Privacy Policy – Yuliah.com

INTRODUCTION

This data processing by Barth Designs Kft. (19 Dózsa György rakpart, Győr, 9026, Hungary; Tax number: 23935879-2-08; Company registration number: 08-09-023574) (hereinafter: Provider, Data Controller) is carried out in accordance with the provisions of this policy.

We provide the following information pursuant to REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation - GDPR).

This Privacy Policy regulates the data processing of the following websites/mobile applications: https://www.yuliah.com

The Privacy Policy is available from the following webpage: https://www.yuliah.com/privacy-policy

Amendments to this policy shall enter into force upon publication at the above address.

The Data Controller and Contact Details

  • Name: Barth Designs Kft.
  • Registered Office: 19 Dózsa György rakpart, Győr, 9026, Hungary
  • Email: info@yuliah.com
  • Phone: +36 30 611 5327

DEFINITIONS

  • "personal data": means any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
  • "processing": means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
  • "controller" (Data Controller): means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
  • "processor" (Data Processor): means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
  • "recipient": means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;
  • "consent of the data subject": means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
  • "personal data breach": means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
  • "profiling": means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
  • "third party": means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.

PRINCIPLES RELATING TO PROCESSING OF PERSONAL DATA

Personal data shall be:

  • processed lawfully, fairly and in a transparent manner in relation to the data subject ("lawfulness, fairness and transparency");
  • collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes ("purpose limitation");
  • adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed ("data minimisation");
  • accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay ("accuracy");
  • kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject ("storage limitation");
  • processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures ("integrity and confidentiality").

The controller shall be responsible for, and be able to demonstrate compliance with these principles ("accountability"). The Data Controller declares that its data processing is carried out in accordance with the principles set out in this section.

DATA PROCESSING RELATED TO THE OPERATION OF THE WEBSHOP

1. The Fact of Data Collection, Scope of Processed Data, and Purpose of Processing:

| Personal Data | Purpose of Processing | Legal Basis |
| --- | --- | --- |
| Username | Identification, enabling registration. | Consent of the data subject, Article 6(1)(a) of the GDPR. |
| Password | Serves for secure login to the user account. | Consent of the data subject, Article 6(1)(a) of the GDPR. |
| First name and Last name | Necessary for establishing contact, making purchases, issuing legally compliant invoices, and exercising the right of withdrawal. | Performance of a contract, Article 6(1)(b) of the GDPR. |
| Email address | Maintaining contact. | Performance of a contract, Article 6(1)(b) of the GDPR. |
| Phone number | Maintaining contact, more efficient coordination of questions regarding billing or delivery. | Performance of a contract, Article 6(1)(b) of the GDPR. |
| Billing name and address | Issuing a legally compliant invoice, establishing the contract, defining and modifying its content, monitoring its performance, invoicing the fees resulting from it, and enforcing related claims. | Compliance with a legal obligation, Article 6(1)(c) of the GDPR. (The legal obligation is based on Section 169 (2) of Act C of 2000 on Accounting). |
| Delivery name and address | Enabling home delivery. | Performance of a contract, Article 6(1)(b) of the GDPR. |
| Date and time of purchase/registration | Execution of a technical operation. | Performance of a contract, Article 6(1)(b) of the GDPR. |
| IP address at the time of purchase/registration | Execution of a technical operation. | Performance of a contract, Article 6(1)(b) of the GDPR. |

  2. Scope of Data Subjects: All data subjects registered/purchasing on the webshop website. Neither the username nor the email address is required to contain personal data.
  3. Duration of Data Processing, Deadline for Erasure of Data: If any of the conditions set out in Article 17(1) of the GDPR exist, it lasts until the erasure request of the data subject. Pursuant to Article 19 of the GDPR, the Data Controller shall inform the data subject electronically of the erasure of any personal data provided by the data subject. If the data subject's request for erasure also extends to the email address provided by them, the Data Controller shall also erase the email address following the notification. Excepted are accounting documents, since pursuant to Section 169 (2) of Act C of 2000 on Accounting, this data must be preserved for 8 years. The contractual data of the data subject may be erased based on the data subject's request for erasure upon the expiry of the civil law statute of limitations.

Accounting documents directly and indirectly supporting the bookkeeping settlement (including general ledger accounts, analytical and detailed records) must be preserved in a legible form for at least 8 years, retrievable based on references in the accounting records.

  4. Rights of Data Subjects Regarding Data Processing:
  • The data subject may request from the Data Controller access to, rectification or erasure of personal data relating to them, or restriction of processing, and
  • the data subject has the right to data portability, as well as the right to withdraw consent at any time.
  5. The data subject can initiate access to, erasure, modification, or restriction of processing of personal data, as well as data portability, in the following ways:
  • By post: at the address 19 Dózsa György rakpart, Győr, 9026, Hungary
  • By email: at the email address info@yuliah.com
  • By phone: at the number +36 30 611 5327
  6. We inform you that:
  • the data processing is necessary for the performance of a contract and for providing offers;
  • you are obliged to provide the personal data so that we can fulfill your order;
  • the failure to provide data has the consequence that we are unable to process your order.

MANAGEMENT OF COOKIES

  1. No prior consent is required from data subjects for the use of so-called "cookies used for password-protected sessions," "cookies required for the shopping cart," "security cookies," "necessary cookies," "functional cookies," and "cookies responsible for managing website statistics."
  2. The Fact of Data Processing, Scope of Processed Data: Unique identification number, dates, times.
  3. Scope of Data Subjects: All data subjects visiting the website.
  4. Purpose of Data Processing: Identification of users, tracking of visitors, providing customized functionality.
  5. Duration of Data Processing, Deadline for Erasure of Data:

| Cookie Type | Legal Basis of Processing | Duration of Processing |
| --- | --- | --- |
| Session cookies, or other cookies strictly necessary for the operation of the website | No personal data processing takes place through the use of the cookie. | The period until the closure of the relevant visitor session; thus, it remains on the computer only until the browser is closed. |
| Statistical and marketing cookies | Article 6(1)(a) of the GDPR | 1 day to 2 years, in accordance with the cookie policy, or until the data subject's consent is withdrawn. |

  6. Rights of Data Subjects Regarding Data Processing: Data subjects have the option to delete cookies in their browser's Tools/Settings menu, typically under the Privacy settings.
  7. Most browsers used by our users allow settings to determine which cookies should be saved and enable (specific) cookies to be deleted again. If you restrict the saving of cookies on specific websites or do not allow third-party cookies, this may, under certain circumstances, lead to our website no longer being fully usable. Here you can find information on how to customize cookie settings for common browsers:

APPLICATION OF GOOGLE ANALYTICS

  • This website uses Google Analytics, a web analytics service provided by Google Inc. ("Google"). Google Analytics uses so-called "cookies", which are text files saved on your computer, thereby helping to analyze the use of the website visited by the User.
  • The information generated by the cookies regarding the website used by the User is usually transmitted to and stored on a Google server in the USA. By activating IP anonymization on the website, Google shortens the User's IP address beforehand within the Member States of the European Union or in other states party to the Agreement on the European Economic Area.
  • The transmission of the full IP address to a Google server in the USA and its shortening there takes place only in exceptional cases. On behalf of the operator of this website, Google will use this information to evaluate how the User used the website, to compile reports on website activity for the website operator, and to provide further services related to website and internet usage.
  • Within the framework of Google Analytics, the IP address transmitted by the User's browser will not be merged with other Google data. The User can prevent the storage of cookies by appropriately setting their browser; however, please note that in this case, it may happen that not all functions of this website will be fully usable.
  • You can also prevent Google from collecting and processing data related to your website use generated by cookies (including your IP address) by downloading and installing the browser plugin available at the following link: https://tools.google.com/dlpage/gaoptout?hl=hu

NEWSLETTER, DIRECT MARKETING (DM) ACTIVITIES BASED ON CONSENT

  1. Pursuant to Section 6 of Act XLVIII of 2008 on the Basic Conditions and Certain Restrictions of Economic Advertising Activity, unless otherwise provided by a specific act, advertising may be communicated to a natural person – as the recipient of the advertisement – by the method of direct marketing (direct business acquisition), in particular via electronic mail or other equivalent means of individual communication, exclusively if the recipient of the advertisement has clearly and expressly consented to it in advance.
  2. Furthermore, keeping the provisions of this policy in mind, the User may consent to the Provider processing their personal data necessary for sending advertising offers.
  3. The Provider does not send unsolicited advertising messages, and the User may unsubscribe from receiving offers free of charge, without restriction and without giving any reason. In this case, the Provider shall erase all personal data necessary for sending advertising messages from its registry and will not contact the User with further advertising offers. The User can unsubscribe from advertisements by clicking on the link within the message.
  4. The Fact of Data Collection, Scope of Processed Data, and Purpose of Processing:

| Personal Data | Purpose of Processing | Legal Basis |
| --- | --- | --- |
| Name, email address | Identification, enabling subscription to the newsletter / promotional coupons. | Consent of the data subject, Article 6(1)(a) of the GDPR. |
| Date and time of subscription | Execution of a technical operation. | Consent of the data subject, Article 6(1)(a) of the GDPR. |
| IP address at the time of subscription | Execution of a technical operation. | Consent of the data subject, Article 6(1)(a) of the GDPR. |

  5. Newsletters are sent in compliance with the provisions of Act XLVIII of 2008 on the Basic Conditions and Certain Restrictions of Economic Advertising Activity.
  6. Scope of Data Subjects: All data subjects subscribing to the newsletter.
  7. Purpose of Data Processing: Sending electronic messages containing advertisements (email, SMS, push messages) to the data subject, providing information about current updates, products, promotions, new features, etc.
  8. Duration of Data Processing, Deadline for Erasure of Data: Data processing lasts until the withdrawal of consent (unsubscribing, request for erasure by the data subject) or until the termination of the newsletter service.
  9. Rights of Data Subjects Regarding Data Processing:
  • The data subject may request from the Data Controller access to, rectification, erasure, or restriction of processing of personal data relating to them, and
  • the data subject has the right to data portability, as well as the right to withdraw consent at any time.
  10. The data subject can initiate access to, erasure, modification, or restriction of processing of personal data, as well as data portability, in the following ways:
  • By post: at the address 19 Dózsa György rakpart, Győr, 9026, Hungary
  • By email: at the email address info@yuliah.com
  • By phone: at the number +36 30 611 5327
  11. The data subject may unsubscribe from the newsletter at any time, free of charge.
  12. We inform you that:
  • the data processing is based on your consent;
  • you are obliged to provide personal data if you wish to receive newsletters from us;
  • the failure to provide data has the consequence that we are unable to send you newsletters;
  • you can withdraw your consent at any time by clicking on the unsubscribe link;
  • the withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

COMPLAINT HANDLING

1. The Fact of Data Collection, Scope of Processed Data, and Purpose of Processing:

| Personal Data | Purpose of Processing | Legal Basis |
| --- | --- | --- |
| First name and Last name | Identification, maintaining contact. | Compliance with a legal obligation, Article 6(1)(c) of the GDPR. (The relevant legal obligation: Section 17/A (7) of Act CLV of 1997 on Consumer Protection). |
| Email address | Maintaining contact. | Compliance with a legal obligation, Article 6(1)(c) of the GDPR. |
| Phone number | Maintaining contact. | Compliance with a legal obligation, Article 6(1)(c) of the GDPR. |
| Billing name and address | Identification, handling quality complaints, questions, and problems arising in connection with the ordered products/services. | Compliance with a legal obligation, Article 6(1)(c) of the GDPR. |

  2. Scope of Data Subjects: All data subjects purchasing on the website who make a complaint or raise a quality objection.
  3. Duration of Data Processing, Deadline for Erasure of Data: Pursuant to Section 17/A (7) of Act CLV of 1997 on Consumer Protection, copies of the record drawn up of the objection, the transcript, and the response to it must be preserved for 3 years.
  4. Rights of Data Subjects Regarding Data Processing:
  • The data subject may request from the Data Controller access to, rectification, erasure, or restriction of processing of personal data relating to them, and
  • the data subject has the right to data portability, as well as the right to withdraw consent at any time.
  5. The data subject can initiate access to, erasure, modification, or restriction of processing of personal data, as well as data portability, in the following ways:
  • By post: at the address 19 Dózsa György rakpart, Győr, 9026, Hungary
  • By email: at the email address info@yuliah.com
  • By phone: at the number +36 30 611 5327
  6. We inform you that:
  • the provision of personal data is based on a legal obligation;
  • the processing of personal data is a prerequisite for the conclusion of the contract;
  • you are obliged to provide personal data so that we can handle your complaint;
  • the failure to provide data has the consequence that we are unable to handle the complaint received by us.

RECIPIENTS TO WHOM PERSONAL DATA ARE DISCLOSED

"recipient": means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not.

1. Data Processors (who perform processing on behalf of the Data Controller)

The Data Controller utilizes data processors for the purpose of facilitating its own data processing activities, as well as to fulfill its obligations arising from contracts concluded with the data subject and from statutory regulations.

The Data Controller places great emphasis on utilizing exclusively data processors that provide sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR and ensure the protection of the rights of the data subjects.

The data processor and any person acting under the authority of the data controller or the data processor who has access to personal data shall process the personal data contained in this policy exclusively in accordance with the instructions of the data controller.

The Data Controller bears legal responsibility for the activities of the data processor. The data processor shall be liable for the damage caused by processing only where it has not complied with obligations of the GDPR specifically directed to data processors or where it has acted outside or contrary to lawful instructions of the data controller.

The data processor has no substantive decision-making power regarding the processing of data.

The Data Controller may utilize a hosting provider to ensure the IT background, and a courier service as a data processor to deliver the ordered products.

2. Specific Data Processors

| Data Processing Activity | Name, Address, Contact Details |
| --- | --- |
| Hosting Services | Hostinger International Ltd.; 61 Lordou Vironos str., 6023 Larnaca, Cyprus; Email: support@hostinger.com; Web: www.hostinger.com |
| Other Data Processing (e.g., online invoicing, web development, marketing) | Newsletter Provider: MailerLite Ltd.; 38 Mount Street Upper, Dublin 2, D02 PR89, Ireland; Privacy Policy: https://www.mailerlite.com/legal/privacy-policy |

"third party": means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.

3. Data Transfer to Third Parties

Third-party data controllers process the personal data disclosed by us in their own name, in accordance with their own privacy policies.

| Data Controller Activity | Name, Address, Contact Details |
| --- | --- |
| Shipping / Courier Services | MPL Magyar Posta Logisztika Kft.; 1138 Budapest, Dunavirág utca 2-6.; Email: ugyfelszolgalat@posta.hu; Phone: (06-1) 767-82-82; GTC: https://www.posta.hu/ugyfelszolgalat/aszf; Privacy Policy: https://www.posta.hu/adatkezelesi_tajekoztato |
| | FoxPost Zrt.; Registered Office: 3300 Eger, Maklári út 119.; Premises: 1097 Budapest, Könyves Kálmán körút 12-14.; Phone: 06-1-999-0-369; Email: info@foxpost.hu |
| Online Payment Gateway | OTP Mobil Szolgáltató Kft. (SimplePay); Registered Office: 1138 Budapest, Váci út 135-139. B. ép. 5. em.; Email: ugyfelszolgalat@simple.hu; Phone: +36 1/20/30/70 3-666-611 |

SOCIAL MEDIA PLATFORMS

The Data Controller is also present on social media platforms in order to present its services and to maintain contact with interested parties and customers.

  • Scope of Processed Data: Data publicly available on the data subject's social media profile, in particular:
    • name (username)
    • public profile picture
    • interactions published by the data subject or related to the Data Controller's page (e.g., comments, messages).
  • Scope of Data Subjects: Natural persons who follow the Data Controller's social media page, interact with it, or send messages through it.
  • Purpose of Data Processing:
    • presentation of the Data Controller's activities and services,
    • marketing and communication on social media platforms,
    • maintaining contact with interested parties and customers.
  • Legal Basis of Data Processing: The data subject's voluntary consent to the processing of their personal data on social networks.
  • Duration of Data Processing: Data processing lasts as long as the data subject's interaction exists, or until the content published by the data subject is deleted. The Data Controller preserves messages and communication for a maximum of 2 years.
  • Additional Data Controllers: The social media platforms process the data of users as independent data controllers according to their own privacy policies.

FACEBOOK / META JOINT CONTROLLERSHIP

The Data Controller maintains a Facebook/Meta profile related to its business activities. The data processing for statistical purposes carried out on the Facebook social media platform constitutes joint controllership between the Data Controller and Facebook Ireland Ltd. (4 Grand Canal Square, Grand Canal Harbour, D2, Dublin, Ireland). Detailed information on the joint controllership agreement is provided in the Page Insights Controller Addendum, which can be accessed via the following link: https://www.facebook.com/legal/terms/page_controller_addendum.

The Data Controller communicates via private messages on the social media platform exclusively if you contact us there first.

1. Categories of Data Subjects

  • Data subjects who have registered on the social media platform and "liked" the Data Controller's profile page.
  • Data subjects who contact the Data Controller via private message on the social media platform.

2. Purpose of Data Processing

The purpose of data processing on the Facebook social media platform is to share and promote the activities and services of the Data Controller. The Data Controller may use the data provided by the data subject in a private message solely to reply to that message; otherwise, the Data Controller does not collect or extract data through social media platforms.

3. Legal Basis of Data Processing

The data processing is based on Article 6(1)(a) of the GDPR; the legal basis is the data subject's consent to the processing of their personal data on the Facebook social media platform.

4. Scope of Processed Data

  • The registered name of the data subject.
  • The public profile picture of the data subject user.
  • Other public data provided or shared by the data subject on the social media platform.

5. Source of Processed Personal Data

The source of the processed data is the data subject.

6. Withdrawal of Consent

You may withdraw your consent to the data processing at any time and delete your posts or comments. The data processing takes place through social media platforms operated by a third party. If you withdraw your consent, the Data Controller will delete the conversation history held with you. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

The data subject can initiate access to, erasure, modification, or restriction of processing of personal data, as well as data portability, in the following ways:

  • By post: at the address 19 Dózsa György rakpart, Győr, 9026, Hungary
  • By email: at the email address info@yuliah.com
  • By phone: at the number +36 30 611 5327

7. Duration of Data Processing

  • Until the withdrawal of the data subject's consent.
  • In the event that an exchange of messages takes place, for a period of 2 years.

8. Transfer, Recipients, or Categories of Recipients of Personal Data

For the definition of "recipient", see Article 4(9) of the GDPR. The Data Controller transfers the personal data of the data subject to state organs and authorities – in particular to courts, prosecutor's offices, investigating authorities, misdemeanor authorities, and the National Authority for Data Protection and Freedom of Information (NAIH) – exclusively in exceptional cases and based on a statutory obligation.

9. Possible Consequences of Failure to Provide Data

If the data is not provided, the data subject will not be able to obtain information about the activities and services of the Data Controller through the Facebook social media platform or send messages to the Data Controller via Facebook Messenger.

10. Automated Decision-Making (including Profiling)

No automated decision-making, including profiling, takes place during the data processing.

11. Joint Controller Agreement with Facebook Ireland Ltd.

The Page Insights feature displays aggregated data that helps clarify how data subjects use the Facebook page. Facebook Ireland Limited ("Facebook Ireland") and the Data Controller are joint controllers regarding the processing of Insights data. The Page Insights Addendum defines the responsibilities of Facebook and the Data Controller regarding the processing of Insights data. Facebook Ireland assumes primary responsibility under the GDPR for the processing of Insights data and to comply with all applicable obligations prescribed by the GDPR regarding the processing of Insights data. Furthermore, Facebook Ireland makes a summary of the Page Insights Addendum available to all data subjects. The Data Controller ensures that it has an appropriate legal basis under the GDPR for processing Insights data, identifies the controller of the page, and complies with all other applicable legal obligations. Facebook Ireland has sole responsibility for the processing of personal data in connection with the Page Insights feature, except for data falling within the scope of the Page Insights Addendum. The Page Insights Addendum does not grant the Data Controller the right to request the personal data of Facebook users processed by Facebook Ireland in connection with Facebook, including page insights data. The Data Controller may not act or respond on behalf of Facebook Ireland when fulfilling data protection inquiries.

CUSTOMER RELATIONS AND OTHER DATA PROCESSING

  • If any questions or potential problems arise during the use of the Data Controller's services, the data subject may contact the Data Controller using the methods provided on the website (phone, email, social media platforms, etc.).
  • The Data Controller shall delete received emails, messages, and data provided over the phone, Meta, etc., together with the inquirer's name, email address, and any other voluntarily provided personal data, after a maximum of 2 years from the communication of the data.
  • Information regarding data processing activities not listed in this policy will be provided at the time the data is collected.
  • Upon exceptional statutory requests from authorities, or requests from other organs based on legal authorization, the Provider is obliged to provide information, disclose or transfer data, and make documents available.
  • In such cases, the Provider shall disclose personal data to the requesting party – provided that the exact purpose and scope of data have been indicated – only as much and to such an extent as is strictly necessary to achieve the purpose of the request.

RIGHTS OF DATA SUBJECTS

1. Right of Access

You have the right to obtain confirmation from the Data Controller as to whether or not personal data concerning you are being processed, and, where that is the case, access to the personal data and the information listed in the Regulation.

2. Right to Rectification

You have the right to obtain from the Data Controller without undue delay the rectification of inaccurate personal data concerning you. Taking into account the purposes of the processing, you have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

3. Right to Erasure ("Right to be Forgotten")

You have the right to obtain from the Data Controller the erasure of personal data concerning you without undue delay, and the Data Controller shall have the obligation to erase personal data without undue delay under specific conditions.

4. Right to be Forgotten

Where the Data Controller has made the personal data public and is obliged to erase the personal data, it shall, taking into account available technology and the cost of implementation, take reasonable steps, including technical measures, to inform controllers which are processing the personal data that you have requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

5. Right to Restriction of Processing

You have the right to obtain from the Data Controller restriction of processing where one of the following applies:

  • You contest the accuracy of the personal data, for a period enabling the Data Controller to verify the accuracy of the personal data;
  • The processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead;
  • The Data Controller no longer needs the personal data for the purposes of the processing, but they are required by you for the establishment, exercise, or defense of legal claims;
  • You have objected to processing; in this case, the restriction applies for a period pending the verification of whether the legitimate grounds of the Data Controller override your legitimate grounds.

6. Right to Data Portability

You have the right to receive the personal data concerning you, which you have provided to a Data Controller, in a structured, commonly used, and machine-readable format, and have the right to transmit those data to another data controller without hindrance from the Data Controller to which the personal data have been provided.

7. Right to Object

In the case of data processing based on legitimate interest or public authority as legal bases, you have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you, including profiling based on those provisions.

8. Objection in the Case of Direct Marketing

Where personal data are processed for direct marketing purposes, you have the right to object at any time to processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing. If you object to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.

9. Automated Individual Decision-Making, Including Profiling

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.

The previous paragraph shall not apply if the decision:

  • is necessary for entering into, or performance of, a contract between you and the Data Controller;
  • is authorized by Union or Member State law to which the Data Controller is subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests; or
  • is based on your explicit consent.

TIME LIMIT FOR ACTION

The Data Controller shall provide information on action taken on a request to you without undue delay and in any event within 1 month of receipt of the request.

That period may be extended by 2 further months where necessary. The Data Controller shall inform you of any such extension within 1 month of receipt of the request, together with the reasons for the delay.

Where the Data Controller does not take action on your request, the Data Controller shall inform you without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

SECURITY OF PROCESSING

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Data Controller and the Data Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia, as appropriate:

  • the pseudonymisation and encryption of personal data;
  • the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
  • the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
  • a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.

The processed data must be stored in such a manner that unauthorized persons cannot access them. In the case of paper-based data carriers, this is achieved by establishing a system of physical storage and archiving; in the case of data processed in electronic form, by applying a central access management system.

The method of storing data by IT means must be chosen so that their erasure – also taking into account potentially differing erasure deadlines – can be carried out upon the expiry of the data erasure deadline, or if it is necessary for other reasons. Erasure must be irreversible.

Personal data on paper-based data carriers must be destroyed using a document shredder or by engaging an external organization specialized in document destruction. In the case of electronic data carriers, physical destruction must be ensured in accordance with the rules on scrapping electronic data carriers, or, as necessary, the secure and irreversible deletion of data must be carried out beforehand.

Specific Data Security Measures Taken by the Data Controller:

For the security of personal data handled on a paper basis, the Provider applies the following measures (physical protection):

  • Documents are placed in a secure, well-lockable, dry room.
  • If personal data handled on a paper basis are digitized, the rules applicable to digitally stored documents must be applied.
  • The Provider's employee performing data processing may only leave the room where data processing takes place during their work by locking away the data carriers entrusted to them or by locking the given room.
  • Personal data may only be disclosed to authorized persons; third parties may not access them.
  • The Provider's building and rooms are equipped with fire protection and property protection equipment.

IT Protection:

  • Computers and mobile devices (other data carriers) used during data processing are the property of the Provider.
  • The computer system containing personal data used by the Provider is equipped with virus protection.
  • To ensure the security of digitally stored data, the Provider applies data backups and archiving.
  • The central server machine may only be accessed with appropriate authorization and exclusively by persons designated for that purpose.
  • Data found on computers can only be accessed with a username and password.

INFORMING THE DATA SUBJECT OF A PERSONAL DATA BREACH

When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the Data Controller shall communicate the personal data breach to the data subject without undue delay.

The communication to the data subject shall describe in clear and plain language the nature of the personal data breach and contain the name and contact details of the data protection officer or other contact point where more information can be obtained; describe the likely consequences of the personal data breach; describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

The communication to the data subject shall not be required if any of the following conditions are met:

  • the Data Controller has implemented appropriate technical and organizational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorized to access it, such as encryption;
  • the Data Controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialize;
  • it would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.

If the Data Controller has not already communicated the personal data breach to the data subject, the supervisory authority, having considered the likelihood of the personal data breach resulting in a high risk, may require it to do so.

NOTIFICATION OF A PERSONAL DATA BREACH TO THE AUTHORITY

In the case of a personal data breach, the Data Controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.

MANDATORY REVIEW OF DATA PROCESSING

If the duration of mandatory data processing or the periodic review of its necessity is not determined by an Act of Parliament, a local government decree, or a binding legal act of the European Union, the Data Controller shall review at least every three years from the commencement of data processing whether the processing of personal data carried out by it, or by a data processor acting on its behalf or under its instructions, is necessary for the realization of the purpose of data processing.

The circumstances and results of this review shall be documented by the Data Controller; this documentation shall be preserved for ten years following the execution of the review and shall be made available to the National Authority for Data Protection and Freedom of Information (hereinafter: Authority) upon the Authority's request.

RIGHT TO LODGE A COMPLAINT

Complaints against potential infringements by the Data Controller can be lodged with the National Authority for Data Protection and Freedom of Information:

  • Name: National Authority for Data Protection and Freedom of Information (Nemzeti Adatvédelmi és Információszabadság Hatóság)
  • Address: 1055 Budapest, Falk Miksa utca 9-11., Hungary
  • Mailing Address: 1363 Budapest, Pf. 9., Hungary
  • Phone: +36-1-391-1400
  • Fax: +36-1-391-1410
  • Email: ugyfelszolgalat@naih.hu
  • Web: naih.hu

CLOSING WORDS

During the preparation of this policy, attention was paid to the following legislation and recommendations:

  • REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL (GDPR) (27 April 2016) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);
  • Act CVIII of 2001 on Certain Issues of Electronic Commerce Services and Information Society Services (especially Section 13/A);
  • Act XLVII of 2008 on the Prohibition of Unfair Commercial Practices against Consumers;
  • Act XLVIII of 2008 on the Basic Conditions and Certain Restrictions of Economic Advertising Activity (especially Section 6);
  • Act XC of 2005 on Electronic Freedom of Information;
  • Act C of 2003 on Electronic Communications (specifically Section 155);
  • Opinion No. 16/2011 on EASA/IAB recommendations on best practice for behavioral online advertising;
  • The recommendation of the National Authority for Data Protection and Freedom of Information on the data protection requirements of prior information.