Privacy Policy
AQUAFORTIS.HU PRIVACY POLICY
Aquafortis Ékszerészet Kft.
Introduction
Aquafortis Ékszerészet Kft. (1089 Budapest, Bláthy Ottó utca 4–8., Door 119, tax number: 32269422-2-42, company registration number: 01-09-415255) (hereinafter: Service Provider, Data Controller) submits itself to the following regulations:
In accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), we provide the following information.
This privacy policy governs the data processing activities on the following websites/mobile applications:
https://www.aquafortis.hu
The privacy policy is available at:
https://www.aquafortis.hu/adatvedelem
Any amendments to the policy take effect upon publication at the above address.
Data Controller and Contact Information
Name: Aquafortis Ékszerészet Kft.
Registered office: 1089 Budapest, Bláthy Ottó utca 4–8., Door 119
E-mail: info@martiusjewelry.com
Phone: +36 30 640 0677
Definitions
- “personal data”: any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- “processing”: any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- “controller”: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are laid down by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
- “processor”: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
- “recipient”: a natural or legal person, public authority, agency or another body, to whom or which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of such data by those public authorities must comply with the applicable data protection rules according to the purposes of the processing.
- “data subject’s consent”: any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
- “personal data breach”: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
- “profiling”: any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
Principles Relating to the Processing of Personal Data
Personal data must be:
- processed lawfully, fairly and in a transparent manner in relation to the data subject (“lawfulness, fairness and transparency”);
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered incompatible with the initial purposes (“purpose limitation”);
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (“data minimisation”);
- accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (“accuracy”);
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (“storage limitation”);
- processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (“integrity and confidentiality”).
The controller is responsible for, and must be able to demonstrate compliance with, these principles (“accountability”).
The Data Controller declares that its data processing activities are carried out in accordance
Data Processing Related to Operating the Webshop / Use of Services
1. The fact of data collection, the scope of processed data, and the purpose of data processing:
| Personal Data | Purpose of Processing | Legal Basis |
|---|---|---|
| Username | Identification, enabling registration. | Article 6(1)(a) GDPR |
| Password | Ensuring secure access to the user account. | |
| First and last name | Necessary for contacting the user, purchasing, issuing an invoice in accordance with regulations, and exercising the right of withdrawal. | Article 6(1)(b) GDPR |
| E-mail address | Communication. | |
| Phone number | Communication, more efficient management of billing or delivery-related inquiries. | |
| Billing name and address | Issuing a proper invoice, as well as creating, defining, modifying, monitoring the performance of the contract, invoicing related fees, and enforcing related claims. | Article 6(1)(c) GDPR (Legal obligation under Act C of 2000 on Accounting, Section 169(2)) |
| Shipping name and address | Enabling home delivery. | Article 6(1)(b) GDPR |
| Date of purchase/registration | Technical operation. | Article 6(1)(b) GDPR, Act on E-commerce (Elker tv.) Section 13/A (3) |
| IP address at time of purchase/registration | Technical operation. | |
2. Data subjects concerned:
All individuals registered on / purchasing from the webshop website.
Neither the username nor the email address is required to contain personal data.
3. Duration of data processing, deadline for deletion of data:
If any of the conditions under Article 17(1) GDPR apply, data will be stored until the data subject requests deletion.
The controller will notify the data subject electronically of the deletion of any personal data provided, pursuant to Article 19 GDPR.
If the deletion request covers the email address as well, the controller will delete it after sending the notification.
Exception: Accounting records must be retained for 8 years under Act C of 2000 on Accounting, Section 169(2).
Contract-related data may be deleted after the expiry of the civil law limitation period if the data subject requests deletion.
Accounting records (including general ledger accounts, analytical and detailed records) must be retained for at least 8 years in a readable, retrievable form.
4. Persons authorized to access the data, recipients of personal data:
Personal data may be processed by the data controller and its authorized employees, in compliance with the above principles.
5. Description of data subjects’ rights related to data processing:
Data subjects may request from the controller:
· access to personal data relating to them,
· rectification, deletion, or restriction of processing,
· the right to data portability,
· the right to withdraw consent at any time.
6. Methods available for exercising rights (access, deletion, modification, restriction, portability):
· By post: 1089 Budapest, Bláthy Ottó utca 4-8., Door 119
· By email: info@martiusjewelry.com
· By phone: +36 30 640 0677
7. Legal basis for data processing:
1. Article 6(1)(b) GDPR (performance of a contract)
2. Act CVIII of 2001 on Electronic Commerce (Elker tv.) Section 13/A (3):
The service provider may process personal data that are technically essential for providing the service. The tools used for providing information society services must be chosen and operated in such a way that personal data is only processed to the extent and for the time strictly necessary.
3. Article 6(1)(c) GDPR in the case of issuing invoices in accordance with accounting regulations.
4. Enforcement of contractual claims:
According to Section 6:22 of the Civil Code (Act V of 2013), the limitation period is 5 years.
Section 6:22 [Limitation]
(1) Unless otherwise provided by this Act, claims lapse after five years.
(2) The limitation period starts when the claim becomes due.
(3) Agreements to modify the limitation period must be in writing.
(4) Agreements excluding limitation are null and void.
8. Additional information
· Data processing is necessary for making an offer and fulfilling the contract.
· Providing personal data is mandatory for order fulfilment.
· Failure to provide the data results in us being unable to process the order.
Cookie Management
1. Cookies not requiring prior consent:
The following cookies do not require prior consent from the data subject:
· password-protected session cookies
· shopping cart cookies
· security cookies
· strictly necessary cookies
· functional cookies
· cookies used for website statistics
2. Fact of data processing, scope of processed data:
Unique identification number, dates, timestamps.
3. Data subjects:
All visitors to the website.
4. Purpose of data processing:
User identification, visitor tracking, ensuring customised operation.
5. Duration of data processing, deadline for deletion:
| Type of Cookie | Legal Basis | Processing Duration |
|---|---|---|
| Session cookies or other cookies essential for website operation | The use of the cookie involves no personal data processing. | Until the session ends (only until the browser is closed). |
| Statistical, marketing cookies | Article 6(1)(a) GDPR | 1 day – 2 years, according to the cookie notice, or until withdrawal of consent. |
6. Persons authorized to access the data:
Only the data controller may access the personal data.
7. Data subjects’ rights regarding cookie-related data processing:
Data subjects may delete cookies in their browser settings, typically under the Privacy section.
8. Customizing cookie settings in major browsers:
Information on how to adjust cookie settings:
· Google Chrome
(https://support.google.com/chrome/answer/95647?hl=hu)
· Internet Explorer
(https://support.microsoft.com/hu-hu/help/17442/windows-internet-explorer-delete-manage-cookies)
· Firefox
(https://support.mozilla.org/hu/kb/sutik-engedelyezese-es-tiltasa-amit-weboldak-haszn)
· Safari
(https://support.apple.com/hu-hu/guide/safari/sfri11471/mac)
Use of Google Ads Conversion Tracking
1. The data controller uses the online advertising program known as “Google Ads” and, within this framework, also utilizes Google’s conversion tracking service. Google conversion tracking is an analytics service provided by Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; “Google”).
2. When a User reaches a website via a Google advertisement, a cookie necessary for conversion tracking is placed on their computer. These cookies have a limited validity period and do not contain any personal data, thus they cannot be used to identify the User.
3. When the User browses certain pages of the website and the cookie has not yet expired, both Google and the data controller can see that the User clicked on the advertisement.
4. Each Google Ads customer receives a different cookie, making it impossible to track Users across different Ads customers’ websites.
5. The information obtained through conversion tracking cookies is used to compile conversion statistics for Ads customers who have opted for conversion tracking. In this way, customers receive information regarding the number of Users who clicked on their advertisement and were redirected to a page containing a conversion tracking tag. However, they do not receive any information that could identify individual Users.
6. If you do not wish to participate in conversion tracking, you may reject this by disabling the installation of cookies in your browser. In this case, you will not be included in the conversion tracking statistics.
7. According to Google Consent Mode v2, Google may also use two additional types of cookies: ad_user_data and ad_personalization, which are based on the User’s consent and relate to the use and sharing of data.
· ad_user_data records consent for the use of user data for advertising purposes by Google.
· ad_personalization regulates whether the data may be used for personalized advertising (e.g., remarketing).
The data controller ensures that appropriate consents can be provided and withdrawn via its cookie banner/panel. Withdrawal of consent does not affect the lawfulness of data processing carried out prior to the withdrawal.
8. Further information and Google’s privacy policy can be found at: https://policies.google.com/privacy
Use of Google Analytics
1. This website uses Google Analytics, a web analytics service provided by Google Inc. (“Google”). Google Analytics uses “cookies”, text files stored on your computer, to help analyze how Users interact with the website.
2. The information generated by the cookies regarding the User’s use of the website is generally transmitted to and stored on a Google server in the USA. With IP anonymization enabled on this website, Google shortens the User’s IP address beforehand within the member states of the European Union or other contracting states of the Agreement on the European Economic Area.
3. The full IP address is transmitted to a Google server in the USA and shortened there only in exceptional cases. On behalf of the website operator, Google will use this information to evaluate the User’s interaction with the website, to compile reports on website activity, and to provide further services related to website and internet usage.
4. Within Google Analytics, the IP address transmitted by the User’s browser is not merged with any other data held by Google. Users can prevent the storage of cookies by adjusting their browser settings; however, in this case, some website features may not function fully. Users can also prevent Google from collecting and processing data related to their website usage (including IP address) generated by the cookies by downloading and installing the browser add-on available at: https://tools.google.com/dlpage/gaoptout?hl=hu
Newsletter and Direct Marketing Activities Based on Consent
1. Pursuant to Section 6 of Act XLVIII of 2008 on the Basic Requirements and Certain Restrictions of Commercial Advertising Activities, the User may give prior and explicit consent to allow the Service Provider to contact them with advertising offers and other communications using the contact details provided during registration.
2. Furthermore, the Customer may consent—subject to the provisions of this privacy notice—to the Service Provider processing the personal data necessary for sending advertising offers.
3. The Service Provider does not send unsolicited advertising messages, and the User may unsubscribe from receiving offers at any time, free of charge, without justification or limitation. In such cases, the Service Provider deletes all personal data necessary for sending advertising messages from its records and no longer contacts the User with promotional offers. Users may unsubscribe by clicking the link included in each message.
4. Facts of data collection, categories of processed data, and purposes of processing:
| Personal Data | Purpose of Processing | Legal Basis |
|---|---|---|
| Name, email address | Identification; enabling subscription to the newsletter/promotional coupons | User’s consent (GDPR Article 6(1)(a)); Act XLVIII of 2008, Section 6(5) |
| Time of subscription | Execution of technical operations | — |
| IP address at the time of subscription | Execution of technical operations | — |
5. Categories of data subjects: All individuals subscribing to the newsletter.
6. Purpose of processing: Sending electronic messages containing advertising (email, SMS, push notifications), providing information on current news, products, promotions, new features, etc.
7. Duration of processing and retention period: Until consent is withdrawn (unsubscription or deletion request) or until the newsletter service is terminated.
8. Authorized data controllers and possible recipients: Personal data may be accessed by the data controller and its sales and marketing employees, in compliance with the principles outlined above.
9. Data subjects’ rights:
· The data subject may request access to, rectification, deletion, or restriction of the processing of their personal data;
· may object to the processing of their personal data;
· has the right to data portability;
· and may withdraw their consent at any time.
10. Initiating requests for access, deletion, modification, restriction, portability, or objection is possible via:
· postal mail: 1089 Budapest, Bláthy Ottó utca 4–8., door 119
· email: megrendeles@aquafortis.hu
· phone: +36 30 640 0677
11. The data subject may unsubscribe from the newsletter at any time, free of charge.
12. Please note that:
· Data processing is based on your consent.
· You must provide personal data if you wish to receive our newsletter.
· Failure to provide data means we cannot send you newsletters.
· You may withdraw your consent at any time by clicking on the unsubscribe link.
· Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.
Complaint Handling
1. Facts of Data Collection, Scope of Processed Data and Purpose of Processing
| Personal Data | Purpose of Processing | Legal Basis |
|---|---|---|
| Surname and given name | Identification, maintaining contact | Article 6(1)(c) GDPR (legal obligation: Section 17/A (7) of Act CLV of 1997 on Consumer Protection) |
| Email address | Maintaining contact | — |
| Telephone number | Maintaining contact | — |
| Billing name and address | Identification; handling quality complaints, questions, and issues related to ordered products/services | — |
2. Categories of Data Subjects
All data subjects who purchase through the website and submit a quality complaint or lodge a formal grievance.
3. Duration of Processing and Deadline for Deletion
In accordance with Section 17/A (7) of Act CLV of 1997 on Consumer Protection, the record, transcript, and a copy of the response regarding the complaint must be retained for 3 years.
4. Persons Authorized to Access the Data, Recipients
Personal data may be accessed and processed by the data controller and its authorized employees, in compliance with the above principles.
5. Data Subjects’ Rights Regarding Processing
· The data subject may request access to, rectification, deletion, or restriction of the processing of their personal data;
· The data subject has the right to data portability and the right to withdraw consent at any time.
6. Initiating Access, Deletion, Modification, Restriction or Portability Requests
Data subjects may request access to, deletion or modification of their personal data, or restriction of processing, as well as data portability, via:
· Postal mail: 1089 Budapest, Bláthy Ottó utca 4–8., door 119
· Email: megrendeles@aquafortis.hu
· Phone: +36 30 640 0677
7. Notice
· Providing personal data is based on a legal obligation.
· Processing personal data is a precondition for concluding the contract.
· You must provide personal data for us to handle your complaint.
· Failure to provide data will result in our inability to investigate or handle your complaint.
Recipients to Whom Personal Data Are Disclosed
A “recipient” means any natural or legal person, public authority, agency, or other body to whom personal data are disclosed, whether or not it is a third party.
1. Data Processors (acting on behalf of the data controller)
To support its processing activities and to fulfil contractual and statutory obligations, the data controller uses data processors.
The data controller ensures that only such data processors are engaged who provide adequate guarantees of compliance with the GDPR and implement appropriate technical and organisational measures to safeguard data subjects’ rights.
Data processors and any persons acting under the authority of the controller or processor may only process personal data in accordance with the controller’s instructions.
The controller is legally responsible for the activities of the data processor. A processor is only liable for damage caused by processing if it failed to comply with the GDPR obligations specifically directed at processors, or if it acted contrary to or outside the controller’s lawful instructions.
The processor has no autonomous decision-making power concerning data processing.
The controller may use:
· Hosting providers to ensure IT infrastructure,
· Courier services for delivering ordered products.
2. Specific Data Processors
Hosting Provider
Wix.com
Wix, Inc.
1 Grant's Row, Dublin 2 D02HX96, Ireland
Email: support@wix.com
Privacy: https://www.wix.com/about/privacy
Other Data Processors (e.g., online invoicing, web development, marketing)
Online invoicing:
Számlázz.hu
KBOSS.hu Kft.
Website: https://www.szamlazz.hu
Email: info@szamlazz.hu
Phone: +36 30 35 44 789
A “third party” means any natural or legal person, public authority, agency, or body other than the data subject, controller, processor, or persons who, under the direct authority of the controller or processor, are authorized to process personal data.
3. Data Transfers to Third Parties
Third-party data controllers process personal data in their own name and in accordance with their own privacy policies.
Transportation / Delivery Services
FedEx
FedEx Express International B.V.
Attn: Legal Department
Taurusavenue 111
2132 LS Hoofddorp
The Netherlands
Email: track@fedex.com
MPL Magyar Posta Logisztika Kft.
1138 Budapest, Dunavirág utca 2–6.
Email: ugyfelszolgalat@posta.hu
Phone: (06-1) 767-82-82
Terms: https://www.posta.hu/ugyfelszolgalat/aszf
Privacy notice: https://www.posta.hu/adatkezelesi_tajekoztato
Online Payment Providers
Stripe Inc.
Website: https://stripe.com
Email: support@stripe.com
Address: 185 Berry Street Suite 550, San Francisco, CA 94107
Apple Pay
Apple Inc.
One Apple Park Way
Cupertino, CA 95014
Phone: (408) 996-1010
Google Pay
Google Inc.
1600 Amphitheatre Parkway,
Mountain View, CA 94043, USA
Social Media Platforms
1. Facts of data collection and types of processed data:
Name registered on Twitter/Pinterest/YouTube/Instagram/TikTok/LinkedIn, and the user’s publicly available profile picture.
2. Categories of data subjects:
All users who registered on the above platforms and “liked” the Service Provider’s page or contacted the controller through the social media platform.
3. Purpose of data collection:
Sharing or promoting certain content elements, products, promotions, or the website itself on social media platforms.
4. Duration of processing, deletion, access rights, etc.:
Information on data sources, processing methods, transfer, and legal basis can be found on the relevant social media platform.
Processing is carried out on the social media platform; thus, the platform’s rules apply to the duration, method, deletion, and modification of the data.
5. Legal basis of processing:
The data subject’s voluntary consent to the processing of personal data on social media platforms.
Facebook / Meta Joint Controllership
The controller maintains a profile on Facebook/Meta. Statistical processing carried out on the Facebook Page is considered joint controllership between the controller and Facebook Ireland Ltd.
Details are available in the Page Insights Controller Addendum:
https://www.facebook.com/legal/terms/page_controller_addendum
Private messages on social media are only exchanged if you contact us there.
1. Categories of Data Subjects
· Persons who “like” or follow the controller’s page.
· Persons who contact the controller via private message.
2. Purpose of Processing
To share or promote the controller’s activity/services on Facebook.
Data provided in private messages may be used to respond to inquiries.
No additional data is extracted or collected from social media.
3. Legal Basis
Article 6(1)(a) GDPR — consent of the data subject.
4. Scope of Data Processed
· Registered username
· Public profile picture
· Any other public data shared by the data subject on the platform
5. Source of Personal Data
Personal data originate from the data subject.
6. Withdrawal of Consent
Consent may be withdrawn at any time; posts and comments may be deleted by the user.
Upon withdrawal, the controller deletes the conversation.
Withdrawal does not affect the lawfulness of prior processing.
Requests for access, deletion, modification, restriction or portability may be submitted via:
· Postal mail: 1089 Budapest, Bláthy Ottó utca 4–8., door 119
· Email: info@martiusjewelry.com
· Phone: +36 30 640 0677
7. Duration of Processing
· Until consent is withdrawn
· In case of message exchange: 2 years
8. Data Transfers, Recipients
Personal data may only be provided to authorities in exceptional cases and only based on legal obligations (e.g., courts, prosecution service, investigation authorities, National Data Protection Authority).
9. Consequences of Failure to Provide Data
If data are not provided, the data subject cannot follow the controller’s activities on Facebook or send messages via Messenger.
10. Automated Decision-Making / Profiling
No automated decision-making or profiling takes place.
11. Joint Controllership Agreement with Facebook Ireland Ltd.
Page Insights statistics show aggregated data on how users interact with the page.
Facebook Ireland bears primary GDPR responsibility for Insights data.
The controller must ensure that a lawful basis exists and that all GDPR obligations are fulfilled.
The agreement does not grant the controller access to Facebook users’ personal data.
The controller cannot act on behalf of Facebook Ireland regarding data subject requests.
Customer Relations and Other Processing Activities
1. If questions or issues arise when using the services, data subjects may contact the controller via the contact details provided on the website (phone, email, social media, etc.).
2. The controller deletes emails, messages, phone logs, and any voluntarily provided personal data no later than 2 years after receipt.
3. Any processing not listed in this notice will be communicated at the time of data collection.
4. In the event of exceptional authority requests, or based on legal authorization, the Service Provider must provide information, data, or documents to authorities.
5. In such cases, the Service Provider only discloses the minimum personal data necessary to fulfil the request.
Rights of Data Subjects
1. Right of Access
You have the right to obtain confirmation from the data controller as to whether or not personal data concerning you are being processed. Where such processing is taking place, you are entitled to access the personal data and the information listed in the Regulation.
2. Right to Rectification
You have the right to obtain from the data controller the rectification of inaccurate personal data concerning you without undue delay. Taking into account the purposes of processing, you also have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
3. Right to Erasure
You have the right to obtain from the data controller the erasure of personal data concerning you without undue delay, and the data controller is obliged to erase such data without undue delay under certain conditions.
4. Right to be Forgotten
Where the data controller has made the personal data public and is required to erase them, the controller shall, taking account of available technology and implementation costs, take reasonable steps, including technical measures, to inform controllers processing the personal data that you have requested the erasure of any links to, or copies or replications of, those personal data.
5. Right to Restriction of Processing
You have the right to obtain restriction of processing from the data controller where one of the following applies:
· you contest the accuracy of the personal data, for a period enabling the controller to verify the accuracy of the personal data;
· the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead;
· the data controller no longer needs the personal data for the purposes of processing, but you require them for the establishment, exercise, or defence of legal claims;
· you have objected to processing; in such a case, the restriction applies until it is verified whether the legitimate grounds of the controller override your legitimate grounds.
6. Right to Data Portability
You have the right to receive the personal data concerning you, which you have provided to a data controller, in a structured, commonly used, and machine-readable format, and you have the right to transmit those data to another controller without hindrance from the controller to which the data have been provided (...)
7. Right to Object
Where processing is based on legitimate interest or the exercise of official authority, you have the right to object, on grounds relating to your particular situation, at any time to the processing of personal data concerning you, including profiling based on those provisions.
8. Right to Object to Direct Marketing
Where personal data are processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such purposes, including profiling to the extent that it is related to direct marketing.
If you object to such processing, your personal data shall no longer be processed for these purposes.
9. Automated Individual Decision-Making, Including Profiling
You have the right not to be subject to a decision based solely on automated processing — including profiling — which produces legal effects concerning you or similarly significantly affects you.
This right does not apply if the decision:
· is necessary for entering into, or performance of, a contract between you and the controller;
· is authorised by Union or Member State law applicable to the controller and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests; or
· is based on your explicit consent.
Response Deadlines
The data controller shall provide information on actions taken in response to your request without undue delay and in any event within one month of receiving the request.
Where necessary, this period may be extended by two further months. The controller shall inform you of any such extension within one month of receipt of the request, together with the reasons for the delay.
If the controller does not act on your request, it must inform you without delay, but at the latest within one month of receipt, of the reasons for not taking action and of your right to lodge a complaint with a supervisory authority and seek a judicial remedy.
Security of Processing
Taking into account the state of the art, implementation costs, the nature, scope, context and purposes of processing, and the varying likelihood and severity of risks to the rights and freedoms of natural persons, the data controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including, where appropriate:
1. pseudonymisation and encryption of personal data;
2. ensuring the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
3. the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
4. a process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures for ensuring the security of processing.
5. Personal data must be stored in a way that prevents unauthorised access. Paper-based data must be secured through appropriate physical storage and records management systems, while electronic data must be protected through a centralised access control system.
6. The storage method must allow for secure and irreversible deletion of data once the retention period has expired or earlier if required.
7. Paper documents must be destroyed using an approved shredding method or through a certified external destruction service. Electronic media must be physically destroyed or irreversibly wiped according to applicable data destruction standards.
8. The data controller applies the following specific data security measures:
Physical Security for Paper Records
1. Documents are stored in secure, lockable, dry rooms.
2. If paper-based personal data are digitised, the rules applicable to digital data apply.
3. Staff handling personal data must lock away or secure documents before leaving the premises where processing takes place.
4. Only authorised persons may access personal data; third parties are not permitted access.
5. The service provider’s buildings and rooms are equipped with fire protection and property protection systems.
IT Security
1. Computers and mobile devices used for data processing are the property of the Service Provider.
2. All systems containing personal data are equipped with antivirus protection.
3. Backups and archiving procedures are used to ensure the security of digitally stored data.
4. Access to the central server is restricted to authorised personnel.
5. Access to data stored on computers is protected by username and password.
Notification of Data Breaches to Data Subjects
If a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the data controller shall communicate the breach to the data subject without undue delay.
The notification must clearly and plainly describe the nature of the personal data breach, the contact details of the data protection officer or another contact point, the likely consequences, and the measures taken or proposed to address the breach, including measures to mitigate potential adverse effects.
Notification is not required if:
· appropriate technical and organisational protection (such as encryption) was applied to the affected data;
· subsequent measures have been taken to ensure that the high risk is no longer likely to materialise;
· notification would require disproportionate effort — in such cases, a public communication or similar measure shall be used to inform data subjects effectively.
If the controller has not already informed the data subject of the breach, the supervisory authority may require such notification after assessing the level of risk.
Notification of Data Breaches to the Supervisory Authority
The data controller shall notify the competent supervisory authority of a personal data breach without undue delay and, where feasible, not later than 72 hours after becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons.
If the notification is not made within 72 hours, reasons for the delay must accompany the submission.
Periodic Review in Case of Mandatory Processing
If the duration of mandatory data processing—or the requirement for periodic review—is not specified by law, municipal regulation, or binding EU legal act, the controller shall review, at least every three years from the start of processing, whether the processing of personal data by the controller or its processor is still necessary for achieving the purpose of processing.
The controller shall document the circumstances and results of this review and retain the documentation for ten years. It must be made available to the Hungarian National Authority for Data Protection and Freedom of Information (NAIH) at its request.
Right to Lodge a Complaint
If you believe that the data controller has infringed applicable data protection laws, you may lodge a complaint with the National Authority for Data Protection and Freedom of Information:
National Authority for Data Protection and Freedom of Information (NAIH)
1055 Budapest, Falk Miksa utca 9–11.
Mailing address: 1363 Budapest, Pf. 9.
Phone: +36 1 391 1400
Fax: +36 1 391 1410
Email: ugyfelszolgalat@naih.hu
Closing Statement
This privacy notice has been prepared with regard to the following legislation:
· Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation – GDPR)
· Act CXII of 2011 on the Right of Informational Self-Determination and Freedom of Information (Infotv.)
· Act CVIII of 2001 on Certain Aspects of Electronic Commerce and Information Society Services
· Act XLVII of 2008 on the Prohibition of Unfair Commercial Practices
· Act XLVIII of 2008 on Basic Conditions and Restrictions of Commercial Advertising (esp. Section 6)
· Act XC of 2005 on Electronic Freedom of Information
· Act C of 2003 on Electronic Communications (esp. Section 155)
· Opinion 16/2011 on the EASA/IAB Best Practice Recommendation on Online Behavioural Advertising
· NAIH Recommendations on the Requirements of Prior Information