Privacy Policy
Lungo Shop Ltd.
Headquarters: 1112 Budapest, Löveg Street 2, Building C, ground floor, door 1
Tax number: 32288539-2-43
Company registration number: 0109416250
Managing Director with independent representation rights: Gergő Borbás
I. PURPOSE OF THE RULES
Lungo Bolt Kft. (hereinafter: DATA CONTROLLER) processes personal data where this is necessary and mandatory for compliance with a legal obligation, as described in recital (40) of the GDPR. The purpose of these rules is to lay down the internal rules setting out the Data Controller's data protection and data processing policy, in compliance with the data protection and data processing provisions of REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL (27 April 2016) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). By enforcing these rules, the Data Controller ensures respect for the data subjects' right to the protection of their personal data in its relations with Customers and other persons while processing and handling their personal data.
The Data Controller hereby declares compliance with the principles regarding the processing of personal data set out in Article 5 of REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL (27 April 2016) – hereinafter referred to as the “Regulation”.
II. SCOPE OF THE RULES
1. Personal scope
The scope of these rules covers the Data Controller and the natural persons to whom its data processing activities apply. The data processing activities set out in these rules concern the personal data of natural persons. The rules do not cover the processing of data concerning legal persons, in particular enterprises established as legal persons, including the name and legal form of the legal person and its contact details. Legal persons include associations, business associations, cooperatives, unions and foundations. The data subjects include in particular Customers who are natural persons and natural persons acting on behalf of non-natural persons.
2. Temporal scope
These rules take effect on the date of their adoption and remain in force until further notice or until they are revoked.
III. DEFINITIONS
1. ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, a number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
2. ‘processing’ means any operation or set of operations which is performed on personal data or on data files, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
3. ‘restriction of processing’ means the marking of stored personal data with a view to restricting their future processing;
4. ‘profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal characteristics relating to a natural person, in particular to analyse or predict characteristics relating to performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
5. ‘pseudonymisation’ means the processing of personal data in such a way that the personal data can no longer be identified without the use of additional information, provided that such additional information is stored separately and that technical and organisational measures are taken to ensure that the personal data cannot be attributed to an identified or identifiable natural person;
6. ‘filing system’ means any structured set of personal data which is accessible on the basis of specific criteria, whether centralised, decentralised or organised on a functional or geographical basis;
7. ‘Data Controller’ means the natural or legal person, public authority, agency or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of the processing are determined by Union or Member State law, the Data Controller or the specific criteria for the designation of the Data Controller may also be determined by Union or Member State law; for the purposes of this data protection policy, Lungo Bolt Kft. shall be deemed to be the Data Controller;
8. ‘data processor’ means a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the Data Controller;
9. ‘recipient’ means the natural or legal person, public authority, agency or any other body to which personal data are disclosed, whether or not it is a third party. Public authorities which may have access to personal data in the context of an individual investigation in accordance with Union or Member State law shall not be considered recipients; the processing of such data by such public authorities shall be in accordance with the applicable data protection rules in accordance with the purposes of the processing;
10. ‘third party’ means a natural or legal person, public authority, agency or any other body other than the data subject, the Controller, the processor or the persons who, under the direct control of the Controller or the processor, are authorised to process personal data;
11. ‘consent of the data subject’ means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which the data subject, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
12. ‘data breach’ means a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
13. ‘genetic data’ means any personal data relating to the inherited or acquired genetic characteristics of a natural person, which contain unique information concerning that person's physiology or state of health and which results primarily from the analysis of a biological sample taken from that natural person;
14. ‘biometric data’ means any personal data relating to the physical, physiological or behavioural characteristics of a natural person obtained by means of specific technical processes which allow or confirm the unique identification of that natural person, such as a facial image or dactyloscopic data;
15. ‘health data’ means personal data relating to the physical or mental health of a natural person, including data relating to healthcare services provided to the natural person, which reveal information about the health status of that natural person;
16. ‘Regulation’ or ‘GDPR’ means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
IV. BASIC PRINCIPLES
- Personal data may only be processed for specific purposes, to exercise rights and fulfill obligations.
- All stages of data processing must comply with the purpose of data processing, and the collection and processing of data must be fair and lawful. Only personal data that is essential for the purpose of data processing and suitable for achieving the purpose may be processed.
- Personal data may only be processed to the extent and for the period necessary to achieve the purpose.
- The Data Controller states that the personal data it manages are stored at the Data Controller's registered office in electronic form or on paper-based documents, while complying with the legal requirements regarding data security. This provision applies to all data management and data processing activities carried out by the Data Controller.
- Personal data must be stored in a form and for a period of time as permitted by law and/or the Data Controller's Data Protection Policy in force at all times, or as justified for other legally relevant purposes.
V. LEGAL BASIS FOR DATA PROCESSING
1. Consent of the data subject
(1) The lawfulness of the processing of personal data must be based on the consent of the data subject or on some other legitimate basis established by law.
(2) In the case of data processing based on the data subject's consent, the data subject may provide his/her consent to the processing of his/her personal data in the following form:
a) in writing, in the form of a declaration giving consent to the processing of personal data,
b) electronically or if he/she makes relevant technical settings when using information society services, as well as any other statement or act which, in the given context, clearly indicates the data subject's consent to the planned processing of his/her personal data.
(3) Silence, a pre-ticked box or inaction shall not constitute consent.
(4) Consent shall cover all processing activities carried out for the same purpose or purposes.
(5) Where data processing serves multiple purposes, consent shall be given for all purposes of data processing. Where the data subject gives his/her consent following an electronic request, the request shall be clear and concise and shall not unnecessarily hinder the use of the service for which consent is requested.
(6) The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of the processing based on consent prior to its withdrawal. The data subject shall be informed of this before consent is given. The withdrawal of consent shall be made as easy as the granting of consent.
2. Fulfillment of obligations and exercise of rights arising from the contract
- The Data Controller's legal basis for the processing of personal data is provided by point (40) of the preamble to the GDPR and point (c) of Article 6(1) of the GDPR.
- Data processing is also considered lawful if it is necessary for the performance of a contract to which the data subject is a party, or if it is necessary to take steps at the data subject's request prior to entering into a contract.
- The data subject's consent to the processing of personal data that is not necessary for the performance of the contract cannot be a condition for concluding a contract.
- One of the most important reasons for the Data Controller to register and process the personal data of the Customers is to be able to contact the Customers after placing the Order, to form a preliminary position regarding the Order, and to provide the Customers with an offer corresponding to the order. Another reason for data processing is to enable the Data Controller to fulfill its obligations arising from the contract in accordance with the contract.
3. Compliance with a legal obligation to which the Data Controller is subject or the protection of the vital interests of the data subject or another natural person
- The legal basis for data processing is determined by law in the event of compliance with a legal obligation, so in this case, the consent of the data subject is not required for the processing of their personal data.
- The Data Controller is obliged to inform the data subject about the purpose, legal basis, duration of data processing, the identity of the Data Controller, as well as their rights and legal remedies.
- The Data Controller is entitled to continue processing the data necessary for compliance with a legal obligation to which it is subject even after the data subject has withdrawn consent.
- The Data Controller shall process the personal data of the data subjects in a manner that ensures an appropriate level of security and confidentiality, including in order to prevent unauthorized access to and use of the personal data and the means used to process the personal data. All reasonable steps shall be taken to correct or erase inaccurate personal data.
4. Performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller, or the legitimate interests of the Data Controller or a third party
- The legitimate interests of the Controller, including the Controller to whom the personal data may be disclosed, or of a third party, may constitute a legal basis for the processing, provided that the interests, fundamental rights and freedoms of the data subject are not overridden by them, taking into account the reasonable expectations of the data subject based on his or her relationship with the Controller. Such legitimate interests may exist, for example, where there is a relevant and appropriate relationship between the data subject and the Controller, for example where the data subject is a client (contractual partner) of the Controller or is employed by the Controller.
- In order to determine the existence of a legitimate interest, it is necessary to carefully examine, among other things, whether the data subject can reasonably expect, at the time and in the context of the collection of personal data, that data processing may take place for the given purpose.
- The interests and fundamental rights of the data subject may take precedence over the interests of the Data Controller if personal data are processed in circumstances in which the data subjects do not expect further processing.
VI. SCOPE OF PERSONAL DATA PROCESSED AND PURPOSE OF DATA PROCESSING
- The Data Controller records data related to the contact details of persons in a legal relationship with it in order to facilitate contact, invoicing, settlement of technical or accident-related damage incidents, and to protect the vital interests of the Data Controller.
- The purpose of the Data Controller's processing of the names, mother's names, addresses, place and time of birth, telephone numbers and e-mail addresses of the data subjects as personal data is to establish contact, issue and send the correct invoice, and enforce the Data Controller's claims against the data subjects.
VII. PERSONS ENTITLED TO ACCESS THE DATA
- Personal data may be accessed by the Data Controller's employees with access rights related to the relevant data processing purpose, as well as by persons and organizations (especially accountants and lawyers) performing data processing activities for the Data Controller based on service contracts, to the extent determined by the Data Controller and to the extent necessary for the performance of their activities.
VIII. RIGHTS OF THE DATA SUBJECT
1. Right to information
(1) The data subject has the right to receive information related to data processing prior to the commencement of activities aimed at processing his or her data.
(2) Information to be provided where personal data are collected from the data subject:
- the identity and contact details of the Data Controller;
- contact details of the data protection officer, if any;
- the purpose of the intended processing of personal data and the legal basis for the processing;
- in the case of data processing based on point (f) of Article 6(1) of the Regulation, the legitimate interests of the Data Controller or a third party;
- where applicable, the recipients of the personal data and the categories of recipients, if any;
- where applicable, the fact that the Controller intends to transfer the personal data to a third country or to an international organisation, the existence or absence of an adequacy decision by the Commission, or, in the case of transfers referred to in Article 46, Article 47 or the second subparagraph of Article 49(1) of the Regulation, an indication of the appropriate and suitable safeguards, as well as a reference to the means of obtaining a copy of them or their availability.
(3) In addition to the information referred to in paragraph (1), the Data Controller shall, at the time of obtaining the personal data, inform the data subject of the following additional information in order to ensure fair and transparent data processing:
- the duration of storage of personal data or, if this is not possible, the criteria for determining this duration;
- the right of the data subject to request from the Data Controller access to, rectification, erasure or restriction of processing of personal data concerning him or her, and to object to the processing of such personal data, as well as the right of the data subject to data portability;
- in the case of processing based on Article 6(1)(a) or Article 9(2)(a) of the Regulation, the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
- the right to lodge a complaint with the supervisory authority;
- whether the provision of personal data is based on a legal or contractual obligation or is a prerequisite for entering into a contract, and whether the data subject is obliged to provide the personal data, as well as the possible consequences of failure to provide the data;
- the fact of automated decision-making referred to in Article 22(1) and (4) of the Regulation, including profiling, and at least in these cases, intelligible information on the logic involved and the significance and foreseeable consequences of such processing for the data subject.
(4) If the personal data were not obtained from the data subject, the Data Controller shall provide the data subject with the following information:
- the identity and contact details of the Data Controller and, where applicable, of its representative;
- contact details of the data protection officer, if any;
- the purpose of the intended processing of personal data and the legal basis for the processing;
- the categories of personal data concerned;
- the recipients of the personal data and the categories of recipients, if any;
- where applicable, the fact that the Controller intends to transfer the personal data to a recipient in a third country or to an international organisation, the existence or absence of an adequacy decision by the Commission or, in the case of transfers referred to in Article 46, Article 47 of the Regulation or the second subparagraph of Article 49(1), an indication of the appropriate and suitable safeguards and a reference to the means of obtaining a copy of them or their accessibility.
(5) In addition to the information referred to in paragraph (4), the Data Controller shall provide the data subject with the following additional information necessary to ensure fair and transparent data processing for the data subject:
- the period for which the personal data will be stored or, if this is not possible, the criteria for determining this period;
- if the processing is based on Article 6(1)(f) of the Regulation, the legitimate interests of the Controller or a third party;
- the right of the data subject to request from the Data Controller access to personal data concerning him or her, rectification, erasure or restriction of processing, and to object to the processing of personal data, as well as the right of the data subject to data portability;
- in the case of processing based on Article 6(1)(a) or Article 9(2)(a) of the Regulation, the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
- the right to lodge a complaint with a supervisory authority;
- the source of the personal data and, where applicable, whether the data originate from publicly available sources; and
- the fact of automated decision-making referred to in Article 22(1) and (4) of the Regulation, including profiling, and at least in these cases, intelligible information on the logic involved and the significance and foreseeable consequences of such processing for the data subject.
(6) If the Data Controller intends to further process personal data for a purpose other than that for which they were collected, it shall inform the data subject of this different purpose and of any relevant additional information referred to in paragraph (5) prior to further processing.
(7) Paragraphs (4) to (6) shall not apply if and to the extent that:
- the data subject already has the information;
- providing the information in question proves impossible or would involve a disproportionate effort, in particular for archiving purposes in the public interest, scientific and historical research purposes or statistical purposes, in the case of processing carried out subject to the conditions and safeguards referred to in Article 89(1) of the Regulation, or where the obligation referred to in paragraph (4) is likely to render impossible or seriously jeopardise the achievement of the purposes of such processing. In such cases, the Controller shall take appropriate measures to safeguard the rights, freedoms and legitimate interests of the data subject, including making the information publicly available;
- the collection or disclosure of the data is expressly required by Union or Member State law applicable to the Controller, which provides for appropriate measures to protect the legitimate interests of the data subject; or
- personal data must remain confidential pursuant to an obligation of professional secrecy laid down in Union or Member State law, including a statutory obligation of confidentiality.
2. The data subject's right of access
(1) The data subject has the right to receive feedback from the Data Controller as to whether his or her personal data is being processed and, if such processing is taking place, he or she has the right to access the personal data and the following information:
- the purposes of data processing;
- the categories of personal data concerned;
- the recipients or categories of recipients to whom the personal data have been or will be disclosed, including in particular recipients in third countries or international organisations;
- where applicable, the planned period for which the personal data will be stored or, if this is not possible, the criteria for determining this period;
- the right of the data subject to request from the Data Controller the rectification, erasure or restriction of processing of personal data concerning him or her and to object to the processing of such personal data;
- the right to lodge a complaint with a supervisory authority;
- if the data were not collected from the data subject, all available information regarding their source;
- the fact of automated decision-making referred to in Article 22(1) and (4) of the Regulation, including profiling, and at least in these cases, intelligible information on the logic involved and the significance and foreseeable consequences of such processing for the data subject.
(2) Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards for the transfer in accordance with Article 46.
(3) The Data Controller shall provide the data subject with a copy of the personal data subject to processing. For additional copies requested by the data subject, the Data Controller may charge a reasonable fee based on administrative costs. If the data subject has submitted the request electronically, the information shall be provided in a widely used electronic format, unless the data subject requests otherwise.
3. The data subject's right to rectification and erasure
3.1. Right to rectification
(1) The data subject shall have the right to obtain from the Controller, at his or her request, the rectification of inaccurate personal data concerning him or her without undue delay. Taking into account the purpose of the processing, the data subject shall have the right to request the completion of incomplete personal data, including by means of a supplementary statement.
3.2. Right to erasure (“right to be forgotten”)
(1) The data subject shall have the right to request that the Data Controller erase personal data concerning him or her without undue delay, and the Data Controller shall be obliged to erase personal data concerning the data subject without undue delay where one of the following grounds applies:
- the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
- the data subject withdraws his or her consent which was the basis for the processing pursuant to Article 6(1)(a) of the Regulation (consent to the processing of personal data) or Article 9(2)(a) of the Regulation (granting explicit consent) and there is no other legal basis for the processing;
- the data subject objects to the processing of his or her data pursuant to Article 21(1) of the Regulation (right to object) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2) of the Regulation (objection to the processing of personal data for commercial purposes);
- the personal data has been processed unlawfully;
- the personal data must be erased for compliance with a legal obligation under Union or Member State law applicable to the Controller;
- the personal data were collected in connection with the provision of information society services referred to in Article 8(1).
(2) Where the Controller has made personal data public and is obliged to erase them at the request of the data subject, the Controller, taking into account available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform the Controllers processing the data that the data subject has requested the erasure of links to the personal data in question or of copies or replications of those personal data.
(3) Paragraphs (1) and (2) shall not apply if the processing is necessary:
- for the purpose of exercising the right to freedom of expression and information;
- for compliance with a legal obligation which requires the processing of personal data under Union or Member State law to which the Controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller;
- on grounds of public interest in the field of public health in accordance with Article 9(2)(h) and (i) of the Regulation and Article 9(3) of the Regulation;
- for archiving purposes in the public interest, scientific and historical research purposes or statistical purposes in accordance with Article 89(1) of the Regulation, where the right referred to in paragraph 1 would likely render impossible or seriously jeopardise such processing; or
- to assert, enforce or defend legal claims.
4. Right to restriction of data processing
(1) The data subject has the right to request that the Data Controller restrict data processing if one of the following applies:
- the data subject disputes the accuracy of the personal data, in which case the restriction shall apply for a period of time that allows the Data Controller to verify the accuracy of the personal data;
- the processing is unlawful and the data subject opposes the erasure of the data and instead requests the restriction of their use;
- the Data Controller no longer needs the personal data for the purposes of data processing, but the data subject requires them for the establishment, exercise or defence of legal claims; or
- the data subject has objected to the processing pursuant to Article 21(1) of the Regulation; in this case, the restriction shall apply for a period of time until it is determined whether the legitimate grounds of the Controller override those of the data subject.
(2) Where processing is subject to restrictions pursuant to paragraph 1, such personal data may, with the exception of storage, only be processed with the consent of the data subject, or for the establishment, exercise or defence of legal claims, or for the protection of the rights of another natural or legal person, or for important reasons of public interest of the Union or of a Member State.
(3) The Data Controller shall inform the data subject, at whose request data processing has been restricted pursuant to paragraph (1), in advance of the lifting of the restriction on data processing.
5. Notification obligation related to the correction or deletion of personal data or the restriction of data processing
(1) The Data Controller shall inform all recipients to whom the personal data have been disclosed of the rectification, erasure or restriction of data processing, unless this proves impossible or involves a disproportionate effort.
(2) Upon request, the Data Controller shall inform the data subject about the recipients referred to in paragraph (1).
6. Right to data portability
(1) The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a Data Controller, in a structured, commonly used and machine-readable format and shall have the right to transmit those data to another Data Controller without hindrance from the Data Controller to whom the personal data have been provided, if:
- the processing is based on consent pursuant to Article 6(1)(a) of the Regulation (the data subject's consent to the processing of personal data) or Article 9(2)(a) of the Regulation (the data subject's explicit consent to the processing) or on a contract pursuant to Article 6(1)(b); and
- data processing is carried out in an automated manner.
(2) When exercising the right to data portability pursuant to paragraph (1), the data subject shall have the right to request the direct transmission of personal data between Data Controllers, where technically feasible.
(3) The exercise of the right referred to in paragraph (1) of this Article shall be without prejudice to Article 17 of the Regulation. That right shall not apply where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller.
(4) The right referred to in paragraph (1) shall not adversely affect the rights and freedoms of others.
7. Right to object
(1) The data subject shall have the right, on grounds relating to his or her particular situation, to object at any time to processing of personal data concerning him or her carried out in the public interest or in the exercise of official authority vested in the Controller, or to processing necessary for the purposes of the legitimate interests pursued by the Controller or by a third party (processing based on point (e) or (f) of Article 6(1) of the Regulation), including profiling based on those provisions. In such a case, the Controller shall no longer process the personal data unless the Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or grounds for the establishment, exercise or defence of legal claims.
(2) If personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such purposes, including profiling where it is related to direct marketing.
(3) If the data subject objects to the processing of personal data for direct marketing purposes, the personal data may no longer be processed for this purpose.
(4) The right referred to in paragraphs (1) and (2) shall be expressly brought to the attention of the data subject at the latest during the first contact, and the information relating to it shall be displayed clearly and separately from all other information.
(5) In connection with the use of information society services and by way of derogation from Directive 2002/58/EC, the data subject may also exercise the right to object by automated means based on technical specifications.
(6) Where personal data are processed for scientific and historical research purposes or for statistical purposes in accordance with Article 89(1) of the Regulation, the data subject shall have the right to object, on grounds relating to his or her particular situation, to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
8. Right to be exempt from automated decision-making
(1) The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
(2) Paragraph (1) shall not apply if the decision:
(a) is necessary for the conclusion or performance of a contract between the data subject and the Data Controller;
(b) is authorised by Union or Member State law applicable to the Data Controller, which also lays down suitable measures to safeguard the rights and freedoms and legitimate interests of the data subject; or
(c) is based on the explicit consent of the data subject.
(3) In the cases referred to in points (a) and (c) of paragraph (2), the Data Controller shall take appropriate measures to safeguard the rights, freedoms and legitimate interests of the data subject, including at least the right of the data subject to request human intervention on the part of the Data Controller, to express his or her point of view and to object to the decision.
(4) The decisions referred to in paragraph 2 shall not be based on special categories of personal data referred to in Article 9(1) of the Regulation, unless point (a) or (g) of Article 9(2) applies and suitable measures have been taken to safeguard the rights, freedoms and legitimate interests of the data subject.
9. The data subject's right to complain and seek legal redress
9.1. Right to lodge a complaint with a supervisory authority
(1) The data subject shall have the right, pursuant to Article 77 of the Regulation, to lodge a complaint with the supervisory authority if, in the opinion of the data subject, the processing of personal data concerning him or her infringes this Regulation.
(2) The data subject may exercise his/her right to file a complaint at the following contact details:
National Data Protection and Freedom of Information Authority (Headquarters: 1055 Budapest, Falk Miksa u. 9-11.; Postal address: 1374 Budapest, P.O. Box 603; Telephone: +36 (1) 391-1400; Fax: +36 (1) 391-1410; Website: http://www.naih.hu; E-mail: ugyfelszolgalat@naih.hu)
(3) The supervisory authority to which the complaint has been submitted shall inform the customer of the procedural developments related to the complaint and its outcome, including the fact that the customer has the right to a judicial remedy pursuant to Article 78 of the Regulation.
9.2. Right to an effective judicial remedy against the supervisory authority
(1) Without prejudice to other administrative or non-judicial remedies, every natural and legal person has the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning him or her.
(2) Without prejudice to other administrative or non-judicial remedies, every data subject shall have the right to an effective judicial remedy if the competent supervisory authority does not deal with the complaint or does not inform the data subject of the procedural developments or the outcome of a complaint lodged pursuant to Article 77 of the Regulation within three months.
(3) Proceedings against a supervisory authority shall be brought before the courts of the Member State in which the supervisory authority is established.
(4) If proceedings are brought against a decision of the supervisory authority in relation to which the Board has previously issued an opinion or taken a decision within the framework of the consistency mechanism, the supervisory authority shall be obliged to send this opinion or decision to the court.
9.3. Right to an effective judicial remedy against the Controller or the Processor
(1) Without prejudice to any available administrative or non-judicial remedies, including the right to lodge a complaint with a supervisory authority under Article 77, each data subject shall have the right to an effective judicial remedy if he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of personal data concerning him or her not being in accordance with this Regulation.
(2) Proceedings against a controller or processor shall be brought before the courts of the Member State in which the controller or processor is established. Such proceedings may also be brought before the courts of the Member State in which the data subject has his or her habitual residence, unless the controller or processor is a public authority of a Member State acting in the exercise of its official authority.
10. Restrictions
(1) Union or Member State law applicable to the controller or processor may, by means of legislative measures, restrict the scope of the rights and obligations set out in Articles 12 to 22 and Article 34 of the Regulation, and in Article 5 insofar as its provisions correspond to the rights and obligations set out in Articles 12 to 22, where the restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to protect:
(a) national security;
(b) national defense;
(c) public safety;
(d) the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security;
(e) other important objectives of general public interest of the Union or of a Member State, in particular important economic or financial interests of the Union or of a Member State, including monetary, budgetary and taxation matters, public health and social security;
(f) the protection of judicial independence and judicial proceedings;
(g) the prevention, investigation, detection and prosecution of breaches of ethics in regulated professions;
(h) monitoring, inspection or regulatory functions connected, even occasionally, to the exercise of official authority in the cases referred to in points (a) to (e) and (g);
(i) the protection of the data subject or the rights and freedoms of others;
(j) the enforcement of civil law claims.
(2) The legislative measures referred to in paragraph (1) shall, where appropriate, contain specific provisions at least on:
- the purposes of the processing or categories of processing;
- the categories of personal data;
- the scope of the restrictions introduced;
- the safeguards to prevent abuse or unlawful access or transfer;
- the specification of the Data Controller or of the categories of Data Controllers;
- the storage periods and the applicable safeguards, taking into account the nature, scope and purposes of the processing or categories of processing;
- the risks to the rights and freedoms of data subjects; and
- the right of data subjects to be informed about the restriction, unless this may be prejudicial to the purpose of the restriction.
11. Informing the data subject of a personal data breach
(1) If the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the Controller shall inform the data subject of the personal data breach without undue delay.
(2) The information provided to the data subject referred to in paragraph (1) shall describe in a clear and comprehensible manner the nature of the data protection incident and shall include at least the name and contact details of the data protection officer or other contact person providing further information, the likely consequences resulting from the data protection incident, the measures taken or planned by the Data Controller to remedy the data protection incident, including, where applicable, measures aimed at mitigating any adverse consequences resulting from the data protection incident.
(3) The data subject shall not be required to be informed as referred to in paragraph (1) if any of the following conditions are met:
- the Data Controller has implemented appropriate technical and organizational security measures and these measures have been applied to the data affected by the data breach, in particular measures – such as the use of encryption – that make the data unintelligible to persons not authorized to access the personal data;
- the Data Controller has taken further measures following the data protection incident to ensure that the high risk to the rights and freedoms of the data subject referred to in paragraph (1) is no longer likely to materialise;
- information would require a disproportionate effort. In such cases, the data subjects should be informed by means of publicly published information or a similar measure should be taken to ensure that the data subjects are informed in a similarly effective manner.
(4) If the Data Controller has not yet notified the data subject of the personal data breach, the supervisory authority may, after considering whether the personal data breach is likely to involve a high risk, order the data subject to be informed or determine that one of the conditions referred to in paragraph (3) is met.
IX. PROCEDURE TO BE APPLIED IN CASE OF A DATA SUBJECT'S REQUEST
(1) The Data Controller shall facilitate the exercise of the data subject's rights and may not refuse to comply with the data subject's request to exercise his or her rights as set out in this policy, unless it proves that it is unable to identify the data subject.
(2) The Data Controller shall inform the data subject without undue delay, but in any case within one month of receipt of the request, of the measures taken in response to the request. If necessary, taking into account the complexity of the request and the number of requests, this deadline may be extended by a further two months. The Data Controller shall inform the data subject of the extension of the deadline within one month of receipt of the request, indicating the reasons for the delay.
(3) If the data subject has submitted the request electronically, the information shall be provided electronically, if possible, unless the data subject requests otherwise.
(4) If the Data Controller does not take action following the request of the data subject, it shall inform the data subject without delay, but no later than one month from the receipt of the request, of the reasons for the failure to take action and of the fact that the data subject may lodge a complaint with the supervisory authority and exercise his/her right to a judicial remedy.
(5) The Data Controller shall provide the data subject with the information specified in Article 13 and 14 of the Regulation, detailed in Section 1 of Chapter VI of this Regulation, and the information and measures specified in Articles 15–22 and 34 of the Regulation (feedback on the processing of personal data, access to the processed data, correction, completion, deletion of data, restriction of data processing, data portability, objection to data processing, information about a data protection incident) free of charge.
(6) If the data subject's request is clearly unfounded or excessive – in particular due to its repetitive nature – the Data Controller may, taking into account the administrative costs of providing the requested information or communication or taking the requested action: charge a fee of HUF 5,000 or refuse to take action based on the request.
(7) The Data Controller shall bear the burden of proving that the request is clearly unfounded or excessive.
(8) Without prejudice to Article 11 of the Regulation, where the Data Controller has reasonable doubts as to the identity of the natural person submitting a request pursuant to Articles 15 to 21 of the Regulation, it may request the provision of further information necessary to confirm the identity of the data subject.
X. PROCEDURE TO BE USED IN THE EVENT OF A DATA PROTECTION INCIDENT (PERSONAL DATA BREACH)
(1) A data breach, within the meaning of the Regulation, is any breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
(2) Examples of a data protection incident include: the loss or theft of a device (laptop, mobile phone) containing personal data; the loss or inaccessibility of the code used to decrypt a file encrypted by the Data Controller; infection by ransomware that makes the data managed by the Data Controller inaccessible until the ransom is paid; an attack on the IT system; or the disclosure of an e-mail or address list containing personal data sent by mistake.
(3) In the event of a data breach being detected, the Data Controller's representative shall immediately conduct an investigation to identify the data breach and determine its possible consequences. The necessary measures shall be taken to prevent any damage.
(4) The controller shall notify the personal data breach to the competent supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of the personal data breach, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. If the notification is not made within 72 hours, it shall be accompanied by reasons justifying the delay.
(5) The data processor shall notify the data protection incident to the Data Controller without undue delay after becoming aware of it.
(6) The notification referred to in paragraph (4) shall include at least:
- a description of the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
- the name and contact details of the data protection officer or other contact point where more information can be obtained;
- a description of the likely consequences of the personal data breach;
- a description of the measures taken or proposed to be taken by the Data Controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
(7) If and to the extent that it is not possible to communicate the information simultaneously, it may be communicated in parts at a later date without further undue delay.
(8) The Controller shall keep records of data breaches, indicating the facts relating to the data breach, its effects and the measures taken to remedy it. This record shall enable the supervisory authority to verify compliance with the requirements set out in Article 33 of the Regulation.
XI. OTHER ACTIVITIES INVOLVED IN DATA PROCESSING AND DATA GROUPS PROCESSED
1. Data processing based on legal obligation
1.1. Data processing related to the fulfillment of anti-money laundering obligations
(1) Pursuant to Section 6 (1) of Act LIII of 2017 on the Prevention and Combating of Money Laundering and Terrorist Financing, the Data Controller is obliged to identify, and verify the identity of, the natural person acting in the name of or on behalf of the client: upon the establishment of a business relationship; in the event of data, facts or circumstances indicating money laundering or terrorist financing, if customer due diligence has not yet been carried out; and if there is any doubt regarding the authenticity or adequacy of previously recorded customer identification data.
(2) During identification, the Data Controller is obliged to record the following data of the natural person acting in the name of or on behalf of the client:
- surname and first name;
- surname and first name at birth;
- nationality;
- place and date of birth;
- mother's maiden name;
- address, or in the absence thereof, place of residence;
- the type and number of the identification document.
(3) The scope of data processing: natural persons acting in the name of or on behalf of the client.
(4) The Data Controller's manager or employee designated for customer due diligence is entitled to access personal data. The Data Controller is entitled to process personal data recorded during customer due diligence for 8 years from the termination of the contract (business relationship).
1.2. Data processing necessary to fulfill accounting obligations
(1) The legal basis for the processing of the data of the Data Controller's natural person clients is the fulfillment of a legal obligation, and the purpose of using the data contained in the invoice pursuant to Section 159 (1) of Act CXXVII of 2007 (VAT Act) is to determine the mandatory data content of the invoice, issue the invoice, and perform related accounting tasks.
(2) The scope of data processing covered by this point is: the natural person clients of the Data Controller.
(3) Scope of the processed data: name, address, tax number of the Data Controller's natural person clients, buyers, suppliers.
(4) The Data Controller, its employees, and the manager and employees performing the accounting activity are entitled to access the personal data. The Data Controller is entitled to process the personal data recorded in the course of fulfilling the legal obligation indicated above for 8 years from the termination of the contract (business relationship) with the Data Controller.
1.3. Data processing related to the fulfillment of tax and contribution obligations
(1) Pursuant to Section 50 (1) of Act CL of 2017 on the Taxation System (Art.), the Data Controller shall submit an electronic declaration on all taxes, contributions and/or data specified in paragraph (2) related to payments and benefits made to natural persons resulting in tax and/or social security obligations, by the twelfth day of the month following the month in question.
(2) The scope of data processing includes: the Data Controller, its employees and their family members.
(3) The scope of the processed data: the data of the Data Controller, its employees and their family members specified in Section 50 (2) of the Act, in particular the natural person's personal identification data (including previous name and title), gender, citizenship, tax identification number and social security identification number.
(4) Recipients: employees and data processors of the Data Controller who perform accounting and payroll activities as part of their job duties.
(5) The Data Controller is entitled to process personal data recorded in the course of fulfilling the legal obligation indicated above for 8 years from the termination of the legal relationship.
2. Data processing during information requests and requests for quotations
(1) The Data Controller provides third parties with the opportunity to request information and quotes regarding the services provided by the Data Controller or the products sold.
(2) The legal basis for data processing is the consent of the data subject in the case of a request for information or a request for a quotation.
(3) The group of data subjects in the case of a request for information or a request for a quote: any natural person who requests information or a quote and provides their personal data in connection with the Data Controller's services and products.
(4) Scope of processed data: name, address, telephone number, e-mail address.
(5) The purpose of data processing in the event of a request for information is: identification, contact.
(6) The purpose of data processing in the case of a request for quotation: providing a quotation, maintaining contact.
(7) The recipients of the data (those who may access the data) in the case of a request for information or a request for a quote are the Data Controller's manager and the employee responsible for customer relations.
(8) Duration of data processing in the case of a request for information or a request for a quote: the Data Controller deletes the personal data 30 days after the provision of the information or the submission of the quote.
3. Data processing activities related to the performance of a contract
(1) The Data Controller shall process the personal data of the natural person co-owners of the companies contracting with it in connection with the contractual relationship. The data subject shall be informed about the processing of personal data.
(2) The scope of data subjects: all natural persons who are owners of enterprises that have established a contractual relationship with the Data Controller, as well as natural persons who enter into a contract with the Data Controller.
(3) The legal basis for data processing is the performance of a contract, the purpose of data processing is to maintain contact, enforce claims arising from the contract, and ensure compliance with contractual obligations.
(4) Recipients of personal data: the Data Controller, the Data Controller's employees and data processors performing customer service and accounting tasks based on their job duties, as well as the Data Controller's attorney and law firm acting as legal representative.
(5) The scope of personal data processed: name, address, place and time of birth, mother's maiden name, registered office, telephone number, e-mail address, tax number, bank account number.
(6) Duration of data processing: 5 years from the termination of the contract or from the conclusion of any legal proceedings initiated by the Data Controller to enforce its claims.
XII. RULES RELATING TO DATA PROCESSING
(1) The Data Controller uses an external data processor entrusted with the personal data it processes to perform the following tasks:
- fulfillment of tax and accounting obligations.
(2) The rights and obligations of the data processor related to the processing of personal data are determined by the Data Controller within the framework of law and separate laws relating to data processing.
(3) The Data Controller declares that, during the course of its activities as a data processor, it does not have the competence to make substantive decisions regarding data processing, it may process the personal data it has obtained only in accordance with the provisions of the Data Controller, it may not process data for its own purposes, and it is obliged to store and preserve the personal data in accordance with the provisions of the Data Controller.
(4) The Data Controller is responsible for the legality of the instructions given to the data processor regarding data processing operations.
(5) The Data Controller is obliged to provide the data subjects with information about the identity of the data processor and the place of data processing.
(6) The Data Controller does not authorize its data processors to use additional data processors.
(7) The data processing contract must be in writing. Data processing may not be entrusted to an organization that has a business interest in using the personal data to be processed.
(1) Where the Data Controller itself acts as a data processor on behalf of another controller (hereinafter: the client controller), it undertakes and provides appropriate guarantees that the processing it performs complies with the requirements set out in the Regulation and that it implements appropriate technical and organizational measures to protect the rights of the data subjects.
(2) The Data Controller, as a data processor, shall immediately inform the client controller if it considers that any of the client controller's instructions infringe the Regulation or Member State or Union data protection provisions.
(3) The Data Controller, as a data processor, shall process the data on the instructions of the client controller, in accordance with data protection rules and principles, and shall have regard to the contractual obligations of the client controller known to it.
(4) The Data Controller, as a data processor, may not modify, delete or copy the data provided to it by the client controller, link it with other databases, use it for purposes other than those of the processing agreement or for its own purposes, or disclose it to third parties, except to the extent that the client controller expressly requires it to do so and it is necessary for the purposes of the processing.
(5) The Data Controller, as a data processor, is not entitled to represent the client controller or to make legal statements on its behalf, unless expressly authorized to do so by an agreement concluded with the client controller or another document.
(6) The parties record that the client controller has the exclusive right to determine the purpose and means of processing the data provided to the data processor.
(7) The Data Controller, as a data processor, is obliged to ensure the security of the data and to take all technical and organizational measures necessary to enforce the data protection rules, and accordingly to take measures against unauthorized access to, alteration, transmission, disclosure, deletion or destruction of the data. It is also obliged to take appropriate measures against accidental destruction and damage, and against inaccessibility resulting from changes in the technology used.
(8) The Data Controller undertakes to comply fully with the data security provisions of this policy during its activities as a data processor; those provisions apply to its processing activities as well.
(9) The Data Controller, as a data processor, grants access to the data only to those employees who need it in order to perform the processing activity, and informs those with access of their obligation to comply with security and confidentiality requirements.
(10) The Data Controller, as a data processor, undertakes to cooperate with the client controller so that the client controller can comply with its legal obligations. This cooperation covers in particular the fulfillment, within the statutory deadline, of requests relating to data subjects' rights of access, erasure and rectification.
(11) The Data Controller, as a data processor, undertakes to modify, supplement, correct, block or delete the data it processes in accordance with the instructions of the client controller.
(12) The Data Controller, as a data processor, is obliged to notify the client controller immediately of any event or risk affecting the security of the data, to take the relevant measures and to cooperate fully with the client controller.
(13) The Data Controller, as a data processor, undertakes to cooperate fully with the client controller and its agents during any inspection or investigation of its systems, records, data, information and procedures relating to the processing. In this context, it ensures that the person authorized to inspect has full access to the records relating to the processing, the data files stored in them, and the procedures applied during the processing.
(14) Name of the data processing activity carried out by the Data Controller:
4791 '08 Mail order, online retail
XIII. PROVISIONS ON DATA SECURITY
1. Principles of implementing data security
(1) The Data Controller may only process personal data in accordance with the activities set out in this policy and for the purpose of data processing.
(2) The Data Controller ensures the security of the data, and in this regard undertakes to take all technical and organizational measures that are essential for the enforcement of the laws and regulations on data security, data protection and confidentiality, and to develop the procedural rules necessary for the enforcement of the laws specified above.
(3) The technical and organizational measures to be implemented by the Data Controller are aimed at the following:
- pseudonymization and encryption of personal data;
- ensuring the ongoing confidentiality, integrity, availability and resilience of systems and services used to process personal data;
- the ability to restore access to and availability of personal data in a timely manner in the event of a physical or technical incident;
- applying a procedure for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures taken to guarantee the security of data processing.
(4) When determining the appropriate level of security, specific account shall be taken of the risks arising from the processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data transmitted, stored or otherwise processed.
(5) The Data Controller shall take appropriate measures to protect the data against unauthorized access, alteration, transmission, disclosure, deletion or destruction, as well as against accidental destruction and damage, and against inaccessibility resulting from changes in the technology used.
(6) The Data Controller shall keep records of the data it processes in accordance with the applicable laws, ensuring that the data is only accessible to those employees, agents and other persons acting within the scope of the Data Controller's interests who need it in order to perform their duties and tasks.
(7) The Data Controller stores the personal data provided during each data processing activity separately from other data, with the proviso that – in accordance with the above provision – the separated data files may only be accessed by employees with appropriate access rights.
(8) The Data Controller's manager and employees – apart from the Data Controller's data processors – shall not transfer personal data to third parties and shall take the necessary measures to exclude unauthorized access.
(9) The Data Controller grants access to personal data to those employees who have submitted themselves to the obligation to comply with data security rules by making a confidentiality declaration regarding the personal data managed.
(10) When defining and applying measures to ensure data security, the Data Controller takes into account the current state of technology and, in the event of several possible data management solutions, chooses the solution that ensures a higher level of protection of personal data, unless this would represent a disproportionate difficulty.
2. Protection of the Data Controller's IT records
(1) The Data Controller shall take the following necessary measures to ensure data security in relation to its IT records:
- it provides the data files it manages with constant protection against computer viruses (it uses real-time virus protection software);
- it ensures the physical protection of the hardware devices of the IT system, including protection against natural damage;
- it ensures the protection of the IT system against unauthorized access, in terms of both software and hardware;
- it takes all measures necessary to restore data files, performs regular backups, and manages backup copies separately and securely.
3. Protection of the Data Controller's paper records
(1) The Data Controller shall take the necessary measures to protect paper-based records, in particular with regard to physical security and fire protection.
(2) The Data Controller's manager, employees and other persons acting on behalf of the enterprise are obliged to securely store and protect the data carriers they use or possess, including personal data, against unauthorized access, alteration, transmission, disclosure, deletion or destruction, as well as accidental destruction and damage, regardless of the method of recording the data.
XIV. OTHER PROVISIONS
(1) The Data Controller's managing director is obliged to explain the provisions of this policy to all employees of the Data Controller.
(2) The Data Controller's managing director shall ensure that all employees of the Data Controller comply with the provisions of this policy. To this end, the managing director shall require that the employment contracts concluded with the Data Controller's employees be amended so as to include the employee's commitment to comply with and enforce this policy.
(3) The establishment and amendment of this policy is the responsibility of the Data Controller's managing director.