Privacy Policy

Last update date: 15.08.2024.

Data management information

Christoph Árpád Némethy e.v. (nemethyshop.com)

Introduction

Némethy Christoph Árpád e.v. (nemethyshop.com) (located at Boglárka Street 82, Pomáz, 2013 HU, tax number: HU56932098, company registration number: -) (hereinafter referred to as the Service Provider, Data Controller) submits itself to the following regulations:

Regulation (EU) 2016/679 of the European Parliament and of the Council (April 27, 2016) on the protection of natural persons with respect to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). In accordance with this regulation, the following information is provided. This privacy policy governs the data processing of the following pages/mobile applications: nemethyshop.com. The privacy policy is available from the following page: nemethyshop.com/policies/privacy-policy.

Amendments to the policy come into effect upon publication at the above address.

The data manager and contact details

Name: Némethy Christoph Árpád e.v. (nemethyshop.com)

Headquarters: Boglárka utca 82. Pomáz, 2013 HU

Mailing address, complaint handling: Boglárka utca 82. Pomáz, 2013 HU

Email: support@nemethy-system.com

Concept definitions

  1. "personal data": any information relating to an identified or identifiable natural person ("data subject");
  2. "identifiable natural person": a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, number, location data or online identifier, or to one or more factors relating to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
  3. "data management": any operation or set of operations performed on personal data or data files, in an automated or non-automated way, such as collection, recording, organization, segmentation, storage, transformation or change, query, insight, use, communication, transmission, distribution or otherwise making available, coordination or connection, restriction, deletion or destruction;
  4. "data controller": the natural or legal person, public authority, agency or any other body that, alone or together with others, determines the purposes and means of handling personal data; if the purposes and means of data management are determined by EU or member state law, the data controller or the special criteria for designating the data controller may also be determined by EU or member state law;
  5. "data processor": the natural or legal person, public authority, agency or any other body which manages personal data on behalf of the data controller;
  6. "addressee": the natural or legal person, public authority, agency or any other body to whom or to which the personal data is communicated, regardless of whether it is a third party. Public bodies that can access personal data within the framework of an individual investigation in accordance with EU or Member State law do not qualify as addressees; the handling of this data by these public authorities must comply with the applicable data protection rules, in accordance with the purposes of the data management;
  7. "consent of the data subject": the voluntary, specific, appropriately informed and clear declaration of the data subject's will, by which the data subject indicates, through a statement or an act that unmistakably expresses confirmation, that they give their consent to the management of personal data relating to them;
  8. "data protection incident": a breach of security that results in the accidental or illegal destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, personal data that is transmitted, stored or otherwise managed.

Principles related to the management of personal data

Personal data:

  1. must be processed lawfully, fairly, and in a transparent manner in relation to the data subject („lawfulness, fairness, and transparency”);
  2. must be collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific and historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes in accordance with Article 89(1) („purpose limitation”);
  3. must be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed („data minimisation”);
  4. must be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, with respect to the purposes for which they are processed, are erased or rectified without delay („accuracy”);
  5. must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1), subject to implementation of the appropriate technical and organisational measures required by the Regulation in order to safeguard the rights and freedoms of the individual („storage limitation”);
  6. must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures („integrity and confidentiality”).

The data manager is responsible for compliance with the above and must be able to demonstrate this compliance ("accountability").

The data manager declares that its data management is carried out in accordance with the basic principles contained in this point.

Data management related to Online product catalog, webshop operation/service use

  1. The fact of data collection, the scope of processed data and the purpose of data management:

| Personal data | Purpose of data management | Legal basis |
|---|---|---|
| Username | Identification, enabling registration. | Article 6 (1) point b) of the GDPR and Section 13/A (3) of the Elker tv. |
| Password | It is used for secure access to the user account. | |
| Surname and first name | It is necessary for making contact, making purchases, issuing regular invoices, and exercising the right of withdrawal. | |
| E-mail address | Keeping in touch. | |
| Phone number | Keeping in touch, more effectively negotiating questions related to invoicing or delivery. | |
| Billing name and address | Issuing the regular invoice, as well as creating the contract, defining its content, amending it, monitoring its performance, invoicing the resulting fees, and asserting related claims. | Article 6(1)(c) and Section 169(2) of Act C of 2000 on Accounting |
| Shipping name and address | Enabling home delivery. | Article 6 (1) point b) of the GDPR and Section 13/A (3) of the Elker tv. |
| Date of purchase/registration | Execution of a technical operation. | |
| The IP address at the time of purchase/registration | Execution of a technical operation. | |

  2. Scope of stakeholders: All stakeholders registered/purchased on the webshop website. Neither the username nor the e-mail address is required to contain personal data.
  3. Duration of data management, deadline for data deletion: If one of the conditions set out in Article 17 (1) of the GDPR exists, it lasts until the data subject’s request for deletion. Based on Article 19 of the GDPR, the data controller informs the data subject electronically of the deletion of any personal data provided by the data subject. If the data subject’s deletion request also covers the e-mail address he/she has provided, the data controller will also delete the e-mail address after the information has been provided. The exception is accounting documents, as this data must be kept for 8 years based on § 169 (2) of Act C of 2000 on accounting. The data subject’s contractual data can be deleted after the expiration of the civil law limitation period based on the deletion request of the data subject.

The accounting documents directly and indirectly supporting the bookkeeping (including ledger accounts, analytical and detailed records) must be kept in legible form for at least 8 years, in a way that can be retrieved by reference to the accounting records.

  4. The persons entitled to know the data, possible data controllers, and the recipients of the personal data: The personal data can be processed by the data controller and its authorized employees, in accordance with the above principles.
  5. Description of the data subjects’ rights related to data processing:
    • The data subject may request the data controller to access, correct, delete, or restrict processing of their personal data, and
    • the data subject has the right to data portability, as well as the right to withdraw consent at any time.
  6. The data subject can initiate access to personal data, deletion, modification, or restriction of processing, as well as data portability in the following ways:
  7. Legal basis for data management:
    1. Article 6(1)(b) and (c) GDPR,
    2. Section 13/A (3) of Act CVIII of 2001 on certain issues of electronic commerce services and services related to the information society (hereinafter: Elker Law):
    3. For the purpose of providing the service, the service provider may process the personal data that is technically absolutely necessary for the provision of the service. If the other conditions are the same, the service provider must choose and in any case operate the tools used in the provision of services related to the information society in such a way that personal data is only processed if this is absolutely necessary for the provision of the service and the fulfillment of other objectives defined in this law, but also in this case only to the extent and for the time necessary.
    4. In the case of issuing invoices in accordance with accounting legislation, point c) of Article 6 (1).
    5. In case of enforcement of claims arising from the contract, 5 years according to Section 6:22 of Act V of 2013 on the Civil Code.

Section 6:22 [Prescription]

(1) If this law does not provide otherwise, claims become time-barred within five years.

(2) The statute of limitations begins when the claim becomes due.

(3) The agreement to change the limitation period must be in writing.

(4) An agreement excluding the limitation period is void.

  8. We inform you that
    • data management is necessary for the performance of the contract and the submission of an offer.
    • you must provide personal data so that we can fulfill your order.
    • failure to provide data will result in us not being able to process your order.

Management of cookies

The so-called "password-protected session cookies", "shopping cart cookies", "security cookies", "necessary cookies", "functional cookies" and "cookies responsible for the management of website statistics" do not require prior consent from the data subjects.

  1. The fact of the data management, the scope of the managed data: Unique identification number, dates, times
  2. Scope of stakeholders: All stakeholders visiting the website.
  3. Purpose of data management: Identification of users and tracking of visitors.
  4. Duration of data management, deadline for data deletion:

Data handling

| Cookie type | Legal basis | Duration |
|---|---|---|
| Session cookies | Section 13/A (3) of Act CVIII of 2001 on certain issues of electronic commercial services and information society services (Elkertv.) | The period until the relevant visitor session is closed |
| Persistent or saved cookies | Section 13/A (3) of Act CVIII of 2001 on certain issues of electronic commercial services and information society services (Elkertv.) | Until deletion by the data subject |
| Statistical and marketing cookies | Section 13/A (3) of Act CVIII of 2001 on certain issues of electronic commercial services and information society services (Elkertv.) | 1 month – 2 years |

  5. The person of the possible data controllers entitled to access the data: The data controller does not process personal data through the use of cookies.
  6. Description of data processing rights of data subjects: The data subject has the option to delete cookies in the Tools/Settings menu of browsers, usually under the settings of the Data Protection menu item.
  7. Legal basis for data management: Consent from the data subject is not required if the sole purpose of using cookies is the transmission of information via an electronic communication network or if the service provider absolutely needs it to provide a service related to the information society specifically requested by the subscriber or user.
  8. Most browsers that our users use allow you to set which cookies are saved and allow (certain) cookies to be deleted again. If you limit the saving of cookies on certain websites or do not allow third-party cookies, this may lead to the fact that our website can no longer be used in its entirety under certain circumstances. Here you can find information on how to customize cookie settings for standard browsers:

Google Chrome ( https://support.google.com/chrome/answer/95647?hl=hu )

Internet Explorer ( https://support.microsoft.com/hu-hu/help/17442/windows-internet-explorer-delete-manage-cookies )

Firefox ( https://support.mozilla.org/hu/kb/sutik-engedelizeze-es-tiltasa-amit-weboldak-haszn )

Safari ( https://support.apple.com/hu-hu/guide/safari/sfri11471/mac )

Using Google Ads conversion tracking

  1. The data controller uses the online advertising program called "Google Ads", and also uses Google’s conversion tracking service within its framework. Google conversion tracking is an analytics service of Google Inc. (1600 Amphitheater Parkway, Mountain View, CA 94043, USA; "Google").
  2. When a User accesses a website through a Google ad, a cookie required for conversion tracking is placed on their computer. The validity of these cookies is limited and they do not contain any personal data, so the User cannot be identified by them.
  3. When the User browses certain pages of the website and the cookie has not yet expired, both Google and the data controller can see that the User has clicked on the ad.
  4. Each Google Ads customer receives a different cookie, so they cannot be tracked through the websites of Ads customers.
  5. The information – obtained with the help of conversion tracking cookies – serves the purpose of creating conversion statistics for Ads’ customers who choose conversion tracking. In this way, clients are informed about the number of users who click on their ad and are redirected to a page with a conversion tracking tag. However, they do not get access to information that could identify any user.
  6. If you do not want to participate in conversion tracking, you can reject this by disabling the installation of cookies in your browser. After that, you will not be included in the conversion tracking statistics.
  7. Further information and Google’s privacy statement are available at https://policies.google.com/privacy

Application of Google Analytics

  1. This website uses Google Analytics, a web analytics service provided by Google Inc. ("Google"). Google Analytics uses so-called "cookies", text files that are saved on your computer, thus facilitating the analysis of the use of the website visited by the User.
  2. The information generated by cookies related to the website used by the User is usually sent to and stored on one of Google’s servers in the USA. By activating IP anonymization on the website, Google shortens the User’s IP address beforehand within the member states of the European Union or in other states that are parties to the Agreement on the European Economic Area.
  3. The full IP address is transmitted to a Google server in the USA and shortened there only in exceptional cases. On behalf of the operator of this website, Google will use this information to evaluate how the User used the website, to prepare reports related to website activity for the website operator, and to provide additional services related to website and Internet use.
  4. Within Google Analytics, the IP address transmitted by the User’s browser is not combined with other Google data. The User can prevent the storage of cookies by setting their browser accordingly, but please note that in this case, not all functions of this website may be fully usable. You can also prevent Google from collecting and processing the User’s website usage data (including IP address) through cookies by downloading and installing the browser plugin available at the following link: https://tools.google.com/dlpage/gaoptout?hl=en

Newsletter, DM activity

  • Pursuant to Section 6 of Act XLVIII of 2008 on the basic conditions and certain limitations of economic advertising activity, the User may give prior and express consent to being contacted by the Service Provider with its advertising offers and other mailings at the contact details provided during registration.

  • In addition, the Customer may, bearing in mind the provisions of this information, consent to the Service Provider handling his personal data necessary for sending advertising offers.

  • The Service Provider does not send unsolicited advertising messages, and the User may unsubscribe from the sending of offers free of charge without limitation or justification. In this case, the Service Provider deletes all personal data necessary for sending advertising messages from its records and does not contact the User with further advertising offers. Users can unsubscribe from advertisements by clicking on the link in the message.

  • The fact of data collection, the scope of processed data and the purpose of data management:

| Personal data | Purpose of data management | Legal basis |
|---|---|---|
| Name, e-mail address. | Identification, enabling subscription to the newsletter/discount coupons. | The consent of the data subject, Article 6, paragraph 1, point a). Section 6 (5) of Act XLVIII of 2008 on the basic conditions and certain limitations of economic advertising activity. |
| Date of subscription | Execution of a technical operation. | |
| IP address at the time of registration | Execution of a technical operation. | |

 

  • Scope of stakeholders: All stakeholders who subscribe to the newsletter.

  • Purpose of data management: sending electronic messages containing advertising (e-mail, sms, push message) to the person concerned, providing information about current information, products, promotions, new functions, etc.

  • Duration of data management, deadline for deleting data: data management lasts until withdrawal of consent, i.e. until unsubscription.

  • Person of possible data controllers entitled to access the data, recipients of personal data: Personal data can be processed by the data controller, as well as its sales and marketing staff, in compliance with the above principles.

  • Description of the rights of data subjects related to data management:
    1. The data subject may request from the data controller access to personal data relating to him, their correction, deletion or restriction of processing, as well as
    2. you can object to the processing of your personal data and
    3. the data subject has the right to data portability and to withdraw consent at any time.
  • The data subject can initiate access to personal data, its deletion, modification, or limitation of processing, data portability, or objection in the following ways:
    • by email at support@nemethy-system.com
  • The person concerned can unsubscribe from the newsletter at any time, free of charge.
  • We inform you that
    • data management is based on your consent and the service provider’s legitimate interest.
    • you must provide personal data if you want to receive a newsletter from us.
    • failure to provide data will result in us not being able to send you a newsletter.
    • you can withdraw your consent at any time by clicking on unsubscribe.
    • withdrawal of consent does not affect the legality of data processing based on consent, prior to withdrawal.

Complaint handling

  • The fact of data collection, the scope of processed data and the purpose of data management:

  • Scope of stakeholders: All stakeholders who purchase on the website and complain about quality issues.

  • Duration of data management, deadline for deletion of data: Copies of the record of the objection, the transcript and the response to it must be kept for 3 years pursuant to Section 17/A (7) of Act CLV of 1997 on consumer protection.

  • Person of possible data controllers entitled to access the data, recipients of personal data: Personal data can be processed by the data controller, as well as by its employees authorized to do so, in compliance with the above principles.

  • Description of the rights of data subjects related to data management:
    1. The data subject may request from the data controller access to personal data relating to him, their correction, deletion or restriction of processing, and
    2. the data subject has the right to data portability and to withdraw consent at any time
  • The data subject can initiate access to personal data, its deletion, modification or restriction of processing, data portability in the following ways:

We inform you that

  • the provision of personal data is based on a legal obligation.
  • the processing of personal data is a prerequisite for the conclusion of the contract.
  • you must provide personal data so that we can handle your complaint.
  • failure to provide data will result in us not being able to handle your complaint.

Recipients with whom personal data is communicated

"recipient": the natural or legal person, public authority, agency or any other body to whom or to which the personal data is communicated, regardless of whether it is a third party.

1.    Data processors (those who perform data management on behalf of the data controller)

  • The data controller uses data processors in order to facilitate its own data management activities, as well as to fulfill its contractual obligations with the data subject and the obligations imposed by legislation.
  • The data controller places great emphasis on using only data processors who provide adequate guarantees for the implementation of appropriate technical and organizational measures ensuring compliance with the requirements of the GDPR and the protection of the rights of the data subjects.
  • The data processor and any person acting under the control of the data processor who has access to personal data shall handle the personal data contained in these regulations exclusively in accordance with the instructions of the data controller.
  • The data controller is legally responsible for the activities of the data processor. The data processor is only liable for damages caused by data processing if it has not complied with the obligations specifically imposed on data processors specified in the GDPR, or if it has ignored or acted contrary to the legal instructions of the data controller.
  • The data processor has no meaningful decision-making regarding the management of the data.
  • The data controller can use a storage service provider to provide the IT background, and a courier service as a data processor to deliver the ordered products.

2.    Data processors:

Data controller (1): SalesAutopilot Kft.

Headquarters (1): 1016 Budapest, Zsolt street 6/A. 5th em. 1.

Postal address (1): SalesAutopilot Kft. 1538 Budapest, Pf. 515.

Phone (1): (+36) 1 490 0172

Responsibilities (1): Collecting email addresses and sending newsletters

Data controller (2): Google Inc.

Address (2): 1600 Amphitheater Parkway, Mountain View, 3, California 94043, USA

Responsibilities (2): All activities

Data controller (3): Számlázz.hu

Headquarters (3): KBOSS.hu Kft., 1031 Budapest, Záhony street 7/D.

Postal address (3): KBOSS.hu Kft., 1031 Budapest, Záhony street 7/D.

Responsibilities (3): Online invoicing

"third party": the natural or legal person, public authority, agency or any other body that is not the same as the data subject, the data controller, the data processor or the persons who, under the direct control of the data controller or data processor, have been authorized to process personal data.

3.    Data transfer to third party

The third-party data controllers handle the personal data provided by us on their own behalf, in accordance with their own data protection regulations. Transport service providers under contract for the delivery of orders:

Transport:

Magyar Posta Private Limited Liability Company

Headquarters: Budapest, 1138 Budapest, Dunavirág utca 2-6.

Website: https://www.posta.hu/

DPD Hungary Kft.

Headquarters: Hungary, 1134 Budapest, Váci út 33, Building II. floor

Website: https://www.dpd.com/hu/

 

GLS General Logistics Systems Hungary Csomag-Logisztikai Kft.DHL

Headquarters: Hungary, 2351 Alsónémedi, GLS Európa u. 2.

Website: https://gls-group.com/

FedEx Express International BV

Headquarters: Taurusavenue 111

2132 LS Hoofddorp, The Netherlands

Website: https://www.fedex.com/

UPS Corporate Headquarters

Address: 55 Glenlake Parkway, NE, Atlanta, GA 30328, USA

Website: https://www.ups.com/

SPRINTER Courier Service Limited Liability Company

Address: 1097 Budapest, Táblás utca 39.

Website: www.sprinter.hu

Express One Hungary Limited Liability Company

Address: 1239 Budapest, Európa utca 12

Website: https://expressone.hu/

DELIVERY SOLUTIONS ZRT.

Address: 1033 Budapest, Szentendrei út 89-95. Building X

Website: https://www.sameday.hu

Community sites

  • The fact of the data collection, the scope of the processed data: The name registered on social networking sites (Meta / Twitter / Pinterest / Youtube / Instagram etc.) and the user’s public profile picture.
  • Scope of stakeholders: All stakeholders who have registered on social media sites (Meta / Twitter / Pinterest / Youtube / Instagram etc.) and "liked" the Service Provider’s social media site, or contacted the data controller via the social media site.
  • Purpose of data collection: Sharing, "liking", following and promoting certain content elements, products, promotions or the website itself on social networking sites.
  • The duration of data management, the deadline for data deletion, the identity of possible data managers entitled to access the data and the description of the rights of the data subjects: The data subject can find out about the source of the data, its management, the method of transfer and its legal basis on the given social media page. Data management takes place on social networking sites, so the duration and method of data management, as well as the options for deleting and modifying data, are governed by the regulations of the respective social networking site.
  • The legal basis for data management: the voluntary consent of the concerned person to the management of his personal data on social networking sites.

Customer relations and other data management

  • If a question arises when using our data management services, or if the data subject has a problem, you can contact the data manager using the methods provided on the website (telephone, e-mail, social media sites, etc.).
  • The data manager deletes received e-mails, messages, and data provided on the phone, on Meta, etc., together with the name and e-mail address of the interested party, as well as other voluntarily provided personal data, after a maximum of 2 years from the date of data communication.
  • We provide information on data management not listed in this information when the data is collected.
  • The Service Provider is obliged to provide information, communicate and transfer data, and make documents available in the event of an exceptional official inquiry, or in the event of an inquiry by other bodies based on the authorization of the law.
  • In these cases, the Service Provider only releases personal data to the requester – if he has specified the exact purpose and the scope of the data – to the extent that is absolutely necessary to achieve the purpose of the request.

Rights of data subjects

  • Right of access: You have the right to receive feedback from the data controller as to whether your personal data is being processed, and if such data processing is in progress, you are entitled to access the personal data and the information listed in the regulation.
  • Right to rectification: You have the right to request that the data controller correct inaccurate personal data concerning you without undue delay. Taking into account the purpose of data management, you are entitled to request the completion of incomplete personal data, including by means of a supplementary statement.
  • The right to erasure: You have the right to request that the data manager delete your personal data without undue delay, and the data manager is obliged to delete your personal data without undue delay under certain conditions.
  • The right to be forgotten: If the data controller has disclosed personal data and is obliged to delete it, taking into account the available technology and the costs of implementation, it will take reasonably expected steps – including technical measures – in order to inform the data controllers that process the data that you requested the deletion of the links to the personal data in question or the copy or duplicate of this personal data.
  • The right to restrict data processing: You have the right to have the data controller restrict data processing at your request if one of the following conditions is met:
    1. you dispute the accuracy of the personal data, in which case the limitation applies to the period that allows the controller to check the accuracy of the personal data;
    2. the data processing is unlawful and you object to the deletion of the data and instead request the restriction of its use;
    3. the data controller no longer needs the personal data for the purpose of data management, but you require them to submit, enforce or defend legal claims;
    4. you have objected to data processing; in this case, the limitation applies to the period until it is determined whether the legitimate reasons of the data controller take precedence over your legitimate reasons.
  • The right to data portability: You have the right to receive the personal data you have provided to a data controller in a segmented, widely used, machine-readable format, and you have the right to transfer this data to another data controller without hindrance from the data controller to whom you made the personal data available (…)
  • The right to object: In the case of data processing based on legitimate interest or public authority as legal grounds, you are entitled to object at any time for reasons related to your own situation against the processing of your personal data by (…), including profiling based on the aforementioned provisions.
  • Objection in case of direct business acquisition: If personal data is processed for the purpose of direct business acquisition, you have the right to object at any time to the processing of your personal data for this purpose, including profiling, if it is related to direct business acquisition. If you object to the processing of personal data for direct business purposes, then the personal data may no longer be processed for this purpose.
  • Automated decision-making in individual cases, including profiling: You have the right not to be subject to the scope of a decision based solely on automated data management, including profiling, which would have legal effects on you or would similarly significantly affect you.

The previous paragraph does not apply if the decision:

  1. is necessary to conclude or fulfill the contract between you and the data controller;
  2. is made possible by EU or Member State law applicable to the data controller, which also establishes appropriate measures for the protection of your rights and freedoms, as well as your legitimate interests; or
  3. is based on your express consent.

Action deadline

The data controller will inform you of the measures taken following the above requests without undue delay, but in any case within 1 month from the receipt of the request.

If necessary, this can be extended by 2 months. The data controller will inform you of the extension of the deadline, indicating the reasons for the delay, within 1 month of receiving the request.

If the data controller does not take measures following your request, it will inform you without delay, but at the latest within one month of the receipt of the request, of the reasons for the failure to take action, as well as the fact that you can file a complaint with a supervisory authority and exercise your right to judicial redress.

Security of data management

The data manager and the data processor implement appropriate technical and organizational measures to guarantee a level of data security appropriate to the degree of risk, taking into account the state of science and technology and the costs of implementation, the nature, scope, circumstances and purposes of data management, and the varying probability and severity of the risk to the rights and freedoms of natural persons, including, among others, where applicable:

  • pseudonymization and encryption of personal data;
  • ensuring the continuous confidentiality, integrity, availability and resilience of the systems and services used to manage personal data;
  • in the event of a physical or technical incident, the ability to restore access to and availability of personal data in a timely manner;
  • a procedure for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures taken to guarantee the security of data management.
  • The processed data must be stored in such a way that unauthorized persons cannot access them: in the case of paper-based data carriers, by establishing the order of physical storage and filing; in the case of data handled in electronic form, by using a central authorization management system.
  • The method of data storage using IT methods must be chosen in such a way that the data can be deleted – taking into account the possibly different deletion deadline – at the end of the data deletion deadline, or if necessary for other reasons. The deletion must be irreversible.
  • Paper-based data carriers must be stripped of personal data using a document shredder or an external organization specialized in document destruction. In the case of electronic data carriers, physical destruction must be ensured in accordance with the rules for the disposal of electronic data carriers, and, if necessary, the data must be securely and irretrievably deleted in advance.
  • The data controller implements the following specific data security measures:
    In order to ensure the security of personal data managed on a paper basis, the Service Provider applies the following measures (physical protection):
  1. Place the documents in a safe, well-sealed dry room.
  2. If personal data managed on paper is digitized, the rules applicable to digitally stored documents must be applied.
  3. During the course of his work, the employee of the Service Provider performing data management may only leave the room where data management is taking place after locking away the data carriers entrusted to him or locking the given room.
  4. Personal data can only be accessed by authorized persons, third parties cannot access it.
  5. The Service Provider’s building and premises are equipped with fire protection and property protection equipment.

IT protection

  1. Computers and mobile devices (other data carriers) used during data management are the property of the Service Provider.
  2. The computer system containing personal data used by the Service Provider is equipped with virus protection.
  3. In order to ensure the security of digitally stored data, the Service Provider uses data backups and archives.
  4. The central server machine can only be accessed by persons with appropriate authorization and only those designated for it.
  5. Data on computers can only be accessed with a username and password.

Informing the data subject about the data protection incident

If the data protection incident is likely to involve a high risk for the rights and freedoms of natural persons, the data controller shall inform the data subject without undue delay.

In the information provided to the data subject, the nature of the data protection incident must be clearly and comprehensibly described, and the name and contact information of the data protection officer or other contact person providing additional information must be provided; the likely consequences of the data protection incident must be described; the measures taken or planned by the data controller to remedy the data protection incident must be described, including, where applicable, measures aimed at mitigating any adverse consequences resulting from the data protection incident.

The data subject does not need to be informed if any of the following conditions are met:

  • the data controller has implemented appropriate technical and organizational protection measures and these measures have been applied to the data affected by the data protection incident, in particular those measures – such as the use of encryption – that make the personal data unintelligible to persons not authorized to access the personal data;
  • after the data protection incident, the data controller has taken additional measures to ensure that the high risk to the rights and freedoms of the data subject is unlikely to materialize in the future;
  • providing information would require a disproportionate effort. In such cases, the data subjects must be informed through publicly published information, or a similar measure must be taken that ensures similarly effective information to the data subjects.

If the data controller has not yet notified the data subject of the data protection incident, the supervisory authority, after considering whether the data protection incident is likely to involve a high risk, may order the data subject to be informed.

Reporting a data protection incident to the authority

The data controller shall report the data protection incident to the competent supervisory authority pursuant to Article 55 without undue delay and, if possible, no later than 72 hours after becoming aware of the data protection incident, unless the data protection incident is likely to pose no risk to the rights and freedoms of natural persons. If the notification is not made within 72 hours, the reasons justifying the delay must also be attached.

Review in case of mandatory data management

If the duration of mandatory data management or the periodic review of its necessity is not determined by law, local government decree or a mandatory legal act of the European Union, the data controller shall review, at least every three years from the start of data management, whether the management of the personal data managed by him or by a data processor acting on his behalf or at his direction is necessary for the realization of the purpose of data management.

The data manager documents the circumstances and results of this review, keeps this documentation for ten years after the review has been completed and makes it available to the Authority at the request of the National Data Protection and Freedom of Information Authority (hereinafter: the Authority).

Possibility of filing a complaint

You can file a complaint with the National Data Protection and Freedom of Information Authority against possible violations by the data controller:

National Data Protection and Freedom of Information Authority

1055 Budapest, Falk Miksa street 9-11.

Mailing address: 1363 Budapest, Pf. 9.

Telephone: +36-1-391-1400

Fax: +36-1-391-1410

E-mail: ugyfelszolgalat@naih.hu

Final word

During the preparation of the information sheet, we paid attention to the following legislation:

  • REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL (GDPR) (27 April 2016);
  • Act CXII of 2011 – on the right to self-determination of information and freedom of information (hereinafter: Infotv.);
  • Act CVIII of 2001 – on certain issues of electronic commercial services and services related to the information society (mainly § 13/A);
  • Act XLVII of 2008 – on the prohibition of unfair commercial practices towards consumers;
  • Act XLVIII of 2008 – on the basic conditions and certain limitations of economic advertising activity (especially § 6);
  • Act XC of 2005 on Electronic Freedom of Information;
  • Act C of 2003 on electronic communications (specifically § 155);
  • Opinion 16/2011 on the EASA/IAB Recommendation on the best practice of behavior-based online advertising;
  • The recommendation of the National Data Protection and Freedom of Information Authority on the data protection requirements of prior information.

Last update date: 15.08.2024

Budapest, 2023.04.15.