As the data controller, the Service Provider acknowledges its obligation to adhere to the provisions of this legal notice. It commits to ensuring that its data processing activities, concerning its services, comply with the requirements delineated in this notice and the prevailing legislation.
The Service Provider is dedicated to safeguarding the personal data of its Users. It places paramount importance on respecting its customers' right to information self-determination. The Service Provider treats personal data with utmost confidentiality and employs comprehensive security, technical, and organizational measures to ensure the data's security.
The Service Provider retains the prerogative to amend this information at any time, with due notice provided to the Users.
Should you have any queries that remain unclear after reviewing this notice, please do not hesitate to contact us, and our staff will provide you with the necessary clarifications.
The Service Provider hereby outlines its data management principles and the standards it has established and adheres to as a data controller. These data management principles align with the relevant data protection legislation in effect.
- Personal data: Personal data encompasses any information pertaining to an identified or identifiable natural person. An identifiable natural person is one who can be discerned, either directly or indirectly, especially by referencing an identifier like a name, number, location data, an online identifier, or one or more factors that are specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of the natural person.
- Consent of the data subject: Consent of the data subject is a voluntary, specific, informed, and unambiguous expression of the data subject's preferences. This expression is made by the data subject through a statement or a clear act of affirmation, signifying their agreement to the processing of personal data related to them.
- Data controller: The controller refers to a natural or legal person, a public authority, an agency, or any other entity. This entity, either independently or jointly with others, establishes the purposes and methods for the processing of personal data. In cases where the purposes and methods of processing are determined by European Union or Member State law, the controller, or specific criteria for designating the controller, may also be stipulated by European Union or Member State law.
- Data processing: Data processing encompasses any operation or series of operations carried out on personal data or sets of personal data, whether by automated means or not. These operations include collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure, transmission, dissemination, or other means of making data available, alignment or combination, restriction, erasure, or destruction.
- Data processor: A processor refers to a natural or legal person, a public authority, an agency, or any other entity that conducts the processing of personal data on behalf of the controller.
- Recipient: It's important to note that public authorities with access to personal data within the scope of individual investigations under European Union or Member State law are not considered recipients. The processing of such data by these public authorities must comply with the relevant data protection regulations in alignment with the processing purposes.
- Third party: A third party is a natural or legal person, a public authority, an agency, or any other entity distinct from the data subject, the controller, the processor, or individuals authorized to process personal data under the direct authority of the controller or processor.
- Data breach: A data breach denotes a security incident resulting in the unintended or unlawful destruction, loss, or alteration of, or the unauthorized disclosure of or access to, personal data transmitted, stored, or otherwise processed.
- Restriction of processing: Marking stored personal data with the objective of curtailing their future processing.
- De-identification: De-identification is the process of altering personal data in a manner that renders it impossible to identify the natural person to whom the data relates without additional information. This additional information must be kept separate, and technical and organizational measures are implemented to ensure that no association with an identified or identifiable natural person is feasible.
II. Data Controller's Data and Contact Details
The Service Provider and Data Controller is Richárd Szőke, a sole proprietor, identified by registration number 43263493 and tax number HU67081770, with the registered office located at H-7570 Barcs, Bem street 26., and contactable at firstname.lastname@example.org.
III. Transfers of Data
The Service Provider transfers Users' personal data to the following subcontractors for the purposes indicated:
- OTP Mobil Kft., with a company registration number of 01-09-174466, having its registered office at H-1138 Budapest, Váci street 135-139, Building B, 5th floor, and contactable at email@example.com, will receive and process the User's name, address, and e-mail address for the purpose of handling payments initiated by the User.
- KBOSS.hu Kft., with a company registration number of 01-09-303201, having its registered office at H-1031 Budapest, Záhony street 7., and contactable at firstname.lastname@example.org, will receive and process the User's name, address, e-mail address, and optionally the tax ID for the purpose of generating invoices.
IV. Principles of Data Processing by the Service Provider
Personal data may be processed when:
- The data subject has given their consent for the processing of their personal data for one or more specific purposes.
- Data processing is necessary for the performance of a contract in which the data subject is a party, or for taking steps at the request of the data subject prior to entering into a contract.
- Data processing is required to fulfill a legal obligation applicable to the data controller.
- Data processing is necessary for the protection of vital interests of the data subject or another natural person.
- Data processing is carried out in the public interest or in the exercise of official authority vested in the data controller.
- Data processing is necessary for the legitimate interests pursued by the data controller or a third party.
In accordance with Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information, which is valid in Hungary, and EU Regulation 2016/679 (General Data Protection Regulation - GDPR), the validity of a declaration of consent from a data subject who has reached the age of 16 does not require the consent or subsequent approval of their legal representative. For data subjects under the age of 16, the validity of the declaration of consent requires the consent of the legal representative exercising parental authority over the child. The Service Provider is unable to verify consent; the User is responsible for its accuracy.
The Service Provider conducts the processing of personal data lawfully and fairly, and in a transparent manner to the data subject.
The Service Provider collects personal data only for specific, explicit, and lawful purposes and does not process them in a manner incompatible with these purposes.
The Service Provider determines the data processing in connection with its purposes and restricts it to what is necessary. The personal data managed by the Service Provider are accurate, complete, and up-to-date, and the Service Provider takes all reasonable measures to promptly delete or correct inaccurate personal data from the perspective of the purposes of data processing.
V. Scope of Personal Data, Purpose, Legal Basis and Duration of Data Processing
Within the services, the processing of all personal data related to the data subject is based on voluntary consent, legitimate interests, the performance of a contract, or the fulfillment of a legal obligation. The Service Provider retains personal data for the duration of the customer relationship and until the enforcement of civil law claims.
To prevent and detect fraud, the Service Provider stores certain personal and transactional data about Users even after the termination of the contractual relationship (account suspension or deletion). Data storage is only carried out to an extent and for a purpose that is suitable for preventing excluded Users from creating a new account in the future. Data is stored to maintain a secure platform for other Users.
In cases of data processing, the Service Provider provides detailed information on the following:
- The purpose of the personal data processing.
- The legal basis for the personal data processing.
- The scope of processed personal data and types of data.
- The duration of personal data storage.
- In case of potential data transfers, the recipients of personal data.
- The data security measures applied to protect personal data.
VI. Data Collection by External Service Providers
The platform's code includes links from and to external servers that are independent of the Service Provider.
One of these external servers aids in the independent auditing of website traffic and other web analytics data (Google Analytics). The external service provider, who manages the data, can provide detailed information about the handling of data independently of the Service Provider.
The external service provider does not have access to the personal data managed by the Service Provider. The Service Provider only gives the external service provider access to aggregated, non-personal data.
The Service Provider utilizes the personal data of Users for the purpose of creating statistics and analyses that enhance the services and User experience, and for the development of information systems.
VII. Registration Database
In the registration database, the Service Provider manages the User's Username, email address, hashed password, first and last name, address, registration date, IP address at the time of registration, and bank account number. These data are essential for identification, communication, invoicing, and financial transactions.
The legal basis for data processing is the performance of the contract between the Service Provider and the User, as well as the User's consent based on this notice.
Data related to invoicing must be retained for 8 years in compliance with the provisions of 169. § (2) of the Hungarian Act of 2000 on Accounting, which is in effect in Hungary. The legal basis for processing invoicing data is the fulfillment of a legal obligation.
Most of the provided data can be modified on the websites. The User may initiate the deletion of data from their own User account if necessary.
VIII. Other Data Processing Purposes
Information about data processing not listed in this notice will be provided at the time of data collection.
For the purpose of verifying registration data (security data reconciliation), we may request a photocopy of an identification document, which the User can send to us via email following a separate data processing notice. The purpose of security data reconciliation is to verify the accuracy of registration data. The Service Provider only conducts the Data Reconciliation process for Users who can reasonably be suspected of abuse, and thus, may pose a security risk. During the security data reconciliation, the check of the data provided during registration aims to maintain the security of the platform, detect potential abuses, and prevent possible criminal activities.
We inform Users that the court, prosecutor, investigative authorities, or regulatory authorities may contact the Service Provider to provide information, disclose personal data, transmit, or make documents available. The Service Provider, in compliance with their lawful request, only discloses personal data to the extent that is indispensable for achieving the purpose of the request, provided that the authorities have defined the exact purpose and scope of the data. The legal basis for data processing and data transfer is the fulfillment of a legal obligation.
IX. Method of Personal Data Storage and Data Security
The Service Provider selects and operates the information technology tools used for the processing of personal data in a manner that ensures that the processed data:
- Is accessible to authorized personnel (availability).
- Is reliable and authenticated (data processing reliability).
- Can be verified for its integrity (data integrity).
- Is protected against unauthorized access (data confidentiality).
The Service Provider ensures the security of data processing through technical, organizational, and structural measures that provide an appropriate level of protection against the risks associated with data processing.
The Service Provider maintains appropriate backups of the IT data and environment, operating them with the necessary parameters based on the preservation time of each piece of data. This guarantees the availability of data within the preservation time; upon the expiration of the preservation time, the data is permanently destroyed.
The Service Provider transparently investigates any potential incidents related to personal data, whether detected during its operation or reported, following responsible and strict principles.
X. Information about the Rights of Data Subjects
The data subject can request information about the processing of their personal data and can also request the correction or, except for data processing mandated by law, the deletion of their personal data via the email address email@example.com.
The Service Provider makes every effort to respond to User inquiries and questions related to data processing as quickly as possible.
Rights of the data subject:
- Right to access - The User can request the Service Provider to confirm the processing of their personal data, provide a copy of the personal data being processed, and provide additional information about their personal data, especially concerning the data held, the purposes of data processing, the recipients of this data, whether the data is transmitted, how the data is protected, the retention period, the rights related to this data, the means and format of lodging complaints, and finally, where the User obtained their data if such information has not been provided to the User before this notice.
- Right to rectification - The User can request the Service Provider to correct or complete their inaccurately or incompletely recorded personal data. Before correcting inaccurate data, the Service Provider may examine the accuracy and completeness of the data.
- Right to erasure - The User can request the deletion of their personal data in cases where the data is no longer necessary for the purposes for which it was collected, when the User has withdrawn their consent (if the data processing is based on consent), if the User exercises their right to object, if the personal data has been unlawfully processed, or if the deletion of the data is required by law. The Service Provider is not obliged to fulfill the User's request for the erasure of personal data if the processing of personal data is necessary to comply with a legal obligation, to assert or defend legal claims, or for the protection of our legitimate interests.
- Right to restriction of processing (right to block) - The User can request the restriction of the processing of their personal data (the blocking of their data) only if: they dispute the accuracy of the personal data, for the period required to verify the accuracy; the processing is unlawful, but the User opposes the erasure of the data; the personal data is no longer needed for the purposes for which it was collected, but the pursuit, exercise, or defense of legal claims requires it; or the User has objected to the processing, and the legality of the Service Provider's processing is still under investigation. When exercising the right to block, the personal data can still be used by the Service Provider, as long as the User has given their consent for this, if the use of the data (its existence) is necessary for the enforcement of certain rights or legitimate interests of a natural or legal person.
- Ensuring data portability - The User can request the Service Provider to provide their personal data in a structured, widely used, machine-readable format.
- Right to object - The User has the right to object to the processing of their personal data at any time for reasons related to their specific situation, if they believe that their fundamental rights and freedoms require it. At any time and without giving a reason, the User can also object to the processing of their personal data for direct marketing purposes (including User profiling), in which case the Service Provider will terminate data processing as quickly as possible.
- Informing the data subject about possible data protection incidents - To the best of its knowledge and in proportion to the risks, the Service Provider protects the personal and other types of data of Users, operates an up-to-date and reliable IT environment, and carefully selects its cooperating partners. It carries out its internal processes in a regulated and supervised manner to prevent, avoid, or, if it still occurs, to detect, investigate, and manage the slightest mistake, problem, or incident related to the processing of personal data. If an incident related to the processing of personal data does occur, and it is proven to have a probable high risk to the rights and freedoms of Users, the Service Provider undertakes to inform the data subject and the data protection authority about the data protection incident in accordance with applicable data protection regulations without undue delay, both in terms of content and timing.
- Execution of automated processes - As a data subject, the User can request the Service Provider to exempt them from decisions made exclusively through automated processes, but only if such decisions would have legal effects on the User or would have similarly significant, unfavorable consequences for the User. The right under this section cannot be exercised if a decision made through automated decision-making is necessary for the conclusion or performance of a contract with the User, if such decision is allowed by European Union or Member State law, which also provides for appropriate measures to protect the User's rights and freedoms and legitimate interests, or if the User has given explicit consent for it.
- Right to file a complaint - Complaints regarding data processing may be filed with the supervisory authority, the Hungarian National Authority for Data Protection and Freedom of Information (NAIH). The NAIH is headquartered at H-1125 Budapest, Szilágyi Erzsébet fasor 22/c, and can be reached by telephone at +3613911400 or via email at firstname.lastname@example.org.
- Right to Judicial Remedy - The User possesses the right to pursue a judicial remedy in response to a legally binding decision issued by the supervisory authority that pertains to them. This right may be exercised under the following circumstances: If the supervisory authority, having jurisdiction, fails to address the User's complaint or neglects to inform the data subject of the procedural developments or the outcome of the complaint within three months. Legal actions against the supervisory authority shall be initiated within the courts of the Member State where the supervisory authority maintains its establishment. Furthermore, in addition to the right to judicial remedy, data subjects maintain the prerogative to pursue administrative or non-judicial remedies. This includes the option to lodge a complaint with the supervisory authority. A judicial remedy remains available to any data subject who holds the belief that their rights under this Regulation have been violated due to the processing of their personal data, contrary to the provisions set forth in this Regulation.