The purpose of this Data Protection Policy is to inform the visitors of the website of sole proprietor Krisztina Rokob-Csonka. (www.greenrococo.com) about its data processing activities. This Data Protection Policy guides the data protection and data processing principles employed by Service Provider as a Data Controller on an obligatory basis.

The purpose of the Data Protection Policy is to inform you as the Data Subject about the ways Service Provider may use the data of the visitors of their website. This includes the method, the timing, the purpose and the reason for such use as well as the rights of the Data Subjects and their rights to an effective legal remedy.

This Data Protection Policy includes information on the personal data processed by the website (www.greenrococo.hu) of Service Provider, including newsletters and all services pertinent to the orders placed on products available on the webshop.

The provisions of this Data Protection Policy shall comply with the regulations ofRegulation (EU) 2016/679 of the European Parliament and of the Council (hereinafter: ‘GDPR’), Act CXII of 2011 on Informational Self-determination and Freedom of Information (hereinafter: ‘Privacy Act’), Act V of 2013 on the Civil Code (hereinafter: ‘Civil Code’), and Act XLVIII of 2008 on the Basic Requirements and Certain Restrictions of Commercial Advertising Activities (hereinafter: ‘Advertising Act’).

 

GENERAL PROVISIONS

 

  1. PRINCIPLES ON THE PROCESSING OF PERSONAL DATA

On our website, Your personal data shall be processed taking into consideration the following principles:

  • Your personal data shall be processed based on Your voluntary consent upon the preliminary communication provided by us, for purposes including the dissemination of a newsletter, the completion of orders placed at the webshop, and in certain cases, to pursue a lawful interest). In all instances, the data shall be processed only to the necessary extent, for a specific purpose. Processing of personal data may include collection, recording, systemization, storage, and usage.
  • Characteristics of data processing based on consent:
    • Voluntary: we shall provide the opportunity to all Data Subjects for a voluntary consent, by providing the chance to deny or withdraw such consent, without putting them at disadvantage.
    • Informed: the information provided to the customers must at all times include:
      • corporate information on the Data Controller,
      • the purpose of data processing,
      • the types of data processed,
      • the possibility to withdraw the consent (the possibility to unsubscribe from the newsletter),
      • the group of data that are indispensable to the completion of a contract or a service.
    • Shall have a specific purpose.
    • All purposesof data processing shall beclearly communicated.
    • It shall be the result of an explicit and positive process(electronic tickbox that has to be specifically selected by the customer during navigating on the website with the caption: ‘I read and accept the provisions of the Data Protection Policy.’).
    • The communication shall be unambiguous and easily comprehensible, placed at a visible location at the website greenrococo.com
    • The consent may be withdrawnand the right for such withdrawal shall always be communicated to the Data Subject (included in the Data Protection Policy and the option to cancel subscription shall be included in the electronic newsletter). The withdrawal shall be as simple as the provision of consent. After the Data Subject withdraws their consent, Service Provider shall no longer be entitled to process their data. At the moment of the withdrawal, Service Provider shall ensure that the data are deleted, except if there is another legal reason for Service Provider to continue processing of said data (including contractual obligations).
    • If Data Subject consented to the use of their personal data, the data may only be used for purposes that the Data Subject explicitly consented to. If the data processing had multiple purposes, Service Provider may not use the personal data for purposes to which the consent had already been withdrawn or any purpose, based on the characteristics of the withdrawal.

In certain cases, the processing of Your personal data is conducted compliant with the relevant regulations and, as such, is obligatory. When such cases occur, the Data Subjects are specifically informed. In other cases, our Organisation or another third party may have a legitimate interest for the data processing, in particular in connection with the operation, development or security of our website (Article 6 of GDPR).

During the processing of personal data the following principles are considered:

The underlying principles for personal data processing are governed by Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR) and the Privacy Act.

  • We shall process all personal data lawfully and fairly, with total transparency towards the data subject (‘lawfulness, fairness and transparency’).
  • Personal data are processed for specified, explicit and legitimate purposes (’purposelimitation’).
  • We shall ensure that data processing is adequate, relevant, and limited to what is necessary in relation to the purposesfor which they are processed (’data minimisation’).
  • We shall ensure that the data processed are accurate and, where necessary, kept up to date. We shall take every reasonable step to ensure that personal data that are inaccurate, with regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’)
  • Personal data shall be kept in a form which permits identificationof data subjects for no longer than is necessary for the purposes for which the personal data are processed. Personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by GDPR in order to safeguard the rights and freedoms of the Data Subject (’storage limitation’).
  • Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage (’integrity and confidentiality’).
  • The data controller shall be responsible for, and be able to demonstrate compliance with, all relevant regulations (‘accountability’).
  1. CORPORATE INFORMATION OF DATA CONTROLLER

Name of Service Provider: (registration number: 51751326).

Registered seat of Service Provider: H-9084 Győrság, Lalka u.6.

E-mail address of Service Provider: greenrococo@gmail.com

Website and webshop: www.greenrococo.com

Telephone number: +36205131376

VAT number: 56381148-1-28

Relevant Office of Government Issued Documents: Government Office of Győr-Moson-Sopron County, District Office of Győr. NAV Győr-Moson-Sopron Megyei Adó- és Vámigazgatósága, 9021 Győr, Szent István út 15-17.

Telefonszám: +36 (96) 616-000

Bank account number: OTP Bank 11773377-80584308.

 

Compliant to the provisions of Article 37 of GDPR, Service Provider as Data Controller shall not obliged to designate a data protection officer, but Data Subjects are entitled to receive information regarding the operation of our website or our data processing activities via our customer service.

 

Customer Service:

The customer service of Service Provider can be reached via e-mail at , or via telephone at +36 205131376 on weekdays (Monday through Friday) between 09:00 a.m. and 05:00 p.m.

Answers for Your questions regarding data processing shall be sent without undue delay, within 15 calendar days (within 30 days at maximum) to the contact provided. Service Provider is obliged to give an explanation upon the refutation of any such request.

We inform You that GDPR does not stipulate the maintenance of a national data protection registry to be managed by the authorities of the Member Nations.

 

  1. ENGAGEMENT OF DATA PROCESSORS

In order to perform its activities of Service Provider as Data Controller, we may engage Data Processors as per the provisions below. The employees, contributors, and contractual data processors of Service Provider may only proceed in compliance with their contract with Service Provider as Data Controller.

In case of data processing, Data Processors shall be considered Data Processors in terms of the data handed over by Service Provider as per the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR). Data Processors may collect, manage and process the personal data sent by Service Provider in compliance with the provisions of GDPR and they are obliged to demonstrate their compliance to the Data Controller. Data Controller shall supervise the work of the Data Processors. Data Processors may only engage with another data processor upon the prior approval of Data Controller.

In the case of the Data Processors named in this Data Protection Policy, the contractual provisions between them and the Data Controller ensure, with special regard to confidentiality after the expiry of the contract, that Data Processors may not process and use the personal data for purposes that are contradicting the consent of the Data Subjects. Those who contribute to the data processing and data processing activities of Service Provider, as well as the employees of Service Provider are entitled to know the personal data of the Data Subject, under the obligation of confidentiality after the expiry of the contract.

Our Organisation engages with the following Data Processorsand keeps the list of Data Processors up-to-date on our website:

 

  • Web hosting service: Websupport Magyarország Kft.
  • website: www.websupport.hu
  • address: 1132 Budapest, Victor Hugo utca 18-22.
  • telephone number: +36 22 78 76 74 (H-P 7:30-17:00)
  • e-mail address: support@websupport.hu

 

Shipment partner(s)

  • Express One Hungary Kft
  • website: https://expressone.hu
  • address: 1238 Budapest, Európa utca 12.
  • Telephone number: +36 1 8 777 400(+36 29) 886 700

 

We ship to the following countries: Hungary, Austria, Belgium, Bulgaria, Croatia, Czech Republic, Finland, France, Germany, Italy, Luxembourg, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain.

Accounting and tax advisory partners

Service Provider exchanges the personal data of the Data Subjects with the contracted accounting firm for data processing necessary for accounting and tax purposes.

 

 

  1. PERSONAL DATA PROCESSED AT www.greenrococo.com

4.1 VISITING THE WEBSITE

Purpose of data processing: proper and high-quality operation of the website, continuous monitoring and development of the quality of our services, identification of online attackers of our website, measurement of the website’s traffic, statistical analysis.

Legal basis of data processing:Lawful interest of Service Provider pursuant to Point f) of Subsection (1) of Article 6 of GDPR and Subsection (1) of Section 5 of the Privacy Act.

Data Subjects:Visitors of the website.

Time period of data processing:The IP addresses automatically recorded by Data Controller are stored for a maximum of 7 days.

Mode of data processing: automated data processing.

4.2 NEWSLETTERS

Purpose of data processing: Data subjects may subscribe to the newsletter on the website www.greenrococo.hu, before, during, or after using the services of Service Provider, or using any other mode, pursuant to the provisions of this Data Protection Policy.

Identification of the Data subject, communication and sending the newsletter (upon consent). Communication about news, special offers, new products or services. Data Controller shall monitor the possible changes in the European and national regulations and shall amend this Data Protection Policy if necessary in order to comply with the regulations on lawful data processing, while also informing the Data Subjects about such changes via the website and the newsletter.

Legal basis of data processing:Consent of the Data Subject pursuant to Point a) of Subsection (1) of Article 6 of GDPR and Subsection (1) of Section 5 of the Privacy Act.

Consent to data processing and the personal data processed:During the registration process, Users explicitly consent to Data Controller managing their personal data pursuant to the provisions of this Data Protection Policy. Users may voluntarily give the following data (on a voluntary basis, albeit necessary to use the services):

  • name,
  • date of birth (to verify being over 16 or 18 years of age),
  • e-mail address.

Data Subjects:Every natural person intending to be informed about the news, discounts, special offers of Service Provider and subscribing to the newsletter service for this purpose.

Time period of data processing:until cancellation of the subscription from the newsletter. Data Controller may only process the personal data recorded for this purpose until the Data Subject unsubscribes from the newsletter’s mailing list. Data subjects may unsubscribe from the newsletter at any moment, through the link at the bottom of the newsletter, as well as by directly sending a request for cancellation of subscription togreenrococo@gmail.com or a letter with the same content by post to H-9084 Győrság, Lalka u.6.

Data Controller may keep anonymous statistics on the traffic of the newsletters based on the clicks on the links in the newsletters.

Mode of data processing: electronic,automated data processing.

Data source:directly from the Data Subjects.

Data communication: Communicated to a third party as a Data Processor. The details of the Data Processors are provided in this Data Protection Policy.

Service Provider provides organisational and technical measures to ensure the security of the data processed.

4.3 WEBSHOP SERVICE

Purpose of data processing: The operation of the webshop service (www.greenrococo.hu) includes setting up, managing and modifying contracts between the parties, monitoring the completion of contractual obligations, delivering the products or providing the services ordered, invoicing the sales price and validating the claims arising from the contract, documenting the compliance with the completion, performing accounting-related obligations.

Legal basis of data processing:Besides the use of the webshop service, the legal basis for data processing is the contract signed by the Data Subject and performed by the Service Provider with the consent of the Data Subject pursuant to Point c) of Subsection (1) of Article 6 of GDPR, Section 13/A of the Act CVIII of 2001 on certain issues of electronic commerce activities and information society services (hereinafter: ‘Act on E-Commerce’) and Section 169 of Act C of 2000 on Accounting.

Data processing is necessary for the performance of the contract.

Personal data processed:

The personal data content of the contract signed by the User (data necessary enter into a contract):

  • name,
  • e-mail address,
  • online identification number,
  • customer purchase data (product, quantity, price, time and date),
  • payment data (payment deadline, bank account number, debit or credit card number, e-wallet, cash on delivery etc.),
  • one-off or permanent discounts, participation in special offers,
  • delivery data: delivery date, delivery address (post code, city, name and type of public domain, number, floor, door) or data for the delivery point,
  • invoicing name (full name in case of natural persons),
  • invoicing address (post code, city, name and type of public domain, number, floor, door).

Time period of data processing:Data that are used for the performance of the contracts are stored for 5 years. Invoices issued and the documents that were used for the issuance are stored for 8 years.

 

  1. ADMINISTRATION, CUSTOMER COMPLAINT MANAGEMENT

Purpose of data processing: Answering the questions of the Data Subjects, complaint management.

Legal basis of data processing: performing a legal obligation pursuant to Point c) of Subsection (1) of Article 6 of GDPR and to the Act CLXV of 2013 on complaints and notification of general interest. Communication between the Service Provider and the Data Subject via the provided contact details is based upon consent given by the Data Subject, pursuant to Point a) of Subsection (1) of Article 6 of GDPR and Subsection (1) of Section 5 of the Privacy Act.

Personal data processed:

  • name,
  • e-mail address,
  • telephone number,
  • mailing address,
  • other personal notes.

Data are stored for 5 years for legal obligations. In case of consent, the data are stored for 90 days or until the withdrawal of the consent.

5.1 DIRECT MARKETING SERVICE

Purpose of data processing: Based on the analysis of the consumer habits, Service Provider creates and sends tailor-made offers for the customers, as well as sends information brochures about the products and services of our company.

Legal basis of data processing: the consent given by the Data Subjectpursuant toSubsection (1) of Section 5 of the Privacy Act.

Users may give their consent to Data Controller to use their personal data for marketing purposes by accepting the conditions during the registration process or when modifying the personal data given for the newsletter / direct marketing activities (this constitutes an explicit intent for consent). In these cases, until the withdrawal of consent, we process the personal data of the Data Subject for the purpose of sending direct marketing and newsletters as well as sending promotional and other packages, information brochures and special offers (pursuant to Section 6 of the Advertising Act). The User may give their consent for direct marketing and newsletter purposes together or separately and they may withdraw them free of charge at any time. The erasure of the registration shall always be considered as a withdrawal of consent. Withdrawals of consent for the purpose of sending direct marketing and newsletters shall not be automatically considered a withdrawal of consent for data processing on the website. The registration of the withdrawal of consent shall be done within 30 days due to technical reasons.

Personal data processed:

Consent to data processing:During the registration process, the Users explicitly consent to Data Controller processing their personal data in compliance with the provisions of this Data Protection Policy. Users may voluntarilygive the following data(on a voluntary basis, albeit necessary for the use of the service):

  • name,
  • date of birth (to verify being over 16 or 18 years of age),
  • e-mail address.
  • miscellaneous data: telephone number (optional).

Time period of data processing: until the cancellation of the direct marketing service.

Mode of data processing: automated data processing.

 

  1. EXTERNAL SERVICE PROVIDERS

Below, those external service providers are listed with whom neither Service Provider as Data Controller, nor its operators have a contractual relationship, nor do they cooperate with regard to data processing. Nonetheless, they have access to the websites of Service Provider, either with the explicit consent of Data Subject (for example: connecting one’s personal profile to the Service) or without it and they may collect data of them or their activity on the website of Service Provider. Occasionally, these data may be sufficient to identify the Data Subjects, either in themselves or together with other data collected by the same external service provider. Such external service providers include (but not limited to) Google LLC, Facebook Ireland LTD., Infogram Software Inc, Instagram LLC.,  PayPal Holdings Inc., Pinterest Europe Ltd., Playbuzz Ltd., Twitter International Company, Vimeo INC., Yahoo! EMEA Ltd., YouTube LLC.

Service Provider does not know neither the data transmitted to them, nor the purpose of its use by Facebook or any other external service provider. These external service providers process personal data in compliance with their respective data protection policies.

 

  1. WHAT COOKIES DO WE USE AND HOW DO WE MANAGE THEM?

Cookies are small data files that are sent from the website to the computer of the User during browsing and they are saved and stored by the browsers. As a default setting in the most common used browsers (Chrome, Firefox, etc.), downloading and using cookies are permitted, but You may change the browser settings to refuse and block cookies, as well as to delete the cookies that are stored on Your computer.

Analytics Cookie

The website is using the Google Analytics system of Google Inc. (hereinafter: ‘Google’) to analyse site traffic. This system stores cookies on Your information device to analyse our site traffic to help us improve the customer experience that our website provides. The data relevant to the website’s traffic (together with time and date of the visit and Your IP address) are transferred to the servers of Google USA and stored there. Google is using these data to evaluate and create reports on Your site visit habits, while simultaneously offer other services relevant to the usage of the website and the internet. If a User is opposed to Google Analytics creating reports on their site visits, a browser add-on may be installed that blocks Google Analytics. This add-on prevents the JavaScript scripts of Google Analytics (ga.js, analytics.js, and dc.js) from sending visitor information to Google. The Users who installed this add-on are exempt from participating in website content experiments as well.

If You wish to block the online activities of Google Analytics, look up the opt-out page of Google Analytics (http://tools.google.com/dlpage/gaoptout) and install the add-on in Your browser. For further information on the installation and uninstallation of the add-on, please, refer to the Help function of Your browser.

Targeted or advertising cookie

In order to ensure that our visitors receive marketing information that are most suited to their interests, we may use targeted or advertising cookies. This action shall require Your explicit consent that may be given by clicking on the appropriate button in the corresponding text box on the website. These cookies collect detailed information on Your browsing habits. If you have confirmed that you wish to continue receiving e-mails, marketing information and special offers from us, the cookies will work as follows:

  • They collect information regarding which articles and / or services you searched for on our website. This way they create a database that enables us to identify You and Your settings, so that You will not be required to provide this information the next time You visit our website and helps us to identify You if You replied to an e-mail sent by us.
  • They can restrict the number of times a given advertisement may be viewed and they are able to measure the efficiency of advertising campaigns.

Third-party cookies

We may visualize certain contents on our website by using external internet services. This may result in the storage of cookies that we have no supervision of and, thus, no control over the activities of these websites and domains that may collect data regarding Your use of such embedded contents.

Session cookies

Session cookies are indispensable for navigation on our website, for the operation of the essential functions of the website and for the access to protected content. These cookies store information of filled-out data sheets as well as occasionally Your preferred language, without collecting any information of You that may help us to identify You, being used for marketing purposes, or recording Your browsing history. These cookies shall be automatically erased when the website is closed and the session is finished.

Functional cookie

In order to enhance customer experience, functional cookies observe the device that You opened the website on, record Your previous customer decisions (for example: user name, password, preferred language, region, whether You had signed in during a previous session, any changes You made in the customizable elements of the website such as text size and font) to enable us to offer You tailor-made functions. These cookies do not record Your activities on other websites and we may not use them to send You ads when You are browsing different websites.

DATA PROCESSING PROVISIONS IN DETAIL

 

  1. Data Subject submits their personal data voluntarily on our website during subscription to the newsletter, using the webshop service or complaint management, or communication with Service Provider. It is the responsibility of the Data Subject to ensure that the data provided are real, correct and precise.
  2. If Data Subject submits the personal data of another person, Service Provider shall automatically assume that Data Subject possesses the necessary consent and authorisation to perform this action.
  3. Data Subject may withdraw the consent for data processing free of charge at any time. Service Provider as Data Controller shall exercise the withdrawal of consent within 30 days. However, Service Provider as Data Controller shall reserve the right to process certain data to ensure the performance of its legal obligations or the realization of its lawful interests after the consent was withdrawn.
  4. Service Provider shall store every e-mail address contacting greenrococo@gmail.com for 90 days after the issue relevant to the e-mail is resolved, except if Data Subject explicitly requests otherwise. After 90 days, the e-mail addresses shall be erased, except if the lawful interest of Data Controller vindicates further data processing, until the lawful interest exists.
  5. If the use of personal data is deemed illegal, if the Data Subject commits felony or if the information system is attacked, Service Provider as Data Controller shall be entitled to immediately erase the personal data of the Data Subject. However, if a felony or violation of the Civil Code is suspected, Service Provider as Data Controller shall be entitled to keep the personal data until the legal procedure ends.
  6. If a legal court or any other authority orders the erasure of personal data in a legally binding way, Service Provider as Data Controller shall erase the personal data.
  7. Legal courts, prosecutor’s offices or other authorities (Hungarian National Authority for Data Protection and Freedom of Information, law enforcement authorities, tax authority, for instance) may request Service Provider to hand over information or to make documents available. In such cases, Service Provider shall be obliged to perform its data reporting to the extent necessary for the purpose of the request.
  8. Service Provider shall protect the personal data of the Data Subject with the adequate technical measures. Service Provider shall ensure the security and accessibility of the data and shall protect them from unauthorized access, alteration, damage, disclosure, and any other unauthorized use. The applied technical measures include the use of password protection and anti-virus softwares.

 

RIGHTS OF THE CUSTOMER

Your rights and available legal remedies:

You have the right to:

  • receive informationregarding the processing of your personal data,
  • receive accessto the stored personal data of yours,
  • ask for rectificationif the data stored are incorrect, imprecise or incomplete,
  • request the erasureof Your personal data if they are no longer needed or their processing is illegal,
  • objectto the use of Your personal data for marketing purposes or other purposes deriving from their particular situation,
  • request the restriction of the processing of their personal data in clearly specified cases,
  • receive the personal data in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller (‘data portability’),
  • not be subject to a decision concerning them and affecting them significantly that is based solely on automated data processing, but to be made by natural persons. User has the right to give their opinion and to appeal the decision (Chapter III of GDPR).

In compliant with the provisions of Article 37 of GDPR, Service Provider as Data Controller shall not be obligated to designate a data protection officer, but Data Subjects are entitled to ask questions regarding the operation of our website or our data processing activities via our customer service.

Our customer service:

Our customer service can be reached via the contact details given in ‘CORPORATE INFORMATION OF DATA CONTROLLER’.

Upon Your request, You may receive informationon the following areas:

  • Your personal data,
  • the source of data,
  • purpose of data processing,
  • legal basis for data processing,
  • time period of data processing, together with the governing circumstances and regulations,
  • name, contact details and activity relevant to data processing of the Data Processor(s),
  • circumstances and impact of a possible personal data breach, as well as the measures done to prevent and resolve such a breach.

The communication shall be free of charge. The communication may only be denied by Service Provider if it contradicts the relevant regulations. In such cases, Service Provider shall name the relevant legal provision and inform the Data Subject about their opportunity to lodge a court appeal or to turn to an authority.

If the Data Subject believes that their personal data are incorrect, incomplete or imprecise, they may request Service Provider as Data Controller to rectify the data. We shall comply with such a request without undue delay within 15 calendar days (within 30 days at maximum). If the request can not be granted, the Data Subject shall receive a written statement setting out the reasons.

You have the right to objectthe processing of your personal data and you may request Service Provider as Data Controller to erase Your personal data.

Service Provider shall be obliged to inform You about your right to object upon the first communication.

If Service Provider processes Your personal data based on Your consent or a contract, you may receive Your personal data from Service Provider upon request. If it is technically feasible, You may also request your personal data to be sent to a different companythat You wish to use the services of.

You may use your right to restriction of data processingwhen it is not evident whether the erasure of the data is necessary and the timing of the erasure is not obvious either. You are entitled to request restriction of data processing when one of the following applies:

  • You contest the accuracy of the personal data,
  • You opposes the erasure of the personal data,
  • the Data Controller no longer needs the personal data for the purposes of the processing, but they may not be erased due to legal reasons,
  • the decision regarding the objection against processing filed by You is still pending.

Where processing has been restricted, such personal data shall only be processed with the Data Subject’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State. A Data Subject who has obtained restriction of processing shall be informed by the Data Controller before the restriction of processing is lifted.

You may file an appeal regarding data processing at the competent court, file a complaint at the supervisory authority, or engage in proceedings (https://naih.hu/panaszuegyintezes-rendje.html).

Supervisory Authority: Hungarian National Authority for Data Protection and Freedom of Information

Registered seat: H-1125 Budapest, Szilágyi Erzsébet fasor 22/c.

Mailing address: 1530 Budapest, Pf.: 5.

Telephone number: +36-1-391-1400

Fax number: +36-1-391-1410

E-mail address: ugyfelszolgalat@naih.hu

Website: https://naih.hu/

In order to accelerate the cooperation and the resolution of any possible problems with data processing, we kindly ask you to contact Service Provider before appealing to the supervisory authority or the competent court!

PERSONAL DATA BREACH

If any part of the personal data is disclosed to unauthorized people, Data Controller shall immediately notify the supervisory authority: the Hungarian National Authority for Data Protection and Freedom of Information. The Data Controller shall do the notification without undue delay and, where feasible, not later than 72 hours after having become aware of the breach. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.

The notification of the personal data breach shall at least:

  1. describe the nature of the personal data breach including where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of personal data records concerned;
  2. communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
  3. describe the likely consequences of the personal data breach;
  4. describe the measures taken or proposed to be taken by the Data Controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
  5. Communication of a personal data breach to the Data Subjects
  6. When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the Data Controller shall communicate the personal data breach to the data subject without undue delay.
  7. The notification shall be the responsibility of the data protection officer.
  8. The communication to the Data Subjects shall not be required if any of the following conditions are met:
    1. the Data Controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption;
    2. the Data Controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of Data Subjects is no longer likely to materialise;
    3. the communication would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the Data Subjects are informed in an equally effective manner.

Service Provider shall keep a record of personal data breaches, irrespective of whether they are communicated.

Abbreviations of the legislations relevant to this Data Protection Policy and our corporate communication activities:

Constitution of Hungary (in force since 25 April 2011)

Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR)

Act CXII of 2011 on Informational Self-determination and Freedom of Information (‘Privacy Act’)

Act V of 2013 on the Civil Code

Act CVIII of 2001 on certain issues of electronic commerce activities and information society services (‘Act on E-Commerce’)

Act C of 2003. on Electronic Communications

Act CLV of 1997 on Consumer Protection

Act CLXV of 2013 on Complaints And Notification Of General Interest.

Act XLVIII of 2008 on the Basic Requirements and Certain Restrictions of Commercial Advertising Activities (hereinafter: ‘Advertising Act’)

Data Controller shall monitor the possible changes in the European and national regulations on data processing and shall amend this Data Protection Policy if necessary in order to comply with the regulations on lawful data processing, while simultaneously informing the You about such changes via the website.