PRIVACY POLICY
HEALTH AND YOUTH KFT.
(Last modified 18 June 2020)
Health and Youth Kft. as data controller (hereinafter referred to as ‘Service Provider’, ‘Data Controller’) hereby informs visitors of its website and those who register there and also customers (hereinafter referred to as Data Subject) about personal data processed by Health and Youth Kft., the company’s policy pursued while processing personal data and also the way and possibilities of data subjects to exercise their rights.
Health and Youth webshop (hereinafter referred to as Webshop) is a part of the website accessible at domain name www.healthandyouth.hu (hereinafter referred to as Website) and it is considered to be the own website of the Data Controller.
Data Controller expresses its consent to be bound by the contents of the present legal notice on data processing carried out in the course of its activity. Data Controller reserves the right to modify this Privacy Policy (hereinafter referred to as ‘Policy’). Data Controller discloses the effective version of the Policy on its internet website. Data Controller shall manage personal data confidentially and safely and upon the change of legal and technical circumstances it carries out the necessary improvements and modifications.
Concurrently with using the Website, the Data Subject accepts the contents of the Policy, for this reason please read this Policy carefully before using the Website. Data Subject provides consent to certain data processing by using the Website, registration and providing the data in question on a voluntary basis.
I. DEFINITIONS
‘data subject’ shall mean any natural person directly or indirectly identifiable by reference to specific personal data;
‘partner’ shall mean the data subjects of personal data getting to the Data Controller in the course of formation of business relations and maintenance thereof; furthermore, all those natural persons acting on behalf of private persons and legal entities, for whom the Data Controller provides services, and those who engage in a contractual relationship with the Data Controller;
‘personal data’ shall mean any information relating to (an identified or identifiable natural person) the data subject; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
’controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data;
’consent of the data subject’ means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
‘objection’ shall mean the case when the data subject objects to the processing of his personal data and requires the abolishment of processing or erasure of the processed data.
‘data processing’ shall mean performing technical tasks in connection with data processing operations, irrespective of the method and means used for executing the operations, as well as the place of execution, provided that the technical task is performed on the data;
‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed
‘profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
‘third party’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
‘website’ means www.healthandyouth.hu
II. DATA OF DATA CONTROLLER, CONTACT INFORMATION
Company name: Health and Youth Kereskedelmi és Szolgáltató Kft. operator of the Website.
Seat and postal address: 1224 Budapest, Diótörő út 108.
Company registration number: 01 09 299000
Tax number: 25966213-2-43
Registration number of data control: NAIH-142640/2018.
E-mail address: info@healthandyouth.hu
III. DATA PROCESSING PRINCIPLES
Data Controller shall record and process personal data lawfully, fairly and in a manner transparent to the Data Subject. Data Controller shall collect and process personal data for specified, explicit and legitimate purposes.
Personal data processed by the Data Controller are adequate, relevant and limited to what is necessary in relation to duration and the purposes for which they are processed.
Data Controller shall manage personal data confidentially and safely and carries all the necessary improvements and modifications required by the legal and technical circumstances.
IV. SCOPE OF PROCESSED DATA, PURPOSE, DURATION AND LEGAL BASIS OF DATA PROCESSING
Data Controller shall carry out data processing involving with the processing of personal data due to the following reasons and in relation to activities listed below:
1. REGISTRATION
Scope of processed personal data: name, e-mail address (not necessary to contain personal data), password, telephone number, invoicing data (name, country, postal code, settlement, street, number), delivery data (name, country:, postal code, settlement, street, number), date and time of registration, IP address of the computer of the user upon registration.
Purposes of data processing: identification of the Data Subject, secure login to the user’s account, contact, issuance of a proper invoice, carrying out technical operations.
Legal basis of data processing is the voluntary consent of the Data Subject and Section 1 (a) Article 6 of the GDPR).
Scope of Data Subjects: all Data Subjects registered on the website.
Duration of data processing and data erasure deadline: until the Data Subject’s request to erase. Personal data shall be erased immediately upon deregistration. On the basis of Article 19 of the GDPR, the controller shall electronically communicate erasure of any personal data provided by the Data Subject. If the erasure request of the Data Subject applies to the e-mail address provided by him, the data controller shall erase the e-mail address as well after the notification.
Potential data controllers entitled to become familiar with the data and the addressees of the personal data: personal data shall be processed by the authorised employees of the data controller, in line with the provisions of this policy.
Hereby we inform you that
data processing is based on your voluntary consent;
you are obliged to provide personal data in order to enable us to register you;
failing to provide data will leave us unable to create a user’s account.
In order to make purchase process quicker and more comfortable, it is possible to purchase in the Webshop without registration as well.
2. DATA PROCESSING IN RELATION TO ONLINE SHOPPING
Scope of processed personal data: name, e-mail address (not necessary to contain personal data), telephone number, invoicing data (name, country, postal code, settlement, street, number), delivery data (name, country:, postal code, settlement:, street, number), bank account number if there is a bank transfer, date of placing the order, IP address when the order is placed.
Purposes of data processing: identification of the Data Subject, contacting, keeping contact, performance of the order, issuance of a proper invoice, confirmation, efficient management of questions regarding orders and delivery, enabling home delivery, enforcement of claims, paying back the purchase price upon withdrawal (aim of processing bank account number), performance of technical operations.
Legal basis of data processing: Section (1) (b) Article 6 of the GDPR and Section (3) Article 13/A of Elker tv., data processing is necessary in order to perform the contract.
Scope of Data Subjects: all persons placing orders are Data Subjects.
Period of data processing, deadline of erasure of data: data related to the performance of the contract are used in the interest of the contract and we erase or destroy them upon the termination of the contract or after a certain time period defined by law elapses. On the basis of Section (1) Article 169 of Act on Accounting, accounting documents and relating files shall be kept for 8 years.
Potential data controllers and addressees of the personal data: personal data shall be processed by the co-workers of the data controller.
Hereby we inform you that
you are obliged to provide personal data in order to conclude a contract, this way we can perform your order;
failing to provide data will leave us unable to process and perform your order.
3. PROCESSING OF RESELLER PARTNERS’ DATA
3.1. Data processing during the formation of business relationships
Scope of processed data: name, e-mail address, phone number.
Legal basis of data processing: voluntary consent of the affected Partner on the basis of Section (1) (a) Article 6 of the GDPR. The affected Partner gives consent to the procession of his personal data by voluntarily handing over contact data to the Data Controller.
Purpose of data processing: to communicate in the offer phase in order to facilitate the procedure of obtaining business.
Period of data processing, deadline for erasure of data: processing shall last until the affected Partner requires erasure. On the basis of Article 19 of the GDPR, the Data Controller shall inform the affected Partner electronically about the erasure of any of the data provided by the Partner. If the request for erasure of the affected Partner covers the provided e-mail address as well, the Data Controller shall delete the e-mail address after the notification has been sent.
3.2 Data processing in the course of the contractual relationship and data processing thereafter, in order to exercise a claim
Scope of processed data: name, e-mail address, phone number, title.
Legal basis of data processing: data processing is necessary in order to perform the agreement, on the basis Section (1) (b) and/or (f) of Article 6 of the GDPR.
Purpose of data processing: communication necessary in order to perform the reseller agreement.
Period of data processing, deadline for erasure of data: we keep the data for the duration of the contractual relationship or until the period for filing claims expires. Insofar as any of the affected Partners or legal entity represented by the Partner requires, then – on the basis of the express declaration of consent of the Partner –, the Data Controller is entitled to process the Partner’s personal data (name, e-mail address, phone number), beyond the above deadline, until the consent of the Partner is revoked.
4. PERSONAL DATA PROCESSED IN THE COURSE OF A PRIZE COMPETITION
Data Controller organises and carries out Facebook prize competition from time to time.
Regarding data processing in the course of carrying out the prize competition, the following section of this Policy and the Prize Competition Rules and Regulations shall prevail.
In the course of registration to the prize competition, name and e-mail addresses of participants giving their consents to get direct marketing offers shall also be placed in the newsletter database.
Scope of processed personal data: name, address or postal address of the winner.
Purpose of data processing: participation in the prize competition, drawing the winners, notification of winners, fulfilment of accounting obligations, information, keeping contact.
Legal basis of data processing: voluntary consent of the Data Subject by means of taking part in the competition, Section (2) of Article 169 of Accounting Act.
Period of data processing: Regarding consent given to receive direct marketing offers, the period of processing is valid until revocation. Data of participants who did not win and those who do not give their consents to receive direct marketing offers shall be deleted after the drawing. Receipts shall be kept for 8 years in line with Section (2) Article 169 of Accounting Act.
5. Contact
May any question arise while using our services, you can contact the Data Controller at contact addresses provided in this Policy and placed on the Website; and you can also contact us by using the form at the bottom of the Website.
Scope of processed personal data: name, e-mail address of sender, date of sending, question, other personal data provided in the message, IP address of the user’s computer.
Purpose of data processing: clarifying arising questions.
Legal basis of data processing: voluntary consent of the Data Subject and Section (1) (a) of Article 6 of the GDPR.
Period of data processing: Maximum 1 year from communication of the data.
6. SOCIAL MEDIA
Scope of processed data: name and public profile picture of the User registered on Facebook social media site.
Scope of data subjects: all data subjects who registered on the social media site of Facebook and “liked”, “followed” the site of the Data Controller.
Purpose of data collection: sharing and “liking” some elements and notifications of the site of the Data Controller on social media platforms.
Data Subjects may gain information on the source of data, their processing and mode of transfer and its legal basis on the given social media site. Data processing is carried out on the social media sites, thus duration of data processing, its mode and erasure or modification of data shall be governed by the rules and regulations of the given social media site. https://www.facebook.com/policy.
Legal basis of data processing: voluntary consent of the data subject to the processing of his personal data on social media sites.
V. NEWSLETTER
Data Controller provides an opportunity to sign up for newsletters on the Website. Thus the User may expressly and in advance -– in view of the provisions of this policy – consent that the Data Controller may contact him to send advertisements and other messages (newsletter) to the contact addresses provided in the course of registration, and that Data Controller may process his personal data necessary for sending advertising offers. Data Controller shall not send unclaimed advertisement messages.
In case of newsletters the Data Controller processes the data of the Data Subject provided in the course of registration until the Data Subject unsubscribes from newsletters by clicking on ‘unsubscribe’ link at the end of the newsletter or requires – without limitation and obligation to provide justification – his removal from the list of newsletter subscribers via e-mail or by post. If Data Subject unsubscribes, the Data Controller shall not send any newsletters or offers. The Data Subject may unsubscribe from the newsletter any time free of charge and may revoke his consent. By logging in to their personal accounts, registered users may unsubscribe at any time from the newsletters free of charge.
Scope of processed personal data: name, e-mail address, date of subscription, IP address upon subscription.
Purpose of data processing: identification of the Data Subject, enabling subscription to newsletters, carrying out technical operations.
Scope of Data Subjects: all Data Subjects signed up for newsletters.
Purpose of data processing: sending electronic messages containing advertisements to the Data Subject, providing information about current news, products and sales.
Duration of data processing and data erasure deadline: until the declaration of consent is revoked, i.e. data processing lasts until the Data Subject unsubscribes. The Data Subject shall be informed electronically about unsubscribing and erasure from the newsletter address list.
Potential data controllers and the addressees of the personal data: personal data shall be processed by the marketing co-workers of the data controller.
The Data Subject may unsubscribe from the newsletter anytime, free of charge.
Legal basis of data processing is the voluntary consent of the data subject and Section (1) (a) Article 6 of the GDPR and Section (1) Article 5 of Infotv., Article 13/A of Elkertv. and Section (5) Article 6 of Grt.
Hereby we inform you that
data processing is based on your voluntary consent;
if you wish to get newsletters from us, it is necessary to provide us with your personal data;
failing to provide data will leave us unable to send you newsletters.
VI. DATA PROCESSORS
Data Controller uses the following data processors:
Hosting service provider
Activity of the Data Processor: Provision of hosting services
Name and contact details of Data Processor:
Name:EVOLUTIONET Szolgáltató és Kereskedelmi Kft.
Registered seat: 7342 Mágocs Széchenyi utca 75.
Web: www.evolutionet.hu
Scope of processed data: all personal data provided by the Data Subject.
Scope of Data Subjects: all Data Subjects using the services of the Website, registered on the website or those who have placed an order.
Purpose of data processing: Making the website accessible, operating the website properly. /Hosting services/
Duration of data processing and data erasure deadline: until the agreement between the Data Controller and the Hosting Service provider terminates or until Data Subjects require erasure from the Hosting service provider.
Legal basis of data processing is the voluntary consent of the User and Section (1) Article 5 of Infotv., Section (1) (a) of Article 6 of the GDPR and Section (3) Article 13/A of Elkertv.
Delivery
Name and contact details of Data Processor:
Name: GLS General Logistics Systems Hungary Kft.
Registered Seat: 2351 Alsónémedi, GLS Európa utca 2.
Web: www.gls-group.eu/HU/hu/home
Activity of the Data Processor: Delivery of products.
Fact of data processing, scope of processed data: delivery name, delivery address, telephone number, e-mail address.
Scope of Data Subjects: all Data Subjects requesting home delivery.
Purpose of data processing: delivering the ordered products.
Duration of data processing and data erasure deadline: until home delivery is performed.
Legal basis of data processing: performance of the contract, Section (1) (b) of Article 6 of the GDPR.
Online payment
Name and contact details of Data Processor
Name: OTP Mobil Szolgáltató Kft.
Registered Seat: 1093 Budapest, Közraktár utca 30-32.
Web: www.otpmobil.hu
Activity of the Data Processor: Online payment– SimplePay
Fact of data processing, scope of processed data: invoicing name, invoicing address, e-mail address.
Scope of Data Subjects: all Data Subjects requesting online payment.
Purpose of data processing: carrying out online payment, confirmation of transactions and checking abuses in the interest of the users.
Duration of data processing and data erasure deadline: until online payment is carried out.
Legal basis of data processing: performance of the contract, Section (1) (b) of Article 6 of the GDPR.
System administrator services
Name and contact details of Data Processor:
Name: Vieeye Online Marketing Kft.
Registered Seat: 2051 Biatorbágy, Tulipán utca 17/a.
Web: www.vieeye.hu
Activity of the Data Processor: system administrator services (monitoring, technical upgrade, development of security system, other developments, repair)
3. Fact of data processing, scope of processed data: all personal data provided by the Data Subject.
4. Scope of Data Subjects: all Data Subjects using the services of the Website, registered on the website or those who have placed orders.
5. Purpose of data processing: System administrator services (improvements, checks, repairs)
6. Duration of data processing and data erasure deadline: until the agreement between the Data Controller and the Data Processor set out in this section terminates or until Data Controller require erasure from the data processor.
7. Legal basis of data processing is the voluntary consent of the User and Section (1) Article 5 of Infotv., Section (1) (a) of Article 6 of the GDPR and Section (3) Article 13/A of Elkertv.
Online marketing services
Name and contact of Data Processor:
Name: ARMADILLO DESIGN Kereskedelmi és Szolgáltató Kft.
Registered seat: 1043 Budapest, Csányi László utca 27.
Web: www.armadillo.hu
Activity of the Data Processor: online marketing.
Fact of data processing, scope of processed data: name, e-mail address.
Scope of Data Subjects: all Data Subjects using the website and signing up for newsletters.
Purpose of data processing: Propagation and advertisement of products on the website and improvement of traffic to the website, organising prize competitions.
Duration of data processing and data erasure deadline: until the agreement between the Data Controller and the Data Processor set out in this section terminates or until Data Subjects require erasure from the data processor.
Legal basis of data processing is the voluntary consent of the User and Section (1) Article 5 of Infotv., Section (1) (a) of Article 6 of the GDPR and Section (3) of Article 13/A of Elkertv.
Invoicing
Name and contact details of Data Processor:
Name: InnVoice Ügyviteli Szoftver Kft.
Registered Seat: 9700 Szombathely, Olimpia utca 20.
Web: https://www.innvoice.hu
Activity of the Data Processor: invoicing.
Fact of data processing, scope of processed data: name, invoicing name, invoicing address.
Scope of Data Subjects: All persons placing orders on the website are Data Subjects.
Purpose of data processing: issuing an invoice.
Duration of data processing and data erasure deadline: 8 years on the basis of Section (2) Article 169 of Act C of 2000 on accounting.
Legal basis of data processing is the consent of the User and Section (1) Article 5 of Infotv, Section (1) (a) of Article 6 of the GDPR and Section (3) Article 13/A of Elkertv.
VII. TECHNICAL DATA, COOKIES
Those data of the login computer of the Data Subject which are generated in the course of using the service and which are recorded by the system of the Data Controller as automatic result of the technical processes. These are – in particular –date and time of visit, IP address of the Data Subject and type of browser.
The automatically recorded data are automatically logged upon login and logout without a specific statement or act of the Data Subject. These data may not be combined with other personal data of the users’ – apart from the ones prescribed by law. Only the Data Controller has access to the data.
Data Controller and the below named external service providers place and read back a small file (so called cookie) containing a series of characters in order to provide customized services. If the browser sends back a previously saved cookie, the service provider managing the cookie is able to combine the data of the Data Subject saved during the current visit with the data of previous visits, but only in relation to its own content. The following cookies are used:
Security cookie;
Session cookie: following the visit of the Data Subject, these cookies are automatically deleted. These cookies are to ensure the more effective and secure operation of the Website of the Data Controller; thus, these are indispensable for certain functions or applications of the Website to operate properly.
Persistent cookie: these are stored in the cookie file of the browser for a longer period of time. Duration of this depends on the settings used by the Data Subject in his browser.
Certain parts of these cookies are to ensure the more effective and secure operation of the Website of the Data Controller and these are indispensable for certain functions or applications of the Website to operate properly. However, certain cookies are placed to provide a better user experience (e.g. provision of optimized navigation).
In the menu of most browsers there is a ‘Help’ function, which provides the Data Subject with information on
how to deny cookies,
how to allow new cookies,
how to instruct the browser to set new cookie, or
how to turn off other cookies in the browser.
External servers assist the independent measure and auditing of the traffic of the website and other web analytical data (Google Analytics). Data processors provide further information to the Data Subjects on the processing of measurement data.
Availability: www.google.com/analytics/
The Website uses the remarketing tracking codes of Google Adwords. The basis of this is that the visitors of the Website are subsequently contacted with remarketing advertisements belonging to the Google Display network website. The remarketing code uses cookies to tag visitors. Users of the Website may deny these cookies if they visit Google advertisement settings and follow the instructions provided there. Thereafter, no personalised advertisements from the Data Controller will appear at the Data Subject.
Insofar as the Data Subject does not want Google Analytics to measure the above data with the above purpose and way, the Data Subject shall install a complementary blocking to his browser.
VIII. MEANS OF DATA PROCESSING
Data Controller shall store data provided by the Data Subject with limitation of purpose.
Data are automatically recorded for statistical reasons and in order to technically improve the Website and also to protect the rights of Data Subjects.
Data Controller shall not check the data it has been provided with. Only the person providing the data is responsible for the suitability of the given data. Upon providing his e-mail address, the Data Subject shall take responsibility that it is only him who uses the service via the provided e-mail address. Regarding this responsibility, the Data Subject – who registered the e-mail address in question – shall bear liability for all logins related to the given e-mail address.
Data Controller does not and shall not use the provided personal data for other purposes than in the Policy.
Disclosing personal data to third parties or authorities – unless otherwise provided by law – is possible only with the prior, express consent of the Data Subject. In such cases when Data Controller intends to use the provided data for a reason other than the original purpose, it shall inform the Data Subject thereof and shall obtain the prior, express consent of the Data Subject, furthermore an opportunity shall be provided for the Data Subject to deny the use of his data.
Insofar as any question arises during the use of the services of the Data Controller, or the Data Subject comes to a problem, he may contact the Data Controller at the contacts (phone, e-mail etc.) indicated on the website.
Data Subject may turn to the co-worker of the Data Controller via the given contact addresses in case any questions or remarks arise concerning data processing. Data Controller shall delete incoming e-mails along with the name, e-mail address and other personal data of the sender provided in the e-mail, maximum after 2 years from communication of the data. Data Controller shall provide information on other data processing not mentioned in the present policy at the time of data recording.
Upon exceptional authority requests or requests of other organisations based on statutory authorisation, Data Controller is obliged to inform, provide and disclose data and to hand over documentation. In such cases, Data Controller discloses personal data to authorities only if the authority has specified the exact aim and data and personal data are disclosed only to an extent that is necessary for the purpose of the request.
IX. RIGHTS OF DATA SUBJECTS
Data protection rights and judicial remedies of the Data Subjects are contained in the relevant regulations of the GDPR (with special regard to Article 15., 16., 17., 18., 19., 20., 21., 22., 77., 78., 79., 80. and 82). The following sections contain the most important regulations.
Right of access
Data subjects shall have the right to obtain from the Data Controller confirmation as to whether or not personal data concerning him are being processed, and, where that is the case, access shall be granted to the personal data and information listed in the regulation.
Right to rectification
The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him. Taking into account the purpose of the processing, the Data Subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
Right to erasure
The Data Subject shall have the right to obtain from the Data Controller the erasure of personal data concerning him without undue delay. The Data Controller shall have the obligation to erase personal data without undue delay if certain conditions apply.
The right to be forgotten
If Data Controller disclosed the personal data and is obliged to erase such data, it shall make all reasonable efforts by taking in consideration the available technology and costs of fulfilment – including technical measures – in order to inform data processors processing the data that the data subject asked for the erasure of the relevant link referring to personal data or the copy or duplicate thereof.
Right to restriction of processing
Upon request of the Data Subject, the Data Controller shall restrict data processing if certain conditions are met.
Right to data portability
The Data subject shall have the right to receive the personal data concerning him, which he has provided to the Data Controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another data controller.
Right to object
The Data Subject shall have the right to object to the processing of his personal data, including profiling.
The Data Subject is entitled to require information from the Data Controller at any time about the processing of his personal data. The Data Subject can initiate to have access to personal data, their erasure, modification, limitation of processing, portability of data and objection to data processing at contact addresses set out in Section II.
Deadline for taking measures
The Data Controller shall provide information to the Data Subject in writing on an action taken on request without undue delay and in any event within 30 days of receipt of the request.
If necessary, this deadline may be extended by 30 days. The Data Controller shall inform the Data Subject of such extension within 30 days of receipt of the request, along with the reasons for the delay. If the Data Controller refuses to take measures upon the Data Subject’s request, it shall inform the Data Subject in writing within one month of the receipt of the request about the factual or legal reasons, the reasons for refusing to take measures and also about the fact that the Data Subject may make a complaint at the authority set out in Section XI or the Data Subject may recourse to legal remedy.
X. INFROMING THE DATA SUBJECT ABOUT PERSONAL DATA BREACH
The Data Controller shall communicate to the Data Subject a personal data breach, without undue delay, where that personal data breach is likely to result in a high risk to the rights and freedoms of the Data Subject(s).
The Data Controller’s communication towards the Data Subject shall describe the nature of the personal data breach as well as provide further information about the name and contact of the contact person; Data Controller shall introduce the probable consequences arising from the personal data breach; shall inform about the measures taken or planned to be taken to remedy the personal data breach, including measures aiming to mitigate the adverse consequences arising from the personal data breach.
If any of the below conditions are met, the Data Controller shall not be obliged to inform the Data Subject:
a) the Data Controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption;
b) the Data Controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialise;
c) the communication would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.
XI. ENFORCEMENT OF RIGHTS
In case the rights of the Data Subject are infringed, he might bring the matter to the court against the Data Controller. The court shall hear such cases in priority proceedings.
Upon infringement of law by the Data Controller, a complaint may be filed with the Hungarian National Authority for Data Protection and Freedom of Information:
1125 Budapest, 22/C Szilágyi Erzsébet fasor
Postal Address: 1530 Budapest, Postafiók: 5.
Telephone: +36 -1-391-1400
Fax: +36-1-391-1410
E-mail: ugyfelszolgalat@naih.hu
Website: www.naih.hu
Insofar as the Data Subject provided the data of a third party during registration, or causes any damage while using the Website, the Data Controller shall be entitled to claim damages from the Data Subject. In such cases the Data Controller shall offer help to the acting authorities within its power to establish the identity of the offender.
XII. MISCELLANEOUS
The system of the Data Controller may collect information about the activity of the Data Subjects, which shall not be connected to other data provided by the Data Subject upon registration, neither to other data generated upon the use of other websites or services.
The Data Controller undertakes to guarantee the security of the data, and takes those technical measures which ensure that the recorded, stored and processed data are protected and make every attempt to prevent their destroy, unauthorised use and unauthorised modification. Furthermore, the Data Controller undertakes to make all third parties to whom it forwards or transfers the data keep these above regulations.
Data Controller provides information upon special request about requirements and tasks regarding safe backup affecting its IT systems and also about saving procedure.
The Data Controller ensures to act in accordance with the effective data protection regulations and the consistent data protection authority practice in the course of its data processing activity. Principles of data processing are in compliance with the effective regulations relating to data protection, in particular:
Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR – effective from 25 May 2018)
Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information (Infotv.);
Act CVIII of 2001 on certain aspects of electronic commerce and information society services (Elker tv.);
Act V of 2013 on the Civil Code (Ptk.);
Act C of 2003 on electronic communications;
Act XLVIII of 2008 on the Basic Requirements and Certain Restrictions of Commercial Advertising Activities (Grtv.).
This Privacy Policy shall come into force on the 18th day of June 2020.