Privacy Policy

 

Introduction

Pannon Generál Kft. (1012. Budapest Tábor u 5. 3/5., tax number: 29230134-2-41, company registration number: Cg.01-09-384296) (hereinafter referred to as the ‘Service Provider’, ‘Data Controller’) hereby submits to the following policy:

Pursuant to REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and on the repeal of Directive 95/46/EC (General Data Protection Regulation), we provide the following information.

The present data protection policy regulates the processing of data on the following pages: www.zoldpark100.hu

The data protection policy is available on the following page: www.zoldpark100.hu

Amendments to the Rules will enter into force upon publication at the above address.

Data controller and contact details

Name: Béla Strausz

Seat: 1012 Budapest Tábor u 5.

E-mail: info@zoldpark100.hu

Telephone: +36 30 111 9988

 

Definitions of terms

 

  1. ‘personal data’ is any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is a person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
  2. ‘processing’ is any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, viewing, use, disclosure by transmission, dissemination or otherwise making it available, synchronisation or combination, restriction, erasure or destruction;
  3. ‘data controller’ is a natural or legal person, public authority, agency or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of the processing are determined by Union or Member State law, the data controller or the specific criteria for the designation of the data controller may also be determined by Union or Member State law;
  4. ‘data processor’ is a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the data controller;
  5. ‘recipient’ is a natural or legal person, public authority, agency or any other body to whom or with which personal data are disclosed, whether or not they are a third party. Public authorities which may have access to personal data in the context of an individual investigation in accordance with EU or Member State law are not recipients; the processing of those data by those public authorities must comply with the applicable data protection rules in accordance with the purposes of the processing;
  6. ‘data subject’s consent’ means a freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she signifies, by a statement or by an act expressing his or her unambiguous consent, that he or she agrees to the processing of personal data concerning him or her;
  7. ‘data breach’ is a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Principles relating to the processing of personal data

Personal data:

  1. must be processed lawfully and fairly and in a transparent manner for the data subject (‘lawfulness, fairness and transparency’);
  2. must be collected for specified, explicit and legitimate purposes and not processed in a way that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific and historical research purposes or statistical purposes shall not be considered incompatible with the original purpose in accordance with Article 89(1) (‘purpose limitation’);
  3. must be adequate, relevant and limited to what is necessary for the purposes for which they are processed (‘data minimisation’);
  4. must be accurate and, where necessary, kept up to date; all reasonable steps must be taken to ensure that personal data which are inaccurate for the purposes for which they are processed are erased or rectified without delay (‘accuracy’);
  5. must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be kept for longer periods only if the personal data are processed for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1), taking into account the implementation of appropriate technical and organisational measures required by this Regulation to safeguard the rights and freedoms of data subjects (‘storage limitation’);
  6. must be processed in such a way as to ensure adequate security of personal data, including protection against unauthorised or unlawful processing, accidental loss, destruction or damage, by implementing appropriate technical or organisational measures (‘integrity and confidentiality’).

The data controller is responsible for compliance with the above and must be able to demonstrate such compliance (‘accountability’).

The data controller declares that their processing will be carried out in accordance with the principles set out in this point.

 

Data processing related to webshop operation/use of the service

  1. The fact of collection, the scope of the data processed and the purpose of the processing:

| Personal data | Purpose of data processing | Legal basis |
|---|---|---|
| E-mail address | Contact. | |
| Name | Contact. | |

Neither the name nor the e-mail address needs to contain personal data.

  2. Scope of data subjects: Data subjects using the messaging form.
  3. Duration of data processing, data deletion deadline: If one of the conditions set out in Article 17(1) of the GDPR is met, it shall remain in force until the data subject’s request for erasure. The deletion of any personal data provided by the data subject shall be notified by the data controller to the data subject by electronic means pursuant to Article 19 of the GDPR. If the data subject’s request for erasure also includes the e-mail address provided by the data subject, the data controller shall erase the e-mail address after the information is provided. Accounting documents are an exception, since according to Article 169 (2) of Act C of 2000 on Accounting, these data must be kept for 8 years. The contractual data of the data subject may be erased after the expiry of the civil limitation period on the basis of a request for erasure by the data subject.

Bookkeeping documents (including general ledger accounts, analytical and detailed records) directly and indirectly supporting the bookkeeping accounts must be kept for at least 8 years in a legible form, retrievable by reference to the bookkeeping records.

  4. The identity of the potential data controllers entitled to access the data, the recipients of the personal data: Personal data may be processed by the sales and marketing staff of the controller, in compliance with the above principles.
  5. Description of data subjects’ rights in relation to data processing:
  • The data subject may request the data controller to access, rectify, erase or restrict the processing of personal data relating to him or her, and
  • the data subject shall have the right to data portability and to withdraw consent at any time.
  6. The data subject may request access to, deletion, modification or restriction of the processing of personal data, or the portability of data in the following ways:
  • by post to the following address: Budapest Tábor u 5,
  • by e-mail to info@zoldpark100.hu,
  • by phone on +36 30 111 9988.
  7. Legal basis for data processing:
    1. Article 6(1)(b) and (c) of the GDPR,
    2. Section 13/A (3) of Act CVIII of 2001 on certain aspects of electronic commerce services and information society services (hereinafter: Elker Act):

The service provider may process personal data that are technically necessary for the provision of the service. If other conditions are identical, the provider must choose and in any case operate the means used in the provision of information society services in such a way that personal data are processed only to the extent strictly necessary for the provision of the service and for the fulfilment of the other purposes laid down in this Act, but only to the extent and for the duration necessary.

    3. Article 6(1)(c) in case an invoice is issued in accordance with bookkeeping legislation.
    4. In the event of enforcement of claims arising from the contract, 5 years pursuant to Article 6:21 of Act V of 2013 on the Civil Code.

Article 6:22 [Statute of limitations].

(1) Unless otherwise provided by this Act, claims shall be subject to a limitation period of five years.

(2) The limitation period starts to apply when the claim becomes due.

(3) The agreement to change the limitation period must be in writing.

(4) The agreement excluding the limitation period is null and void.

  8. Please be informed that
  • the data processing is necessary for the performance of a contract and the submission of an offer.
  • you are obliged to provide personal information so that we can fulfil your order.
  • failure to provide data will result in our inability to process your order.

 

Management of cookies

  1. The use of so-called ‘password-protected session cookies’, ‘shopping cart cookies’, ‘security cookies’, ‘essential cookies’, ‘functional cookies’ and ‘cookies responsible for the management of website statistics’ does not require prior consent from the data subject.
  2. The fact of data processing, the scope of the data processed: Unique identification number, dates, times
  3. Scope of data subjects: All data subjects visiting the website.
  4. Purpose of data processing: User identification and visitor tracking.
  5. Duration of data processing, data deletion deadline:

| Type of cookie | Legal basis for data processing | Duration of data processing |
|---|---|---|
| Session cookies | Section 13/A (3) of Act CVIII of 2001 on certain issues of electronic commerce services and information society services (Elker Act). | Period until the end of the relevant visitor session |
| Permanent or saved cookies | Section 13/A (3) of Act CVIII of 2001 on certain issues of electronic commerce services and information society services (Elker Act). | Until deletion by the data subject |
| Statistical cookies | Section 13/A (3) of Act CVIII of 2001 on certain issues of electronic commerce services and information society services (Elker Act). | 1 month – 2 years |

  6. The identity of the potential data controllers entitled to access the data: By using cookies, no personal data is processed by the data controller.
  7. Description of data subjects’ rights in relation to data processing: Data subjects have the possibility to delete cookies in the Tools/Settings menu of their browsers, usually under the Privacy settings.
  8. Legal basis for data processing: The data subject’s consent is not required where the sole purpose of the use of cookies is the transmission of communications over an electronic communications network or where the use of cookies is strictly necessary for the provision of an information society service expressly requested by the subscriber or user.
  9. Most browsers used by our users allow you to set which cookies should be saved and they allow (certain) cookies to be deleted again. If you restrict the saving of cookies on certain websites or do not allow third-party cookies, this may, under certain circumstances, lead to our website no longer being fully usable. Here you will find information on how to customise your cookie settings for common browsers:

Google Chrome (https://support.google.com/chrome/answer/95647?hl=hu)

Internet Explorer (https://support.microsoft.com/hu-hu/help/17442/windows-internet-explorer-delete-manage-cookies)

Firefox (https://support.mozilla.org/hu/kb/sutik-engedelyezese-es-tiltasa-amit-weboldak-haszn

Safari (https://support.apple.com/kb/PH21411?locale=hu_HU)

 

The use of Google Analytics

  1. This website uses Google Analytics, a web analytics service provided by Google Inc. (‘Google’). Google Analytics uses ‘cookies’, which are text files placed on your computer, to help the website analyse how the User uses the visited website.
  2. The information generated by the cookies on the website used by the User is usually transferred to a Google server in the USA and stored there. By activating IP anonymisation on the website, Google will first shorten the User’s IP address within the Member States of the European Union or in other states participating in the Agreement on the European Economic Area.
  3. The full IP address will be transmitted to a Google server in the USA and shortened there only in exceptional cases. Google will use this information on behalf of the operator of this website to evaluate how the User has used the website, to compile reports on website activity for the website operator and to provide other services relating to website and internet usage.
  4. The IP address transmitted by the User’s browser within the framework of Google Analytics will not be merged with other data held by Google. The User may prevent the storage of cookies by selecting the appropriate settings on their browser, however, please note that in this case, not all functions of this website may be fully functional. Furthermore, you can prevent Google from collecting and processing information about the use of the website by the User (including your IP address) by means of cookies by downloading and installing the browser plug-in available at the following link. https://tools.google.com/dlpage/gaoptout?hl=hu

 

The data processors used 

Delivery

  1.  Activity carried out by a data processor: Delivery of products, transport
  2.  Name of data processor and contact details:

NAME, ADDRESS, CONTACT DETAILS OF TRANSPORTER

  3.  The fact of data processing, the scope of the data processed: Delivery name, delivery address, telephone number, e-mail address.
  4.  Scope of data subjects: All data subjects requesting a home delivery.
  5.  Purpose of data processing: Home delivery of the ordered product.
  6.  Duration of data processing, data deletion deadline: Until the delivery is completed.
  7.  Legal basis for data processing: Article 6(1)(b).

Hosting provider

  1.  Activity carried out by a data processor: Hosting service
  2.  Name of data processor and contact details:

M.BIT Kft 1193 Budapest, Áram u. 21. +36 (30) 941-0842 info@mbit.hu

  3.  The fact of data processing, the scope of the data processed: All personal data provided by the data subject.
  4.  Scope of data subjects: All data subjects using the website.
  5.  Purpose of data processing: Making the website available and operating it properly.
  6.  Duration of data processing, data deletion deadline: Data processing shall continue until the termination of the agreement between the data controller and the hosting provider or until the data subject’s request for deletion to the hosting provider.
  7.  The legal basis for the processing of data: Article 6 (1) (c) and (f) and Article 13/A (3) of Act CVIII of 2001 on certain aspects of electronic commerce services and information society services. A legitimate interest is the proper operation of the website, protection against attacks and fraud.

Other data processors (if applicable)

 

THE RECIPIENTS TO WHOM THE PERSONAL DATA ARE DISCLOSED (DATA TRANSFER)

Newsletter, DM activity

  1. Pursuant to Article 6 of Act XLVIII of 2008 on the Basic Conditions and Certain Limitations of Economic Advertising Activities, the User may expressly consent in advance to the Service Provider contacting him/her with advertising offers and other mailings at the contact details provided at the time of registration.
  2. In addition, the Customer may, in accordance with the provisions of this notice, consent to the processing of personal data by the Service Provider for the purpose of sending advertising offers.
  3. The Service Provider will not send unsolicited commercial messages, and the User may unsubscribe from receiving such offers without any restriction or justification and free of charge. In this case, the Service Provider will delete all personal data necessary for sending advertising messages from its records and will not contact the User with further advertising offers. The User can unsubscribe from advertising by clicking on the link in the message.
  4. The fact of collection, the scope of the data processed and the purpose of the processing:

| Personal data | Purpose of data processing | Legal basis |
|---|---|---|
| Name, e-mail address. | Identification, enabling subscription to newsletter/special offers. | Consent of the data subject, Article 6(1)(a). Article 6(5) of Act XLVIII of 2008 on the Basic Conditions and Certain Limitations of Economic Advertising Activities. |
| Date of subscription | Performing a technical operation. | |
| IP address at the time of subscription | Performing a technical operation. | |

  5. Scope of data subjects: All data subjects who subscribe to the newsletter.
  6. Purpose of data processing: sending electronic messages containing advertising (e-mail, sms, push messages) to the data subject, providing information on current information, products, promotions, new features, etc.
  7. Duration of data processing, data deletion deadline: until the consent is withdrawn, i.e. until unsubscription.
  8. The identity of the potential data controllers entitled to access the data, the recipients of the personal data: Personal data may be processed by the sales and marketing staff of the controller, in compliance with the above principles.
  9. Description of data subjects’ rights in relation to data processing:
  • The data subject may request the data controller to access, rectify, erase or restrict the processing of personal data relating to him or her, as well as
  • object to the processing of their personal data; and
  • the data subject shall have the right to data portability and to withdraw consent at any time.
  10. The data subject may request access to, deletion, modification or restriction of the processing of personal data, portability or objection to the processing of their personal data in the following ways:
  • by post to the following address: Budapest Tábor u 5,
  • by e-mail to info@zoldpark100.hu,
  • by phone on +36 30 111 9988.
  11. The data subject may unsubscribe from the newsletter at any time, free of charge.
  12. Please be informed that
  • the data processing is based on your consent and the legitimate interest of the service provider.
  • you are obliged to provide personal data if you wish to receive newsletters from us.
  • failure to provide data will result in us not being able to send you a newsletter.
  • please note that you can withdraw your consent at any time by clicking on the unsubscribe button.
  • the withdrawal of consent shall not affect the lawfulness of processing based on consent prior to its withdrawal.

 

Handling complaints

  1. The fact of collection, the scope of the data processed and the purpose of the processing:

| Personal data | Purpose of data processing | Legal basis |
|---|---|---|
| First and last name | Identification, contact. | Article 6(1)(c) and Article 17/A(7) of Act CLV of 1997 on Consumer Protection. |
| E-mail address | Contact. | |
| Telephone number | Contact. | |
| Billing name and address | Identification, handling quality complaints, questions and problems with the products ordered. | |

  2. Scope of data subjects: All data subjects concerned who make a purchase on the website and who make a complaint about quality.
  3. Duration of data processing, data deletion deadline: Copies of the record of the complaint, the transcript and the reply to the complaint shall be kept for 5 years pursuant to Article 17/A (7) of Act CLV of 1997 on Consumer Protection.
  4. The identity of the potential data controllers entitled to access the data, the recipients of the personal data: Personal data may be processed by the sales and marketing staff of the controller, in compliance with the above principles.
  5. Description of data subjects’ rights in relation to data processing:
  • The data subject may request the data controller to access, rectify, erase or restrict the processing of personal data relating to him or her, and
  • the data subject shall have the right to data portability and to withdraw consent at any time.
  6. The data subject may request access to, deletion, modification or restriction of the processing of personal data, or the portability of data in the following ways:
  • by post to the following address: Budapest Tábor u 5,
  • by e-mail to info@zoldpark100.hu,
  • by phone on +36 30 111 9988.
  7. Please be informed that
  • the provision of personal data is based on a legal obligation.
  • the processing of personal data is a precondition for the conclusion of the contract.
  • you are obliged to provide personal information so that we can process your complaint.
  • failure to provide data will result in our inability to process your complaint.

 

Social media sites

  1. The fact of collection, the scope of the data processed: The name registered on Facebook/Twitter/Pinterest/Youtube/Instagram, and other social media sites, and the user’s public profile picture.
  2. Scope of data subjects: All data subjects who have registered on Facebook/Twitter/Pinterest/Youtube/Instagram and other social media sites and have ‘liked’ the Service Provider’s social media site or contacted the data controller via the social media site.
  3. Purpose of data processing: Sharing, liking, following or promoting certain content, products, promotions or the website itself on social media sites.
  4. The duration of the processing, the time limit for deletion of the data, the identity of the potential data controllers who have access to the data and the rights of the data subjects with regard to the processing: The data subject can find out about the source of the data, how it is processed, and the method and legal basis of the transfer on the relevant social media site. Data processing is carried out on social media sites, so the duration of data processing, the method of data processing and the possibility to delete and modify data are governed by the rules of the social media site concerned.
  5. Legal basis for data processing: the data subject’s voluntary consent to the processing of their personal data on social media sites.

Customer relations and other data processing

  1. If the data subject has any questions or problems when using our services, he or she can contact the data controller using the methods provided on the website (telephone, e-mail, social media sites, etc.).
  2. The Data Controller shall delete the data provided in e-mails, messages, telephone, Facebook, etc., together with the name and e-mail address of the interested party and any other personal data voluntarily provided by the interested party, after a maximum of 2 years from the date of the disclosure of data.
  3. Information on data processing not listed in this notice is provided at the time of collection.
  4. The Service Provider shall be obliged to provide information, disclose data, hand over data or make documents available in response to exceptional requests from public authorities or other bodies authorised by law.
  5. In such cases, the Service Provider shall disclose personal data to the requesting party only to the extent strictly necessary for the purpose of the request, provided that the requesting party has indicated the exact purpose and scope of the data.

Rights of data subjects

  1. Right of access

You have the right to receive feedback from the data controller as to whether or not your personal data are being processed and, if such processing is taking place, you have the right to access your personal data and the information listed in the Regulation.

  2. Right to rectification

You have the right to have inaccurate personal data relating to you corrected by the data controller without undue delay at your request. Taking into account the purpose of the processing, you have the right to request that incomplete personal data be completed, including by means of an additional declaration.

  3. Right to erasure

You have the right to have personal data relating to you erased by the data controller without undue delay at your request, and the data controller is obliged to erase personal data relating to you without undue delay under certain conditions.

  4. Right to be forgotten

If the data controller has disclosed the personal data and is required to delete it, it will take reasonable steps, including technical measures, considering the available technology and the cost of implementation, to inform the data controllers that process the data that you have requested the deletion of the links to or copies of the personal data in question.

  5. Right to restriction of processing

You have the right to have the data controller restrict processing of your data at your request if one of the following conditions is met:

  • You contest the accuracy of the personal data, in which case the restriction applies for the period of time that allows the data controller to verify the accuracy of the personal data;
  • the data processing is unlawful and you object to the deletion of the data and instead request the restriction of their use;
  • the data controller no longer needs the personal data for the purposes of the processing, but you require them for the presentation, exercise or defence of legal claims;
  • You have objected to the processing; in this case, the restriction applies for the period until it is established whether the data controller’s legitimate claims prevail over your legitimate claims.

  6. Right to data portability

You have the right to receive personal data concerning you which you have provided to a data controller in a structured, commonly used, machine-readable format and the right to transmit such data to another data controller without hindrance from the data controller to whom you have provided the personal data (…)

  7. Right to object

In the case of data processing based on legitimate interest or public authority as legal grounds, you have the right to object at any time, on grounds relating to your particular situation, to the processing of your personal data by (…), including profiling based on the aforementioned provisions.

  8. Objection in case of direct marketing

Where personal data is processed for direct marketing purposes, you have the right to object at any time to the processing of your personal data for such purposes, including profiling, if it is related to direct marketing. If you object to the processing of your personal data for direct marketing purposes, your personal data will no longer be processed for such purposes.

  9. Automated decision-making on individual cases, including profiling

You have the right not to be subject to a decision based solely on automated processing, including profiling, which would have legal effects concerning you or similarly significantly affect you.

The previous paragraph shall not apply in the case where the decision:

  • is necessary for the conclusion or performance of a contract between you and the data controller;
  • is made possible by EU or Member State law applicable to the data controller which also provides for adequate measures to protect your rights and freedoms and legitimate interests; or
  • is based on your explicit consent.

Deadline for taking action

The data controller shall inform you of the action taken on such requests without undue delay and in any event within 1 month of receipt of the request.

If necessary, this can be extended by 2 months. The data controller will inform you of the extension of the deadline within 1 month of receipt of the request, stating the reasons for the delay.

If the data controller fails to act on your request, he/she will inform you without delay, and at the latest within one month of receipt of the request, of the reasons for the failure to act, of the possibility to lodge a complaint with a supervisory authority and of your right to judicial remedy.

Security of processing

The data controller and the data processor shall implement appropriate technical and organisational measures, considering the state of technology and the cost of implementation, the nature, scope, context and purposes of the processing and the varying degrees of probability and severity of the risk to the rights and freedoms of natural persons, in order to ensure a level of data security appropriate to the level of risk, including, where applicable:

  1. the pseudonymisation and encryption of personal data;
  2. ensuring the continued confidentiality, integrity, availability and resilience of the systems and services used to process personal data;
  3. in the event of a physical or technical incident, the ability to restore access to and availability of personal data in a timely manner;
  4. a procedure to regularly test, assess and evaluate the effectiveness of the technical and organisational measures taken to ensure the security of data processing.
  5. The data processed must be stored in such a way that it cannot be accessed by unauthorised persons. In the case of paper-based data storage, by establishing a system of physical storage and archiving, and in the case of data managed in electronic form, by applying a centralised access management system.
  6. The method of storing the data by information technology must be chosen in such a way that they can be erased, also taking into account any different deletion deadline, at the end of the deletion deadline or if otherwise necessary. The deletion must be irreversible.
  7. Paper-based storage media should be destroyed by shredding or by using an external organisation specialised in shredding. In the case of electronic data media, provision must be made for the physical destruction and, if necessary, the secure and irretrievable deletion of the data in advance, in accordance with the rules on the disposal of electronic data media.
  8. Data controller shall take the following specific data security measures:

To ensure the security of the personal data processed on a paper basis, the Service Provider applies the following measures (physical protection):

  1. Store documents in a secure, lockable, dry place.
  2. Where personal data processed on paper are digitised, the rules applicable to digitally stored documents apply.
  3. The Service Provider’s data processing staff may only leave the premises where data processing is taking place if they lock away the data storage media entrusted to them or lock the premises.
  4. Personal data can only be accessed by authorised persons and cannot be accessed by third parties.
  5. The Service Provider’s building and premises are equipped with fire and property protection equipment.

IT security

  1. The computers and mobile devices (other data carriers) used during data processing are the property of the Service Provider.
  2. The computer system containing personal data used by the Service Provider is protected against viruses.
  3. To ensure the security of digitally stored data, the Service Provider uses data backups and archiving.
  4. The central server can only be accessed with the appropriate authorisation and only by designated persons.
  5. Data on computers can only be accessed with a username and password.

Informing the data subject about the data breach

Where a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the data controller shall inform the data subject without unreasonable delay.

The information given to the data subject shall clearly and prominently describe the nature of the personal data breach and provide the name and contact details of the data protection officer or other contact person who can provide further information; describe the likely consequences of the personal data breach; describe the measures taken or envisaged by the data controller to remedy the personal data breach, including, where appropriate, measures to mitigate any adverse consequences of the personal data breach.

The data subject does not need to be informed if any of the following conditions are met:

  • the data controller has implemented appropriate technical and organisational protection measures and those measures have been applied to the data affected by the personal data breach, in particular measures, such as the use of encryption, which render the data uninterpretable to persons not authorised to access the personal data;
  • the data controller has taken additional measures following the personal data breach to ensure that the high risk to the rights and freedoms of the data subject is no longer likely to occur;
  • providing the information would require a disproportionate effort. In such cases, the data subjects should be informed by means of publicly disclosed information or a similar measure should be taken to ensure that the data subjects are informed in an equally effective manner.

In case the data controller has not yet notified the data subject of the personal data breach, the supervisory authority may, after having considered whether the personal data breach is likely to present a high risk, order the data subject to be informed.

Data breach notification to the authority

The data breach incident shall be notified by the data controller to the competent supervisory authority pursuant to Article 55 without undue delay and, where possible, no later than 72 hours after the data breach incident has come to his/her attention, unless the data breach incident is unlikely to pose a risk to the rights and freedoms of natural persons. If the notification is not made within 72 hours, it must be accompanied by the reasons justifying the delay.

Review in case of mandatory data processing

If the duration of the mandatory data processing or the periodic review of its necessity is not specified by law, local government regulation or a binding legal act of the European Union, the data controller shall review, at least every three years from the start of processing, whether the processing of personal data processed by the controller or by a data processor acting on his/her behalf or under his/her instructions is necessary for the purposes of the processing.

The data controller shall document the circumstances and the result of this review, keep this documentation for ten years after the review and make it available to the National Authority for Data Protection and Freedom of Information (hereinafter referred to as ‘the Authority’) upon request.

Complaints

A complaint against a possible infringement by the data controller can be lodged with the National Authority for Data Protection and Freedom of Information:

National Authority for Data Protection and Freedom of Information:

1125 Budapest, Szilágyi Erzsébet fasor 22/C.

Mailing address: 1530 Budapest, P.O. Box: 5.

Telephone: +36-1-391-1400

Fax: +36-1-391-1410

E-mail: ugyfelszolgalat@naih.hu

Closing remarks

The following legislation has been taken into account in the preparation of this information:

  • REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (GDPR)
  • Act CXII of … on the Right to Informational Self-Determination and Freedom of Information (hereinafter: Infotv.)
  • Act No CVIII of … on certain aspects of electronic commerce services and information society services (in particular Article 13/A)
  • Act XLVII of … on the prohibition of unfair commercial practices against consumers;
  • Act XLVIII of … on the basic conditions and certain restrictions of economic advertising (in particular Article 6)
  • Act XC of … on Electronic Freedom of Information
  • Act C of … on Electronic Communications (specifically Article 155)
  • Advisory Opinion 16/2011 on the EASA/IAB Recommendation on best practice for behavioural online advertising
  • Recommendation of the National Authority for Data Protection and Freedom of Information on the data protection requirements for prior information