in Article 13 of the Regulation.

Information to be provided to the data subject and information to be made available to the data subject where the personal data were not obtained by the data controller

3.1. Where the data controller has not obtained the personal data from the data subject, the data subject shall be informed by the data controller of the personal data no later than one month after the personal data were obtained; where the personal data are used for the purpose of communicating with the data subject, at least at the time of the first contact with the data subject; or if the data are expected to be communicated to other recipients, at the latest when the personal data are communicated for the first time, the facts and information referred to in point 2 above, as well as the categories of personal data concerned, the source of the personal data and, where applicable, whether the data originate from publicly available sources.

3.2. The further rules are those set out in point 2 above (Right to prior information).

The detailed rules for this information are set out in Article 14 of the Regulation.

Right of access of the data subject

4.1. The data subject shall have the right to obtain from the controller information as to whether or not personal data concerning him or her are being processed and, where such processing is taking place, access to the personal data and the related information referred to in points 2-3 above. (Article 15 of the Regulation).

4.2. Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards for the transfer in accordance with Article 46 of the Regulation.

4.3. The controller shall provide the data subject with a copy of the personal data which are the subject of the processing. For further copies requested by the data subject, the controller may charge a reasonable fee based on the administrative costs.

The detailed rules on the data subject's right of access are set out in Article 15 of the Regulation.

Right to rectification

5.1. The data subject shall have the right to obtain from the controller, at his request, the rectification of inaccurate personal data concerning him or her without undue delay.

5.2. Taking into account the purposes of the processing, the data subject shall have the right to request that incomplete personal data be completed, including by means of a supplementary statement.

These rules are also contained in Article 16 of the Regulation.

Right to erasure (‘right to be forgotten’)

6.1. The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay, and the controller shall have the obligation to erase personal data concerning him or her without undue delay where

a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

b) the data subject withdraws his or her consent to the processing and there is no other legal basis for the processing;

c) the data subject objects to the processing and there are no overriding legitimate grounds for the processing;

d) the personal data have been processed unlawfully;

e) the personal data must be erased for compliance with a legal obligation to which the controller is subject under Union or Member State law;

f) the personal data were collected in connection with the provision of information society services directly to a child.

6.2. The right to erasure may not be exercised if the processing is necessary

a) for the exercise of the right to freedom of expression and information;

b) for compliance with an obligation under Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

c) for reasons of public interest in the field of public health;

d) for archiving purposes in the public interest, scientific and historical research purposes or statistical purposes, where the right to erasure would likely render impossible or seriously jeopardise such processing; or

e) for the establishment, exercise or defence of legal claims.

The detailed rules on the right to erasure are set out in Article 17 of the Regulation.

Right to restriction of processing

7.1. In the event of restriction of processing, such personal data may, with the exception of storage, only be processed with the consent of the data subject, or for the establishment, exercise or defence of legal claims, or for the protection of the rights of another natural or legal person, or for important public interests of the Union or of a Member State.

7.2. The data subject shall have the right to obtain from the Controller restriction of processing where one of the following applies:

a) the data subject contests the accuracy of the personal data, in which case the restriction shall apply for a period enabling the Controller to verify the accuracy of the personal data;

b) the processing is unlawful and the data subject opposes the erasure of the data and requests the restriction of their use instead;

c) the Controller no longer needs the personal data for the purposes of the processing, but the data subject requires them for the establishment, exercise or defence of legal claims; or

d) the data subject has objected to the processing; in this case, the restriction shall apply for the period until it is established whether the legitimate grounds of the controller override those of the data subject.

7.3. The data subject shall be informed in advance of the lifting of the restriction of processing.

The relevant rules are set out in Article 18 of the Regulation.

Notification obligation in relation to the rectification or erasure of personal data or the restriction of processing

The controller shall inform any recipient to whom or to whom the personal data have been disclosed of any rectification, erasure or restriction of processing, unless this proves impossible or involves a disproportionate effort. Upon request, the data subject shall be informed of these recipients by the controller.

These rules can be found under Article 19 of the Regulation.

Right to data portability

9.1. Under the conditions set out in the Regulation, the data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and shall have the right to transmit those data to another controller without hindrance from the controller to whom the personal data have been provided, where

a) the processing is based on consent or a contract; and

b) the processing is carried out by automated means.

9.2. The data subject may also request the direct transmission of personal data between controllers.

9.3. The exercise of the right to data portability shall be without prejudice to Article 17 of the Regulation (Right to erasure ("right to be forgotten"). The right to data portability shall not apply where the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. This right shall not adversely affect the rights and freedoms of others.

The detailed rules are set out in Article 20 of the Regulation.

Right to object

10.1. The data subject shall have the right to obtain, on grounds relating to his or her particular situation, the object at any time to processing of personal data concerning him or her based on public interest, performance of a public task (Article 6 (1) e)) or legitimate interest (Article 6 (f)), including profiling based on those provisions. In such a case, the controller shall no longer process the personal data, unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims.

10.2. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such purposes, including profiling where such processing is related to direct marketing. If the data subject objects to processing of personal data for direct marketing purposes, the personal data shall no longer be processed for such purposes.

10.3. These rights must be expressly brought to the attention of the data subject at the latest when the data subject is first contacted and the information must be displayed clearly and separately from all other information.

10.4. The data subject may also exercise the right to object by automated means based on technical specifications.

10.5. Where personal data are processed for scientific and historical research purposes or for statistical purposes, the data subject shall have the right to object, on grounds relating to his or her particular situation, to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

The relevant rules are set out in the Regulation.

Automated decision-making in individual cases, including profiling

11.1. The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

11.2. This right shall not apply where the decision:

a) is necessary for entering into, or the performance of, a contract between the data subject and the controller;

b) is permitted by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests; or

c) is based on the data subject's explicit consent.

11.3. In the cases referred to in points a) and c) above, the controller shall implement suitable measures to safeguard the data subject's rights, freedoms and legitimate interests, including at least the right for the data subject to obtain human intervention on the part of the controller, to express his or her point of view and to object to the decision.

Further rules are set out in Article 22 of the Regulation.

Restrictions

Union or Member State law applicable to the controller or processor may, by means of legislative measures, restrict the scope of rights and obligations (Articles 12 to 22, Article 34, Article 5 of the Regulation) provided that the restriction respects the essence of the fundamental rights and freedoms.

The conditions for such restriction are set out in Article 23 of the Regulation.

Communication of the data subject to the personal data breach

13.1. Where the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay. The communication shall describe the nature of the personal data breach in a clear and intelligible manner and shall include at least the following:

a) the name and contact details of the data protection officer or other contact person who can provide further information;

c) the likely consequences of the personal data breach;

d) describe the measures taken or planned by the controller to remedy the personal data breach, including, where applicable, measures to mitigate the potential adverse consequences of the personal data breach.

13.2. The data subject does not need to be informed if any of the following conditions are met:

a) the controller has implemented appropriate technical and organisational security measures and those measures have been applied to the data affected by the personal data breach, in particular measures such as encryption that render the data unintelligible to persons not authorised to access the personal data;

b) the controller has taken additional measures following the personal data breach to ensure that the high risk to the rights and freedoms of the data subject is unlikely to materialise;

c) providing information would involve a disproportionate effort. In such cases, the data subject shall be informed publicly shall be informed by means of information provided or a similar measure shall be taken which ensures that data subjects are informed in an equally effective manner.

Further rules are set out in Article 34 of the Regulation.

Right to lodge a complaint with a supervisory authority (right to a judicial remedy)

The data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement, if the data subject considers that the processing of personal data concerning him or her infringes the Regulation. The supervisory authority to which the complaint has been lodged shall be obliged to inform the customer of the progress of the procedure and the outcome of the complaint, including the fact that the customer has the right to seek a judicial remedy.

These rules are set out in Article 77 of the Regulation.

Right to an effective judicial remedy against the supervisory authority

15.1. Without prejudice to other administrative or non-judicial remedies, every natural or legal person shall have the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning him or her.

15.2. Without prejudice to other administrative or non-judicial remedies, every data subject shall have the right to an effective judicial remedy where the competent supervisory authority does not deal with a complaint or does not inform the data subject of the progress or outcome of the complaint lodged within three months.

15.3. Proceedings against a supervisory authority shall be brought before the courts of the Member State in which the supervisory authority is established.

15.4. Where proceedings are brought against a decision of a supervisory authority on which the Board has previously issued an opinion or taken a decision under the consistency mechanism, the supervisory authority shall be obliged to transmit that opinion or decision to the court.

These rules are set out in Article 78 of the Regulation.

Right to an effective judicial remedy against the controller or processor

16.1. Without prejudice to any administrative or non-judicial remedies available to the data subject, including the right to lodge a complaint with a supervisory authority, each data subject shall have the right to an effective judicial remedy where he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of personal data concerning him or her not complying with this Regulation.

16.2. Proceedings against the controller or processor shall be brought before the courts of the Member State in which the controller or processor is established. Such proceedings may also be brought before the courts of the Member State in which the data subject has his or her habitual residence, unless the controller or processor is a public authority of a Member State acting in the exercise of its official authority.

These rules are set out in Article 79 of the Regulation.

Dated, Tápiószőlős, May 25, 2018.