Data Management Guide/GDPR
1. Introduction
Balogh Sándor Tamás, entrepreneur (hereinafter referred to as the "Data Controller"), acknowledges the content of this legal notice as binding upon himself. The Data Controller undertakes to ensure that all data processing related to their activities complies with the requirements set forth in this policy and the applicable laws. The Data Controller's data protection principles concerning data handling are continuously accessible at the address https://www.comprehandservices.hu or can be accessed by clicking on the following link: https://www.comprehandservices.hu/data-management-guide-gdpr
The Data Controller reserves the right to modify this information notice at any time. Naturally, any such changes will be promptly communicated to the public. If you have any questions related to this notice, please feel free to contact us, and our colleague will address your inquiries.
The Data Controller is dedicated to protecting the personal data of their clients and partners and considers the respect of their clients' right to informational self-determination of paramount importance. The Data Controller treats personal data confidentially and implements all necessary security, technical, and organizational measures to guarantee data security. The Data Controller outlines their data processing practices as follows.
2. Information of the data controller
- Service Provider’s name: Balogh Sándor Tamás e.v.
- Service Provider’s headquarters: 4025 Debrecen, Erzsébet utca 8. 3/10.
- Address of complaint handling: 4025 Debrecen, Erzsébet utca 8. 3/10.
- Registration Number: 58214680
- Tax number: 42996804-1-29
- Statistical Identification Number: 42996804743023109
- The contact information of the service provider, which serves for communication with service users and is a regularly used electronic email address: [email address hidden]
- Service Provider’s phone number: +36 30 418 7241
Data of the hosting service provider
- Hosting service provider’s name: Bányász József László e.v.
- Hosting service provider’s headquarters: 1144 Budapest, Rákosfalva park 5. B. ép. 1/7.
- Hosting service provider’s contact email address: [email address hidden]
- Hosting service provider’s website: https://www.honlapsiker.hu
- Hosting service provider’s phone number: +36 70 515 3312
3. Definition of key terms in this document
"Data Subject": any natural person who is identified or identifiable on the basis of information and whose personal data the Data Controller processes.
"Personal Data": any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
"Data Controller": a natural or legal person, public authority, agency, or any other body which determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the data controller or the specific criteria for its nomination may be provided for by Union or Member State law.
"Data Processing": any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction;
"Data Processor": a natural or legal person, public authority, agency, or any other body which processes personal data on behalf of the data controller;
"Data Processing": the entirety of operations performed by a data processor acting on behalf of or under the authority of the data controller;
"Data Breach": a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed;
"Recipient": a natural or legal person, public authority, agency, or any other body to whom personal data is disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.
4. Fundamental Principles of Data Processing
The Data Controller carries out its data processing activities based on the following principles regarding the processing of personal data:
- Processing must be lawful, fair, and transparent to the data subject ("lawfulness, fairness, and transparency").
- Data collection must be done for specified, explicit, and legitimate purposes and not processed in a manner incompatible with those purposes; in accordance with Article 89(1), further processing for historical, scientific, or statistical purposes shall not be considered incompatible if done in accordance with the original purpose ("purpose limitation").
- Data processing must be relevant to the purposes for which they are processed and limited to what is necessary for those purposes ("data minimization").
- Data must be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay ("accuracy").
- Data must be stored in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes, subject to the implementation of the appropriate technical and organizational measures required by this Regulation to safeguard the rights and freedoms of the data subject ("limited storage period").
- Processing must be done in a manner that ensures appropriate security of personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures ("integrity and confidentiality").
- The Data Controller is responsible for compliance with the above principles and must be able to demonstrate such compliance ("accountability").
- When determining the means of processing and during processing itself, the Data Controller implements appropriate technical and organizational measures, such as pseudonymization, to effectively carry out the above principles, fulfill obligations, incorporate legal safeguards, etc., all of which are done in a regulated and documented manner. In practice, this mindset is promoted through employee training, data protection awareness, impact assessments, risk analyses, and balancing tests carried out during the introduction and/or regular review of specific data processing activities ("Privacy by design").
The Data Controller exclusively processes personal data based on voluntary consent from the data subject, which is necessary for the provision of services defined in the General Terms and Conditions.
Personal data retains its status as such during the data processing as long as the connection with the data subject can be restored. The connection with the data subject can be restored if the Data Controller possesses the necessary technical conditions for restoration.
The Data Controller pays special attention to the protection of the personal data of incapacitated individuals and minors under 16 years of age who have limited legal capacity. For their declarations, the consent of their legal representative is required, except for service components where the declaration pertains to data processing that commonly occurs in everyday life and does not require special consideration.
If the collection of personal data was based on the data subject's consent, and in the absence of contrary legal provisions, the Data Controller may continue processing the collected data:
a) For the purpose of fulfilling a legal obligation that applies to them; or
b) For the purpose of asserting the legitimate interest of the Data Controller or a third party, provided that the pursuit of this interest is in proportion to the restriction of the data subject's rights and the protection of personal data, without requiring separate additional consent. This applies even after the withdrawal of the data subject's consent.
The Data Controller processes personal data solely for specific purposes, exercising rights, and fulfilling obligations. The Data Controller declares that at every stage of data processing, the purpose is adhered to, and the collection and handling of data are conducted fairly. The Data Controller asserts that only personal data that is indispensable for achieving the purpose of data processing is processed, in a manner suitable for achieving the purpose, to the necessary extent and duration.
The Data Controller asserts that personal data is only processed with consent based on appropriate information. Prior to commencing data processing, the Data Controller provides the data subject with appropriate information regarding whether the data processing is based on consent or obligatory. The data subject is informed clearly, understandably, and comprehensively about all aspects of their data processing, particularly the purpose and legal basis of data processing, the entity entitled to data processing and data processing, the duration of data processing, whether the data subject's personal data is processed by the Data Controller with the data subject's consent and to fulfill legal obligations or the legitimate interests of a third party, as well as who can access the data. The provided information encompasses the data subject's rights and options for legal remedies related to data processing.
During data processing, the Data Controller ensures the accuracy, completeness, and up-to-date nature of the data, as well as that the data subject can only be identified for the necessary duration to achieve the purpose of data processing.
The Data Controller performs the processing of personal data lawfully, fairly, and transparently to the data subject. In the context of the principles, as stipulated in Section 4(5) of the Information Act based on Section 2(2) of the same Act, the provisions of the Regulation must be applied together with the following addition: "The processing of personal data shall be considered fair and lawful if, in order to ensure the freedom of expression of the data subject, a person wishing to ascertain the opinion of the data subject visits the data subject's place of residence or habitual abode, provided that the personal data of the data subject are processed in accordance with the provisions of this Act and the personal approach is not for business purposes. Personal visits shall not take place on a non-working day as defined by the Labour Code."
The Data Controller does not verify the accuracy of the personal data provided to them. The responsibility for the adequacy of the provided data lies solely with the person (Data Subject) providing it. Any Data Subject providing their email address also assumes responsibility for ensuring that only they use the provided email address for availing services. Due to this assumption of responsibility, any and all liabilities related to logins made with a provided email address rest solely with the Data Subject who registered the email address.
5. Types of Data Processing, Scope of Personal Data, Purpose of Data Processing, Legal Basis, and Duration of Data Processing
The data processing activities of the Data Controller are based on voluntary consent or the fulfillment of contracts with the data subjects. However, in certain cases, legal requirements make it obligatory to process, store, or transmit data pertaining to a certain category, about which our audience is specifically informed.
We draw the attention of data providers to the fact that if they provide personal data on behalf of others, it is their responsibility to obtain the consent of the data subject unless they are the rightful owners of the data.
The Data Controller's data processing principles are in accordance with the relevant data protection laws, including the following:
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, GDPR).
- Act CXII of 2011 on Informational Self-Determination and Freedom of Information (Infotv.).
- Act CVIII of 2001 on certain aspects of electronic commerce services and information society services (Eker.tv.).
- Act C of 2003 on electronic communications (Eht.).
These principles ensure compliance with the legal framework concerning data protection.
5.1. Data processed during website usage
You can use the https://www.comprehandservices.hu website without providing personal data. Therefore, the General Data Protection Regulation does not apply to the use of the website.
Any data generated during the browsing of the website is not stored or processed by the Data Controller in a way that can be linked to specific individuals.
5.2. https://www.comprehandservices.hu website cookie management
The operator of the https://www.comprehandservices.hu website places and reads small data packets, known as cookies, on the user's computer for the purpose of customized service. However, the use of cookies does not involve the processing of personal data.
The legal basis for data processing: Sections 13/A(3) and (4) of the Electronic Commerce Act (Eker.tv.), provisions of Article 5(3) of Directive 2002/58/EC, and Section 155(4) of the Electronic Communications Act (Ehtv.), based on the user's consent, which is obtained and recorded upon the user's first entry to the website.
More information about cookies can be found at the following address: https://www.comprehandservices.hu/cookie-information
Users can delete cookies from their own computers or disable cookie usage in their browsers. Cookie management settings are typically found in the Privacy settings under the Tools/Settings menu of the browser, often labelled as "Cookies".
5.3. Data processing related to messaging and contact
The Types of Processed Personal Data: The name of the individual, their email address, phone number.
The Purpose of Data Processing: The purpose of data processing is to provide the individual with appropriate information and facilitate communication.
The Scope of Data Subjects: Any natural person who contacts the Data Controller and requests information from the Data Controller by providing their personal data.
Legal Basis for Data Processing: Consent of the data subject pursuant to Article 6(1)(a) of the Regulation.
Duration of Data Processing: Until deletion.
Description of the Activities and Processes Involved in Data Processing:
a. The data subject can contact the Data Controller through the means or methods provided by the Data Controller to inquire about the services offered by the Data Controller and/or other related questions.
b. Data provided by the data subject through the website reach the email address of the Data Controller.
c. In line with the purpose of data processing, the data subject voluntarily gives consent that if they provide their contact details during the information request process, the Data Controller may reach out to them through those details to clarify the question or provide an answer.
Authorized Parties with Access to the Processed Data: Data Controller.
5.4. Data Handling Related to Application and Price Inquiry
Type of processed personal data: name of the data subject, email address, phone number
Purpose of data processing: Fulfilment of the contract during application and price inquiry on the website, providing and fulfilling service-related information based on the application, communication.
Circle of data subjects: Any natural person who applies on the data processor's website used by the Data Controller.
Legal basis for data processing: Consent of the data subject pursuant to Article 6(1)(a) of the Regulation.
Duration of data processing: Until the time of storage of user data in the database, or until the user's request for deletion.
Description of the activities and processes involved in data processing: To provide an accurate price quote and ensure efficient and comprehensive service delivery, the data subject must provide the necessary information for the application and price inquiry to be fulfilled.
Authorized recipients of the disclosed data, recipients of personal data: The Data Controller processes the personal data related to the order to provide an accurate price quote and ensure efficient and comprehensive service delivery.
5.5. Data Handling Related to Feedbacks
Type of processed personal data: name of the data subject, email address, message/opinion.
Purpose of data processing: Publication of the Data Subject's opinion and name on the Data Controller's website https://www.comprehandservices.hu, as well as the use of the opinion for constructive purposes in the further activities of the Data Controller.
Circle of data subjects: Any natural person who contacts the Data Controller and requests information from the Data Controller while providing their personal data.
Legal basis for data processing: Consent of the data subject pursuant to Article 6(1)(a) of the Regulation.
Duration of data processing: Throughout the duration of service provision (until the data is deleted).
Transmission of personal data: During data processing, personal data will be transmitted to data processors in contractual relationship with the Data Controller, for the purpose of fulfilling services specified in the contract, based on the instructions of the Data Controller.
Description of the activities and processes involved in data processing:
a. The Data Subject can engage with the Data Controller regarding the services provided by the Data Controller and/or other related questions through the means or methods made available to them by the Data Controller. Additionally, the Data Subject can provide feedback about services already rendered.
b. In line with the purpose of data processing, the Data Subject voluntarily consents to the Data Controller getting in touch with them through the contact details they provided during information requests, for the purpose of clarifying questions or providing answers.
Authorized recipients of the disclosed data, recipients of personal data:
The Data Controller, for the purpose of fulfilling responses and maintaining contact, as well as Google Ireland Limited and Bányász József László ev., as data processors, handle the personal data associated with message sending.
5.6. Data processing related to invoicing
Type of processed personal data: Last name, first name, email address, phone number, billing address (postal code, city name, street, house number, floor, door).
Purpose of data processing: During the "prescription and collection" of the service fee, fulfilment of the contract, issuing an invoice, documenting payment, fulfilling accounting obligations, communication.
Circle of data subjects: Any natural person who applies for and uses the service provided by the Data Controller on the data processor's website utilized by the Data Controller.
Legal basis for data processing: Legal obligation pursuant to Article 6(1)(c) of the Regulation, Section 159(1) of Act CXXVII of 2007 on Value Added Tax, and Act C of 2000 on Accounting.
Duration of data processing: In accordance with Section 169(2) of the Accounting Act, issued invoices must be retained for 8 years from the date of issuance. In addition to legal requirements, the Data Controller processes personal data for an additional 2 years due to the statute of limitations and potential tax authority examinations.
Description of the activities and processes involved in data processing: Data processing is carried out to issue invoices in compliance with regulations and fulfil accounting record-keeping obligations.
Authorized recipients of the disclosed data, recipients of personal data: The Data Controller and data processors involved in invoicing and accounting (as detailed in point 6 of this notice) handle the personal data related to invoicing for the purpose of issuing invoices and recording them for the Data Controller's accounting.
5.7. Data processing related to complaint handling
Type of processed personal data: Unique complaint identifier, name, address, phone number, bank account number (in case of monetary compensation), location and time of complaint submission, method of complaint submission, related documents (e.g., protocol, complaint form), photograph.
Purpose of data processing: Management, assessment, and record-keeping of quality complaints arising in relation to services provided by the Data Controller.
Circle of data subjects: Data of the customer submitting the complaint and the Data Controller's customer service representative are stored in relation to the complaint.
Legal basis for data processing: The processing is initiated based on consent for case handling, and the protocol is prepared due to legal obligation. [Article 6(1)(a) and (c) of GDPR]
Duration of data processing: Regarding the recorded complaint protocols and related documents, 5 + 2 years in accordance with Section 17/A(7) of Act CLV of 1997 on Consumer Protection.
Description of the activities and processes involved in data processing: The data processing process is carried out in compliance with regulations to manage, assess, and record quality complaints related to the services provided by the Data Controller.
Authorized recipients of the disclosed data, recipients of personal data: The Data Controller handles the personal data related to complaints to fulfil the legal obligations regarding recording complaint protocols. In the event of an investigation, the consumer protection authority may also be a recipient.
5.8. Data processing related to provability of consent
Type of processed personal data: IP address of the data subject, email address, timestamp of consent.
Purpose of data processing: During registration and ordering processes, the IT system stores consent-related IT data for the purpose of later provability.
Circle of data subjects: Any natural person who registers, places an order, or subscribes to a newsletter on the Data Controller's website.
Legal basis for data processing: Legal obligation (based on Article 6(1)(c) of GDPR), as specified in Article 7(1) of the GDPR Regulation.
Duration of data processing: Due to legal requirements, consent needs to be provable in the future. Therefore, data storage duration extends to the statutory limitation period following the termination of data processing.
5.9. External links and references
Our website may contain several links and references that lead to the websites of other service providers. As a result, visitors to the website may be directed to web pages where data processing is not conducted by the Data Controller. The Data Controller is not responsible for the data and information protection practices of these service providers.
These links include the following: https://www.honlapsiker.hu
5.10. Other data processing
For data processing not listed in this data processing information, we provide information at the time of data collection. We inform our customers that courts, prosecutors, investigative authorities, misdemeanour authorities, administrative authorities, the National Authority for Data Protection and Freedom of Information, or other authorities as authorized by law may contact the Data Controller for the purpose of providing information, disclosing data, transferring data, or making documents available. The Data Controller will only disclose personal data to authorities to the extent necessary for the achievement of the specific purpose if the authority has specified the precise purpose and scope of the data.
6. Utilization of data processor(s)
For the purpose of facilitating its own data processing activities and fulfilling contractual or legal obligations with data subjects, the Data Controller employs data processors. This means that the Data Controller may share your personal data, as outlined in this privacy notice, with the data processor involved in the respective service.
The Data Controller places great emphasis on engaging data processors who provide sufficient guarantees for compliance with the GDPR requirements for data processing and for implementing appropriate technical and organizational measures to protect the rights of data subjects.
The data processor, as well as any individual acting under the direction of the Data Controller or the data processor, who has access to personal data, processes the personal data outlined in this notice solely in accordance with the instructions of the Data Controller.
The Data Controller holds legal responsibility for the activities of data processors. The data processor is only liable for damages caused by data processing if it fails to comply with the specific obligations assigned to data processors as set out in the GDPR or if it disregards the lawful instructions of the Data Controller or acts contrary to them.
The data processor does not have substantive decision-making power concerning the management of the data. Data processors retain the data for the same duration as the Data Controller, after which it is deleted. The Data Controller is entitled to monitor compliance with data protection and security requirements.
The Data Controller utilizes the following data processors:
Data processor
- Name: Bányász József László egyéni vállalkozó
- Headquarters: 1144 Budapest, Rákosfalva park 5/B. 1/7.
- Tax number: 77804613-1-42
- Registration number: 34119092
- Statistical Identification Number: 77804613620123101
- E-mail: [email address hidden]
- Website:
- Phone number: +36 70 515 3312
- Name of the Data Processing Activity by Data Processor: Performing IT Tasks, Website Management, Hosting Services
Data processor
- Name: Horváthné Zsadányi Valéria egyéni vállalkozó
- Headquarters: 4031 Debrecen, Szoboszlói út 50. III. ép. 2/31.
- Tax number: 59192459-1-29
- Registration number: 57275606
- Statistical Identification Number: 59192459692023109
- Name of the Data Processing Activity by Data Processor: Accounting
Data Processor
- Name: Google Ireland Limited
- Headquarters: Ireland, Dublin 4, Gordon House, Barrow Street
- Registration number: 368047
- Court Maintaining Records: Operates under Irish Legislation
- Website:
- Name of the Data Processing Activity by Data Processor: Management of Email Communication System
Data Processor
- Name: KBOSS.hu Kereskedelmi és Szolgáltató Korlátolt Felelősségű Társaság
- Headquarters: 1031 Budapest, Záhony utca 7.
- Tax number: 13421739-2-41
- Company Registration Number: 01-09-303201
- Court Maintaining Records: Fővárosi Törvényszék Cégbírósága
- Represents: Ángyán Balázs, managing director
- E-mail: [email address hidden]
- Website:
- Name of the Data Processing Activity by Data Processor: Invoicing Activity, Operation of Invoicing Software
Data Processor
- Name: Microsoft Ireland Operations Limited
- Headquarters: South County Business Park, Leopardstown, Dublin 18, Ireland
- Website:
- Name of the Data Processing Activity by Data Processor: Operating Microsoft Outlook email communication system
The Data Controller reserves the right to engage further data processors, about whom it will provide individual information at the latest when data processing begins.
"Third party" refers to a natural or legal person, public authority, agency, or any other body that is not the data subject, the data controller, the data processor, or the individuals who, under the direct authority of the data controller or data processor, are authorized to process personal data.
Third-party data controllers process the personal data we provide them in their own name and in accordance with their own privacy policies.
Third Party (independent) Data Processor
- Name: Magyar Posta Zártkörűen Működő Részvénytársaság
- Headquarters: 1138 Budapest, Dunavirág utca 2-6.
- Tax number: 10901232-2-44
- Company Registration Number: Cg. 01-10-042463
- Court Maintaining Records: Fővárosi Törvényszék Cégbírósága
- Represents: Schamschula György, chief executive officer
- E-mail: [email address hidden]
- Phone number: +36-1-767-8200
- Website:
- Name of the Activity: Delivery
8. Storage of data
The Data Controller stores the personal data of the data subject on a server operated by Bányász József László ev.
9. Data security measures
Considering the state of the art, implementation costs, the nature, scope, context, and purposes of data processing, as well as the varying likelihood and severity of risks to the rights and freedoms of natural persons, the Data Controller and data processors implement appropriate technical and organizational measures to ensure a level of data security that is proportionate to the risk level.
The Data Controller selects and operates the applied IT tools for processing personal data in a way that ensures:
- Accessibility of the processed data to authorized individuals (availability);
- Assurance of accuracy and authentication (integrity of data processing);
- Proof of data's unchanged status (data integrity);
- Protection against unauthorized access (confidentiality of data).
The Data Controller employs appropriate measures to protect the data, particularly against unauthorized access, alteration, transmission, disclosure, deletion, or destruction, as well as against accidental destruction, damage, and becoming inaccessible due to changes in technology.
In order to protect electronically managed data files in its various registries, the Data Controller employs appropriate technical solutions to ensure that the stored data, except when permitted by law, cannot be directly linked or associated with the data subject.
Considering the current state of technology, the Data Controller ensures the security of data processing by implementing technical, organizational, and structural measures that provide a level of protection commensurate with the risks associated with data processing.
During data processing, the Data Controller maintains:
- Confidentiality: It protects information to ensure that only authorized individuals can access it.
- Integrity: It safeguards the accuracy and completeness of information and processing methods.
- Availability: It ensures that when an authorized user needs it, they can genuinely access the desired information, and the necessary tools are available for this purpose.
The Data Controller and its partners involved in data processing have both their IT systems and networks protected against computer-assisted fraud, espionage, sabotage, vandalism, fire, flood, as well as computer viruses, hacking, and denial-of-service attacks. The operator ensures security through server-level and application-level protective procedures. Users are informed that electronically transmitted messages on the internet, regardless of the protocol (email, web, FTP, etc.), are vulnerable to network threats that may lead to unfair activities, contract disputes, or the disclosure or modification of information. The Data Controller takes all necessary precautions to safeguard against such threats. The systems are monitored to record any security deviations and provide evidence in case of security incidents. System monitoring also enables the assessment of the effectiveness of implemented security measures.
The Data Controller keeps records of any potential data breaches, including the facts related to the data breach, its effects, and the measures taken to address it. In the event of a data breach, the Data Controller notifies the National Authority for Data Protection and Freedom of Information promptly and, if possible, within 72 hours after becoming aware of the data breach, unless the data breach is unlikely to result in a risk to the rights and freedoms of natural persons. If the notification cannot be made within 72 hours, the reasons for the delay are provided as well.
10. Rights of data subjects and remedies
The data subject can request information about the processing of their personal data, request the correction of their personal data, and, with the exception of mandatory data processing, request deletion or withdrawal and exercise their data portability and objection rights, either in the manner indicated at the time of data collection or by using the contact details of the Data Controller provided above.
10.1. Right to Information
The Data Controller takes appropriate measures to ensure that the data subjects are provided with all the information referred to in Articles 13 and 14 of the GDPR and all the information referred to in Articles 15 to 22 and Article 34 in a concise, transparent, intelligible, and easily accessible form, presented in a clear and plain language.
10.2. Right to Access
The data subject has the right to obtain from the Data Controller confirmation as to whether or not personal data concerning them is being processed, and if such processing is taking place, to access the personal data and the following information:
- the purposes of the processing;
- the categories of personal data concerned;
- the recipients or categories of recipients to whom the personal data have been or will be disclosed, including specifically recipients in third countries or international organizations;
- the envisaged period for which the personal data will be stored;
- the right to rectification, erasure, or restriction of processing and the right to object;
- the right to lodge a complaint with a supervisory authority;
- information about the source of the data;
- the existence of automated decision-making, including profiling, and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
The Data Controller shall provide the information within one month of the receipt of the request.
10.3. Right to Rectification
The data subject has the right to request the rectification of inaccurate personal data concerning them, as well as the right to have incomplete personal data completed by the Data Controller.
10.4. Right to Erasure
The data subject has the right to request the erasure of personal data concerning them without undue delay, based on one of the following grounds:
- The personal data are no longer necessary for the purposes for which they were collected or otherwise processed.
- The data subject withdraws consent on which the processing is based, and there is no other legal ground for the processing.
- The data subject objects to the processing, and there are no overriding legitimate grounds for the processing.
- The personal data have been unlawfully processed.
- The personal data must be erased for compliance with a legal obligation in Union or Member State law to which the data controller is subject.
- The personal data have been collected in relation to the offer of information society services.
Erasure of data shall not apply if processing is necessary for:
- Exercising the right of freedom of expression and information.
- Compliance with a legal obligation which requires processing by Union or Member State law to which the data controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority.
- Reasons of public interest in the area of public health.
- Archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes.
- The establishment, exercise, or defense of legal claims.
10.5. Right to Restriction of Processing
The data subject shall have the right to request the data controller to restrict processing if one of the following conditions applies:
- The accuracy of the personal data is contested by the data subject. In this case, the processing shall be restricted for a period enabling the verification of the accuracy of the personal data.
- The processing is unlawful, and the data subject opposes the erasure of the personal data and requests the restriction of their use instead.
- The data controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise, or defense of legal claims.
- The data subject has objected to processing pending the verification whether the legitimate grounds of the data controller override those of the data subject. In this case, processing shall be restricted during the period while the verification is pending.
If processing is restricted, the personal data shall, with the exception of storage, only be processed with the data subject's consent or for the establishment, exercise, or defense of legal claims, for the protection of the rights of another natural or legal person, or for reasons of important public interest of the Union or of a Member State.
10.6. Right to Data Portability
The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to the data controller, in a structured, commonly used, and machine-readable format and have the right to transmit those data to another data controller without hindrance.
10.7. Right to Object
The data subject shall have the right to object at any time, on grounds relating to his or her particular situation, to the processing of personal data concerning him or her which is based on the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller, or when processing is necessary for the purposes of the legitimate interests pursued by the data controller or by a third party, including profiling based on the aforementioned provisions. In case of objection, the data controller shall no longer process the personal data unless compelling legitimate grounds for the processing override the interests, rights, and freedoms of the data subject, or the processing is needed for the establishment, exercise, or defense of legal claims.
10.8. Automated Decision-Making in Individual Cases, Including Profiling
The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her. The Data Controller does not engage in automated decision-making or profiling based on automated processing.
10.9. Right to Withdraw Consent
The data subject has the right to withdraw consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. The data subject shall be informed of this possibility prior to giving consent. The withdrawal of consent should be as easy as giving it.
10.10. Right to Lodge a Complaint with a Court
In case the rights of the data subject are violated, they have the right to bring an action against the Data Controller before a court. This means that they can initiate legal proceedings at the regional court having jurisdiction over their domicile or habitual residence (you can view a list of regional courts at the following link: http://birosag.hu/torvenyszekek). The court shall handle the case with expedience.
10.11. Proceedings Before the Data Protection Authority
The data subject can file a complaint with the National Authority for Data Protection and Freedom of Information:
Name: National Authority for Data Protection and Freedom of Information
Address: 1125 Budapest, Szilágyi Erzsébet fasor 22/C, Hungary
Mailing Address: 1530 Budapest, Pf.: 5, Hungary
Phone: +3613911400
Fax: +3613911410
Website: http://www.naih.hu
10.12. Informing the Data Subject about Data Breach
If a data breach is likely to result in a high risk to the rights and freedoms of natural persons, the Data Controller shall inform the data subject about the data breach without undue delay.
The information provided to the data subject must clearly and understandably explain the nature of the data breach and include the name and contact details of the Data Protection Officer or other relevant contact person for further information. It should outline the probable consequences of the data breach, and describe the measures taken or planned by the Data Controller to address the data breach, including potential mitigating actions to alleviate adverse effects resulting from the incident.
The data subject does not need to be informed if any of the following conditions are met:
- The Data Controller has implemented appropriate technical and organizational protective measures, and these measures have been applied to the affected data, particularly measures such as encryption that render the data unintelligible to unauthorized persons.
- The Data Controller has taken subsequent measures following the data breach to ensure that the high risk to the rights and freedoms of data subjects is no longer likely.
- Providing information would require disproportionate effort. In such cases, data subjects must be informed through publicly available information or similar means that ensure effective communication.
If the Data Controller has not yet informed the data subject about the data breach, the supervisory authority, after considering whether the data breach is likely to result in a high risk, may order the data subject to be informed.
10.13. Compensation and Damages
Any individual who has suffered material or non-material damage as a result of a violation of the data protection regulation is entitled to claim compensation from the Data Controller or Data Processor. The Data Processor is liable for damages resulting from data processing only if they have not complied with the obligations specifically imposed on Data Processors by law, or if they have disregarded the lawful instructions of the Data Controller or acted against them.
If multiple Data Controllers or Data Processors are involved in the same data processing and share liability for damages caused by the data processing, each Data Controller or Data Processor is jointly liable for the entire damage.
The Data Controller or Data Processor is exempt from liability if they can prove that they are in no way responsible for the event that caused the damage.
10.14. Procedural Rules
- The Data Controller shall inform the data subject without undue delay and within one month from the receipt of the request, about the measures taken in response to requests under GDPR Articles 15 to 22.
- If necessary, taking into account the complexity and number of requests, this period can be extended by an additional two months. The Data Controller shall inform the data subject of such extension, along with the reasons for the delay, within one month from the receipt of the request. If the data subject has submitted the request electronically, the information shall be provided electronically, unless the data subject requests otherwise.
- If the Data Controller does not take action on the data subject's request, the data subject shall be informed without undue delay, but no later than one month from the receipt of the request, about the reasons for not taking action, and also about the right to file a complaint with a supervisory authority and to seek judicial remedies.
- The Data Controller shall provide the requested information and communication free of charge. If the data subject's request is clearly unfounded or excessive, especially because of its repetitive character, the Data Controller may charge a reasonable fee based on administrative costs for providing the requested information or communication or for taking the requested action, or the Data Controller may refuse to act on the request.
- The Data Controller shall inform all recipients to whom the personal data has been disclosed about any rectification, erasure, or restriction of processing carried out, unless this proves impossible or involves disproportionate effort. Upon request, the Data Controller shall also inform the data subject about these recipients.
- The Data Controller shall provide a copy of the personal data undergoing processing to the data subject. For any further copies requested by the data subject, the Data Controller may charge a reasonable fee based on administrative costs. If the data subject has submitted the request electronically, the information shall be provided in electronic format, unless otherwise requested by the data subject.
11. Review in case of mandatory data processing
If the duration or necessity of mandatory data processing is not determined by law, local government regulation, or mandatory legal act of the European Union, the data controller shall review, at least every three years from the commencement of data processing, whether the processing of personal data managed by the data controller or by a data processor acting on its behalf or under its instruction is necessary for achieving the purpose of data processing.
The circumstances and results of this review shall be documented by the data controller, and this documentation shall be retained for a period of ten years from the completion of the review. Upon request by the National Authority for Data Protection and Freedom of Information (hereinafter referred to as the Authority), the data controller shall provide this documentation to the Authority.
12. Modification of the data processing information
The Data Controller reserves the right to modify this data processing information in a manner that does not affect the purpose and legal basis of data processing. By using the website after the implementation of modifications, you accept the amended data processing information.
If the Data Controller intends to carry out further data processing for a purpose other than the one for which the data was collected, they will inform you about the purpose of the data processing and the following information before proceeding with the additional data processing:
- The duration of storage of personal data, or if this is not possible, the criteria used to determine this duration.
- Your right to request access to your personal data, their correction, deletion, or restriction of processing, and in the case of data processing based on legitimate interests, your right to object to the processing of personal data. In cases of processing based on consent or contractual relationship, you can request data portability.
- In the case of data processing based on consent, the right to withdraw your consent at any time.
- Your right to file a complaint with the supervisory authority.
- Whether the provision of personal data is based on a legal or contractual obligation or is necessary for entering into a contract, and whether you are obliged to provide personal data, as well as the possible consequences of not providing the requested data.
- Information about the existence of automated decision-making, including profiling (if such processes are used), and meaningful information about the logic involved, as well as the potential consequences for you.
Data processing can only commence after these notifications, and if the legal basis for data processing is consent, you must also provide your explicit consent beyond just being informed.