Free cookie consent management tool by TermsFeed Update cookies preferences

WEBSITE PRIVACY POLICY INFORMATION

By publishing this data protection information, Clarity Consulting Kft. - hereinafter referred to as the Company - complies with the prior information obligation of the persons concerned regarding the processing of personal data, as prescribed by REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL, pursuant to which according to the relevant articles of the Regulation each piece of information must be made available to those affected by data management in a concise, transparent, understandable and easily accessible form, clearly and comprehensibly worded.

I. NAME OF THE DATA PROCESSOR

The Company informs the data subject that it is a data controller in the management of his personal data.

COMPANY NAME: Clarity Consulting Kft.
HEADQUARTERS: 1145 Budapest, Erzsébet királyné útja 29/B
COMPANY REGISTRATION NUMBER: 900711-01-09
TAX NUMBER: 12735345-2-42
TELEPHONE: 1/4223030
REPRESENTATIVE NAME: Péter Lackó, Barnabás Gőgh, Bálint Andrási managingdirector
E-MAIL: info@clarity. hu
WEBSITE: www.clarity.hu

Employees of the Company with access rights related to the relevantdata management purpose, as well as persons and organizations performing dataprocessing activities on the basis of service contracts for the Company, cansee the personal data, within the scope determined by the Company and to theextent necessary for the performance of their activities.

II. DEFINITIONS

1. "personal data": any informationrelating to an identified or identifiable natural person ("datasubject"); a natural person can be identified directly or indirectly, inparticular on the basis of an identifier such as name, number, location data,online identifier or one or more factors relating to the physical,physiological, genetic, mental, economic, cultural or social identity of thenatural person identifiable;

 

2. "data management": any operation orset of operations performed on personal data or data files in an automated ornon-automated manner, such as the collection, recording, organization,segmentation, storage, transformation or change, query, insight, use,communication, transmission, distribution or by making it available in otherways, coordinating or connecting, limiting, deleting or destroying;

 

3. "restriction of data management": designationof stored personal data for the purpose of limiting their future management;

 

4. "profiling": any form of automatedprocessing of personal data, during which personal data is used to evaluatecertain personal characteristics of a natural person, in particular workperformance, economic situation, state of health, personal preferences, interests,reliability, behavior, location or used to analyze or predict motion-relatedcharacteristics;

 

5. "Pseudonymization": processing ofpersonal data in such a way that, without the use of additional information, itis no longer possible to determine which specific natural person the personaldata refers to, provided that such additional information is stored separately,and technical and organizational measures by doing so, it is ensured that thispersonal data cannot be linked to identified or identifiable natural persons;

 

6. "registry system": the file ofpersonal data in any way - centralized, decentralized or divided according tofunctional or geographical aspects - which is accessible based on specificcriteria;

 

7. "data controller": the natural orlegal person, public authority, agency or any other body that determines thepurposes and means of processing personal data independently or together withothers; if the purposes and means of data management are determined by EU or memberstate law, the data controller or the special aspects regarding the designationof the data controller may also be determined by EU or member state law;

 

8. "data processor": the natural or legalperson, public authority, agency or any other body that processes personal dataon behalf of the data controller;

 

9. "recipient": the natural or legalperson, public authority, agency or any other body to whom or to which the personaldata is communicated, regardless of whether it is a third party. Publicauthorities that have access to personal data in accordance with EU or MemberState law in the context of an individual investigation are not consideredrecipients; the management of said data by these public authorities must complywith the applicable data protection rules in accordance with the purposes ofdata management;

 

10. "third party": the natural or legalperson, public authority, agency or any other body that is not the same as thedata subject, the data manager, the data processor or the persons who, underthe direct control of the data manager or data processor, process the personaldata have been authorized to treat;

 

11. "consent of the data subject": avoluntary, specific and well-informed and clear statement of the will of thedata subject, with which the data subject indicates through a statement or anact clearly expressing the confirmation that he/she consents to the processingof personal data concerning him/her;

 

12. "data protection incident": a breachof security that results in the accidental or unlawful destruction, loss,alteration, unauthorized disclosure or unauthorized access to personal datatransmitted, stored or otherwise handled;

 

13. "enterprise": a natural or legalperson engaged in economic activity, regardless of its legal form, includingpartnerships and associations engaged in regular economic activity.

 

III. LEGAL BASIS OF DATA MANAGEMENT

1. Consent of the data subject

 

(1) The legality of processing personal data must be based on theconsent of the data subject or have some other legal basis established by law.

(2) In the case of data processing based on the data subject'sconsent, the data subject may give his consent to the processing of hispersonal data in the following form:

a) in writing, in the form of a statement giving consent to personaldata processing,

b) by electronic means, by means of express behaviour implemented onthe Company's website, by ticking a checkbox, or by making relevant technicalsettings when using services related to the information society, as well as anyother statement or action that, in the given context, constitutes the datasubject's consent to their personal data clearly indicates the intendedtreatment.

(3) Silence, a pre-ticked box or inaction therefore does notconstitute consent. (4) A

consent covers all data processing activities carried out for thesame purpose or purposes.

(5) If the data management serves several purposes at the same time,consent must be given for all data management purposes. If the data subjectgives his consent after an electronic request, the request must be clear andconcise, and it must not unnecessarily prevent the use of the service for whichthe consent is requested.

(6) The data subject is entitled to withdraw his consent at anytime. Withdrawal of consent does not affect the legality of data processingbased on consent prior to withdrawal. Before giving consent, the data subjectmust be informed of this. Withdrawal of consent should be possible in the samesimple way as giving it.

 

2. Contract performance

 

(1) Data processing is considered lawful if it is necessary for theperformance of a contract to which the data subject is a party, or it isnecessary for taking steps at the request of the data subject prior to theconclusion of the contract.

(2) The consent of the interested party to the processing ofpersonal data that is not necessary for the performance of the contract shallnot be a condition for the conclusion of the contract.

 

3. Fulfilling the legal obligation of the data controller orprotecting the vital interests of the data subject or other natural person

 

(1) The legal basis for data management is determined by law in caseof fulfilment of a legal obligation, so the consent of the data subject is notrequired for the processing of his personal data.

(2) The data controller is obliged to inform the data subject aboutthe purpose, legal basis, duration of the data management, the person of thedata controller, as well as about his rights and legal remedies.

(3) In order to fulfil a legal obligation, the data controller isentitled, after withdrawing the data subject's consent, to manage the data thatis necessary for the fulfilment of a legal obligation concerning him.

 

4. Execution of a task carried out in the public interest or in thecontext of the exercise of public authority granted to the data controller,enforcement of the legitimate interests of the data controller or a thirdparty.

 

(1) The data controller - including the data controller with whomthe personal data may be disclosed - or the legitimate interest of a thirdparty may create a legal basis for data processing, provided that theinterests, fundamental rights and freedoms of the data subject do not takeprecedence, taking into account the relationship with the data controller thereasonable expectations of the data subject. Such a legitimate interest can bediscussed, for example, when there is a relevant and appropriate relationshipbetween the data subject and the data controller, for example in cases wherethe data subject is a client of the data controller or is employed by it.

(2) In order to establish the existence of a legitimate interest, itis necessary to carefully examine, among other things, whether the personconcerned can reasonably expect that data processing may take place for thegiven purpose at the time and in connection with the collection of personaldata.

(3) The interests and fundamental rights of the data subject maytake precedence over the interests of the data controller if the personal dataare processed under circumstances in which the data subjects do not expectfurther data processing.

ARC. RIGHTS OF THE DATA SUBJECT RELATED TO THE MANAGEMENT OF DATA

1. The Company provides the following brief information on therights of the data subject:

The data subject has the right to:

a) for information before the start of data management,

b) to receive feedback from the data controller as to whether hispersonal data is being processed, and if such data processing is underway, heis entitled to request that the personal data and the following information,

c) to request the correction or deletion of your data, to receive anotification from the data controller about this happening, d) to request therestriction of data management, to receive a notification from the datacontroller about this happening,

e) for data portability,

f) to object, if your personal data is used for purposes of publicinterest or with reference to the legitimate interests of the data controller

is treated.

g) exempt from automatic decision-making, including profiling,

h) to file a complaint with the supervisory authority. The datasubject can exercise his right to file a complaint at the following contactdetails: National Data Protection and Freedom of Information Authority,address: 1125

Budapest, Szilágyi Erzsébet fasor 22/c., Phone: +36 (1) 391-1400;Fax: +36 (1) 391-

1410., www:http://www.naih.hu e-mail: ugyfelszolgalat@naih.hu i) foran effective judicial remedy against a supervisory authority,

j) For an effective judicial remedy against the data controller ordata processor

k) For information about the data protection incident.

 

2. Detailed information on data subject rights

 

Right to information

 

(1) The data subject has the right to receive information about theinformation related to data management before the start of the activity aimedat managing his data.

(2) Information to be made available if personal data is collectedfrom the data subject:

 

the. the identity and contact details of the data controller and, ifany, the representative of the data controller;

 

b. the contact details of the data protection officer, if any;

 

c. the purpose of the planned processing of personal data, as wellas the legal basis for data processing;

 

d. in the case of data management based on point f) of Article 6,paragraph (1) of the Regulation, the legitimate interests of the datacontroller or a third party;

 

e. where appropriate, recipients of personal data and categories ofrecipients, if any;

 

f. where applicable, the fact that the data controller wishes totransfer the personal data to a third country or international organization, aswell as the existence or absence of the Commission's compliance decision, orArticle 46 of the Regulation, Article 47 or Article 49 of the Regulation (1) inthe case of data transmission referred to in the second subparagraph ofparagraph 1, indicating the appropriate and suitable guarantees, as well asreferring to the methods for obtaining a copy of them or their availability.

 

(3) In addition to the information mentioned in paragraph (1), thedata controller informs the data subject of the following additionalinformation at the time of obtaining the personal data, in order to ensure fairand transparent data management:

 

the. on the period of storage of personal data, or if this is notpossible, on the aspects of determining this period;

 

b. the data subject's right to request from the data controlleraccess to personal data relating to him, their correction, deletion orrestriction of processing, and to object to the processing of such personaldata, as well as the data subject's right to data portability;

 

c. in the case of data processing based on point a) of Article 6 (1)or point a) of Article 9 (2) of the Regulation, the right to withdraw consentat any time, which does not affect the legality of data processing carried outon the basis of consent before the withdrawal;

 

d. on the right to submit a complaint to the supervisory authority;

 

e. about whether the provision of personal data is based onlegislation or a contractual obligation or is a prerequisite for the conclusionof a contract, as well as whether the data subject is obliged to providepersonal data, and what possible consequences the failure to provide data mayhave;

 

f. the fact of automated decision-making referred to in paragraphs(1) and (4) of Article 22 of the Regulation, including profiling, as well as,at least in these cases, comprehensible information about the logic used andthe significance of such data management and what is expected for the datasubject has consequences.

 

(4) If the personal data was not obtained from the data subject, thedata controller shall provide the data subject with the following information:

 

the. the identity and contact details of the data controller and, ifany, the representative of the data controller;

 

b. the contact details of the data protection officer, if any;

 

c. the purpose of the planned processing of personal data, as wellas the legal basis for data processing;

 

d. categories of personal data concerned;

 

e. recipients of personal data and categories of recipients, if any;

 

f. where applicable, the fact that the data controller wishes toforward the personal data to a recipient in a third country or to aninternational organization, and the existence or absence of the Commission'scompliance decision, or in Article 46, the Regulation

In the case of data transfer referred to in Article 47 or the secondsubparagraph of Article 49, paragraph (1), the indication of appropriate andsuitable guarantees, as well as a reference to the methods for obtaining a copyof them or their availability.

 

(2) In addition to the information mentioned in paragraph (1), thedata controller provides the data subject with the following additionalinformation necessary to ensure fair and transparent data management for thedata subject:

 

the. the period of storage of personal data, or if this is notpossible, the criteria for determining this period;

 

b. if the data management is based on point f) of Article 6 (1) ofthe Regulation, on the legitimate interests of the data controller or a thirdparty;

 

c. the data subject's right to request from the data controlleraccess to personal data relating to him, their correction, deletion orrestriction of processing, and to object to the processing of personal data, aswell as the data subject's right to data portability;

d. in the case of data processing based on point a) of Article 6 (1)or point a) of Article 9 (2) of the Regulation, the right to withdraw consentat any time, which does not affect the legality of data processing carried outon the basis of consent before the withdrawal;

 

e. the right to submit a complaint to a supervisory authority;

 

f. the source of the personal data and, where applicable, whetherthe data comes from publicly available sources; and

 

g. the fact of automated decision-making referred to in paragraphs(1) and (4) of Article 22 of the Regulation, including profiling, as well as,at least in these cases, comprehensible information about the logic used andthe significance of such data management and what is expected for the datasubject has consequences.

 

(3) If the data controller wishes to carry out further dataprocessing of personal data for a purpose other than the purpose for which theywere obtained, he must inform the data subject of this different purpose and ofall relevant additional information mentioned in paragraph (2) prior to furtherdata processing.

(4) Paragraphs (1)–(3) shall not be applied if and to the extentthat:

 

the. the data subject already has the information;

 

b. the provision of the information in question proves to beimpossible or would require a disproportionately large effort, especially inthe case of data processing for the purpose of archiving in the publicinterest, for scientific and historical research purposes or for statisticalpurposes, taking into account the conditions and guarantees contained inArticle 89 (1), or if the the obligation mentioned in paragraph (1) of thisarticle would probably make it impossible or seriously jeopardize the achievementof the goals of this data management. In such cases, the data controller musttake appropriate measures - including making the information publicly available- in order to protect the rights, freedoms and legitimate interests of the datasubject;

 

c. the acquisition or disclosure of the data is expressly requiredby the EU or Member State law applicable to the data controller, which providesfor appropriate measures to protect the legitimate interests of the datasubject; or

 

d. personal data must remain confidential on the basis of theobligation of professional confidentiality prescribed by an EU or member statelaw, including the obligation of confidentiality based on legislation.

 

The data subject's right of access

 

(1) The data subject has the right to receive feedback from the datacontroller as to whether his personal data is being processed, and if such dataprocessing is underway, he is entitled to receive access to the personal dataand the following information:

 

the. the purposes of data management;

 

b. categories of personal data concerned;

 

c. the recipients or categories of recipients to whom or to whom thepersonal data has been or will be communicated, including in particularrecipients in third countries and international organizations;

 

d. where applicable, the planned period of storage of personal dataor, if this is not possible, the criteria for determining this period;

 

e. the right of the data subject to request from the data controllerthe correction, deletion or restriction of the processing of personal dataconcerning him and to object to the processing of such personal data;

 

f. the right to submit a complaint to a supervisory authority;

 

g. if the data were not collected from the data subject, allavailable information about their source;

 

h. the fact of automated decision-making referred to in paragraphs(1) and (4) of Article 22 of the Regulation, including profiling, as well as,at least in these cases, comprehensible information about the logic used andthe significance of such data management and what it means for the data subjecthas expected consequences.

 

(2) If personal data is transferred to a third country or to aninternational organization, the data subject is entitled to receive informationabout the appropriate guarantees in accordance with Article 46 regarding thetransfer.

 

(3) The data controller shall make a copy of the personal datasubject to data management available to the data subject. For additional copiesrequested by the data subject, the data controller may charge a reasonable feebased on administrative costs. If the data subject submitted the requestelectronically, the information must be provided in a widely used electronicformat, unless the data subject requests otherwise.

 

The data subject's right to rectification and erasure

 

Right to rectification

 

(1) The data subject has the right to have inaccurate personal datacorrected without undue delay upon request by the data controller. Taking intoaccount the purpose of the data management, the data subject is entitled torequest the completion of incomplete personal data, including by means of asupplementary statement.

 

The right to erasure ("the right to be forgotten")

 

(1) The data subject has the right to request that the datacontroller delete the personal data concerning him without undue delay, and thedata controller is obliged to delete the personal data concerning the datasubject without undue delay if one of the following reasons exists:

 

the. the personal data are no longer needed for the purpose forwhich they were collected or otherwise processed;

 

b. the data subject withdraws the consent that forms the basis ofthe data management in accordance with point a) of Article 6 (1) of theregulation (consent to the processing of personal data) or point a) of article9 (2) of the regulation (giving express consent), and the data management hasno other legal basis;

 

c. the data subject objects to the processing of his data on thebasis of Article 21 (1) of the regulation (right to object) and there is nooverriding legitimate reason for data processing, or the data subject on thebasis of Article 21 (2) of the regulation (personal data processing for thepurpose of obtaining business) objection to) object to data processing;

 

d. personal data has been processed unlawfully;

 

e. the personal data must be deleted in order to fulfil the legalobligation prescribed by the EU or Member State law applicable to the datacontroller;

 

f. the collection of personal data took place in connection with theoffering of information society-related services referred to in Article 8 (1).

 

(2) If the data controller has disclosed the personal data and isobliged to delete it at the request of the data subject, taking into accountthe available technology and the costs of implementation, it will take thereasonably expected steps - including technical measures - in order to informthe data controllers handling the data that the data subject requested fromthem the deletion of the links to the personal data in question or the copy orduplicate of this personal data.

 

(3) Paragraphs (1) and (2) do not apply if data management isnecessary:

 

the. for the purpose of exercising the right to freedom ofexpression and information;

 

b. for the purpose of fulfilling the obligation under the EU orMember State law applicable to the data controller requiring the processing ofpersonal data, or for the execution of a task carried out in the publicinterest or in the context of the exercise of a public authority vested in thedata controller;

 

c. in accordance with points h) and i) of Article 9 (2) of theRegulation and Article 9 (3) of the Regulation on the basis of public interestin the field of public health;

 

d. in accordance with Article 89 (1) of the Regulation for thepurpose of archiving in the public interest, for scientific and historicalresearch purposes or for statistical purposes, if the right referred to inparagraph (1) would likely make this data management impossible or seriouslyjeopardize it; or

 

e. for the presentation, enforcement and defence of legal claims.

 

The right to restrict data processing

 

(1) The data subject has the right to have the data controllerrestrict data processing at his request, if one of the following is met:

 

the. the data subject disputes the accuracy of the personal data, inwhich case the limitation applies to the period that allows the data controllerto check the accuracy of the personal data;

 

b. the data processing is illegal and the data subject opposes thedeletion of the data and instead requests the restriction of its use;

 

c. the data controller no longer needs the personal data for thepurpose of data management, but the data subject requires them to present,enforce or defend legal claims; or

 

d. the data subject objected to the data processing in accordancewith Article 21 (1) of the Regulation; in this case, the restriction applies tothe period until it is established whether the legitimate reasons of the datacontroller take precedence over the legitimate reasons of the data subject.

(2) If data processing is subject to restrictions based on paragraph(1), such personal data, with the exception of storage, will only be processedwith the consent of the data subject, or for the presentation, enforcement or defenceof legal claims, or for the protection of the rights of other natural or legalpersons, or the Union , or can be handled in the important public interest of amember state.

 

(3) The data controller informs the data subject at whose requestthe data processing was restricted based on paragraph (1) in advance of thelifting of the data processing restriction.

 

Notification obligation related to the correction or deletion ofpersonal data or the limitation of data management

 

(1) The data controller informs all recipients of the correction,deletion or restriction of data management to whom or to whom the personal datawas disclosed, unless this proves to be impossible or requires adisproportionately large effort.

 

(2) At the request of the data subject, the data controller informsabout these recipients.

 

The right to data portability

 

(1) The data subject has the right to receive the personal dataconcerning him/her provided to a data controller in a segmented, widely used,machine-readable format, and is also entitled to transmit this data to anotherdata controller without being hindered by the data controller to whom you madethe personal data available, if:

 

the. data processing is based on the consent of Article 6 (1) pointa) of the regulation (data subject consent to the processing of personal data)or Article 9 (2) point a) of the regulation (data subject express consent todata processing), or Article 6 It is based on a contract according to paragraph(1) b); and

 

b. data management is automated.

 

(2) When exercising the right to data portability in accordance withparagraph (1), the data subject is entitled to - if this is technicallypossible - request the direct transfer of personal data between datacontrollers.

(3) The exercise of the right referred to in paragraph (1) of thisarticle may not violate Article 17 of the Regulation. The aforementioned rightdoes not apply if the data processing is in the public interest or is necessaryfor the performance of a task performed in the context of the exercise of thepublic authority delegated to the data controller.

(4) The right referred to in paragraph (1) may not adversely affectthe rights and freedoms of others.

 

The right to protest

 

1) The data subject has the right to protest at any time for reasonsrelated to his own situation against the processing of his personal datacarried out in the context of the exercise of the public interest or publicauthority, or the processing necessary to enforce the legitimate interests ofthe data controller or a third party (Article 6 (1) of the Decree e) or f)),including profiling based on the aforementioned provisions. In this case, thedata controller may no longer process the personal data, unless the datacontroller proves that the data processing is justified by compellinglegitimate reasons that take precedence over the interests, rights and freedomsof the data subject, or that are necessary for the presentation, enforcement ordefence of legal claims are connected.

 

(2) If personal data is processed for the purpose of direct businessacquisition, the data subject has the right to object at any time to theprocessing of his/her personal data for this purpose, including profiling, ifit is related to direct business acquisition.

 

(3) If the data subject objects to the processing of personal datafor the purpose of direct business acquisition, then the personal data may nolonger be processed for this purpose.

 

(4) The right mentioned in paragraphs (1) and (2) must bespecifically brought to the attention of the data subject during the firstcontact at the latest, and the relevant information must be displayed clearlyand separately from all other information.

 

(5) In connection with the use of services related to theinformation society and a

Deviating from Directive 2002/58/EC, the data subject may alsoexercise the right to protest using automated means based on technicalspecifications.

 

(6) If personal data is processed for scientific and historicalresearch purposes or for statistical purposes in accordance with Article 89 (1)of the Regulation, the data subject is entitled to object to the processing ofpersonal data concerning him for reasons related to his own situation, except,if the data management is necessary for the execution of a task carried out forreasons of public interest.

The right to be exempt from automated decision-making

 

(1) The data subject has the right not to be covered by a decisionbased solely on automated data management, including profiling, which wouldhave legal effects on him or affect him to a similar extent.

2) Subsection (1) does not apply if the decision:

 

the. necessary for the conclusion or fulfilment of the contractbetween the data subject and the data controller;

 

b. is made possible by EU or Member State law applicable to the datacontroller, which also establishes appropriate measures to protect the rightsand freedoms and legitimate interests of the data subject; or

 

c. based on the express consent of the data subject.

(3) In the cases referred to in points a) and c) of paragraph (2),the data controller is obliged to take appropriate measures to protect therights, freedoms and legitimate interests of the data subject, including atleast the right of the data subject to request human intervention on the partof the data controller, his/her position express and file an objection againstthe decision.

(4) The decisions referred to in paragraph (2) may not be based onthe special categories of personal data referred to in Article 9 (1) of theRegulation, unless points a) or g) of Article 9 (2) apply and the data subjectappropriate measures have been taken to protect your rights, freedoms andlegitimate interests.

 

The data subject's right to complaint and legal remedy

 

The right to complain to the supervisory authority.

 

(1) Based on Article 77 of the Regulation, the data subject isentitled to file a complaint with the supervisory authority if the

according to the opinion of the data subject, the processing ofpersonal data concerning him/her violates this regulation. (2) The data subjectmay exercise his right to file a complaint at the following contact details:

National Data Protection and Freedom of Information Authorityaddress: 1125 Budapest, Szilágyi Erzsébet fasor 22/c Phone: +36 (1) 391-1400;Fax: +36 (1) 391-1410 www: http://www.naih.hu

e-mail: ugyfelszolgalat@naih.hu

 

(3) The supervisory authority, to which the complaint was submitted,is obliged to inform the client about the procedural developments related tothe complaint and its result, including that the client is entitled to ajudicial remedy based on Article 78 of the Decree.

 

The right to an effective judicial remedy against the supervisoryauthority

 

(1) Without prejudice to other administrative or non-judicialremedies, all natural and legal persons are entitled to an effective judicialremedy against the legally binding decision of the supervisory authority.

 

(2) Without prejudice to other administrative or non-judicial legalremedies, all data subjects are entitled to effective judicial remedies if thecompetent supervisory authority does not deal with the complaint or does notinform the data subject within three months about the complaint submittedpursuant to Article 77 of the Regulation about procedural developments or theirresults.

 

(3) Proceedings against the supervisory authority must be initiatedbefore the court of the Member State where the supervisory authority isheadquartered.

 

(4) If proceedings are initiated against a decision of thesupervisory authority, in relation to which the Board previously issued anopinion or made a decision within the framework of the uniformity mechanism,the supervisory authority is obliged to send this opinion or decision to thecourt.

 

The right to an effective judicial remedy against the controller orprocessor

 

(1) Without prejudice to the available administrative ornon-judicial legal remedies, including the right to complain to the supervisoryauthority according to Article 77, all data subjects are entitled to aneffective judicial remedy if, in their judgment, their personal data has beenhandled in a way that does not comply with this regulation your rights underthis regulation have been violated.

 

(2) Proceedings against the data controller or data processor shallbe initiated before the court of the Member State where the data controller ordata processor operates. Such a procedure can also be initiated before thecourt of the Member State of the habitual residence of the person concerned,unless the data controller or the data processor is a public authority of aMember State acting in its public authority.

 

Restrictions

 

(1) The EU or Member State law applicable to the data controller ordata processor may limit the provisions of Articles 12-22 through legislativemeasures. Article and Article 34, as well as Articles 12–22. with regard to itsprovisions in accordance with the rights and obligations set out in Article 5,the scope of the rights and obligations contained in Article 5, if therestriction respects the essential content of fundamental rights and freedoms,as well as a necessary and proportionate measure for the protection of thefollowing in a democratic society:

 

the. national security;

 

b. national defence;

 

c. public safety;

 

d. the prevention, investigation, detection or prosecution ofcrimes, or the enforcement of criminal sanctions, including the protectionagainst threats to public safety and the prevention of such threats;

 

e. other important general public interest objectives of the Unionor a Member State, in particular an important economic or financial interest ofthe Union or a Member State, including monetary, budgetary and tax matters,public health and social security;

 

f. the protection of judicial independence and judicial proceedings;

 

g. in the case of regulated occupations, the prevention,investigation and detection of ethical violations and the conduct of relatedprocedures;

 

h. in the cases mentioned in points a)-e) and ag) - evenoccasionally - control, investigation or regulatory activities related to theperformance of public authority tasks;

 

i. the protection of the data subject or the protection of therights and freedoms of others;

 

j. enforcement of civil law claims.

 

(2) The legislative measures referred to in paragraph (1) contain,where appropriate, detailed provisions at least:

 

the. for the purposes of data management or the categories of datamanagement,

 

b. categories of personal data,

 

c. on the scope of the restrictions introduced,

 

d. guarantees aimed at preventing misuse, unauthorized access ortransmission,

 

e. to define the data controller or to define the categories of datacontrollers,

 

f. for the duration of data storage, as well as the applicableguarantees, taking into account the nature, scope and purposes of datamanagement or categories of data management,

g. to risks affecting the rights and freedoms of the data subjects,and

 

h. on the right of the data subjects to receive information aboutthe restriction, unless this may adversely affect the purpose of therestriction.

 

Information about the data protection incident

 

(1) If the data protection incident likely involves a high risk forthe rights and freedoms of natural persons, the data controller shall informthe data subject of the data protection incident without undue delay.

 

(2) The nature of the data protection incident must be clearly andcomprehensibly described in the information provided to the data subjectreferred to in paragraph (1), and at least the

 

the name and contact details of the data protection officer or othercontact person providing additional information, the likely consequences of thedata protection incident, the measures taken or planned by the data controllerto remedy the data protection incident, including, where appropriate, measuresaimed at mitigating any adverse consequences resulting from the data protectionincident.

 

(3) The data subject need not be informed as mentioned in paragraph(1) if any of the following conditions are met:

 

the. the data controller has implemented appropriate technical andorganizational protection measures and these measures have been applied to thedata affected by the data protection incident, in particular those measures -such as the use of encryption - that make the personal data unintelligible topersons not authorized to access the personal data data;

 

b. after the data protection incident, the data controller has takenadditional measures to ensure that the high risk to the rights and freedoms ofthe data subject referred to in paragraph (1) is unlikely to materialize in thefuture;

 

c. providing information would require a disproportionate effort. Insuch cases, the data subjects must be informed through publicly publishedinformation, or a similar measure must be taken that ensures similarlyeffective information to the data subjects.

 

(4) If the data controller has not yet notified the data subject ofthe data protection incident, the supervisory authority, after consideringwhether the data protection incident is likely to involve a high risk, mayorder the data subject to be informed or establish that one of the conditionsmentioned in paragraph (3) has been met.

 

V. PROCEDURE TO BE APPLIED IN THE CASE OF A REQUEST BY THE PARTICIPANT

(1) The Company facilitates the exercise of the data subject'srights, and may not refuse to comply with the data subject's request toexercise his or her rights, as set out in this data management information,unless it proves that the data subject cannot be identified.

 

(2) The Enterprise informs the person concerned about the measurestaken following the request without undue delay, but in any case within onemonth from the receipt of the request. If necessary, taking into account thecomplexity of the application and the number of applications, this deadline canbe extended by another two months. The data controller shall inform the datasubject of the extension of the deadline, indicating the reasons for the delay,within one month of receiving the request.

 

(3) If the data subject submitted the application electronically,the information must be provided electronically, if possible, unless the datasubject requests otherwise.

 

(4) If the Company does not take measures following the request ofthe data subject, it shall inform the data subject without delay, but at thelatest within one month of the receipt of the request, of the reasons for thefailure to take action, as well as that the data subject may file a complaintwith the supervisory authority and take legal action with his right of redress.

(5) The Company provides the data subject with the followinginformation and measures free of charge: feedback on the processing of personaldata, access to processed data, correction, addition, deletion of data,restriction of data processing, data portability, objection to data processing,information about data protection incidents.

 

(6) If the data subject's request is clearly unfounded or -especially due to its repetitive nature - excessive, the data controller,taking into account the administrative costs associated with providing therequested information or information or taking the requested measure: maycharge a fee of HUF 5,000 or refuse the request action based on

 

(7) It is the responsibility of the data controller to prove thatthe request is clearly unfounded or exaggerated.

 

(8) Without prejudice to Article 11 of the Regulation, if the datacontroller has well-founded doubts about the Regulation

15–21. regarding the identity of the natural person who submittedthe application pursuant to Article, you may request the provision ofadditional information necessary to confirm the identity of the personconcerned.

 

VI. PROCEDURE IN CASE OF A DATA PROTECTION INCIDENT (PERSONAL DATABREACH)

(1) According to the Regulation, a data protection incident is abreach of security that results in the accidental or unlawful destruction,loss, alteration, unauthorized disclosure or unauthorized access to personaldata transmitted, stored or handled in another way.

 

(2) A data protection incident is the loss or theft of a devicecontaining personal data (laptop, mobile phone), as well as the loss orinaccessibility of the code used to decrypt files encrypted by the datacontroller, infection by ransomware (blackmail virus), which makes the datamanaged by the data controller inaccessible until a ransom is paid, attacks onthe IT system, e-mail containing wrongly sent personal data, publication ofaddress lists, etc.

 

(3) If a data protection incident is detected, the representative ofthe Company shall immediately conduct an investigation in order to identify thedata protection incident and determine its possible consequences. Necessarymeasures must be taken to prevent damage.

 

(4) The data protection incident must be reported to the competentsupervisory authority without undue delay and, if possible, no later than 72hours after becoming aware of the data protection incident, unless the dataprotection incident does not likely pose a risk to the rights and freedoms ofnatural persons looking at. If the notification is not made within 72 hours,the reasons justifying the delay must also be attached.

 

(5) The data processor shall report the data protection incident tothe data controller without undue delay after becoming aware of it.

 

(6) In the notification referred to in paragraph (3), at least:

 

the. the nature of the data protection incident must be described,including – if possible – the categories and approximate number of affectedpersons, as well as the categories and approximate number of data affected bythe incident;

 

b. the name and contact details of the data protection officer orother contact person providing additional information must be provided;

 

c. the probable consequences of the data protection incident must bedescribed;

 

d. the measures taken or planned by the data controller to remedythe data protection incident must be described, including, where appropriate,measures aimed at mitigating any adverse consequences resulting from the dataprotection incident.

 

(7) If and to the extent that it is not possible to provide theinformation at the same time, it can be provided later in parts without furtherundue delay.

(8) The data controller keeps records of data protection incidents,indicating the facts related to the data protection incident, its effects andthe measures taken to remedy it. This register enables the supervisoryauthority to check compliance with the requirements set out in Article 33 ofthe Regulation.

 

VII. DATA MANAGEMENT IN CONNECTION WITH THE WEBSITE

Information regarding the data of visitors to the Company's website

 

(1) During visits to the Company's website, one or more cookies -small information packages that the server sends to the browser and then thebrowser sends back to the server for every request directed to the server - aresent to the computer of the person visiting the website, which its browser willbe uniquely identifiable, if the person visiting the website has given hisexpress (active) consent by continuing to browse the website after clear andunambiguous information.

 

(2) Cookies work solely to improve the user experience and automatethe login process. The cookies used on the website do not store personallyidentifiable information, and the Company does not manage personal data in thiscontext.

 

VIII. DATA MANAGEMENT ACTIVITY RELATED TO CONTRACT PERFORMANCE

(1) The Company manages the personal data of the natural personscontracting with it - customers, buyers, suppliers - in connection with thecontractual relationship. The data subject must be informed about the handlingof personal data.

 

(2) Scope of stakeholders: all natural persons who establish acontractual relationship with the Enterprise.

 

(3) The legal basis of data management is the performance of acontract, the purpose of data management is to maintain contact, assert claimsarising from the contract, and ensure compliance with contractual obligations.

 

(4) Recipients of personal data: the head of the Company, theCompany's employees and data processors performing customer service andbookkeeping tasks based on their job title.

 

(5) The range of personal data handled: name, address, seat, phonenumber, e-mail address, tax number, bank account number, entrepreneur IDnumber, primary producer ID number.

 

(6) Duration of data management: 5 years from the termination of thecontract.

 

IX. DATA SECURITY PROVISIONS

(1) The Company may process personal data only in accordance withthe activities set out in these regulations and according to the purpose ofdata management.

 

(2) The Company takes care of the security of the data, in thiscontext it undertakes to take all the technical and organizational measuresthat are absolutely necessary for the enforcement of the laws relating to datasecurity, data and privacy protection rules, as well as to establish theprocedural rules necessary for the enforcement of the laws defined above.

 

(3) The Company shall take appropriate measures to protect the dataagainst unauthorized access, alteration, transmission, disclosure, deletion ordestruction, as well as accidental destruction and damage, as well asinaccessibility resulting from changes in the technology used.

 

(4) The technical and organizational measures to be implemented bythe Company for the sake of data security are a

It is recorded in the company's data protection policy.

(5) When determining and applying data security measures, theCompany takes into account the state of the art at all times, and in the caseof several possible data management solutions, chooses a solution that ensuresa higher level of protection of personal data, unless it would represent adisproportionate difficulty.

 

X. RULES RELATING TO DATA PROCESSING

1. General rules related to data processing

 

(1) The rights and obligations of the data processor related to theprocessing of personal data are defined by the law and the data controllerwithin the framework of separate laws on data management.

 

(2) The Company declares that the data processor does not have thecompetence to make a substantive decision regarding data management in thecourse of its activities, it can process the personal data it has come to knowonly in accordance with the provisions of the data controller, it does notperform data processing for its own purposes, and it is also obliged to disposeof personal data in accordance with the provisions of the data controller storeand preserve.

 

(3) For the legality of the instructions given to the data processorregarding data management operations a

Business is responsible.

 

(4) The Company is obliged to provide the data subjects withinformation about the person of the data processor and the place of dataprocessing.

 

(5) The Enterprise does not authorize the data processor to use additionaldata processors.

 

(6) The contract for data processing must be in writing. Dataprocessing cannot be entrusted to an organization that is interested inbusiness activities that use the personal data to be processed.

 Dated 09.26, 2024.