- Copyright 2024 fonal8.hu All rights reserved.
Introduction
1.1. The Data Controller and Contact Details
Definitions
Principles of Personal Data Processing
Specific Data Processing Activities
4.1. Registration (Creating a User Account)
4.2. Data Processing Related to Webshop Operation
4.3. Customer Relations
4.4. Newsletter, Direct Marketing Activities
4.5. Complaint Handling
Recipients of Personal Data
5.1. Data Processors (acting on behalf of the Controller)
5.2. Specific Data Processors
5.3. Data Transfers to Third Parties
Cookie Management
Use of Google and Facebook Services
7.1. Use of Google AdWords Conversion Tracking
7.2. Use of Google Analytics
7.3. Facebook Pixel
7.4. Social Media Platforms
Customer Service and Other Data Processing Activities
Data Subjects’ Rights
Response Deadlines
Data Security
Notification of Data Breaches to Data Subjects
Notification of Data Breaches to the Supervisory Authority
Review of Mandatory Data Processing
Complaint Mechanisms
Final Provisions
EN-TAN Korlátolt Felelősségű Társaság
(Company registration number: 13-09-215249, Tax number: 14237283-2-13, Registered seat: 2120 Dunakeszi, Magdolna utca 28.)
(hereinafter referred to as: the “Service Provider” or “Data Controller”) hereby submits to the provisions of this policy.
Pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation, or “GDPR”) of 27 April 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (repealing Directive 95/46/EC), we provide the following information.
This Privacy Policy governs the data processing activities on the following website:
🔗 https://fonal8.hu/adatvedelmi-szabalyzat/
The policy is also available at:
🔗 https://fonal8.hu/adatvedelmi-szabalyzat/
Any amendments to this policy shall become effective upon publication at the above address.
Name: EN-TAN Korlátolt Felelősségű Társaság
Registered seat: 2120 Dunakeszi, Magdolna utca 28.
Email: entankft@gmail.com
“Personal data”: any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“Processing”: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Data controller”: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
“Data processor”: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
“Recipient”: a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.
“Consent of the data subject”: any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
“Personal data breach”: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Personal data must be:
a) Processed lawfully, fairly and in a transparent manner in relation to the data subject (“lawfulness, fairness and transparency”);
b) Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered incompatible with the initial purposes pursuant to Article 89(1) (“purpose limitation”);
c) Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (“data minimisation”);
d) Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (“accuracy”);
e) Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1), subject to implementation of the appropriate technical and organisational measures required by the GDPR to safeguard the rights and freedoms of the data subject (“storage limitation”);
f) Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (“integrity and confidentiality”).
The data controller is responsible for and must be able to demonstrate compliance with the above principles (“accountability”).
The data controller declares that it processes personal data in accordance with the principles set out in this section.
1. Nature of data collection, scope of processed data, and purpose of processing:
| Personal Data | Purpose of Data Processing |
|---|---|
| Last name, first name | Identification and enabling secure access to the user account |
| Email address | Communication, sending system messages, login to the user account |
| Notification phone number | Identification and communication |
| Password | Enabling secure access to the user account |
| Date of registration | Technical operation |
| IP address at the time of registration | Technical operation |
Note: The email address does not necessarily have to contain personal data.
2. Data subjects concerned:
All individuals who register on the website.
3. Duration of data processing and data deletion period:
If any of the conditions outlined in Article 17(1) of the GDPR are met, the data will be retained until the data subject requests its deletion. Upon deletion of the user account, all personal data will be immediately erased. The controller shall inform the data subject electronically, in accordance with Article 19 of the GDPR, regarding the deletion of any personal data provided by the data subject. If the data subject’s request includes the deletion of the email address, that too will be deleted following the notification.
4. Persons authorised to access the data and possible recipients:
The data may be accessed and processed by authorised staff of the data controller, in accordance with this privacy notice.
5. Rights of the data subjects regarding data processing:
The data subject may request from the controller:
access to their personal data,
rectification or deletion of such data,
restriction of processing,
data portability,
and may withdraw their consent at any time.
6. Methods for initiating access, deletion, rectification, restriction, or data portability:
By post: 2120 Dunakeszi, Magdolna utca 28., Hungary
By email: entankft@gmail.com
By phone: Mon–Fri, 10:00–12:00
7. Legal basis for data processing:
Article 6(1)(a) and (b) of the GDPR.
8. Additional information:
The processing is based on your consent or necessary steps taken at your request prior to entering into a contract.
Providing personal data is a prerequisite for registration.
Failure to provide the required data will result in our inability to create your user account.
1. Nature of data collection, scope of processed data, and purpose of processing:
| Personal Data | Purpose of Data Processing |
|---|---|
| Password | Enabling secure access to the user account |
| First and last name | Necessary for contact, purchase, and issuance of a legally compliant invoice |
| Email address | Communication, sending confirmations |
| Phone number | Communication; more efficient coordination regarding billing or shipping issues |
| Billing name and address | Issuance of a legally compliant invoice; creating, defining, modifying, monitoring performance of a contract; invoicing; enforcement of related claims |
| Shipping name and address | Enabling home delivery |
| Date of purchase/registration | Technical operation |
| IP address at purchase/registration | Technical operation |
Note: The email address does not necessarily have to contain personal data.
2. Data subjects concerned:
All individuals who register or make a purchase on the webshop website.
3. Duration of data processing and data deletion period:
Data is retained until a request for deletion is submitted by the data subject, provided that the conditions in Article 17(1) of the GDPR are met.
The controller will inform the data subject electronically about the deletion of any personal data provided, in accordance with Article 19 of the GDPR.
If the deletion request includes the email address, it will also be deleted following the notification.
Exception: Data found on accounting documents must be retained for 8 years, in accordance with Section 169(2) of Act C of 2000 on Accounting.
Contract-related data may be deleted after the expiration of the limitation period under civil law.
Supporting accounting documentation (including general ledger entries and analytical records) must be kept in readable form and retrievable based on accounting references for at least 8 years.
4. Persons authorised to access the data and possible recipients:
The data may be processed by the sales and marketing staff of the data controller, in compliance with the above principles.
5. Rights of the data subjects regarding data processing:
The data subject may request from the controller:
access to their personal data,
rectification or deletion of such data,
restriction of processing,
data portability,
and may withdraw their consent at any time.
6. Methods for initiating access, deletion, rectification, restriction, or data portability:
By post: 2120 Dunakeszi, Magdolna utca 28., Hungary
By email: entankft@gmail.com
By phone: Mon–Fri, 10:00–12:00
7. Legal basis for data processing:
7.1. Article 6(1)(b) and (c) of the GDPR
7.2. Section 13/A(3) of Act CVIII of 2001 on certain aspects of electronic commerce services and services related to the information society:
The service provider may process personal data that are technically essential for providing the service. The service provider must ensure that the tools used for providing such services process only the data strictly necessary for service provision, to the extent and for the time strictly required.
7.3. In the case of issuing invoices in compliance with accounting laws: Article 6(1)(c) of the GDPR
7.4. For enforcing claims under contracts: Section 6:21 of Act V of 2013 on the Civil Code
Section 6:22 [Limitation period]
(1) Unless otherwise provided by law, claims shall lapse after five years.
(2) The limitation period begins when the claim becomes due.
(3) Any agreement to alter the limitation period must be in writing.
(4) An agreement excluding the limitation period is void.
8. Additional information:
Data processing is necessary for fulfilling the contract and for providing a quote.
Personal data is required to process your order.
Failure to provide data will result in our inability to fulfil your order.
1. Nature of data collection, scope of processed data, and purpose of processing:
| Personal Data | Purpose of Data Processing |
|---|---|
| Name, email address, phone number | Communication, identification, performance of contracts, business purposes |
2. Data subjects concerned:
All individuals who maintain contact with the controller by phone, email, or in person, or who are in a contractual relationship with the controller.
3. Duration of data processing and data deletion period:
Messages and correspondence are retained until a deletion request by the data subject, but for no more than 2 years.
4. Persons authorised to access the data and possible recipients:
The data may be processed by the data controller’s authorised staff, in compliance with the principles outlined above.
5. Rights of the data subjects regarding data processing:
The data subject may request from the controller:
access to their personal data,
rectification or deletion of such data,
restriction of processing,
data portability,
and may withdraw their consent at any time.
6. Methods for initiating access, deletion, rectification, restriction, or data portability:
By post: 2120 Dunakeszi, Magdolna utca 28., Hungary
By email: entankft@gmail.com
By phone: Mon–Fri, 10:00–12:00
7. Legal basis for data processing:
Article 6(1)(b) and (c) of the GDPR
For enforcing contractual claims: Section 6:21 of Act V of 2013 on the Civil Code
Section 6:22 [Limitation period]
(1) Unless otherwise provided by law, claims shall lapse after five years.
(2) The limitation period begins when the claim becomes due.
(3) Any agreement to alter the limitation period must be in writing.
(4) An agreement excluding the limitation period is void.
8. Additional information:
Data processing is necessary for fulfilling the contract or responding to your inquiries.
Providing personal data is required to enable us to fulfil the contract or address your request.
Failure to provide data may prevent us from fulfilling the contract or processing your request.
1. In accordance with Section 6 of Act XLVIII of 2008 on the Basic Requirements and Certain Restrictions of Commercial Advertising Activities, the User may give prior and explicit consent to the Service Provider contacting them at the contact details provided during registration with advertisements and other promotional communications.
2. Furthermore, the Client may, in line with the provisions of this Privacy Policy, consent to the Service Provider processing their personal data necessary for sending marketing offers.
3. The Service Provider does not send unsolicited promotional messages, and the User may unsubscribe from promotional messages without any restriction or justification and free of charge. In this case, the Service Provider will delete all personal data necessary for sending marketing messages from its records and will no longer contact the User with further offers.
Unsubscribing can be done by clicking on the link provided in the message.
4. Nature of data collection, scope of processed data, and purpose of processing:
| Personal Data | Purpose of Data Processing |
|---|---|
| Name, email address | Identification, enabling subscription to the newsletter |
| Subscription date | Technical operation |
| IP address at the time of subscription | Technical operation |
5. Data subjects concerned:
All individuals who subscribe to the newsletter.
6. Purpose of data processing:
To send promotional electronic messages (email, SMS, push notifications) to the data subject; to inform them about current news, products, offers, new features, etc.
7. Duration of data processing and data deletion period:
Until the consent is withdrawn, i.e., until the data subject unsubscribes.
8. Persons authorised to access the data and possible recipients:
The data may be processed by the sales and marketing staff of the data controller, in compliance with the principles outlined above.
9. Rights of the data subjects regarding data processing:
The data subject may request from the controller:
access to their personal data,
rectification or deletion of such data,
restriction of processing,
objection to the processing of their personal data,
data portability,
and may withdraw their consent at any time.
10. Methods for initiating access, deletion, rectification, restriction, data portability, or objection:
By post: 2120 Dunakeszi, Magdolna utca 28., Hungary
By email: entankft@gmail.com
By phone: Mon–Fri, 10:00–12:00
11. The data subject may unsubscribe from the newsletter at any time, free of charge.
12. Legal basis for data processing:
Data subject’s consent
Article 6(1)(a) and (f) of the GDPR
Section 6(5) of Act XLVIII of 2008 on the Basic Requirements and Certain Restrictions of Commercial Advertising Activities:
“The advertiser, advertising service provider, and publisher may keep records of the personal data of those who have given consent for the purposes defined in the consent. The data recorded in such a registry—regarding the recipient of the advertising—may only be processed in accordance with the content of the consent and until its withdrawal. Data may only be transferred to third parties with the prior consent of the data subject.”
13. Additional information:
The data processing is based on your consent and the legitimate interest of the Service Provider.
Providing personal data is necessary if you wish to receive our newsletters.
Failure to provide data will result in us being unable to send you newsletters.
You may withdraw your consent at any time by clicking the unsubscribe link.
1. Nature of data collection, scope of processed data, and purpose of processing:
| Personal Data | Purpose of Data Processing |
|---|---|
| First and last name | Identification, communication |
| Email address | Communication |
| Phone number | Communication |
| Billing name and address | Identification; handling of complaints, questions or issues related to ordered products |
2. Data subjects concerned:
All individuals who have made a purchase on the website and have submitted a quality-related complaint.
3. Duration of data processing and data deletion period:
According to Section 17/A (7) of Act CLV of 1997 on Consumer Protection, records of complaints, transcripts, and copies of replies must be retained for 5 years.
4. Persons authorised to access the data and possible recipients:
The data may be processed by the sales and marketing staff of the data controller, in compliance with the principles outlined above.
5. Rights of the data subjects regarding data processing:
The data subject may request from the controller:
access to their personal data,
rectification or deletion of such data,
restriction of processing,
data portability,
and may withdraw their consent at any time.
6. Methods for initiating access, deletion, rectification, restriction, or data portability:
By post: 2120 Dunakeszi, Magdolna utca 28., Hungary
By email: entankft@gmail.com
By phone: Mon–Fri, 10:00–12:00
7. Legal basis for data processing:
Article 6(1)(c) of the GDPR
Section 17/A (7) of Act CLV of 1997 on Consumer Protection
Additional information:
Providing personal data is required by legal obligation.
The processing of personal data is a prerequisite for fulfilling the contract.
You are required to provide your personal data so that we can handle your complaint.
Failure to provide data will prevent us from processing your submitted complaint.
“Recipient”: any natural or legal person, public authority, agency or another body to whom personal data are disclosed, regardless of whether they are considered a third party.
The controller engages data processors for the purpose of supporting its own data processing activities and for fulfilling its contractual and legal obligations with the data subject.
The controller places great emphasis on engaging only those data processors who provide sufficient guarantees to implement appropriate technical and organisational measures to ensure that processing complies with GDPR requirements and protects the rights of data subjects.
The data processor and any person acting under the authority of the controller or the processor who has access to personal data shall process those data only in accordance with the controller’s instructions.
The controller bears legal responsibility for the actions of the data processor.
A data processor is only liable for damage caused by processing if:
it has not complied with GDPR obligations specific to processors, or
it acted contrary to or ignored the controller’s lawful instructions.
Data processors have no substantive decision-making authority regarding the data.
Examples of data processors engaged by the controller include:
Hosting service providers
Courier services for delivering ordered products
| Activity | Name and Contact Details |
|---|---|
| Web hosting service | Forpsi.hu (BlazeArts Kft.) – TN: 12539833-2-43 Hungary https://www.forpsi.hu |
| 1096 Budapest, Thaly Kálmán utca 39., phone: +36 1 610 5506, | |
| Email: info@forpsi.hu | |
| Email server | Google (Gmail), Googleplex, Mountain View, CA 94043, USA |
| Cookie analysis | eXTReMe digital, Herengracht 155, 1015 BH Amsterdam, The Netherlands |
| Google Analytics, Googleplex, Mountain View, CA 94043, USA | |
| Couriers | FOXPOST – 3300 Eger, Maklári út 119 |
| Packeta Hungary Kft. – 1044 Budapest, Ezred utca 1-3. B2/11 | |
| MPL Magyar Posta Zrt. – 1138 Budapest, Dunavirág utca 2–6 |
“Third party”: any natural or legal person, public authority, agency or body other than the data subject, the controller, the processor, or persons who, under the direct authority of the controller or processor, are authorised to process personal data.
Third-party data controllers process the shared personal data under their own name and in accordance with their own privacy policies.
| Activity | Name and Contact Details |
|---|---|
| Online payment |
Stripe Payments Europe,
1. Grand Canal Street Lower, Dublin 2, Ireland
Website: https://stripe.com/hu Privacy policy: https://stripe.com/privacyThe webshop uses various types of cookies typical of online stores, such as:
“Session cookies protected by password”
“Shopping cart cookies”
“Security cookies”
“Necessary cookies”
“Functional cookies”
“Cookies responsible for website analytics and statistics”
No prior consent is required for the use of cookies that are essential for the functioning of the website.
However, cookies used for analytics and marketing purposes require the user’s explicit consent.
You may modify your browser settings at any time to manage cookie usage.
Scope of processed data:
Unique identifiers, dates, and timestamps.
Data subjects concerned:
All visitors of the website.
Purpose of data processing:
To identify users, manage shopping cart contents, and track visitor interactions on the site.
Duration of data processing / retention:
Varies depending on the cookie, but users may delete or manage them via browser settings.
Persons authorised to access the data:
The controller does not process personal data directly via cookies.
Rights of data subjects:
You can delete cookies in your browser under Tools/Settings, typically found in the Privacy section.
Legal basis for data processing:
Consent is not required for cookies that are essential for providing a requested service through the electronic communications network.
For other purposes (e.g., analytics/marketing), consent is required.
Further cookie management info per browser:
The controller uses Google AdWords, including Google Conversion Tracking (provided by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA).
When a user visits the site via a Google ad, a cookie is placed on their device for conversion tracking. These cookies:
have limited validity,
contain no personal data,
cannot identify users.
If the user visits certain pages before the cookie expires, both Google and the controller can see that the ad was clicked.
Each AdWords client receives a different cookie, preventing cross-site tracking.
The information gathered via these cookies is used to generate conversion statistics for AdWords clients, such as how many users clicked the ad and were directed to a conversion page.
If you prefer not to participate in conversion tracking, you can disable cookies in your browser.
More info: Google Privacy Policy
This website uses Google Analytics, a web analytics service by Google Inc.
Google Analytics uses “cookies” (text files stored on your device) to help analyse how users interact with the website.
Information generated by the cookie is usually transmitted to and stored on a Google server in the USA.
If IP anonymisation is enabled, Google truncates the IP address within the EU or the EEA.
Full IP addresses are only transferred to the USA in exceptional cases. Google uses the data on behalf of the site operator to analyse website use and generate reports on website activity.
The IP address transmitted by the browser as part of Google Analytics is not merged with other Google data.
You can prevent cookie storage through browser settings. However, this may affect full functionality of the website.
To prevent Google from processing data (including your IP address), install this browser plugin:
https://tools.google.com/dlpage/gaoptout?hl=hu
Facebook Pixel is a tracking code that enables conversion tracking, audience targeting, and usage analytics.
It allows the site to show tailored offers and ads to visitors on Facebook.
Facebook remarketing lists do not allow personal identification.
More information: Facebook Business Help
Scope of processed data:
The registered name and public profile picture of users on Facebook, Google+, Twitter, Pinterest, YouTube, Instagram, etc.
Data subjects concerned:
All individuals who register and “like” or contact the controller via the Service Provider’s social media pages.
Purpose of data collection:
To share, like, follow, or promote content, products, campaigns, or the website on social media.
Duration and manner of data processing, rights of the data subjects:
These are governed by the specific platform’s own data management policies and settings.
The data is processed on the respective platform, and their terms govern deletion, modification, and retention.
Legal basis for data processing:
The data subject’s voluntary consent to the processing of their personal data on the given platform.
If the data subject has questions or issues while using our services, they may contact the controller through the methods provided on the website (phone, email, social media, etc.).
The controller stores the incoming emails, messages, and any voluntarily provided personal data (name, email address, etc.) for up to 2 years from the time of disclosure, unless deletion is requested earlier.
For any data processing activity not specifically listed in this notice, the data subject will be informed at the time the data is collected.
In exceptional cases where an authority or other entity requests data under legal authorization, the Service Provider is obliged to provide the necessary information, transfer data, or make documents available.
In such cases, the Service Provider will only disclose as much personal data as is strictly necessary for fulfilling the request, provided the requesting party has specified the purpose and the scope of the requested data.
Right of Access:
You have the right to obtain confirmation from the controller as to whether your personal data is being processed, and if so, to access the data and certain related information.
Right to Rectification:
You have the right to request the rectification of inaccurate personal data concerning you. You may also request that incomplete data be completed, including by means of a supplementary statement.
Right to Erasure (Right to Be Forgotten):
You have the right to request that the controller erase your personal data without undue delay under certain conditions.
Right to Be Forgotten (Extended):
If the controller has made your personal data public and is obliged to erase it, they must take reasonable steps, including technical measures, to inform other controllers processing the data that you have requested erasure of any links to, or copies or replications of, that data.
Right to Restriction of Processing:
You may request restriction of processing where one of the following applies:
You contest the accuracy of the data (for a period allowing the controller to verify it);
Processing is unlawful but you oppose erasure and request restriction instead;
The controller no longer needs the data, but you need it to assert or defend legal claims;
You have objected to processing, pending verification whether the controller’s legitimate grounds override yours.
Right to Data Portability:
You have the right to receive the personal data you provided to the controller in a structured, commonly used, machine-readable format and to transmit it to another controller without hindrance.
Right to Object:
Where data is processed based on public interest or legitimate interests, you may object at any time based on your personal situation, including profiling.
Right to Object to Direct Marketing:
If your data is processed for direct marketing purposes, you have the right to object at any time. If you object, your data must no longer be processed for that purpose.
Right Not to Be Subject to Automated Decision-Making (Including Profiling):
You have the right not to be subject to decisions based solely on automated processing (including profiling) which produce legal effects concerning you or similarly significantly affect you.
This right does not apply if the decision:
Is necessary for entering into or performing a contract;
Is authorised by EU or Member State law;
Is based on your explicit consent.
The controller shall respond to your request without undue delay, and in any case within 1 month of receiving it.
If necessary, this period may be extended by an additional 2 months. The controller shall inform you of the extension and the reasons for the delay within 1 month of receipt of your request.
If the controller does not take action on your request, they must inform you within 1 month of the reasons and of your right to lodge a complaint with a supervisory authority and to seek a judicial remedy.
The controller and the processor shall implement appropriate technical and organisational measures, taking into account the state of the art, the costs of implementation, the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, to ensure a level of security appropriate to the risk.
These measures may include:
a) Pseudonymisation and encryption of personal data.
b) Ensuring the ongoing confidentiality, integrity, availability and resilience of processing systems and services.
c) The ability to restore access to personal data in a timely manner in the event of a physical or technical incident.
d) A process for regular testing, assessment and evaluation of the effectiveness of technical and organisational measures for ensuring the security of processing.
e) Storing processed data in a way that prevents unauthorised access, e.g. via secured physical storage or centralised access management.
f) Implementing irreversible data deletion upon expiry of retention periods or when no longer necessary.
g) Secure destruction of paper-based documents using shredders or external services; and secure deletion or physical destruction of electronic data carriers per relevant policies.
h) Specific security measures implemented by the controller:
Physical Protection:
Documents are stored in a secure, dry, lockable room.
The company premises are equipped with fire and property protection systems.
Only authorised personnel may access personal data.
Personnel must secure documents when leaving a room used for data processing.
Upon digitisation, electronic rules apply to digital documents.
IT Security:
All devices used for data processing are company-owned.
Access to computers is protected by username and password.
Only authorised personnel may access the central server.
Regular data backups and archiving are performed.
The computer systems are protected with up-to-date antivirus software.
SSL encryption is applied on the website.
If a personal data breach is likely to result in a high risk to the rights and freedoms of individuals, the controller shall notify the data subject of the breach without undue delay.
The notification must:
Describe the nature of the breach in clear and plain language;
Provide the name and contact details of the data protection officer or contact point;
Describe the likely consequences of the breach;
Describe measures taken or proposed to address the breach and mitigate its adverse effects.
Minor incident: Typo in account info (no notification required).
Medium risk: Email address exposure (notification required).
High risk: Credit card data breach (must notify data subject and authority within 72 hours).
You are not required to be notified if:
The controller has implemented technical and organisational protection measures (e.g. encryption) making the data unintelligible.
The controller has taken subsequent steps to eliminate the risk of harm.
Notification would require disproportionate effort – in such cases, public disclosure or similar measures are used.
The supervisory authority may require the controller to notify the data subject if the authority deems the risk high.
The controller must report a personal data breach to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it – unless the breach is unlikely to result in a risk to individuals’ rights and freedoms.
If the report is submitted after 72 hours, the controller must explain the reasons for the delay.
If the duration of mandatory data processing, or the requirement for periodic review of its necessity, is not specified by law, local government regulation, or binding EU legal act, the controller shall:
Review, at least every three years from the start of processing, whether the personal data processing carried out by itself or on its behalf is still necessary for achieving the original purposes.
Document the circumstances and outcome of this review.
Retain such documentation for ten years following the review.
Provide this documentation to the Hungarian National Authority for Data Protection and Freedom of Information (hereinafter: the Authority) upon request.
In the event of a potential infringement, you may lodge a complaint with the supervisory authority:
Hungarian National Authority for Data Protection and Freedom of Information
Address: 1125 Budapest, Szilágyi Erzsébet fasor 22/C.
Mailing address: 1530 Budapest, P.O. Box: 5.
Phone: +36-1-391-1400
Fax: +36-1-391-1410
Email: ugyfelszolgalat@naih.hu
Website: https://naih.hu
This Privacy Policy was prepared in consideration of the following legal acts:
Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation – GDPR) of 27 April 2016,
on the protection of natural persons with regard to the processing of personal data and on the free movement of such data,
and repealing Directive 95/46/EC.
Act CXII of 2011 on the Right of Informational Self-Determination and Freedom of Information (Info Act)
Act CVIII of 2001 on Certain Issues of Electronic Commerce Services and Services Related to the Information Society (esp. Section 13/A)
Act XLVII of 2008 on the Prohibition of Unfair Commercial Practices against Consumers
Act XLVIII of 2008 on the Basic Requirements and Certain Restrictions of Commercial Advertising Activities (esp. Section 6)
Act XC of 2005 on Electronic Freedom of Information
Act C of 2003 on Electronic Communications (esp. Section 155)
Opinion 16/2011 on EASA/IAB Best Practice Recommendation on Online Behavioural Advertising
The recommendations of the Hungarian National Authority for Data Protection and Freedom of Information regarding prior information and privacy practices