Kreativdekorshop.hu Privacy Policy

Kreatív Dekor Stúdió Kft.

Privacy Policy


Introduction

Kreatív Dekor Stúdió Kft. (address: 3711 Szirmabesenyő, Hunyadi Street 2., tax number: 28966322-2-05, company registration number: 05-09-033574) (hereinafter referred to as: Service Provider, Data Controller) subjects itself to the following policy:

In accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation – GDPR), we provide the following information.

This Privacy Policy regulates the data processing carried out on the following website/mobile applications: https://www.kreativdekorshop.hu

The Privacy Policy is available at the following page: https://www.kreativdekorshop.hu/adatvedelem

Any amendments to the Policy shall take effect upon publication at the above address.

Data Controller and Contact Details

Name: Kreatív Dekor Stúdió Kft.
Registered office: 3711 Szirmabesenyő, Hunyadi Street 2.
E-mail: shop@kreativdekorshop.hu
Phone: +36 70 606 1804

Definitions

“Personal data”: any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

“Processing”: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

“Controller”: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

“Processor”: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

“Recipient”: a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall comply with the applicable data protection rules according to the purposes of the processing.

“Consent of the data subject”: any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

“Personal data breach”: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

“Profiling”: any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

Principles Relating to the Processing of Personal Data

Personal data shall be:

  1. processed lawfully, fairly and in a transparent manner in relation to the data subject (“lawfulness, fairness and transparency”);

  2. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (“purpose limitation”);

  3. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (“data minimisation”);

  4. accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (“accuracy”);

  5. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1), subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (“storage limitation”);

  6. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (“integrity and confidentiality”).

The controller shall be responsible for, and be able to demonstrate compliance with, the above principles (“accountability”).

The Data Controller declares that its data processing activities are carried out in accordance with the principles set out in this section.







Data processing related to the operation of the online store / use of services

1. The fact of data collection, the scope of data processed, and the purpose of data processing:

Personal Data, Purpose of Processing, and Legal Basis


| Personal Data | Purpose of Processing | Legal Basis |
|---|---|---|
| Username | Identification and enabling user registration. | Article 6 (1)(a) of the GDPR. |
| Password | To ensure secure access to the user account. | Article 6 (1)(a) of the GDPR. |
| First and last name | Required for making contact, completing purchases, issuing invoices in compliance with legal requirements, and exercising the right of withdrawal. | Article 6 (1)(b) of the GDPR. |
| E-mail address | For communication purposes. | Article 6 (1)(a) of the GDPR. |
| Phone number | For communication and more effective coordination of billing or delivery-related matters. | Article 6 (1)(a) of the GDPR. |
| Billing name and address | For issuing proper invoices and for creating, defining, modifying, monitoring the performance of the contract, invoicing related fees, and enforcing any claims arising therefrom. | Article 6 (1)(c) of the GDPR (Legal obligation pursuant to Section 169 (2) of Act C of 2000 on Accounting). |
| Shipping name and address | To enable home delivery. | Article 6 (1)(b) of the GDPR. |
| Date and time of purchase/registration | For performing technical operations. | Section 13/A (3) of Act CVIII of 2001 on Certain Issues of Electronic Commerce and Information Society Services (“Elker tv.”). |
| IP address at the time of purchase/registration | For performing technical operations. | Section 13/A (3) of the Elker tv. |


2. Scope of Data Subjects: All individuals who register or make a purchase on the webshop website are considered data subjects. Neither the username nor the e-mail address is required to contain personal data.


3. Duration of Data Processing and Deadline for Data Deletion: If any of the conditions set out in Article 17 (1) of the GDPR apply, processing shall continue until the data subject requests deletion. The Data Controller shall inform the data subject electronically, in accordance with Article 19 of the GDPR, regarding the deletion of any personal data provided by the data subject. If the data subject’s deletion request also includes the e-mail address provided, the Data Controller shall delete the e-mail address following such notification.

Exception: Accounting documents must be retained for 8 years in accordance with Section 169 (2) of Act C of 2000 on Accounting. The data relating to the data subject’s contract may be deleted after the expiry of the statutory limitation period under civil law, based on the data subject’s deletion request.

Accounting documents that directly or indirectly substantiate bookkeeping entries (including general ledger accounts, analytical and detailed records) must be retained for at least 8 years, in a legible form, and retrievable based on accounting records.

4. Persons Authorized to Access the Data, and Recipients of Personal Data: Personal data may be processed by the Data Controller and by its duly authorized employees, in compliance with the fundamental principles set out above.

5. Description of the rights of data subjects in relation to data processing:

  • The data subject may request from the data controller access to personal data concerning him or her, the rectification, erasure or restriction of processing of such data, and

  • the data subject has the right to data portability and to withdraw consent at any time.

6. You may request access to, deletion, modification, or restriction of the processing of your personal data, as well as data portability, in the following ways:

7. Legal Basis of Data Processing: 

  1. Article 6 (1)(b) of the GDPR – processing necessary for the performance of a contract.

  2. Section 13/A (3) of Act CVIII of 2001 on Certain Issues of Electronic Commerce and Information Society Services (Elker tv.):

The service provider may process personal data that are technically indispensable for providing the service. The service provider must select and operate the tools used for providing information society services in such a way that personal data are processed only to the extent and for the duration necessary for providing the service and fulfilling the purposes defined by this Act.

  3. Article 6 (1)(c) of the GDPR – processing necessary for compliance with a legal obligation (issuing invoices in accordance with accounting legislation).

  4. In the event of enforcement of claims arising from the contract, the limitation period shall be 5 years in accordance with Section 6:22 of Act V of 2013 on the Civil Code.

    Section 6:22 [Limitation]

(1) Unless otherwise provided for in this Act, claims shall become time-barred after five years.

(2) The limitation period shall commence when the claim becomes due.

(3) Any agreement to change the limitation period shall be made in writing.

(4) Any agreement to exclude the limitation period shall be null and void.




8. Please note that

  • data processing is necessary for the performance of the contract and for making an offer.

  • you are required to provide personal data so that we can fulfill your order.

  • failure to provide data will result in us being unable to process your order.


Cookie Management

  1. The use of so-called “password-protected session cookies,” “shopping cart cookies,” “security cookies,” “necessary cookies,” “functional cookies,” and “cookies responsible for website statistics” does not require the prior consent of the data subject.

  2. Facts of Data Processing and Scope of Processed Data:
    Unique identification number, dates, and times.

  3. Scope of Data Subjects:
    All visitors to the website.

  4. Purpose of Data Processing:
    To identify users, track visitors, and ensure customized website functionality.

  5. Duration of Data Processing and Deadline for Deletion:

| Type of Cookie | Legal Basis for Data Processing | Duration of Data Processing |
|---|---|---|
| Session cookies (or other cookies strictly necessary for the operation of the website) | The use of such cookies does not involve personal data processing. | For the duration of the relevant visitor session — the data are stored only until the browser is closed. |
| Statistical / Marketing cookies | Article 6 (1)(a) of the GDPR | Data are processed for a period between 1 day and 2 years, in accordance with the cookie notice, or until the data subject withdraws consent. |


6. Persons Authorized to Access the Data: Personal data may be accessed solely by the Data Controller.

7. Information on Data Subjects’ Rights Related to Cookie Management: Data subjects have the option to delete cookies within their browsers, usually under the Privacy settings found in the Tools/Settings menu.

8. Browser Settings and Cookie Control: Most browsers used by our visitors allow users to define which cookies can be saved and also permit the deletion of specific cookies. If you restrict the storage of cookies for certain websites or disable third-party cookies, this may, in some cases, result in our website no longer functioning properly or being only partially usable. Below you can find information on how to customize cookie settings in commonly used browsers:


Use of Google Ads Conversion Tracking

  1. The Data Controller uses the online advertising program Google Ads and, within its framework, makes use of Google’s conversion tracking service.
    Google Conversion Tracking is an analytics service provided by Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; “Google”).

  2. When a user accesses a website via a Google advertisement, a cookie required for conversion tracking is placed on their computer. These cookies have a limited validity period and do not contain any personal data, therefore users cannot be personally identified by means of them.

  3. When the user browses certain pages of the website and the cookie has not yet expired, both Google and the Data Controller can see that the user has clicked on the advertisement.

  4. Each Google Ads customer receives a different cookie, so users cannot be tracked across the websites of different Ads clients.

  5. The information obtained through conversion tracking cookies is used to generate conversion statistics for Ads clients who have opted for conversion tracking. These clients can thus learn the number of users who clicked on their advertisement and were redirected to a page tagged with a conversion tracking label. However, they do not receive any information that could personally identify any user.

  6. If you do not wish to participate in conversion tracking, you may opt out by disabling the storage of cookies in your browser settings. In this case, your visits will not be included in the conversion tracking statistics.

  7. Under Google Consent Mode v2, Google also uses two new cookie types: ad_user_data and ad_personalization, which rely on the data subject’s consent and concern the use and sharing of data. The ad_user_data cookie records the user’s consent to allow their data to be used by Google for advertising purposes. The ad_personalization cookie determines whether the data may be used for personalized advertising (e.g., remarketing). The Data Controller ensures that appropriate consent and withdrawal options are provided through its cookie banner/panel. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

  8. Further information and Google’s Privacy Policy are available at: https://policies.google.com/privacy


Use of Google Analytics

  1. This website uses Google Analytics, a web analytics service provided by Google Inc. (“Google”). Google Analytics uses so-called “cookies” — text files that are stored on your computer — to help analyse how users interact with the website.

  2. The information generated by these cookies about your use of the website is generally transmitted to and stored on a Google server in the United States.
    With IP anonymisation activated on this website, Google will first truncate the user’s IP address within the member states of the European Union or other states that are parties to the Agreement on the European Economic Area.

  3. Only in exceptional cases will the full IP address be transmitted to a Google server in the United States and truncated there. On behalf of the operator of this website, Google will use this information to evaluate your use of the website, to compile reports on website activity, and to provide other services related to website and internet usage to the website operator.

  4. The IP address transmitted by your browser within the scope of Google Analytics will not be merged with other data held by Google. You can prevent the storage of cookies by adjusting your browser settings accordingly. However, please note that if you do so, you may not be able to use all the functions of this website to their full extent. You can also prevent Google from collecting and processing data generated by cookies and related to your use of the website (including your IP address) by downloading and installing the browser plugin available at the following link: https://tools.google.com/dlpage/gaoptout?hl=en

Newsletter and Direct Marketing Activities Based on Consent

  1. Pursuant to Section 6 of Act XLVIII of 2008 on the Basic Requirements and Certain Restrictions of Economic Advertising Activities, the User may give prior and explicit consent to allow the Service Provider to contact them with advertising offers and other communications through the contact details provided during registration.

  2. Furthermore, the Customer may, in accordance with the provisions of this Privacy Policy, consent to the Service Provider processing their personal data necessary for sending advertising offers.

  3. The Service Provider does not send unsolicited promotional messages, and the User may unsubscribe from receiving such offers at any time, free of charge and without restriction or justification. In such a case, the Service Provider shall delete all personal data necessary for sending advertising messages from its records and shall no longer contact the User with advertising offers. The User may unsubscribe from promotional messages by clicking on the unsubscribe link included in the message.

  4. Facts of Data Collection, Scope of Processed Data, and Purpose of Data Processing:


| Personal Data | Purpose of Processing | Legal Basis |
|---|---|---|
| Name, e-mail address | Identification and enabling subscription to newsletters and/or promotional coupons. | Consent of the data subject, Article 6 (1)(a) of the GDPR, and Section 6 (5) of Act XLVIII of 2008 on the Basic Requirements and Certain Restrictions of Economic Advertising Activities. |
| Date and time of subscription | For performing a technical operation. | Article 6 (1)(a) of the GDPR. |
| IP address at the time of subscription | For performing a technical operation. | Article 6 (1)(a) of the GDPR. |


5. Data subjects: All data subjects who subscribe to the newsletter.

6. Purpose of Data Processing: To send electronic messages containing advertisements (e-mails, SMS messages, push notifications) to the data subject, and to provide information about current updates, products, promotions, new features, and other relevant news.


7. Duration of Data Processing and Deadline for Data Deletion: Processing continues until the withdrawal of consent (unsubscription or deletion request by the data subject) or until the newsletter service is discontinued.

8. Persons Authorized to Access the Data and Recipients of Personal Data: Personal data may be processed by the Data Controller, as well as its sales and marketing employees, in compliance with the above-mentioned principles.


9. Description of the rights of data subjects in relation to data processing:

  • The data subject may request from the data controller access to personal data concerning him or her, the rectification, erasure or restriction of processing of such data, and

  • may object to the processing of his or her personal data, and

  • the data subject has the right to data portability and to withdraw consent at any time.


10. You may initiate access to, deletion, modification, or restriction of the processing of your personal data, as well as data portability and objection, in the following ways:

11. The data subject may unsubscribe from the newsletter at any time, free of charge.

12. Additional Information

  • Data processing is based on your consent.

  • You are required to provide your personal data if you wish to receive our newsletter.

  • Failure to provide the requested data will result in our inability to send you newsletters.

  • You may withdraw your consent at any time by clicking the unsubscribe link.

  • Withdrawal of consent does not affect the lawfulness of processing based on consent prior to its withdrawal.


Complaint handling

1. The fact of data collection, the scope of data processed, and the purpose of data processing:

| Personal Data | Purpose of Processing | Legal Basis |
|---|---|---|
| First and last name | Identification and maintaining contact with the customer. | Article 6 (1)(c) of the GDPR (Legal obligation under Section 17/A (7) of Act CLV of 1997 on Consumer Protection). |
| E-mail address | For maintaining contact with the customer. | Article 6 (1)(c) of the GDPR. |
| Phone number | For maintaining contact with the customer. | Article 6 (1)(c) of the GDPR. |
| Billing name and address | Identification and handling of quality complaints, inquiries, or issues related to the ordered products/services. | Article 6 (1)(c) of the GDPR. |

  2. Scope of data subjects: All data subjects who make a purchase on the website and those who submit a quality complaint or lodge a grievance.

  3. Duration of data processing, deadline for data deletion: The records, transcripts, and copies of the responses related to the complaint must be retained for 3 years in accordance with Section 17/A (7) of Act CLV of 1997 on Consumer Protection.

  4. Persons authorized to access the data, recipients of personal data: Personal data may be processed by the data controller and its duly authorized employees, in compliance with the above principles.

  5. Description of data subjects’ rights related to data processing:

  • The data subject may request from the data controller access to personal data concerning them, their rectification, erasure or restriction of processing, and

  • the data subject has the right to data portability, as well as the right to withdraw consent at any time.

  6. Methods for initiating access, deletion, modification, restriction of processing, or data portability by the data subject:

  7. We inform you that:

  • the provision of personal data is based on a legal obligation.

  • the processing of personal data is a precondition for concluding the contract.

  • you are required to provide personal data so that we can handle your complaint.

  • failure to provide the requested data will result in our inability to handle your submitted complaint.

Recipients with whom personal data are shared

“Recipient”: any natural or legal person, public authority, agency or other body to which the personal data are disclosed, whether or not it is a third party.

1. Processors (who process personal data on behalf of the controller)

The data controller uses data processors in order to facilitate its own data processing activities and to fulfil its contractual obligations towards the data subjects, as well as to comply with legal requirements.

The data controller places great emphasis on engaging only such data processors who provide adequate guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of the GDPR and ensure the protection of the rights of data subjects.

The processor, and any person acting under the authority of the controller or the processor who has access to personal data, shall process those data only on instructions from the controller, in accordance with this policy.

The data controller bears legal responsibility for the activities of the data processor. The processor shall be liable for the damage caused by processing only where it has not complied with obligations of the GDPR specifically directed to processors, or acted outside or contrary to lawful instructions of the controller.

The processor has no substantive decision-making authority with regard to the processing of data.

The data controller may use a hosting provider to ensure the operation of the IT infrastructure, and a courier service as a data processor for the delivery of ordered products.

2. Specific Data Processors

Type of Data Processing Activity

Name, Address, Contact Information

Hosting Service

Futureweb Design Kft.
4467 Szabolcs, Szabadság út 22.
info@futureweb.hu

Dotroll Kft.
1148 Budapest, Fogarasi út 3–5.
Tel.: +36 1 432 3232
support@dotroll.com

Other Data Processors (e.g. online invoicing, web development, marketing)

Online invoicing: Számlázz.hu
Company: KBOSS.hu Kft.
Website: https://www.szamlazz.hu
Email: info@szamlazz.hu
Phone: +36 30 35 44 789

Newsletter service: Brevo (Sendinblue Inc.)
1402 3rd Ave Suite 301, Seattle, WA 98101, United States
https://www.brevo.com/contact/

“Third party”: any natural or legal person, public authority, agency or other body which is not the data subject, the controller, the processor, or persons who, under the direct authority of the controller or processor, are authorised to process personal data.



3. Data Transfer to Third Parties

Third-party data controllers process the personal data disclosed by us in their own name and in accordance with their own privacy policies.


Type of Activity

Name, Address, Contact Information

Transportation / Delivery

MPL Magyar Posta Logisztika Kft.
1138 Budapest, Dunavirág utca 2–6.
ugyfelszolgalat@posta.hu
Phone: +36 (1) 767-82-82
Terms and Conditions: https://www.posta.hu/ugyfelszolgalat/aszf
Privacy Policy: https://www.posta.hu/adatkezelesi_tajekoztato

FoxPost Zrt.
1068 Budapest, Dózsa György út 84. B. building
Phone: +36 1 999 0369
E-mail: info@foxpost.hu

GLS General Logistics Systems Hungary Csomag-Logisztikai Kft.
2351 Alsónémedi, Európa u. 2.
info@gls-hungary.com
Phone: +36 29 886 694

Online Payment

SimplePay Zrt.
Registered office: 1138 Budapest, Váci út 135–139. B. building, 5th floor
E-mail: ugyfelszolgalat@simple.hu
Phone: +36 1/20/30/70 3-666-611



Social Media Platforms

  1. Facts of data collection and scope of processed data:
    The registered name on social media platforms such as Twitter, Pinterest, YouTube, Instagram, TikTok, LinkedIn, etc., and the user’s public profile picture.

  2. Scope of data subjects:
    All data subjects who are registered on Twitter, Pinterest, YouTube, Instagram, TikTok, LinkedIn, etc., and who have “liked” the Service Provider’s social media page or have contacted the Data Controller through a social media platform.

  3. Purpose of data collection:
    To share, “like,” follow, or promote certain content elements, products, promotions, or the website itself on social media platforms.

  4. Duration of data processing, deadline for data deletion, persons authorized to access the data, and description of data subjects’ rights related to data processing:
    Data subjects can find information about the source of data, the method and legal basis of processing, and data transfer on the relevant social media platform.
    Data processing takes place on the respective social media platforms; therefore, the duration, method, and options for deleting or modifying data are governed by the policies of the given social media platform.

  5. Legal basis for data processing:
    The data subject’s voluntary consent to the processing of their personal data on social media platforms.


Facebook / Meta Joint Data Controllership

The Data Controller operates a Facebook / Meta profile in connection with its activities.
The statistical data processing carried out on the Facebook social network is a joint data processing activity between the Data Controller and Facebook Ireland Ltd. (4 Grand Canal Square, Grand Canal Harbour, D2 Dublin, Ireland). Details of the joint controllership agreement are set out in the Page Insights Controller Addendum, available at the following link: https://www.facebook.com/legal/terms/page_controller_addendum

The Data Controller communicates via private messages on the social media platform only if you contact us there first.

1. Categories of Data Subjects

  • Data subjects who have registered on the social media platform and “liked” the Data Controller’s profile page.

  • Data subjects who contact the Data Controller via private message on the social media platform.

2. Purpose of Data Processing

The purpose of data processing on the Facebook social media platform is to share and promote the Data Controller’s activities and services. The Data Controller may use personal data provided by the data subject in private messages to respond to such messages. Apart from this, the Data Controller does not collect or extract any data from social media platforms.

3. Legal Basis for Data Processing

Data processing is based on Article 6 (1)(a) of the GDPR — the data subject’s consent to the processing of their personal data on the Facebook social media platform.

4. Scope of Processed Data

  • Registered name of the data subject

  • Public profile picture of the data subject

  • Any other public information provided or shared by the data subject on the social media platform

5. Source of personal data processed: The source of the data processed is the data subject.

6. Withdrawal of Consent

You may withdraw your consent to data processing at any time by deleting your post or comment. Data processing takes place via third-party social media platforms. If you withdraw your consent, the Data Controller will delete the conversation held with you. Withdrawal of consent does not affect the lawfulness of processing based on consent prior to its withdrawal.

Requests for access, deletion, modification, restriction of processing, or data portability may be submitted via the following channels:



7. Duration of Data Processing

  • Until the data subject withdraws their consent, or

  • In the case of message exchanges, for a period of 2 years.

8. Transfer and Recipients of Personal Data

For the definition of “recipient,” see Article 4(9) of the GDPR. The Data Controller discloses the personal data of the data subject only in exceptional cases and based on a legal obligation, to state authorities or official bodies — in particular, to courts, prosecutors, investigative authorities, administrative authorities, or the Hungarian National Authority for Data Protection and Freedom of Information (NAIH).

9. Possible Consequences of Failure to Provide Data

If personal data are not provided, the data subject will not be able to access information about the Data Controller’s activities or services via Facebook, and will not be able to send messages to the Data Controller through Facebook Messenger.

10. Automated Decision-Making (Including Profiling)

No automated decision-making or profiling takes place during data processing.


11. Joint Controllership Agreement with Facebook Ireland Ltd.

The Page Insights feature displays aggregated data that provide insight into how users interact with the Facebook page. Facebook Ireland Limited (“Facebook Ireland”) and the Data Controller act as joint controllers in relation to the processing of these analytical data. The Page Insights Controller Addendum defines the responsibilities of Facebook and the Data Controller concerning the processing of analytical data. Facebook Ireland assumes primary responsibility under the GDPR for the processing of analytical data and undertakes to comply with all applicable obligations regarding such data. Facebook Ireland also makes an extract of the Page Insights Controller Addendum available to every data subject. The Data Controller ensures that it has a valid legal basis for processing analytical data under the GDPR, identifies itself as the page controller, and complies with all other applicable legal obligations. Facebook Ireland is solely responsible for the processing of personal data in connection with the Page Insights feature, except for data within the scope of the Page Insights Addendum. The Addendum does not grant the Data Controller any right to request personal data of Facebook users processed by Facebook Ireland, including Page Insights data. The Data Controller is not entitled to act or respond on behalf of Facebook Ireland when handling data protection requests.


Customer Relations and Other Data Processing Activities

  1. If, during the use of the Data Controller’s services, the data subject has any questions or encounters any problems, they may contact the Data Controller through the means provided on the website (telephone, e-mail, social media platforms, etc.).

  2. The Data Controller stores incoming e-mails, messages, and data provided via telephone, Meta, etc. — including the name and e-mail address of the inquirer and any other voluntarily provided personal data — for a maximum of 2 years from the date of data provision, after which the data are deleted.

  3. Information on any data processing not listed in this Privacy Policy will be provided at the time the data are collected.

  4. In exceptional cases, upon official request or based on statutory authorization, the Service Provider is obliged to provide information, disclose or transfer data, or make documents available to other authorities.

  5. In such cases, the Service Provider shall only disclose personal data to the requesting authority to the extent and in the scope strictly necessary for fulfilling the stated purpose of the request, provided that the request precisely specifies the purpose and the scope of the requested data.

Rights of Data Subjects

1. Right of Access

You have the right to obtain confirmation from the Data Controller as to whether or not personal data concerning you are being processed, and, where that is the case, access to the personal data and to the information listed in the Regulation.

2. Right to Rectification

You have the right to request that the Data Controller rectify inaccurate personal data concerning you without undue delay. Taking into account the purposes of the processing, you also have the right to request the completion of incomplete personal data, including by means of providing a supplementary statement.

3. Right to Erasure

You have the right to request that the Data Controller erase personal data concerning you without undue delay, and the Data Controller is obliged to erase such data without undue delay under certain conditions.


4. Right to be Forgotten

Where the Data Controller has made the personal data public and is obliged to erase it, the Data Controller, taking account of available technology and the cost of implementation, shall take reasonable steps — including technical measures — to inform other controllers processing the personal data that you have requested the erasure of any links to, or copies or replications of, those personal data.

5. Right to Restriction of Processing

You have the right to obtain from the Data Controller restriction of processing where one of the following applies:

  • You contest the accuracy of the personal data — in this case, restriction shall apply for a period enabling the Data Controller to verify the accuracy of the personal data;

  • The processing is unlawful and you oppose the erasure of the data and request the restriction of their use instead;

  • The Data Controller no longer needs the personal data for the purposes of processing, but you require them for the establishment, exercise, or defence of legal claims;

  • You have objected to processing — in this case, restriction shall apply pending verification of whether the legitimate grounds of the Data Controller override your legitimate grounds.

6. Right to Data Portability

You have the right to receive the personal data concerning you, which you have provided to a Data Controller, in a structured, commonly used, and machine-readable format, and you have the right to transmit those data to another Data Controller without hindrance from the controller to which the personal data have been provided (...).

7. Right to Object

In the case of processing based on legitimate interest or the exercise of official authority as a legal basis, you have the right to object at any time, on grounds relating to your particular situation, to the processing of your personal data, including profiling based on those provisions.

8. Right to Object to Direct Marketing

Where personal data are processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing. Where you object to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.

9. Automated Decision-Making in Individual Cases, Including Profiling

You have the right not to be subject to a decision based solely on automated processing — including profiling — which produces legal effects concerning you or similarly significantly affects you.

The above paragraph shall not apply if the decision:

  • is necessary for entering into, or performance of, a contract between you and the Data Controller;

  • is authorised by Union or Member State law applicable to the Data Controller, which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests; or

  • is based on your explicit consent.

Response Deadline

The Data Controller shall inform you without undue delay, and in any event within 1 month of receipt of your request, of the action taken in response to your request.

Where necessary, that period may be extended by a further 2 months.
The Data Controller shall inform you of any such extension within 1 month of receipt of the request, together with the reasons for the delay.

If the Data Controller does not take action on your request, it shall inform you without undue delay and at the latest within 1 month of receipt of the request of the reasons for not taking action, and of your right to lodge a complaint with a supervisory authority and to seek a judicial remedy.

Data Security

The Data Controller and the Data Processor shall implement appropriate technical and organizational measures, taking into account the state of the art, the costs of implementation, the nature, scope, context, and purposes of the processing, as well as the varying likelihood and severity of the risks to the rights and freedoms of natural persons, in order to ensure a level of security appropriate to the risk. These measures shall include, as appropriate:

  1. the pseudonymization and encryption of personal data;

  2. the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;

  3. the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;

  4. a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.

  5. Personal data must be stored in a manner that prevents unauthorized access. For paper-based data carriers, this is ensured through secure physical storage and filing arrangements; for electronically processed data, through the use of a central access control system.

  6. The method of electronic storage must allow for the deletion of data — in accordance with the relevant retention period — to be carried out when necessary or upon expiry of the retention deadline. Deletion must be irreversible.

  7. Paper-based data carriers must be stripped of personal data using a document shredder or by engaging the services of an external organization specializing in document destruction. In the case of electronic data carriers, physical destruction must be ensured in accordance with the rules on the disposal of electronic data carriers, and, if necessary, the data must be securely and irreversibly deleted in advance.

  8. The data controller shall take the following specific data security measures:

Physical protection for paper-based personal data:

  1. Documents are stored in secure, lockable, dry premises.

  2. If paper-based personal data are digitized, the rules applicable to digitally stored documents shall apply.

  3. During work, employees handling personal data must lock away data carriers or secure the premises before leaving the room.

  4. Personal data may only be accessed by authorized persons; third parties may not access them.

  5. The Service Provider’s buildings and premises are equipped with fire and property protection systems.

IT protection:

  1. Computers, mobile devices, and other data carriers used for data processing are the property of the Service Provider.

  2. The IT systems containing personal data are protected by antivirus software.

  3. To ensure the security of digitally stored data, the Service Provider performs regular backups and data archiving.

  4. Access to the central server is restricted to designated persons with proper authorization.

  5. Access to data stored on computers is protected by usernames and passwords.

Informing the Data Subject About a Personal Data Breach

If the data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.

The information provided to the data subject shall clearly and comprehensively describe the nature of the personal data breach; provide the name and contact details of the data protection officer or other contact person providing further information; describe the likely consequences of the personal data breach; and describe the measures taken or planned by the controller to address the personal data breach, including, where appropriate, measures to mitigate any adverse consequences resulting from the personal data breach.

The data subject shall not be required to be informed if any of the following conditions are met:

  • the Data Controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the breach — in particular, measures such as encryption that render the data unintelligible to any person not authorised to access it;

  • following the personal data breach, the Data Controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialise;

  • providing individual notification would involve disproportionate effort. In such cases, data subjects shall instead be informed through public communication or by taking similar measures whereby the data subjects are informed in an equally effective manner.

If the Data Controller has not already notified the data subject of the personal data breach, the supervisory authority may, after considering the likelihood of a high risk resulting from the breach, require the Data Controller to do so.




Notification of a data breach to the authority

The data controller shall notify the supervisory authority competent under Article 55 of the data breach without undue delay and, where feasible, not later than 72 hours after becoming aware of it, unless the data breach is unlikely to result in a risk to the rights and freedoms of natural persons. If the notification is not made within 72 hours, the reasons for the delay must also be provided.


Review in the case of mandatory data processing

If the duration of mandatory data processing or the periodic review of its necessity is not specified by law, local government decree, or a binding legal act of the European Union, the data controller shall review at least every three years from the start of data processing whether the processing of personal data by the data controller or by a data processor acting on its behalf or on its instructions is necessary for the achievement of the purpose of data processing.


The data controller shall document the circumstances and results of this review, retain this documentation for ten years after the review has been carried out, and make it available to the National Authority for Data Protection and Freedom of Information (hereinafter: the Authority) at the Authority's request.


Complaints

Complaints against any violation of the law by the data controller may be lodged with the National Authority for Data Protection and Freedom of Information:


National Authority for Data Protection and Freedom of Information

1055 Budapest, Falk Miksa utca 9-11.

Postal address: 1363 Budapest, Pf. 9.

Phone: +36-1-391-1400

Fax: +36-1-391-1410

E-mail: ugyfelszolgalat@naih.hu



Closing Statement

In the preparation of this Privacy Policy, due consideration was given to the following legal regulations:

  • Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR) of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);

  • Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information (Infotv.);

  • Act CVIII of 2001 on Certain Issues of Electronic Commerce Services and Information Society Services (in particular Section 13/A);

  • Act XLVII of 2008 on the Prohibition of Unfair Commercial Practices against Consumers;

  • Act XLVIII of 2008 on the Basic Requirements and Certain Restrictions of Commercial Advertising Activities (in particular Section 6);

  • Act XC of 2005 on Electronic Freedom of Information;

  • Act C of 2003 on Electronic Communications (specifically Section 155);

  • Opinion No. 16/2011 on the EASA/IAB Best Practice Recommendation on Online Behavioural Advertising;

  • The Recommendation of the Hungarian National Authority for Data Protection and Freedom of Information (NAIH) on the data protection requirements of prior information notices.


Document certified and prepared by: Virtualjog.hu


Date of last update: 13.09.2025

