Data Management Notice for Customer Data Processing

1. Name of the Data Controller

2.  Legal Regulations Governing Data Processing

The following legal regulations apply to customer data processing:

• Regulation (EU) 2016/679 of the European Parliament and of the Council (April 27, 2016) on the protection of natural persons regarding the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, consolidated version:

https://eur-lex.europa.eu/legal-content/HU/TXT/PDF/?uri=CELEX:32016R0679&from=HU 

• Act CXII of 2011 on the right to informational self-determination and freedom of information (hereinafter: Info Act), consolidated version:

https://net.jogtar.hu/jogszabaly?docid=A1100112.TV

• Act CLV of 1997 on consumer protection, consolidated version:
  https://net.jogtar.hu/jogszabaly?docid=99700155.TV 

3. Information Regarding the Processed Data

Scope of Processed Data and Purpose of Data Processing

The scope, purpose, duration, legal basis, and method of data processing are included in the annex of this notice.

4. Access to Data and Data Security Measures

1. Access to Data and Data Transfer

The personnel of the Data Controller may access the personal data you provide to fulfill their duties. The Data Controller transfers the processed personal data to subcontractors specified in the annex of this regulation.

The Data Controller will only disclose your personal data to other Data Controllers or government authorities in exceptional cases.

For instance, if:

• A court proceeding is initiated in relation to you, and it is necessary to transfer documents containing your personal data to the court,

• The police contacts the Data Controller and requests the transfer of documents containing your personal data for an investigation.

2. Data Security Measures

The Data Controller stores the personal data you provide on its servers, and where applicable, in a paper-based archive. The Data Controller does not use the services of other companies for the storage of personal data.

The Data Controller takes appropriate measures to protect personal data against unauthorized access and unauthorized modification. For example, access to personal data stored on the server is logged by the Data Controller, meaning it is always verifiable who accessed which personal data and when.

5. Rights of the Data Subject Regarding Data Processing

1. 1. Your Right of Access

As a data subject, you have the right to access your personal data.

If you request that the Data Controller provides feedback on whether it processes your personal data, the Data Controller is obligated to inform you regarding the following:

1. which personal data it processes,

2. the legal basis for the processing,

3. the purpose of the data processing,

4. the source of the data,

5. how long the data will be processed.

Your right to receive feedback on whether the Data Controller is processing your personal data (or not):

1. pertains to personal data related to you;

2. does not apply to anonymous data;

3. does not apply to personal data that does not relate to you; and

4. includes pseudonymized data that can be clearly linked to you.

The Data Controller will provide access to and a copy of your personal data upon your request. If you request additional/repeated copies of your personal data, the Data Controller may charge a reasonable fee to cover the administrative costs associated with fulfilling that request, which you will be responsible for paying.

2. Your right to rectification

You have the right to have your personal data corrected.

This right: 

1. does not apply to anonymous data;

2. pertains to personal data related to you;

3. does not apply to personal data that does not relate to you; and

4. includes pseudonymized data that can be clearly linked to you.

The Data Controller will appropriately rectify or complete your personal data upon your request. The Data Controller will inform the recipients of your personal data (if any) about the rectification. However, the Data Controller will not inform the recipients about the rectification of personal data if it proves impossible or requires disproportionate effort.

3. Your right to erasure

Under certain conditions, you have the right to have your personal data erased.

The Data Controller is obliged to erase your personal data without undue delay if:

1. the Data Controller processes these personal data; and

2. you request the erasure of your personal data; and

3. the personal data are no longer necessary for the purposes for which the Data Controller processes them.

The Data Controller is obliged to erase your personal data without undue delay if: 

1. the Data Controller processes your personal data; and

2.  you request the erasure of your personal data; and

3. you withdraw your consent on which the processing of your data is based; and

4. there is no other legal basis for the further processing of your data.

The Data Controller is obliged to erase your personal data without undue delay if: 

1. the processing is necessary for the enforcement of the legitimate interests of the Data Controller or a third party; and

2. you object to the processing of your personal data; and

3. the legitimate grounds for the processing of such personal data do not override your objection.

The Data Controller is obliged to erase your personal data without undue delay if: 

1. you request the erasure of your personal data; and

2. the processing of such data by the Data Controller is not unlawful; or

3. the erasure is mandatory under applicable laws; or

4. your data are collected in relation to services offered by the information society.

The Data Controller will inform the recipients of your personal data (if any) about the erasure of your personal data. However, the Data Controller will not inform the recipients about the erasure of personal data if informing them proves impossible or requires disproportionate effort.

4. Your right to restriction of processing

You have the right to request the restriction of processing of your personal data.

Your right to request the restriction of processing of your personal data: 

1. does not extend to anonymous data;

2. applies to your personal data;

3. does not extend to personal data not concerning you; and

4. includes clearly identifiable pseudonymized data related to you.

The Data Controller will restrict the processing of your personal data for the period during which it verifies the accuracy of such data if you request the restriction of processing and you contest the accuracy of such data.

The Data Controller will restrict the processing of your personal data if you request the restriction of processing of data that is unlawful, and you oppose the erasure of such data.

The Data Controller will restrict the processing of your personal data if: 

1. you request the restriction of processing of your personal data; and

2. the Data Controller no longer needs such data for the purposes of processing; and

3. you require your data for the establishment, exercise, or defense of legal claims.

The Data Controller will restrict the processing of your personal data if: 

1. you object to the processing of your personal data that is necessary for the legitimate interests of the Data Controller; and

2. you are waiting for confirmation of whether there is a legitimate basis for the processing of your personal data by the Data Controller that overrides your objection.

The Data Controller will inform the recipients of your personal data (if any) about the restriction of processing of your personal data. However, the Data Controller will not inform the recipients about such restrictions if informing them proves impossible or requires disproportionate effort.

If the Data Controller restricts the processing of your personal data, it may: 

1. store such personal data;

2. process such personal data based on your consent;

3. process personal data for the establishment, exercise, or defense of legal claims or to protect the rights of another person.

5. Your right to data portability

You have the right to receive your personal data concerning you, which you have provided to a data controller, in a structured, commonly used, and machine-readable format. You also have the right to transmit those data to another data controller without hindrance (where technically feasible) to the data controller to whom you provided the personal data if the processing is based on consent or is necessary for the performance of a contract and the processing is carried out by automated means.

Your right to data portability: 

1. does not extend to anonymous data;

2. applies to your personal data;

3. does not extend to personal data not concerning you; and

4. does not extend to clearly identifiable pseudonymized data.

6. The deadline for processing your request as a data subject

The Data Controller will respond to requests regarding the rights you are entitled to as outlined above without undue delay, but no later than within one month.

7. Right to lodge a complaint

If you believe that your rights have been violated, the Data Controller recommends that you initiate a consultation with the Data Controller through direct contact. If such a consultation does not yield results or if you do not wish to participate in such activity, you may turn to the court or the National Authority for Data Protection and Freedom of Information (NAIH). When initiating legal proceedings, you may choose to bring the action before the court that has jurisdiction based on your residence or domicile.

The contact details of the NAIH are as follows:

Official name: National Authority for Data Protection and Freedom of Information

Headquarters: 1055 Budapest, Falk Miksa utca 9-11.

Mailing address: 1363 Budapest, Pf.: 9.

Phone number: +36 (1) 391-1400

Fax number: +36 (1) 391-1410

Central electronic email address: ugyfelszolgalat@naih.hu

Website URL: http://www.naih.hu

Official storage address: short name: NAIH, KRID: 429616918

Customer service or public relations contact: National Authority for Data Protection and Freedom of Information Customer Service

Phone number: +36 (1) 391-1400

Fax number: +36 (1) 391-1410

Address: 1055 Budapest, Falk Miksa utca 9-11.

Mailing address: 1363 Budapest, Pf.: 9.

Online administration contact: https://online.naih.hu/EMS/Home

The Authority's Data Protection Officer: Dr. Attila Kiss

Phone contact: +36 (1) 391 1470

Email address: dpo@naih.hu

8. Amendments to this notice

The Data Controller reserves the right to amend this notice at any time. The Data Controller will inform customers of such modifications, where applicable, by letter or email, and in all cases in accordance with applicable laws.