Privacy Policy

Introduction

The Mobilredfox korlátolt felelősségű társaság (hereinafter referred to as the controller) attaches great importance to respecting the right of informational self-determination of its partners, customers and visitors. the controller processes personal data confidentially, in accordance with the applicable european union and national legislation and relevant data protection (authority) practice, and takes all security and organizational measures to ensure the security, confidentiality, integrity and availability of the data.

Taking into account the provisions of regulation (eu) 2016/679 of the european parliament and of the council of 27 april 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing directive 95/46/ec (hereinafter referred to as GDPR) and act cxii of 2011 on the right of informational self-determination and freedom of information (hereinafter referred to as “infotv.), the following notice (hereinafter referred to as”** notice**") is published in order to protect the personal data processed.

The notice is effective from 1 may 2022 until its revocation with regard to the processing of personal data of data subjects concerned by the activities of the controller.

The controller reserves the right to unilaterally amend this notice at any time. in the event of any modification of this notice, the controller shall inform the data subjects thereof.

Budapest, 01 may 2022. ## the controller

Name of the controller: Mobilredfox korlátolt felelősségű társaság registered office: 3300 Eger, Kistályai út 5. tax number: 25540998-2-10 company registration number: 10-09-035724 e-mail address: info@mobilfox.hu

Represented by Kevin Diller executive director

Processing in the context of a request for a proposal

The controller processes personal data in connection with requests for proposals (first contact) received by it as a result of its core business. requests for proposal can be made at the controller’s registered office, by phone, e-mail or via the social media platforms operated by the controller. the controller shall endeavour to process only the personal data necessary for the effective preparation of the offer. the controller shall process the personal data it receives in connection with requests for proposals, regardless of the channel through which they are received, as follows:

Scope of personal data processed: surname and first name, title, e-mail address, phone number and other personal data provided by the applicant.

Categories of data subjects: data subjects intending to establish a business relationship with the controller.

Source of the personal data processed: the data subject.

Purpose of processing: prior consultation, request for proposal.

Legal ground for processing: in the case of a preliminary consultation or request for proposal, to take steps between the controller and the data subject at the request of the data subject prior to the conclusion of the contract, pursuant to article 6(1)(b) GDPR. for the processing of data of contact persons of legal persons in the exercise of a right or claim and for the processing of data of contact persons of legal persons, the legitimate interest of the controller pursuant to article 6(1)(f) GDPR.

Duration of data processing: 5 years after the contractual or business relationship or the existence of the data subject’s capacity as a representative (general limitation period for legal action). upon expiry of the general limitation period for legal action or a longer retention period provided for by law, the personal data, including contact details, are erased immediately and irretrievably. exceptions to this are possible legal or other claims enforcement, court, public prosecutor’s office, investigative authority, infringement authority, administrative authority, the national authority for data protection and freedom of information or other bodies authorised by law.

Access: the controller has primary access to the personal data processed in connection with offers received by the controller.

Data transfer: personal data will not be transferred to third parties, unless otherwise provided for in the contract between the data subject and the controller or in the event of legal action or claims, proceedings before a court, prosecutor’s office, investigative authority, criminal authority, administrative authority, the national authority for data protection and freedom of information or other bodies authorised by law.

Processing technique: the controller processes the personal data of the data subject manually (on paper) and electronically.

Profiling: the controller does not take a decision based solely on automated processing in the context of the data subject and does not profile the data subject on the basis of the available personal data.

Data subject rights: in the context of processing, data subjects may exercise their rights of access, rectification, erasure, restriction of processing, data portability and objection.

Processing in the context of the performance of a contract

The controller processes personal data in connection with products ordered as a result of its online product sales activities and in the course of providing a warranty claim under chapter xxiv of the civil code. the controller shall endeavour to process only personal data necessary for the performance of the contract. the controller shall process personal data obtained in the course of the performance of the contract as described below:

Scope of personal data processed: for the purposes of the performance of the contract, the controller shall process the following data of the natural person and individual entrepreneur contracted with it: surname and first name, title, surname and first name at birth, place and date of birth, mother’s name, home address, personal identity card number, driving licence number, tax number, the registration number of the self-individual entrepreneur, the address of the registered office, site or home address the address of the property covered by the contract, phone number, e-mail address, bank account number. for the purposes of the performance of the contract and for communication purposes, the controller shall process the following data of the contact person of the legal person to whom the contract is concluded surname and first name, title, place of work, position, job, the address of the registered office, site or home address the address of the property covered by the contract, phone number, e-mail address.

Categories of data subjects: data subjects intending to enter into a business relationship with the controller or already in a contractual relationship.

Source of the personal data processed: the data subject.

Purpose of processing: performance of the contract.

Legal ground for processing: performance of a contract between the controller and the data subject under article 6(1)(b) GDPR. for the processing of data of contact persons of legal persons in the exercise of a right or claim and for the processing of data of contact persons of legal persons, the legitimate interest of the controller pursuant to article 6(1)(f) GDPR.

Duration of processing: 5 years after the contractual or business relationship or the data subject’s capacity as a representative (general limitation period for legal action). upon expiry of the general limitation period for legal action or a longer retention period provided for by law, the personal data, including contact details, are erased immediately and irretrievably. exceptions to this are possible legal or claims enforcement, court, public prosecutor’s office, investigative authority, infringement authority, administrative authority, the national authority for data protection and freedom of information or other bodies authorised by law.

Access: the controller has primary access to the personal data processed in connection with the performance of a contract with the controller.

Processing technique: the controller processes the personal data of the data subject manually (on paper) and electronically.

Data subject rights: in the context of processing, data subjects may exercise their rights of access, rectification, erasure, restriction of processing, data portability and objection.

Processing in the context of a transfer declaration

The controller processes personal data in connection with a transfer in the course of its core business as follows:

Personal data processed: surname and first name, title, place and date of birth, mother’s name, id card number, driving licence number, e-mail address, phone number, vehicle registration number, additional vehicle data.

Categories of data subjects: data subjects who have a contractual relationship with the controller.

Source of the personal data processed: the data subject.

Purpose of the processing: to ensure the transfer of the data within the scope of the core business of the controller

Legal ground for processing: to take steps between the controller and the data subject, at the request of the data subject, in relation to the transfer of the data in the course of the controller’s core business, pursuant to article 6(1)(b GDPR, prior to the conclusion of the contract, and to perform the contract. for the processing of data of contact persons of legal persons in the exercise of a right or claim and for the processing of data of contact persons of legal persons, the legitimate interest of the controller pursuant to article 6(1)(f) GDPR.

Duration of data processing: 5 years after the contractual or business relationship or the existence of the data subject’s capacity as a representative (general limitation period for legal action). upon expiry of the general limitation period for legal action or a longer retention period provided for by law, the personal data, including contact details, are erased immediately and irretrievably. exceptions to this are possible legal or claims enforcement, court, public prosecutor’s office, investigative authority, infringement authority, administrative authority, the national authority for data protection and freedom of information or other bodies authorised by law.

Access: the controller has primary access to the personal data processed.

Processing technique: the controller processes the personal data of the data subject manually (on paper) and electronically.

Data subject rights: in the context of processing, data subjects may exercise their rights of access, rectification, erasure, restriction of processing, data portability and objection.

Processing in the context of invoicing

The controller processes data in the course of its core business of invoicing as follows:

Scope of personal data processed: surname and first name, title, address

Categories of data subjects: data subjects who have a contractual relationship with the controller.

Source of the personal data processed: the data subject.

Purpose of the processing: invoicing in the course of the core business of the controller.

Legal ground for processing: in connection with the invoicing of the controller’s core business, the controller’s legal obligation under article 6(1)(c) GDPR to comply with the legal obligations of the controller under the applicable tax and accounting legislation, in particular the vat act and the accounting act. for the processing of data of contact persons of legal persons in the exercise of a right or claim and for the processing of data of contact persons of legal persons, the legitimate interest of the controller pursuant to article 6(1)(f) GDPR.

The duration of processing is 8 years from the date of invoice issue and the period specified in the tax and accounting legislation in force at the time, in particular the vat act and the accounting act. upon expiry of the longer retention period specified by law, personal data, including contact data, shall be erased immediately and irretrievably. exceptions to this are possible legal or claims enforcement, court, public prosecutor’s office, investigative authority, infringement authority, administrative authority, the national authority for data protection and freedom of information or other bodies authorised by law.

Access: the controller has primary access to the personal data processed in connection with invoices issued.

Data transfer: the personal data are transmitted to a third party that has been pre-audited by the data controller, has a contractual relationship with the data controller and performs accounting, auditing or tax consulting services for the controller and the controller confirms the data transfer to the third party in a processing contract pursuant to article 28(3) GDPR. data may also be transferred to the aforementioned bodies in the event of legal action or claims, court proceedings, prosecution, investigation, infringement, administrative authority, the national authority for national authority for data protection and freedom of information or other bodies authorised by law.

Processing technique: the controller processes the personal data of the data subject manually (on paper) and electronically.

Data subject rights: in the context of processing, data subjects may exercise their rights of access, rectification, erasure, restriction of processing and objection.

Processing in the context of refund

The controller processes data in the course of its core business of refunding money as follows:

Scope of personal data processed: surname and first name, title, address, bank account number.

Categories of data subjects: data subjects who have a contractual relationship with the controller and who are legally entitled to a refund.

Source of the personal data processed: the data subject.

Purpose of processing: to perform refunds arising in the course of the core business of the controller.

Legal ground for processing: in connection with the refund of money arising in the course of the controller’s core business, the controller’s legal obligation under article 6(1)(c) GDPR to comply with the legal obligations of the controller under the tax and accounting legislation in force, in particular the vat act and the accounting act. for the processing of data of contact persons of legal persons in the exercise of a right or claim and for the processing of data of contact persons of legal persons, the legitimate interest of the controller pursuant to article 6(1)(f) GDPR.

The duration of processing is 8 years from the date of the transfer and the period specified in the tax and accounting legislation in force at the time, in particular the vat act, the accounting act. upon expiry of the longer retention period specified by law, personal data, including contact data, shall be erased immediately and irretrievably. exceptions to this are possible legal or claims enforcement, court, public prosecutor’s office, investigative authority, infringement authority, administrative authority, the national authority for data protection and freedom of information or other bodies authorised by law.

Access: the controller has primary access to the personal data processed in connection with invoices issued.

Processing technique: the controller processes the personal data of the data subject manually (on paper) and electronically.

Data subject rights: in the context of processing, data subjects may exercise their rights of access, rectification, erasure, restriction of processing and objection.

Processing in the context of taking and publication of images and sound recordings

The controller may, in the course of its core business, make a mass recording and/or non-mass recording of images and/or sounds or a written summary. as a general rule, the processing is based on the data subject’s explicit consent following prior information. the controller shall endeavour to process only the personal data necessary. subject to the data subject’s consent, the controller may publish news, posts and image and/or sound recordings on its website https://mobilfox.com/hu-hu/ and on its social media platforms accessible from its website in order to inform and promote its services. during the period of processing, the data subject may at any time request the erasure of these personal data and acknowledges that their removal may take place at any time at the unilateral decision of the controller. the controller shall process the personal data as set out below:

Scope of personal data processed: surname and first name, title, image recording, image and sound recording, place of stay.

Categories of data subjects: data subjects who have a contractual relationship with the controller.

Source of the personal data processed: the data subject.

Purpose of processing: publication of images and sound recordings (video) made in the course of the controller’s core business.

Legal ground for processing: pursuant to article 6(1)(a) of the GDPR, and pursuant to article 9(2)(a) GDPR, the explicit consent of the data subject. legitimate interest of the controller in the exercise of a right or claim and in the processing of contact details pursuant to article 6(1)(f) GDPR.

Duration of processing: following the investigation of the data subject’s or their representative’s request to the controller to erase their personal data, if the request is justified, the data subject’s personal data shall be erased - immediately and irretrievably. exceptions to this rule are image and sound recordings classified as mass recordings, as well as any legal or claims enforcement, court, prosecution, investigative authority, criminal authority, administrative authority, the national authority for data protection and freedom of information or other bodies authorised by law.

Access: the controller has primary access to the personal data processed.

Processing technique: the controller processes the personal data of the data subject electronically.

Profiling: the controller does not take a decision based solely on automated processing in relation to the data subject and does not profile the data subject on the basis of the available personal data.

Data subjects’ rights: in the context of processing, data subjects may exercise their rights to withdraw consent, access, rectification, erasure, restriction of processing, data portability.

Processing in the context of prize draws

The controller may organise prize draws to promote its services. the data subject may subscribe to the prize draws on the website of the controller or electronically on the website or social media platform specified by the controller in the sweepstakes policy, subject to the condition of having read and accepted this privacy notice. the controller shall not be liable in any way for any errors or damages resulting from incorrect or false data provided, and the subscriber shall bear all resulting liability. the controller is obliged to delete subscriptions made with incorrect or false data immediately after becoming aware of them. the controller shall ensure that the data subject may unsubscribe from the prize draw at any time free of charge. the controller shall process the personal data as set out below:

Personal data processed: title, surname and first name, e-mail address, phone number, address.

Categories of data subjects :data subjects involved in the prize draw

Source of the personal data processed: the data subject.

Purpose of the processing: organising prize draw, lottery.

Legal ground for processing: consent of the data subject pursuant to article 6(1)(a) GDPR. legitimate interest of the controller in the exercise of a right or claim and in the processing of contact details pursuant to article 6(1)(f) GDPR.

Duration of processing: the controller processes the data of the winning player for 5 years from the date of delivery of the prizes. the controller shall keep the data of players who participated but did not win in the prize draw for 30 days after the prize has been awarded, after which it shall be erased. following the investigation of the request for the erasure of personal data (unsubscribe) made to the controller by the data subject or their representative, if their request is justified, the personal data of the data subject shall be erased - immediately and irretrievably. exceptions to this are possible legal or claims enforcement, court, public prosecutor’s office, investigative authority, infringement authority, administrative authority, the national authority for data protection and freedom of information or other bodies authorised by law.

Access: the controller has primary access to the personal data processed.

Processing technique: the controller processes the personal data of the data subject electronically.

Data subjects’ rights: in the context of processing, data subjects may exercise their rights to withdraw consent, access, rectification, erasure, restriction of processing, data portability.

Processing in the course of sending a newsletter

On the basis of their prior, unambiguous and explicit consent, the controller will send to the data subject newsletters by e-mail and sms about its activities, its most important news, its services, its discounts and promotional offers. the data subject may subscribe to the newsletter in electronic form on the website of the controller https://mobilfox.com/hu-hu/ and on social media platforms operated by the controller, on condition that this privacy notice has been read. the controller shall not be liable in any way for any errors or damages resulting from incorrect or false data provided, and the subscriber shall bear all resulting liability. the controller is obliged to delete subscriptions made with incorrect or false data immediately after becoming aware of them. the controller shall ensure that the data subject may unsubscribe from the newsletters at any time free of charge. the controller shall process the personal data as set out below:

Personal data processed: title, surname and first name, e-mail address, phone number, address.

Categories of data subjects: data subjects who subscribe to the newsletter.

Source of the personal data processed: the data subject.

Purpose of processing: sending newsletters.

Duration of processing: following the investigation of the data subject’s or their representative’s request to the controller to erase their personal data (unsubscribe), if their request is justified, the data subject’s personal data will be erased - immediately and irretrievably. exceptions to this are possible legal or claims enforcement, court, public prosecutor’s office, investigative authority, infringement authority, administrative authority, the national authority for data protection and freedom of information or other bodies authorised by law.

Access: the controller has primary access to the personal data processed.

The company responsible for data transmission, to which the telephone numbers of the data subjects are transmitted for the technical processing of the sms newsletter: company name: infobip limited head office: 35-38 new bridge street, fifth floor, london ec4v 6bw, united kingdom company registration number: 7085757

Processing technique: the controller processes the personal data of the data subject electronically.

Data subjects’ rights: in the context of processing, data subjects may exercise their rights to withdraw consent, access, rectification, erasure, restriction of processing, data portability.

Processing in the course of providing information in the public interest

The controller sends information about its activities, news, services, discounts and promotions to the data subject by e-mail and phone calls. the controller shall process the personal data as set out below:

The scope of personal data processed: title, surname and first name, e-mail address, phone number, address of the registered office or place of business of the company concerned

Categories of data subjects: natural persons, legal persons and unincorporated business entities, as well as representatives of non-governmental organisations in their capacity as natural persons, who have or may have direct or indirect (business) contact with the controller in the course of the controller’s core business and whose registered office address is affected by the route of the event or function.

Source of the personal data processed: the controller obtains the personal data from the business information records (e-company register, opten), which is publicly accessible to anyone, and in many cases the data subject may be the source of the data, given the existence or existence of a legal relationship between the controller and the data subject.

Purpose of the processing: communication and proper functioning of the communication between the controller and the data subject in relation to the provision of a new, ongoing or recurring, renewed or repeated service, the execution of an order or the provision of information in the public interest, the maintenance of contact and the provision of information in the public interest in relation to the event and function.

Legal ground for processing: legitimate interest of the controller pursuant to article 6(1)(f) GDPR. legitimate interest of the controller in the exercise of a right or claim and in the processing of contact details pursuant to article 6(1)(f) GDPR.

Duration of processing: the controller processes personal data until the data subject exercises their right to object, but for a maximum of 5 years after the contractual or business relationship or the person’s capacity as a representative has been established (general limitation period for legal action). exceptions to this are possible legal or claims enforcement, court, public prosecutor’s office, investigative authority, infringement authority, administrative authority, the national authority for data protection and freedom of information or other bodies authorised by law.

Access: the controller has primary access to the personal data processed.

Processing technique: the controller processes the personal data of the data subject electronically in the gorgias system.

Data subject rights: in the context of processing, data subjects may exercise their rights of access, rectification, erasure, restriction of processing and objection.

Processing in the context of complaint handling

The controller receives complaints in writing (via its website, postal mail or email) in the context of its core business of providing services. in this context, the controller processes the personal data of the data subject as follows:

The scope of personal data processed: the surname and first name, title, contact details (e-mail address, phone number), address of the complainant, other personal data provided by the complainant in connection with the complaint, case number, signature, and, in case of the involvement of an authorised representative, the surname and first name, title, place and date of birth of the authorised representative, and mother’s name.

Categories of data subjects: data subjects who have lodged a complaint with the controller.

Source of the personal data processed: the data subject.

Purpose of processing: investigation of a complaint, remedy.

Legal ground for processing: legitimate interest of the controller pursuant to article 6(1)(f) GDPR.

Duration of processing: remedying the complaint, up to the time limit for bringing a claim (5 years general limitation period). exceptions to this are possible legal or claims enforcement, court, public prosecutor’s office, investigative authority, infringement authority, administrative authority, the national authority for data protection and freedom of information or other bodies authorised by law.

Access: the controller has primary access to personal data processed for the purpose of complaint handling.

Processing technique: the controller processes the personal data of the data subject electronically in the gorgias system and manually (on paper).

Data subject rights: in the context of processing, data subjects may exercise their rights of access, rectification, erasure, restriction of processing and objection.

Processing in the context of requests, comments

The controller receives written requests and suggestions (via its website, postal mail or e-mail) in connection with the performance of its core business and the continuous improvement of its services. in this context, the controller processes the personal data of the data subject as follows:

The scope of the personal data processed: the surname and first name, title, contact details (e-mail address, phone number), address of the data subject, other personal data provided by the data subject, signature.

Categories of data subjects: data subjects submitting opinions, suggestions or comments to the controller.

Source of the personal data processed: the data subject.

Purpose of processing: service development, contact management.

Legal ground for processing: legitimate interest of the controller pursuant to article 6(1)(f) GDPR.

Duration of processing: 5 years general limitation period. exceptions to this are possible legal or claims enforcement, court, public prosecutor’s office, investigative authority, infringement authority, administrative authority, the national authority for data protection and freedom of information or other bodies authorised by law.

Access: the controller has primary access to the personal data processed.

Processing technique: the controller processes the personal data of the data subject electronically and manually (on paper).

Data subject rights: in the context of processing, data subjects may exercise their rights of access, rectification, erasure, restriction of processing and objection.

Information on the use of cookies

In accordance with general practice, the controller also uses cookies on its website. cookies are not in themselves capable of identifying the user.

Cookies are short data files that are placed on the user’s computer by the website visited.

The purpose of cookies is to ensure the continuous functioning of the given infocommunication, internet service, to make it easier, more convenient and to contribute to the further development of the website by means of anonymous statistics.

There are many types of cookies, but they can generally be divided into two broad categories: one is a temporary (strictly necessary) cookie, which is placed on the user’s device by the website only during a specific session (e.g. a single visit to the website); the other is a permanent cookie (e.g. a website language setting), which remains on the computer until the user deletes it. the controller uses only temporary cookies on its website, which are strictly necessary for its operation. their validity period is limited to the duration of the visit. the controller receives automatically generated information about visitors to its website for the duration of the visit: the internet protocol (ip) address of the visitor, the time of the visit, the pages viewed, the name of the browser program used.

The type of cookies used by the controller’s website can be checked on the following website: https://www.cookieserve.com/

Browser settings

Accepting or authorising the use of cookies is not compulsory. the browser settings can be reset to reject all cookies or to indicate when a cookie is being sent by the system, but some features or services may not function properly without cookies. most browsers automatically accept cookies by default, but these can usually be changed to prevent automatic acceptance and will offer the choice each time. the settings options are usually found in the ‘options’ or ‘settings’ menu of the browser, and it is recommended to use the ‘help’ menu of the browser to find the most suitable settings for the data subject.

Personal data processed: the internet protocol (ip) address of the visitor, the time of the visit, the pages viewed, the name of the browser program used.

Categories of data subjects: visitors to the controller’s website.

Source of the personal data processed: the data subject.

Purpose of processing: to ensure the highest possible quality of the website visit.

Legal ground for processing: consent of the data subject pursuant to article 6(1)(a) GDPR.

Duration of processing: duration of the visit.

Access: the controller has primary access to the personal data processed.

Data transfer: personal data of data subjects are not transferred by the controller.

Processing technique: the controller processes the personal data of the data subject electronically.

Data subjects’ rights: in the context of processing, data subjects may exercise their rights to withdraw consent, access, rectification, erasure, restriction of processing, data portability.

Processing on a website

The controller informs the data subjects that, in order to measure the traffic and to monitor the behaviour of its visitors and to compile statistics for all the services and sub-sites of the internet site domain name operated by it, it uses google analytics, the relevant codes of which are integrated into its own site.

These programs referred to place cookies on the user’s computer, which collect user data. visitors to the website (users) authorise the controller to use google analytics.

They also consent to the monitoring and tracking of their user behaviour and to the use of all services provided by the programs to the controller.

In addition, the user has the possibility to opt-out of the recording and storage of cookies at any time in the future.

Data subjects can find privacy notices on google analytics settings and use on the google website. https://policies.google.com/privacy?hl=hu

According to google’s information, google analytics mainly uses first-party cookies to report on visitor interactions on its website. these cookies record only information not suitable for the identification of a person.

Browsers do not share their own cookies between domains. for more information about cookies, see the google ads and privacy faq.

Google analytics. the controller uses google analytics primarily to generate statistics, including measuring the effectiveness of its website campaigns. by using the program, the controller mainly obtains information about the number of visitors to its website and the time spent on the website by 3 visitors. the program recognises the ip address of the visitor and can therefore track whether the visitor is a returning or new visitor, and can also track the path the visitor has taken on the website and where they have accessed.

Scope of personal data processed: ip address, clicks

Categories of data subjects: visitors to the controller’s website.

Source of the personal data processed: the data subject.

Purpose of processing: to promote the controller’s website and services, to measure the number of visits.

Legal ground for processing: consent of the data subject. article 6(1)(a) GDPR.

Duration of processing: 30 days.

Access: the personal data processed may be accessed by google.

Data transfer: personal data of the data subjects are not transferred by the controller.

Processing technique: the controller processes the personal data processed electronically.

Data subjects’ rights: in the context of processing, data subjects may exercise their rights to withdraw consent, access, rectification, erasure, restriction of processing, data portability.

Data security

The controller and data processors shall have access to the personal data of the data subject only to the extent necessary for the performance of their tasks.

The controller shall transfer personal data in a consistent, pre-audited and secure manner, with the information of the data subject, avoiding redundant data transfers or data transfers through different registration platforms.

To ensure data security, the controller shall assess and record all processing activities performed by the controller.

On the basis of the records of the processing activities, the controller shall conduct a risk analysis to assess the conditions under which each processing operation is performed and the risk factors that may cause a breach or a potential personal data breach during the processing. the risk analysis shall be conducted on the basis of the actual processing activity. the purpose of the risk analysis shall be to determine the security rules and measures that effectively ensure the adequate protection of personal data in accordance with the performance of the controller’s activities.

The controller shall implement appropriate technical and organisational measures to ensure and demonstrate that the processing of personal data is performed in accordance with the GDPR, taking into account the nature, scope, context and purposes of the processing and the varying degrees of probability and severity of the risk to the rights and freedoms of natural persons. including, where applicable: pseudonymisation and encryption of personal data; ensuring the continued confidentiality, integrity, availability and resilience of the systems and services used to process personal data; in the event of a physical or technical incident, the ability to restore access to and availability of personal data in a timely manner; a procedure for regularly testing, assessing and evaluating the effectiveness of the technical and organisational measures taken to ensure the security of processing.

In determining the appropriate level of security, risks arising from data processing should be expressly taken into account, resulting in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data transferred, stored or otherwise processed.

The controller shall implement appropriate technical and organisational measures to ensure that, by default, only personal data that are necessary for the specific purpose of the processing are processed. this obligation relates to the amount of personal data collected, the extent to which they are processed, the duration of their storage and their availability. these measures should in particular ensure that personal data cannot, by default, be made available to an indeterminate number of persons without the intervention of the natural person. in the event of damage to or destruction of personal data, attempts should be made to replace the damaged data as far as possible from other available data sources. the fact of the replacement shall be indicated on the replaced data.

The controller shall protect its internal network with multiple layers of firewall protection. in all cases, hardware firewalls (border protection devices) shall be installed at all access points to the public networks used. the controller stores data redundantly, i.e. in multiple locations, to protect them from destruction, loss, damage or unlawful destruction due to malfunctioning of the it equipment.

It protects its internal networks from external attacks with multi-layered, active, complex malware protection (e.g. antivirus protection).

The controller shall take the utmost care to ensure that its it tools and software are kept up to date with the technological solutions generally accepted in the market.

Rights of the data subject

It is important for the controller that its processing complies with the requirements of fairness, lawfulness and transparency. the data subject may, in relation to the processing, at any time: request information about the processing and access to the data processed concerning them, request access to the data processed, rectification of inaccurate data or the completion of incomplete data, request the erasure of data processed on the basis of their consent, object to the processing of their data, request the restriction of processing.

On the basis of a request for information, and unless it is subject to a restriction on grounds of legitimate interest, you may find out whether your personal data are being processed by the controller and you have the right to obtain information about the processing of your personal data concerning you, in particular the purposes for which it is processing them, what gives them the right to process the data (legal ground), from when and for how long it processes their data (duration), what data it processes and provides a copy of it to the data subject, the recipients of the personal data and the categories of recipients, transfers to third countries or international organisations, if not collected from the data subject, the source of the data, the characteristics of automated decision-making, if used by the controller, the data subject’s rights in relation to the processing, the legal remedies available to them.

The controller shall respond to requests for information and access within 25 days at the latest. the controller may charge a reasonable fee, based on administrative costs, for additional copies of personal data concerning the data subject which are requested.

In the event of a request for rectification (amendment) of data, the data subject shall substantiate the accuracy of the data requested to be amended and shall also certify that the person entitled to the amendment is the person who requests the amendment. only in this way can the controller assess whether the new data is accurate and, if so, whether it can amend the old data.

If it is not clear whether the data processed is correct or accurate, the controller will not correct the data, but only mark it, i.e. indicate that it has been objected to by the data subject, but not necessarily incorrect. the controller shall, without undue delay, correct inaccurate personal data or supplement the data concerned by the request, after confirming the authenticity of the request. the controller shall notify the data subject of the rectification or marking.

In the event of a request for erasure or blocking of data, the data subject may request the erasure of his or her data, which means that the controller is obliged to erase the data relating to the data subject without undue delay if: the personal data have been unlawfully processed the personal data are no longer necessary for the purposes for which they were processed, if the processing was based on the data subject’s consent and they have withdrawn it, and no other legal ground justifies the continued processing of the data, the controller is under a legal obligation to erase the data and has not yet done so.

They may request restriction of processing, which the controller will comply with if one of the following conditions is met: the data subject contests the accuracy of the personal data, in which case the restriction shall apply for the period of time necessary to allow the controller to verify the accuracy of the personal data, the processing is unlawful and the data subject opposes the erasure of the data and requests instead the restriction of their use, the controller no longer needs the personal data for the purposes of the processing, but the data subject requests them for the establishment, exercise or defence of legal claims or opposes the processing concerning them.

If the data are subject to restriction, such personal data may be processed, except for storage, only with the consent of the data subject or for the establishment, exercise or defence of legal claims of another natural or legal person or of an important public interest of the union or of a member state. the controller shall inform the data subject in advance of the lifting of the restriction on processing.

If the data subject considers that the processing infringes the provisions of the GDPR or the GDPR or the infotv, or the way in which the controller processes their personal data is prejudicial, we recommend that they first contact the controller with a complaint. the complaint will always be investigated. if, despite their complaint, they still have a grievance about the way the controller is handling their data or they wish to contact the authority directly, they can lodge a complaint with the national authority for data protection and freedom of information (address: 1055 Budapest, Falk Miksa utca 9-11., postal address: 1363 Budapest, P.O. box: 9. e-mail: ugyfelszolgalat@naih.hu, website: www.naih.hu).

To protect their data, they have the right to apply to the courts, which will rule on the case out of turn. in this case, they are free to choose whether to bring their action before the court of their domicile (permanent address) or their place of stay (temporary address) (http://birosag.hu/torvenyszekek).

They can find the court of their domicile or residence at http://birosag.hu/ugyfelkapcsolati-portal/birosag-kereso.

** annex 1**

Relevant legislation

Regulation (eu) no 2016/679 of the european parliament and of the council of 27 april 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing directive 95/46/ec (GDPR);

Act cxii of 2011 on the right of informational self-determination and freedom of information;

Act v of 2013 on the civil code (civil code);

Act cxxx. of 2016 on the code of civil procedure (ccp).

Act c of 2000 on accounting (accounting act)

Act cxxvii of 2007 on value added tax (vat act) annex 2

Definitions relating to the processing of personal data

Controller: the legal person who determines the purposes and means of the processing of personal data; ‘processing’ means any operation or set of operations which is performed upon personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure, transfer, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction; data transfer: making data available to a specified third party; erasure: rendering data unrecognisable in such a way that their recovery is no longer possible; data marking: the marking of data with an identification mark to distinguish them; restriction of processing: marking of stored personal data with a view to limiting their future processing; data destruction: the total physical destruction of a storage medium containing data; data processor: a legal person who processes personal data on behalf of the controller; recipient: a natural or legal person, public authority, agency or any other body to whom or with which personal data are disclosed, whether or not a third party; ‘data subject’ means a natural person who is identified or identifiable; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; third party: a natural or legal person, public authority, agency or any other body which is not the same as the data subject, the controller, the processor or the persons who, under the direct authority of the controller or processor, are authorised to process personal data; consent of the data subject: a freely given, specific, informed and unambiguous indication of the data subject’s wishes by which they signifies, by a statement or by an act unambiguously expressing their consent, that they signifies their agreement to the processing of personal data relating to them; personal data: any information relating to the data subject; objection: a statement by the data subject objecting to the processing of their personal data and requesting the cessation of the processing or the erasure of the processed data. annex 3 ### name and details of the data processors