The primary language of the document is HUNGARIAN.

Introduction

Yourental Bt. (Hungary, 1201 Budapest Tótfalusi Kis Miklós sétány 4., VAT No 21986996-2-43, Community VAT No. 21986996, company registration number 01-06-797796 / 575/2000) (hereinafter referred to as “Service Provider, Controller”) is subject to the following rules:

The following information will be provided in accordance with Regulation (EC) No 2016/679 of the European Parliament and of the Council (EU) of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and the repeal of Regulation (EC) No 95/46 (General Data Protection Regulation).

This privacy policy governs data processing on the following pages/mobile apps: https://woodfrog.eu; https://woodfrog.hu. The privacy policy is available from https://woodfrog.eu/privacy-policy/

Amendments to this Policy shall enter into force by publication at the above address.

Data controller and contact details

Name: Yourental Szolgáltató és Kereskedelmi Bt.
Headquarters: Hungary, 1201 Budapest Tótfalusi Kis Miklós sétány 4.
E-mail: shop@woodfrog.eu
Phone: +36301600960

Definitions

  • “personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified directly or indirectly, in particular by means of an identifier such as name, number, location data, online identifier or one or more factors relating to the physical, physiological, genetic, mental, economic, cultural or social identity of the natural person;
  • „processing” means any operation or set of operations carried out on personal data or files by automated or non-automated means, such as collection, recording, ordering, distribution, storage, conversion or alteration, query, inspection, use, transmission, dissemination or otherwise making available, coordination or interconnection, restriction, deletion or destruction;
  • “controller” means a natural or legal person, public authority, agency or any other body which determines the purposes and means of processing personal data independently or together with others; where the purposes and means of processing are determined by Union or Member State law, the controller or specific aspects relating to the designation of the controller may also be defined by Union or Member State law;
  • “processor” means a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller;
  • “recipient” means the natural or legal person, public authority, agency or any other body to whom the personal data is disclosed, whether or not it is a third party. Public authorities which have access to personal data in accordance with Union or Member State law in the context of an individual investigation shall not be considered as recipients; the processing of such data by those public authorities must comply with the applicable data protection rules in accordance with the purposes of the processing;
  • “consent of the data subject” means a voluntary, specific, informed and unambiguous statement of the data subject’s will by which he or she indicates, by means of a declaration or an unmistakably expressive act of confirmation, that he or she consents to the processing of personal data concerning him or her;
  • „data breach” means a breach of security resulting in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure or unauthorised access to personal data transmitted, stored or otherwise processed.

Principles for the processing of personal data

Personal data:

  • must be processed lawfully, fairly and in a transparent manner for the data subject (“legality, fairness and transparency”);
  • must be collected only for a specific, clear and lawful purpose and shall not be treated in a manner inconsistent with those objectives; further processing for archiving purposes in the public interest, for scientific and historical research purposes or for statistical purposes (“purpose-bound”) shall not be deemed to be compatible with the original purpose in accordance with Article 89(1);
  • must be appropriate and relevant to the purposes of the processing and limited to what is necessary (“data saving”);
  • must be accurate and, if necessary, up-to-date; all reasonable measures shall be taken to ensure that personal data inaccurate for the purposes of processing are promptly erased or corrected (“accuracy”);
  • must be stored in a form which allows the identification of data subjects only for the period necessary to achieve the purposes for which the personal data are processed; personal data may be stored for a longer period only if the processing of personal data will be carried out for archiving in the public interest in accordance with Article 89(1), for scientific and historical research purposes or for statistical purposes, subject to the implementation of the appropriate technical and organisational measures provided for in this Regulation to protect the rights and freedoms of data subjects (“restricted storage”);
  • must be managed in such a way as to ensure the proper security of personal data, including protection against unauthorised or unlawful processing, accidental loss, destruction or damage to the data (“integrity and confidentiality”), by applying appropriate technical or organisational measures.

The controller is responsible for compliance with the above and should be able to demonstrate this compliance (“accountability”).

The data controller declares that its processing is carried out in accordance with the principles set out in this point.

Data management related to the operation/use of a webshop

The fact of the data collection, the scope of the data processed and the purpose of the processing:

Personal data | Purpose of data processing | Legal basis
User name | Identification, enable registration | Article 6(1)(b) of the GDPR and Article 13/A(3) of the GDPR.
Password | For secure access to the user account. |
First and last name | Required for contacting, purchasing, issuing a regular invoice, exercising the right of withdrawal. |
Email address | Contact |
Phone number | Contact, more effective coordination of billing or shipping questions. |
Billing name and address | Issuing a regular invoice and creating, defining, modifying, monitoring the performance of the contract, invoicing the resulting fees and enforcing claims relating thereto. | Article 6(1)(c) and § 169(2) of Act C of 2000 on accounting; Article 6(1)(b) of the GDPR and Article 13/A(3) of the Elker law.
Shipping name and address | Allow delivery. |
Time of purchase/registration | Perform technical operation. |
IP address at time of purchase/registration | Perform technical operation. |

It is not necessary for your username or email address to contain personal information.

Scope of data subjects: All data subjects who have registered or shopped on the webshop website.

Duration of data processing, deadline for deletion of data: If one of the conditions of Article 17(1) of the GDPR is met, processing lasts until the data subject has made an application for deletion. The data controller shall inform the data subject electronically of the deletion of any personal data provided by the data subject on the basis of Article 19 of the GDPR. If the data subject’s request for deletion extends to the e-mail address provided by him or her, the data controller also deletes the e-mail address after the information has been provided. Accounting documents are an exception, since these data must be kept for 8 years under § 169(2) of Act C of 2000 on accounting. The data subject’s contractual data may be deleted after the expiry of the civil statute of limitations on the basis of the data subject’s request for cancellation.

The accounting document (including general accounts, analytical and detailed records) supporting the accounting accounts directly and indirectly shall be kept in legible form for at least 8 years, in a way that can be retrieved on the basis of reference to the accounting records.

The identity of the potential controllers authorised to know the data, the recipients of the personal data: The personal data may be processed by the controller and his sales and marketing staff, in accordance with the above principles.

Description of the data subjects’ rights in relation to data processing

  • The data subject may request the controller to access, rectify, delete or restrict the processing of the personal data relating to him or her, and
  • the data subject has the right to data portability and to withdraw consent at any time.

The data subject may initiate access to, deletion, modification or restriction of the processing of personal data, the portability of the data in the following ways:

  • by post at Hungary, 1201 Budapest Tótfalusi Kis Miklós sétány 4.,
  • by e-mail to shop@woodfrog.eu,
  • by phone at +36301600960
  • on woodfrog.eu page (logged in to your account): https://woodfrog.eu/data-request-form/

The legal basis for processing:

  • Article 6(1)(b)(c) of the GDPR
  • Section 13/A(3) of the 2001 CVIII Act on certain issues relating to e-commerce services and information society services (hereinafter referred to as ‘Elker Law’):

For the purpose of providing the service, the service provider may process the personal data which are technically necessary for the provision of the service. In the case of the identity of other conditions, the service provider shall choose and in any case operate the means used in the provision of the information society service in such a way that personal data are processed only if this is strictly necessary for the provision of the service and for the other purposes set out in this Law, but only to the extent and for the necessary period of time.

  • Where an account is issued in accordance with accounting legislation, Article 6(1)(c) shall apply.
  • In the case of the enforcement of claims arising from the contract, 5 years according to Section 6:21 of Section V of the Civil Code Act 2013.

6:22. § [Limitation]

  • Unless otherwise provided for in this Law, claims shall be time-barred after five years.
  • The limitation period shall begin when the claim becomes due.
  • An agreement to change the limitation period shall be in writing.
  • An agreement excluding limitation shall be null and void.

Please note that

  • the processing is necessary for the performance of the contract and for making the offer.
  • you are obliged to provide personal data so that we can fulfill your order. Failure to provide information has the consequence that we are unable to process your order.

Cookie management

The use of so-called “password-protected session cookies”, “shopping cart cookies”, “security cookies”, “necessary cookies”, “Functional cookies” and “cookies responsible for the management of website statistics” does not require prior consent from data subjects. For more information on the handling of cookies: https://woodfrog.eu/cookie-policy-eu/  

Fact of processing, scope of data processed: Unique identification number, dates, times
Scope of data subjects: All visitors to the website.
Purpose of data management: Identify users and track visitors.

Duration of processing, deadline for deletion of data:

Cookie type | Legal basis of data processing | Duration of data management
Session cookies (session) | Act 2001 on certain aspects of electronic commerce services and information society services (Elker Law) § 13/A (3) | The period until the end of the relevant visitor session
Persistent or saved cookies | Act 2001 on certain aspects of electronic commerce services and information society services (Elker Law) § 13/A (3) | Until deleted by the data subject
Statistical cookies | Act 2001 on certain aspects of electronic commerce services and information society services (Elker Law) § 13/A (3) | 1 month – 2 years

  • The identity of the potential data controllers entitled to know the data: The data controller does not process personal data using cookies.
  • Description of the data subjects’ rights to data processing: The data subject has the option to delete cookies in the Tools/Settings menu of browsers, usually under the settings of the Privacy menu.
  • Legal basis for processing: Consent from the data subject is not required where the sole purpose of the use of cookies is to forward communications over the electronic communications network or to provide the information society service specifically requested by the subscriber or user.
  • Most browsers used by our users allow you to set which cookies should be saved and allow (specific) cookies to be deleted again. If you restrict the saving of cookies on specific websites or do not allow third-party cookies, this may in certain circumstances lead to our website no longer being fully usable.

List of specific cookies: https://woodfrog.eu/cookie-policy-eu/

Use of Google Ads conversion tracking

  • An online advertising program called “Google Ads” is used by the data controller and uses Google’s conversion tracking service within its scope. Google Conversion Tracking is an analytics service of Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; “Google”).
  • When a User accesses a website through a Google ad, a cookie for conversion tracking is placed on their computer. These cookies have limited validity and do not contain any personal data, so the User cannot be identified by them.
  • When the User browses certain pages of the website and the cookie has not yet expired, both Google and the data controller can see that the User clicked on the ad.
  • Each Google Ads customer receives a different cookie and cannot be tracked through the websites of Ads customers.
  • The information obtained through conversion tracking cookies is used to provide conversion statistics to Ads conversion tracking customers. Customers are informed about the number of users who clicked on their ad and were forwarded to a page with a conversion tracking tag. However, they do not have access to information that can be used to identify any user.
  • If you don’t want to participate in conversion tracking, you can refuse to do so by disabling the option to install cookies in your browser. You won’t be included in conversion tracking statistics after that.
  • For more information and Google’s privacy statement, see www.google.de/policies/privacy/

Google Analytics app

  • This website uses Google Analytics, a web analytics service of Google Inc. (“Google”). Google Analytics uses so-called “cookies”, text files that are saved on the User’s computer and help analyze the User’s use of the website.
  • Information generated by cookies on the website used by the User is usually sent and stored on a Google server in the USA. By activating IP anonymisation on its website, Google will shorten the User’s IP address within the Member States of the European Union or in other States party to the Agreement on the European Economic Area.
  • Only in exceptional cases will the full IP address be transmitted to Google’s server in the USA and shortened there. On behalf of the operator of this website, Google will use this information to evaluate how the User has used the website, to provide the website operator with reports on website activity, and to provide additional services related to website and internet use.
  • Within the framework of Google Analytics, the IP address transmitted by the User’s browser is not aggregated with other Google data. The user can prevent the storage of cookies by setting his/her browser properly, but please note that in this case, not all functions of this website may be fully usable. You may also prevent Google from collecting and processing your information about your use of the website (including your IP address) by downloading and installing the browser plugin available at the following link. https://tools.google.com/dlpage/gaoptout

Newsletter, DM activity

  • According to Section 6 of the 2008 XLVIII Act on the basic conditions and certain limitations of economic advertising activities, the User may give prior and express consent to being contacted by the Service Provider with its advertising offers and other mail at the contact details provided at the time of registration.
  • Furthermore, the Customer may, in accordance with the provisions of this notice, agree to the Service Provider’s processing of the personal data necessary for the sending of advertising offers.
  • The Service Provider does not send unsolicited advertising messages and the User can unsubscribe from sending offers free of charge without restriction or justification. In this case, the Service Provider will delete all personal data necessary for the sending of advertising messages from its register and will not contact the User with further advertising offers. User can unsubscribe from advertisements by clicking on the link in the message.

The fact of the data collection, the scope of the data processed and the purpose of the processing:

Personal data | Purpose of data processing | Legal basis
Name, e-mail address | Identification, allowing you to sign up for newsletters/discount coupons. | Consent of the data subject, Article 6(1)(a). § 6(5) of The XLVIII Act 2008 on the basic conditions and certain limitations of economic advertising.
The time of signing up | Perform a technical operation. |
IP address at the time of subscription | Perform a technical operation. |

Data subjects: All data subjects who subscribe to the newsletter.

Purpose of data processing: to send electronic messages containing advertising (e-mail, sms, push message) to the data subject, to provide information on current information, products, promotions, new features, etc.

The duration of the processing, the deadline for the deletion of the data: processing lasts until the consent is withdrawn, i.e. until the data subject unsubscribes.

The identity of the potential controllers authorised to know the data, the recipients of the personal data: Personal data may be processed by the controller and his sales and marketing staff, in accordance with the above principles.

Description of the data subjects’ rights in relation to data processing:

  • The data subject may request the controller to access, rectify, delete or restrict the processing of personal data relating to him or her and object to the processing of his or her personal data
  • and the data subject has the right to data portability and to withdraw consent at any time.

The data subject may initiate access to, deletion, modification or restriction of the processing of personal data, portability or objection to the data in the following ways:

  • by post: Hungary, 1201 Budapest Tótfalusi Kis Miklós sétány 4.,
  • e-mail at shop@woodfrog.eu,
  • by phone at +36301600960.

The data subject may unsubscribe from the newsletter free of charge at any time.

Please note that,

  • the processing is based on your consent and the legitimate interest of the service provider.
  • you must provide personal information if you wish to receive a newsletter from us.
  • failure to provide information has the consequence that we are not able to send you a newsletter.
  • you can withdraw your consent at any time by clicking on the unsubscribe link; the withdrawal of consent shall not affect the lawfulness of consent-based processing prior to withdrawal.

Complaint handling

The fact of the data collection, the scope of the data processed and the purpose of the processing:

Personal data | Purpose of data processing | Legal basis
First and last name | Identification, contact. | Article 6(1)(c) and § 17/A(7) of Act CLV of 1997 on Consumer Protection.
E-mail | Contact. |
Phone | Contact. |
Billing name and address | Addressing quality objections, questions and problems with the ordered products. |

Scope of data subjects: All those who have made a complaint and have made a quality complaint on the website.

Duration of processing, deadline for deletion of data: Copies of the minutes, transcripts and replies to the objection shall be kept for 5 years in accordance with § 17/A(7) of the CLV Act on Consumer Protection.

The identity of the potential controllers authorised to know the data, the recipients of the personal data: The personal data may be processed by the controller and his sales and marketing staff, in accordance with the above principles.

Description of the data subjects’ rights in relation to data processing:

  • The data subject may request the controller to access, rectify, delete or restrict the processing of the personal data relating to him or her,
  • the data subject has the right to data portability and the right to withdraw consent at any time

The data subject may initiate access to, deletion, modification or restriction of the processing of personal data, the portability of the data in the following ways:

  • by post at 1201 Budapest Tótfalusi Kis Miklós sétány 4.,
  • by e-mail to shop@woodfrog.eu,
  • by phone at +36301600960,
  • on woodfrog.eu page (logged in to your account): https://woodfrog.eu/data-request-form/

Please note that

  • the provision of personal data is based on a legal obligation.
  • the processing of personal data is a prerequisite for the conclusion of the contract.
  • you are obliged to provide personal data so that we can handle your complaint.
  • failure to provide information has the consequence that we cannot handle the complaint we have received.

Recipients to whom personal data is disclosed

“recipient” means the natural or legal person, public authority, agency or any other body to whom the personal data is disclosed, whether or not it is a third party.

Data processors (who process data on behalf of the controller)

The controller shall use processors to facilitate its own processing activities and to fulfil its obligations under the contract with the data subject or under the law.

The controller shall place great emphasis on using only processors who provide adequate guarantees of compliance with the requirements of the GDPR and the implementation of appropriate technical and organisational measures to ensure the protection of the rights of data subjects.

The processor and any person acting under the control of the controller or processor having access to personal data shall process the personal data contained in this Policy only in accordance with the instructions of the controller.

The controller shall be legally responsible for the activities of the processor. The processor shall be liable for the damage caused by the processing only if it has not respected the obligations specified in the GDPR specifically for processors, or if it has disregarded or acted contrary to the lawful instructions of the controller.

The processor does not make substantive decisions regarding the processing of the data.

The data controller may use a hosting service provider to provide the IT background, a courier service as a data processor for the delivery of the ordered products.

Some processors

Data processor activities | Name, address, contact details
Hosting service | MédiaCenter Hungary Kft., Hungary, 6000 Kecskemét, Sosztakovics u. 3. II/6; postal address: 6001 Kecskemét, Pf. 588.; e-mail: mediacenter@mediacenter.hu; data network center: Hungary, 1132 Budapest XIII. Victor Hugo u. 18-22. (BIX building)
Other processors (e.g. online invoicing, web development, marketing) | Billingo Technologies Zrt., Hungary, 1133 Budapest, Árbóc utca 6. III. floor; e-mail: hello@billingo.hu; phone: +36-1/500-9491; hosting service: Amazon Web Services EMEA SARL (38 avenue John F. Kennedy, L-1855 Luxembourg); https://www.billingo.hu/adatkezelesi-tajekoztato

Transfer of data to third parties

„third party” means any natural or legal person, public authority, agency or any other body other than the data subject, the controller, the processor or persons authorised to process personal data under the direct direction of the controller or processor;

Third-party data controllers process personal data we provide in their own name in accordance with their own privacy policy.

Data controller activities | Name, address, contact details
Transport, fulfillment, logistics | Fuvar.hu Kft.; representative: Szucsányi-Borza Sebestyén; address: Hungary, 7626 Pécs, Farkas István utca 3/1.; phone: +36 30 589 0000; e-mail: info@fuvar.hu
Transport, fulfillment, logistics | MPL Magyar Posta Logisztika Kft., Hungary, 1138 Budapest, Dunavirág utca 2-6.; e-mail: ugyfelszolgalat@posta.hu; phone: (06-1) 333-7777; https://www.posta.hu/adatkezelesi_tajekoztato
Transport, fulfillment, logistics | Webshippy Magyarország Korlátolt Felelősségű Társaság (1044 Budapest, Ezred u. 2. B. ép. 13; info@webshippy.com); https://webshippy.com/adatkezelesi-tajekoztato/
E-business | WooCommerce: WooCommerce Ireland Ltd., Grand Canal Dock, 25 Herbert Pl, Dublin, D02 AY86, Ireland; https://automattic.com/privacy/
Marketing / newsletter | Mailpoet.com: Aut O’Mattic A8C Ireland Ltd., Grand Canal Dock, 25 Herbert Pl, Dublin, D02 AY86, Ireland; phone: 1-877-273-3049; https://automattic.com/privacy/
Online payment | PayPal: PayPal (Europe) S.à.r.l. et Cie, S.C.A. Société en Commandite par Actions; registered office: 22–24 Boulevard Royal, L-2449 Luxemburg; RCS Luxemburg B 118 349; https://www.paypal.com/hu/webapps/mpp/ua/privacy-full
Online payment | Barion Payment Inc.; headquarters: H-1117, Budapest, Infopark sétány 1.; helpdesk: +36 1 464 70 99; company registration number: 01-10-048552. Barion Payment Inc. operates with the license of the Central Bank of Hungary based on the act CCXXXV of 2013 and the EU E-money Directive (EMD) of 2011. License id: H-EN-I-1064/2013; institution id: 25353192; data management registration number: NAIH-73794/2014; https://www.barion.com/en/privacy-notice/

Social media

  • Fact of data collection, range of data processed: Facebook/Twitter/Pinterest/Youtube/Instagram, etc. social media registered name and user’s public profile picture.
  • Data subjects: All data subjects who have registered on Facebook/Twitter/Pinterest/Youtube/Instagram, etc. and “like” the Service Provider’s social media page or contacted the data controller via the social media site.
  • Purpose of data collection: To share or “like”, follow and promote certain content, products, promotions or the website itself on social media sites.
  • Duration of data processing, deadline for deletion of data, identity of potential data controllers entitled to know the data and description of data subjects’ rights in relation to data processing: The data subject can find out about the source of the data, their processing and the method of transmission and legal basis on the relevant social media site. Data processing takes place on social media sites, so the duration, manner of processing and the possibilities of deleting and modifying data are subject to the regulation of the respective social media site.
  • Legal basis for processing: the voluntary consent of the data subject to the processing of his/her personal data on social media sites.

Customer relationships and other data management

  • If the data subject has any questions or problems when using the data controller’s services, he or she can contact the data controller in the ways provided on the website (telephone, e-mail, social media sites, etc.).
  • The Data Controller deletes the received e-mails, messages, data provided by telephone, Facebook, etc., together with the name and e-mail address of the interested person and other personal data provided voluntarily, up to 2 years after the communication.
  • Information on data processing not listed in this notice is provided when the data is recorded.
  • In exceptional cases, at the request of an authority or, if authorised by law, at the request of other bodies, the Service Provider is obliged to provide information, to disclose and hand over data, or to make documents available.
  • In such cases, the Service Provider shall only provide the requesting party with personal data, if it has indicated the exact purpose and scope of the data, only so much and to the extent necessary to achieve the purpose of the request.

Rights of data subjects

Right of access

You have the right to receive feedback from the controller as to whether your personal data are being processed and, if such processing is ongoing, you have the right to have access to the personal data and the information listed in the Regulation.

Right to rectification

You have the right to have the controller correct, at your request and without undue delay, inaccurate personal data relating to you. Taking into account the purpose of the processing, you have the right to request the completion of incomplete personal data, including by means of an additional statement.

Right to erasure

You have the right to have the controller delete, at your request and without undue delay, the personal data relating to you, and the controller is obliged to delete your personal data without undue delay under specific conditions.

The right to be forgotten

If the controller has disclosed the personal data and is obliged to delete it, it shall take reasonable steps, including technical measures, taking into account the available technology and the costs of implementation, to inform the controllers handling the data that you have requested the deletion of links to the personal data in question or of copies or duplicates of such personal data.

Right to restrict processing

You have the right to restrict data processing at your request if one of the following conditions is met:

  • You dispute the accuracy of the personal data, in which case the restriction applies to the period of time that allows the controller to verify the accuracy of the personal data;
  • the processing is unlawful and you object to the deletion of the data and instead ask for restrictions on their use;
  • the controller no longer needs the personal data for the purpose of processing, but you require them to submit, enforce or protect legal claims;
  • You objected to the processing of data; in this case, the restriction shall apply until it is established whether the controller’s legitimate reasons take precedence over your legitimate reasons.

Right to data portability

You have the right to receive the personal data relating to you which you have provided to a controller in a structured, widely used, machine-readable format, and you have the right to forward such data to another controller without being hindered by the controller to which you have provided the personal data (…)

Right to object

In the case of processing based on a legitimate interest or public authority as a legal basis, you have the right to object at any time to the processing of your personal data, including profiling based on those provisions, for reasons relating to your own situation.

Objection in the case of direct marketing

If your personal data is processed for direct marketing purposes, you have the right to object at any time to the processing of personal data relating to you for that purpose, including profiling, in so far as it relates to direct marketing. If you object to the processing of personal data for direct marketing purposes, personal data may no longer be processed for this purpose.

Automated decision-making in individual cases, including profiling

You have the right not to be subject to a decision based solely on automated processing, including profiling, that would have legal effects on you or affect you to a similar extent.

The preceding paragraph shall not apply where the decision:

  • is necessary for the conclusion or performance of a contract between you and the controller;
  • is made possible by Union or Member State law applicable to the controller, which also lays down appropriate measures to protect your rights and freedoms and legitimate interests;

Time limit for action

The controller shall inform you without undue delay, but in any case within 1 month of receipt of the application, of the measures taken following these applications.

If necessary, this may be extended by 2 months. The data controller will inform you of the extension of the deadline within 1 month of receipt of the request, with an indication of the reasons for the delay.

If the controller does not take action on your request, the controller will inform you without delay and at the latest within one month of receipt of the request of the reasons for the non-action and that you can lodge a complaint with a supervisory authority and have the right of judicial redress.

Security of data management

The controller and processor shall implement appropriate technical and organisational measures to ensure a level of data security appropriate to the extent of the risk, taking into account the state of science and technology and the costs of implementation, as well as the nature, scope, circumstances and objectives of the processing, as well as the risk to the rights and freedoms of natural persons, in order to ensure, inter alia, where appropriate:

  • the pseudonymisation and encryption of personal data;
  • ensuring the continued confidentiality, integrity, availability and resilience of the systems and services used to process personal data;
  • in the event of a physical or technical incident, the ability to restore access to and availability of personal data in a timely manner;
  • a procedure for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures taken to ensure the security of data processing.
  • The data processed must be stored in such a way that it cannot be accessed by unauthorised persons: for paper-based media, by establishing a system of physical storage and archiving; for data processed in electronic form, by using a central entitlement management system.
  • The IT method of storing data shall be chosen so that the data can be deleted when the deletion deadline expires or when otherwise necessary, taking into account any differing deletion deadlines. The deletion must be irreversible.
  • Personal data on paper media shall be destroyed by means of a shredder or by an external body specialising in shredding documents. In the case of electronic media, physical destruction shall be carried out in accordance with the rules on the scrapping of electronic media and, where necessary, the data shall be safely and irreversibly deleted beforehand.
  • The controller shall take the following specific data security measures:

In order to ensure the security of personal data processed on paper, the Service Provider applies the following measures (physical protection):

  • Documents are stored in a safe, well-closed, dry room.
  • Where personal data processed on paper is digitised, the rules governing digitally stored documents shall apply.
  • The Service Provider’s data processing staff may leave the room where the data are processed only after locking away the data carriers entrusted to them or closing the room.
  • Personal data may only be known to authorised persons and shall not be accessible to third parties.
  • The building and premises of the Service Provider are equipped with fire protection and property protection equipment.

IT protection

  • The computers and mobile devices (other media) used in the processing are the property of the Service Provider.
  • The computer system containing the personal data used by the Service Provider is equipped with virus protection.
  • In order to ensure the security of digitally stored data, the Service Provider shall use data backups and archiving.
  • Access to the central server machine is permitted only with the appropriate authorisation and only to the designated persons.
  • Data on computers can only be accessed with a user name and password.

Informing the data subject about the data breach

Where a data breach is likely to pose a high risk to the rights and freedoms of natural persons, the controller shall inform the data subject without undue delay.

The information provided to the data subject shall describe the nature of the data breach in clear and plain language and shall state the name and contact details of the Data Protection Officer or other contact person providing further information; the likely consequences of the data breach; and the measures taken or planned by the controller to remedy the data breach, including, where appropriate, measures to mitigate its possible adverse consequences.

The data subject need not be informed if any of the following conditions are met:

  • the controller has implemented appropriate technical and organisational protection measures and these measures have been applied to the data affected by the data breach, in particular measures, such as the use of encryption, which make the data incomprehensible to persons not entitled to access personal data;
  • the controller has taken additional measures following the data breach to ensure that the high risk to the rights and freedoms of the data subject is no longer likely to materialize;
  • information would require a disproportionate effort. In such cases, data subjects shall be informed by means of publicly disclosed information or similar measures shall be taken to ensure that data subjects are equally effectively informed.

If the controller has not yet notified the data subject of the data breach, the supervisory authority may, after considering whether the data breach is likely to pose a high risk, order the data subject to be informed.

Reporting a data breach to the authority

The data breach shall be reported by the controller to the supervisory authority competent under Article 55 without undue delay and, if possible, no later than 72 hours after the data breach has come to its attention, unless the data breach is unlikely to pose a risk to the rights and freedoms of natural persons. If the notification is not made within 72 hours, it shall be accompanied by the reasons for the delay.

Review in case of mandatory processing

If the duration of the mandatory processing or the periodic review of its need is not determined by law, by decree of the local authority or by a mandatory act of the European Union, the controller shall review at least every three years from the start of the processing whether the processing of the personal data processed by him, or by a processor acting on his behalf or under his instructions, is necessary for the purposes of the processing.

The circumstances and outcome of this review shall be documented by the controller, retained for 10 years after the review has been carried out and made available to the National Data Protection and Freedom of Information Authority (hereinafter referred to as the Authority) at its request.

Possibility to complain

A complaint against a possible infringement by the controller can be lodged with the National Data Protection and Freedom of Information Authority:
 
Nemzeti Adatvédelmi és Információszabadság Hatóság
Hungary, 1125 Budapest, Szilágyi Erzsébet fasor 22/C.

Postal address: 1530 Budapest, Postafiók: 5.

Phone: +36-1-391-1400
Fax: +36-1-391-1410
E-mail: ugyfelszolgalat@naih.hu

Closing word

In preparing this privacy notice, we took the following legislation into account:

  • Regulation (EU) 2016/679 of the European Parliament and of the Council (27 April 2016) on the protection of natural persons with regard to the processing of personal data and the free movement of such data and the repeal of Regulation (EC) No 95/46 (General Data Protection Regulation, GDPR);
  • Act CXII of 2011 on the right to informational self-determination and freedom of information (hereinafter referred to as Info law);
  • Act CVIII of 2001 on certain aspects of e-commerce services and information society services (in particular § 13/A a);
  • Act XLVII of 2008 on the prohibition of unfair commercial practices against consumers;
  • Act XLVIII of 2008 on the basic conditions and certain limitations of economic advertising (in particular 6.§a);
  • Act XC of 2005 on freedom of information;
  • Act C of 2003 on electronic communications (specifically § 155);
  • Opinion No 16/2011 on the EASA/IAB recommendation on best practice in behavioural online advertising;
  • Recommendation of the National Data Protection and Freedom of Information Authority on the data protection requirements for prior information.