Updated Policy, Effective: From 2024.03.13 until revoked
1. Introduction
QLM Logistics Solutions Ltd. (registered office: 2045 Törökbálint, Tópark Street 3, tax number: 14549412-2-13, company registration number: 13-09-127440) and QLM Development Center Ltd. (registered office: 2045 Törökbálint, Tópark Street 3, tax number: 24208422-2-13, company registration number: 13-09-228340) (hereinafter: the Service Providers, Data Controllers) provide the following information in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (dated 27 April 2016), and fully comply with the provisions set forth herein.
The present data management notice regulates the data management of the following websites:mima.hu
The Privacy Policy is available at the following page:
https://mima.hu/privacy-policy/
Amendments to the Policy take effect upon publication at the above address.
2. Data Controllers and Their Contact Information
Name: QLM Logistics Solutions Ltd.
Registered Office: 2045 Törökbálint, Tópark Street 3
Email: info@mima.hu
Phone: +36 23 800 420
Website: https://mima.hu
3. Definitions
3.1 “Personal data”: any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, number, location data, online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person;
3.2 “Processing”: any operation or set of operations which is performed on personal data or on sets of personal data, whether by automated or non-automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction;
3.3 “Data Controller”: the natural or legal person, public authority, agency, or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by Union or Member State law, the data controller or the specific criteria for its designation may be provided for by Union or Member State law;
3.4 “Data Processor”: the natural or legal person, public authority, agency, or any other body which processes personal data on behalf of the data controller;
3.5 “Recipient”: the natural or legal person, public authority, agency, or any other body to whom or to which the personal data is disclosed, whether or not it is a third party. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of such data by those public authorities shall comply with the applicable data protection rules according to the purposes of the processing;
3.6 “The data subject’s consent”: any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
3.7 “Data protection incident”: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored, or otherwise processed.
4. Principles Relating to the Processing of Personal Data
4.1 Personal data shall be:
4.1.1 processed lawfully, fairly, and in a transparent manner in relation to the data subject (“lawfulness, fairness, and transparency”);
4.1.2 collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes shall not be considered incompatible with the initial purposes in accordance with Article 89(1) (“purpose limitation”);
4.1.3 adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed (“data minimization”);
4.1.4 accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (“accuracy”);
4.1.5 kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes in accordance with Article 89(1), subject to the implementation of appropriate technical and organizational measures required by this Regulation in order to safeguard the rights and freedoms of data subjects (“storage limitation”);
4.1.6 processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures (“integrity and confidentiality”);
The data controller shall be responsible for, and be able to demonstrate compliance with, the above principles (“accountability”).
5. Data Processing Activities
5.1 Data Processing Related to Service Orders and Applications
5.1.1 The Fact of Data Collection, Scope of Processed Data, and Purpose of Data Processing:
| Személyes adat | Az adatkezelés célja |
|---|---|
| Vezeték- és keresztnév | A kapcsolatfelvételhez, a vásárláshoz és a szabályszerű számla kiállításához szükséges. |
| E-mail cím | Kapcsolattartás. |
| Telefonszám | Kapcsolattartás, a számlázással, vagy a szállítással kapcsolatos kérdések hatékonyabb egyeztetése. |
| Számlázási név és cím | A szabályszerű számla kiállítása, továbbá a szerződés létrehozása, tartalmának meghatározása, módosítása, teljesítésének figyelemmel kísérése, az abból származó díjak számlázása, valamint az azzal kapcsolatos követelések érvényesítése. |
| Jelszó | Ügyfélkapu fiókba történő biztonságos belépés biztosítása. |
| A megrendelés / jelentkezés időpontja | Technikai művelet végrehajtása. |
| A megrendeléskori / jelentkezéskori IP címe | Technikai művelet végrehajtása. |
In the case of the email address, it is not required to contain personal data.
5.1.2 Scope of Data Subjects: all individuals ordering a service or registering for a consultation on the websites.
5.1.3 Duration of Data Processing, Data Deletion Deadline: immediately upon deletion of the registration, except for accounting records, which must be retained for 8 years in accordance with Section 169 (2) of Act C of 2000 on Accounting.
“The accounting document that directly or indirectly supports the accounting records (including the general ledger accounts, analytical or detailed records) must be retained in a readable form and retrievable by reference to the accounting entries for at least 8 years.”
5.1.4 Potential Data Controllers Authorized to Access the Data, Recipients of Personal Data: Personal data may be processed by the data controller’s sales, marketing, and financial staff, in compliance with the above principles.
5.1.5 Description of the Data Subjects’ Rights Related to Data Processing:
The data subject may request access to, rectification, erasure, or restriction of processing of personal data relating to them from the data controller, and
– may object to the processing of such personal data, as well as
– has the right to data portability and the right to withdraw consent at any time.
5.1.6 The data subject may initiate access to, deletion, modification, or restriction of personal data, data portability, or objection to data processing through the following means:
– by mail at 2045 Törökbálint, Tó Park Street 3,
– by email at info@mima.hu,
– by phone at +36 23 800 420.
5.1.7 Legal Basis for Data Processing:
5.1.7.1 The data subject’s consent, Article 6 (1) point (a) of the GDPR, Section 5 (1) of the Info Act,
5.1.7.2 Section 13/A (3) of Act CVIII of 2001 on Certain Issues of Electronic Commerce Services and Information Society Services (hereinafter: E-commerce Act):
“The service provider may process personal data that is technically essential for the provision of the service. The service provider must select and operate the tools used for providing the information society services in such a way that personal data is processed only when it is absolutely necessary for the provision of the service and the fulfillment of other objectives set out in this Act, and only to the extent and for the duration necessary.”
5.1.7.3 In the case of issuing invoices in accordance with accounting regulations, Article 6 (1) point (c) of the GDPR.
5.1.8 We inform you that
– the data processing is based on your consent.
– you are required to provide the personal data in order for us to fulfill the ordered service/application in accordance with the contract.
– failure to provide the data will result in our inability to process the ordered service/application.
5.2 Complaint Handling
5.2.1 The Fact of Data Collection, Scope of Processed Data, and Purpose of Data Processing: complaint handling
5.2.2 Scope of Data Subjects: all individuals who order a service on the websites and file a complaint regarding quality issues.
5.2.3 Duration of Data Processing, Data Deletion Deadline: The records of the filed complaint, transcripts, and copies of the responses must be retained for 5 years in accordance with Section 17/A (7) of Act CLV of 1997 on Consumer Protection.
5.2.4 Potential Data Controllers Authorized to Access the Data, Recipients of Personal Data: Personal data may be processed by the data controller’s sales and marketing staff, in compliance with the above principles.
5.2.5 Description of the Data Subjects’ Rights Related to Data Processing:
The data subject may request access to, rectification, erasure, or restriction of processing of personal data relating to them from the data controller, and
– may object to the processing of such personal data, as well as
– has the right to data portability and the right to withdraw consent at any time.
5.2.6 The data subject may initiate access to, deletion, modification, or restriction of personal data, data portability, or objection to data processing through the following means:
– by mail at 2045 Törökbálint, Tópark Street 3,
– by email at info@mima.hu,
– by phone at +36 23 800 420.
5.2.7 Legal Basis for Data Processing: the data subject’s consent, Article 6 (1) point (c) of the GDPR, Section 5 (1) of the Info Act, and Section 17/A (7) of Act CLV of 1997 on Consumer Protection.
5.2.8 We inform you that
– the provision of personal data is based on a contractual obligation.
– the processing of personal data is a prerequisite for the conclusion of the contract.
– you are required to provide the personal data in order for us to handle your complaint.
– failure to provide the data will result in our inability to process the complaint submitted to us.
5.3 Social Media Pages
5.3.1 The Fact of Data Collection, Scope of Processed Data: The registered name on social media pages such as Facebook/LinkedIn, etc., and the user’s public profile picture.
5.3.2 Scope of Data Subjects: all individuals who have registered on social media platforms such as Facebook/LinkedIn, etc., and have “liked” or follow the websites.
5.3.3 Purpose of Data Collection: sharing or “liking” certain content elements, products, promotions, or the website itself on social media pages, as well as promoting the website.
5.3.4 Duration of Data Processing, Data Deletion Deadline, Potential Data Controllers Authorized to Access the Data, and Description of the Data Subjects’ Rights Related to Data Processing: The data subject can find information about the source of the data, how it is processed, the method of transfer, and its legal basis on the respective social media platform. The data processing takes place on the social media platforms, so the duration, method, as well as the data deletion and modification options are governed by the regulations of the respective social media platform.
5.3.5 Legal Basis for Data Processing: the data subject’s voluntary consent to the processing of their personal data on social media platforms.
5.4 Customer Relationships and Other Data Processing Activities
5.4.1 If any questions arise or if the data subject encounters any issues while using the services of the data controller, they can contact the data controller through the methods provided on the website (phone, email).
5.4.2 For data processing activities not listed in this notice, information will be provided at the time of data collection.
5.4.3 In the case of exceptional authority requests or requests from other bodies based on legal authorization, the Service Provider is obligated to provide information, disclose data, transfer data, or make documents available.
5.4.4 In these cases, the Service Provider will only disclose personal data to the requesting party – provided that the exact purpose and scope of the data are specified – to the extent and in the manner necessary to achieve the purpose of the request.
5.5 Newsletter, Direct Marketing Activities
5.5.1 According to Section 6 of Act XLVIII of 2008 on the Basic Conditions and Certain Restrictions of Economic Advertising Activities, the User may give prior and explicit consent to being contacted by the Service Provider with advertising offers and other communications via the contact details provided during registration.
5.5.2 Furthermore, the User may, in accordance with the provisions of this notice, consent to the processing of their personal data by the Service Provider for the purpose of sending advertising offers.
5.5.3 The Service Provider does not send unsolicited advertising messages, and the User may unsubscribe from receiving offers at any time, without restriction or justification, free of charge. In this case, the Service Provider will delete all personal data of the User that is necessary for sending advertising messages from its records and will not contact the User with further advertising offers. The User can unsubscribe from advertisements by clicking the link in the email messages.
5.5.4 The Fact of Data Collection, Scope of Processed Data, and Purpose of Data Processing:
| Személyes adat | Az adatkezelés célja |
|---|---|
| Vezeték- és keresztnév | Azonosítás, a hírlevélre való feliratkozás lehetővé tétele. |
| E-mail cím | Azonosítás, a hírlevélre való feliratkozás lehetővé tétele. |
| A feliratkozás időpontja | Technikai művelet végrehajtása. |
| A feliratkozáskori IP cím | Technikai művelet végrehajtása. |
5.5.5 Scope of Data Subjects: all individuals who have subscribed to the newsletter / direct marketing activities.
5.5.6 Purpose of Data Processing: sending electronic messages (email, SMS, push notifications) containing useful professional content, knowledge materials, and advertisements to the data subject, providing information about current news, products, promotions, new features, etc.
5.5.7 Duration of Data Processing, Data Deletion Deadline: Data processing lasts until the withdrawal of consent, i.e., until the unsubscription.
5.5.8 Potential Data Controllers Authorized to Access the Data, Recipients of Personal Data: The personal data may be processed by the data controller’s sales and marketing staff, in compliance with the above principles.
5.5.9 Description of the Data Subjects’ Rights Related to Data Processing:
The data subject may request access to, rectification, erasure, or restriction of processing of personal data relating to them from the data controller, and
– may object to the processing of such personal data, as well as
– has the right to data portability and the right to withdraw consent at any time.
5.5.10 The data subject may initiate access to, deletion, modification, or restriction of personal data, data portability, or objection to data processing through the following means:
– by mail at 2045 Törökbálint, Tópark Street 3,
– by email at info@mima.hu,
– by phone at +36 23 800 420.
5.5.11 The data subject may unsubscribe from the newsletter / direct marketing activities at any time, free of charge.
5.5.12 Legal Basis for Data Processing: the data subject’s consent, Article 6 (1) point (a) of the GDPR, Section 5 (1) of the Info Act, and Section 6 (5) of Act XLVIII of 2008 on the Basic Conditions and Certain Restrictions of Economic Advertising Activities:
“The advertiser, advertising service provider, or the entity publishing the advertisement – within the scope defined in the consent – maintains a record of the personal data of individuals who have given their consent. The data recorded in this register, which pertains to the recipient of the advertisement, may only be processed in accordance with the terms specified in the consent, until its withdrawal, and may be transferred to a third party only with the prior consent of the data subject.”
5.5.13 We inform you that
– the data processing is based on your consent.
– you are required to provide the personal data if you wish to receive newsletters from us.
– failure to provide the data will result in our inability to send you newsletters / direct marketing communications.
6. Data Processors Engaged
6.1 Hosting Service Provider
6.1.1 Activity Provided by the Data Processor: Reseller hosting service
6.1.2 Name and Contact Information of the Data Processor:
MikroTek Hungary Ltd.
Address: 2049 Diósd, Homokos Street 113
Phone: +36 30 205 8057
Email: info@mikrotek.hu
Website: https://mikrotek.hu
6.1.3 The Fact of Data Processing, Scope of Processed Data: all personal data provided by the data subject.
6.1.4 Scope of Data Subjects: all individuals using the websites.
6.1.5 Purpose of Data Processing: to make the website available and ensure its proper operation.
6.1.6 Duration of Data Processing, Data Deletion Deadline: Data processing lasts until the termination of the agreement between the data controller and the hosting service provider, or until the data subject submits a deletion request to the hosting service provider.
6.1.7 Legal Basis for Data Processing: the User’s consent, Section 5 (1) of the Info Act, Article 6 (1) point (a) of the GDPR, and Section 13/A (3) of Act CVIII of 2001 on Electronic Commerce Services and Certain Issues of Information Society Services.
6.2 Newsletter Service Provider
6.2.1 Activity Provided by the Data Processor: Online newsletter sending service
6.2.2 Name and Contact Information of the Data Processor:
MailChimp c/o The Rocket Science Group, LLC
Address: 675 Ponce De Leon Ave NE, Suite 5000,
Atlanta, GA 30308 USA
Website: https://mailchimp.com
All further information regarding data processing is detailed in section 5.2 and its subsections.
7. Cookie Management
7.1 The Fact of Data Processing, Scope of Processed Data: unique identification number, dates, and times.
7.2 Scope of Data Subjects: all individuals visiting the websites.
7.3 Purpose of Data Processing: identification of users and tracking of visitors.
7.4 Duration of Data Processing, Data Deletion Deadline:
| Cookie típusa | Adatkezelés jogalapja | Adatkezelés időtartama | Kezelt adatkör |
|---|---|---|---|
| Munkamenet cookie-k (session) | Az elektronikus kereskedelmi szolgáltatások, valamint az információs társadalmi szolgáltatások egyes kérdéseiről szóló 2001. CVIII. törvény (Elkertv.) 13/A. § (3) bekezdése | A vonatkozó látogatói munkamenet lezárásáig tartó időszak | connect.sid |
7.5 Potential Data Controllers Authorized to Access the Data: The data controller does not process personal data through the use of cookies.
7.6 Description of the Data Subjects’ Rights Related to Data Processing: The data subject has the option to delete cookies through the browser’s Tools/Settings menu, usually under the Privacy settings.
7.7 Legal Basis for Data Processing: The data subject’s consent is not required if the sole purpose of using cookies is for the transmission of communication over an electronic communications network or if it is strictly necessary for the service provider to provide an information society service that has been explicitly requested by the subscriber or user.
8. Use of Google AdWords Conversion Tracking
8.1 The data controller uses the online advertising program “Google AdWords” and, within this framework, utilizes the Google Conversion Tracking service. Google Conversion Tracking is an analytics service provided by Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; “Google”).
8.2 When the User reaches a website via a Google advertisement, a cookie required for conversion tracking is placed on their computer. These cookies have a limited validity and do not contain any personal data, meaning that the User cannot be identified through them.
8.3 When the User browses certain pages of the website and the cookie has not yet expired, both Google and the data controller can see that the User clicked on the advertisement.
8.4 Each Google AdWords customer receives a different cookie, so these cookies cannot be tracked across websites of different AdWords customers.
8.5 The information obtained by Google and the data controller through the conversion tracking cookies is used to create conversion statistics for customers who have chosen Google AdWords conversion tracking. This allows customers to learn about the number of users who clicked on their advertisement and were directed to a page with the conversion tracking tag. However, they do not have access to information that would allow them to identify any individual user.
8.6 If the User does not wish to participate in conversion tracking, they can refuse by disabling the ability to set cookies in their browser. In this case, the User will not appear in the conversion tracking statistics.
8.7 For more information, as well as Google’s privacy statement, please visit the following page: https://www.google.de/policies/privacy/
9. Use of Google Analytics
9.1 The data controller uses Google Analytics, which is a web analytics service provided by Google Inc. (“Google”). Google Analytics uses so-called “cookies,” text files that are stored on the User’s computer, which help analyze the use of the website visited by the User.
9.2 The information created by cookies related to the websites used by the User is usually transferred to and stored on a Google server in the USA. By activating IP anonymization on the website, Google will shorten the User’s IP address within the member states of the European Union or other countries that are party to the Agreement on the European Economic Area before processing it.
9.3 The full IP address will only be transmitted to and shortened on a Google server in the USA in exceptional cases. On behalf of the website operator, Google will use this information to evaluate how the User has used the website, to prepare reports related to the website’s activity for the website operator, and to provide further services related to website and internet usage.
9.4 Within the framework of Google Analytics, the User’s IP address transmitted by the browser is not combined with other data by Google. The User can prevent the storage of cookies by adjusting the settings of their browser, but please note that in this case, some features of this website may not be fully functional. Furthermore, the User can prevent Google from collecting and processing data related to their use of the website through cookies (including the IP address) by downloading and installing the browser plugin available at the following link: https://tools.google.com/dlpage/gaoptout?hl=hu
10. Privacy provisions regarding the use and application of LinkedIn.
10.1 The data controller has integrated certain modules of LinkedIn Corporation on this website.
10.2 The operator of LinkedIn is LinkedIn Corporation (2029 Stierlin Court, Mountain View, CA 94043, USA). For privacy matters outside the United States, LinkedIn Ireland (Privacy Policy Issues, Wilton Plaza, Wilton Place, Dublin 2, Ireland) is responsible.
10.3 Each time a page on our website with a LinkedIn module (LinkedIn plug-in) is opened, the module prompts the browser used by the data subject to download the appropriate display of the LinkedIn module. Further information about LinkedIn plug-ins can be found at https://developer.linkedin.com/plugins. During this technical process, LinkedIn becomes aware of which specific subpages of our website the data subject has visited.
10.4 If the data subject is simultaneously logged into LinkedIn, LinkedIn will recognize which specific subpages of our website the data subject visits every time they open a page on our website and during their entire stay on our site. The LinkedIn module collects this information and associates it with the data subject’s LinkedIn account. If the data subject clicks any LinkedIn button placed on our website, LinkedIn will associate this information with the data subject’s LinkedIn account and store this personal data.
10.5 If the data subject is logged into LinkedIn when opening our website, LinkedIn will always receive information through the LinkedIn module, regardless of whether the data subject clicks on the LinkedIn module, if the data subject visits our website. If the data subject does not want this information to be transmitted to LinkedIn, they can prevent it by logging out of their LinkedIn account before opening our website. It is possible to opt out of email or SMS messages and targeted ads, as well as manage ad settings, at https://www.linkedin.com/psettings/guest-controls. LinkedIn also uses services from providers such as Quantcast, Google Analytics, BlueKai, DoubleClick, Nielsen, Comscore, Eloqua, and Lotame, which may place cookies on devices. These cookies can be rejected at https://www.linkedin.com/legal/cookie-policy. LinkedIn’s valid privacy provisions can be found at https://www.linkedin.com/legal/privacy-policy. LinkedIn’s cookie policy is available at https://www.linkedin.com/legal/cookie-policy.
11. Privacy provisions regarding the use and application of YouTube.
11.1 The data controller has integrated certain modules of YouTube on this website.
11.2 The operator of YouTube is YouTube, LLC (901 Cherry Ave., San Bruno, CA 94066, USA). YouTube, LLC is a subsidiary of Google Inc. (1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA).
11.3 The YouTube module initiates the automatic download of the appropriate YouTube module display every time a page operated by the data controller, which contains YouTube modules (YouTube videos), is opened. Further information about YouTube can be found at https://www.youtube.com/intl/hu/yt/about/. During this technical process, YouTube and Google become aware of which specific subpages of our website the data subject has visited.
11.4 If the data subject is simultaneously logged into YouTube, YouTube will recognize which specific subpages of our website the data subject visits every time they open a page on our website and during their entire stay on our site. YouTube and Google collect this information and associate it with the data subject’s YouTube account.
11.5 If the data subject is logged into YouTube when opening our website, YouTube and Google will always receive information through the YouTube module, regardless of whether the data subject clicks on the YouTube video or not, if the data subject visits our website. If the data subject does not want this information to be transmitted to YouTube and Google, they can prevent it by logging out of their YouTube account before opening our website. The privacy provisions provided by YouTube at https://policies.google.com/privacy?hl=hu&gl=hu explain the collection, processing, and use of personal data by YouTube and Google.
12. Facebook Pixel application.
12.1 Our website may use the Facebook Pixel. This is an invisible image embedded in the pages of our website, which is stored on Facebook’s servers. Every time you open one of our pages where this “pixel” is embedded, the pixel is downloaded to your device from the respective Facebook server. Facebook receives the following data: your IP address and specific parameters of your device (e.g., type, operating system, specific software, and hardware).
12.2 Although we cannot link this information to you personally, Facebook can do so if you have a Facebook profile. In this case, Facebook acts as the data controller. Therefore, we recommend that you review Facebook’s privacy policy to understand how the information collected by Facebook is processed, including for advertising purposes.
12.3 We only receive statistical information from Facebook, not your personal data.
12.4 If you do not wish to receive certain promotional information, you can set your advertising preferences on your personalized Facebook page. Finally, in the settings of your mobile device, you can also indicate that device data should not be shared with third parties. Learn more about the Facebook Pixel.
13. Application of Hotjar.
13.1 We strive to provide a good user experience on our website. To support this, we use the Hotjar website analytics tool to track visitors’ activities on our website (e.g., mouse movements, clicks, etc.). When visiting the website, the cookies placed on the computing device can be removed by the visitor at any time, or they can disable the use of cookies in the browser they are using.
In order to ensure that visitors cannot be identified, Hotjar only operates on the parts of the website where visitors’ personal data is not required. We do not run the website analytics tool on the sections of the website where data fields need to be filled out, which is why visitors cannot be identified by us.
The data stored by the application includes your browser and device information (country, anonymized IP address, type of device used, screen size, browser type, operating system type, time of visit).
You can disable the collection and storage of data in your own browser. More information about this can be found at the following link: https://www.hotjar.com/opt-out.
The stored data is retained for one year.
14. Rights of the data subjects.
14.1 Right of access: You have the right to obtain feedback from the data controller on whether your personal data is being processed, and if such processing is underway, you are entitled to access the personal data and the information listed in the regulation.
14.2 Right to rectification: You have the right to request the data controller to rectify any inaccurate personal data concerning you without undue delay. Taking into account the purposes of the data processing, you are also entitled to request the completion of incomplete personal data, including through a supplementary statement.
14.3 Right to erasure: You have the right to request the data controller to erase your personal data without undue delay, and the data controller is obligated to erase your personal data without undue delay under certain conditions.
14.4 Right to be forgotten: If the data controller has made personal data public and is required to delete it, they will take reasonable steps, taking into account available technology and the cost of implementation — including technical measures — to inform other data controllers processing the data that you have requested the deletion of links to, or copies or duplicates of, the personal data in question.
14.5 Right to restriction of processing: You have the right to request the data controller to restrict the processing of your data if any of the following conditions are met:
– You dispute the accuracy of the personal data, in which case the restriction applies for the period that allows the data controller to verify the accuracy of the personal data;
– The processing is unlawful, and you oppose the deletion of the data and instead request the restriction of its use;
– The data controller no longer needs the personal data for processing purposes, but you require it for the establishment, exercise, or defense of legal claims;
– You have objected to the processing; in this case, the restriction applies for the period until it is determined whether the legitimate grounds of the data controller override your legitimate grounds.
14.6 Right to data portability: You have the right to receive the personal data concerning you that you have provided to the data controller in a structured, commonly used, machine-readable format, and you have the right to transmit this data to another data controller without hindrance from the data controller to whom the personal data was provided.
14.7 Right to object: You have the right to object at any time to the processing of your personal data based on your specific situation, including profiling based on the aforementioned provisions.
14.8 Right to object in the case of direct marketing: If the processing of personal data is for the purpose of direct marketing, you have the right to object at any time to the processing of your personal data for this purpose, including profiling, insofar as it is related to direct marketing. If you object to the processing of personal data for direct marketing purposes, your personal data can no longer be processed for this purpose.
14.9 Automated decision-making in individual cases, including profiling: You have the right not to be subject to a decision based solely on automated processing – including profiling – that has legal effects on you or similarly significantly affects you.
The previous paragraph does not apply if the decision is:
– Necessary for the conclusion or performance of a contract between you and the data controller;
– Authorized by Union or Member State law applicable to the data controller, which also establishes appropriate safeguards for the protection of your rights and freedoms, as well as your legitimate interests; or
– Based on your explicit consent.
15. Deadline for action.
15.1 The data controller will inform you of the actions taken in response to the above requests without undue delay, and in any case within 30 calendar days from the receipt of the request.
15.2 If necessary, this period may be extended by an additional 60 calendar days. The data controller will inform you of the extension, specifying the reasons for the delay, within 30 calendar days from the receipt of the request.
15.3 If the data controller does not take action in response to your request, they will inform you without undue delay, but no later than 30 calendar days from the receipt of the request, about the reasons for not taking action, as well as your right to lodge a complaint with a supervisory authority and to exercise your right to judicial remedy.
16. Data processing security.
16.1 The data controller and the data processor shall implement appropriate technical and organizational measures, taking into account the state of science and technology, the cost of implementation, as well as the nature, scope, circumstances, and purposes of the data processing, and the risks to the rights and freedoms of individuals, which vary in likelihood and severity, to ensure a level of data security appropriate to the risk, including, where applicable:
– The pseudonymization and encryption of personal data;
– Ensuring the ongoing confidentiality, integrity, availability, and resilience of the systems and services used for the processing of personal data;
– In the event of a physical or technical incident, the ability to restore access to personal data and its availability in a timely manner;
– A procedure for regularly testing, assessing, and evaluating the effectiveness of the technical and organizational measures taken to ensure the security of data processing.
17. Information to the data subject about a data protection incident.
17.1 If the data protection incident is likely to result in a high risk to the rights and freedoms of individuals, the data controller shall inform the data subject of the data protection incident without undue delay.
17.2 The information provided to the data subject must clearly and understandably describe the nature of the data protection incident, and provide the name and contact details of the data protection officer or other contact person for further information. It must outline the likely consequences of the data protection incident, and describe the measures taken or planned by the data controller to address the incident, including, where applicable, measures aimed at mitigating any adverse effects resulting from the incident.
17.3 The data subject does not need to be informed if any of the following conditions are met:
– Az adatkezelő megfelelő technikai és szervezési biztonsági intézkedéseket alkalmazott, és ezeket az intézkedéseket alkalmazták az adatvédelmi incidens által érintett adatokra, különösen olyan intézkedéseket, mint a titkosítás alkalmazása, amelyek lehetetlenné teszik az adatok illetéktelen személyek általi hozzáférését;
– Az adatvédelmi incidens után az adatkezelő további intézkedéseket tett annak biztosítására, hogy a korábban az érintett jogaira és szabadságaira vonatkozóan jelentett magas kockázat már nem valószínű, hogy bekövetkezik;
– Az információ nyújtása aránytalan erőfeszítést igényelne. Ilyen esetekben az érintettek tájékoztatása nyilvánosan elérhető információk vagy hasonló intézkedések útján történhet, amelyek biztosítják a hatékony kommunikációt az érintettekkel.
17.4 If the data controller has not yet informed the data subject about the data protection incident, the supervisory authority, after considering whether the data protection incident is likely to result in a high risk, may order the data subject to be informed.
18. Reporting a data protection incident to the authority.
18.1 The data controller shall report the data protection incident to the competent supervisory authority without undue delay, and if possible, no later than 72 hours after becoming aware of the incident, in accordance with Article 55, unless the data protection incident is unlikely to result in a risk to the rights and freedoms of individuals.
18.2 If the notification is not made within 72 hours, the reasons for the delay must be provided along with the notification.
19. Right to lodge a complaint.
19.1 A complaint regarding any potential violation by the data controller can be filed with the National Authority for Data Protection and Freedom of Information:
National Authority for Data Protection and Freedom of Information
Headquarters: 1125 Budapest, Szilágyi Erzsébet fasor 22/C.
Mailing address: 1530 Budapest, P.O. Box 5.
Phone: +36 1 391 1400
Fax: +36 1 391 1410
Email: ugyfelszolgalat@naih.hu
20. Conclusion.
In preparing this notice, we have taken into account the following regulations:
– Regulation (EU) 2016/679 of the European Parliament and the Council (27 April 2016) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and the repeal of Directive 95/46/EC (General Data Protection Regulation)
– Act CXII of 2011 on the right to informational self-determination and freedom of information (hereinafter: Infotv.)
– Act CVIII of 2001 on certain issues of electronic commerce services and information society services (mainly Section 13/A)
– Act XLVII of 2008 on the prohibition of unfair commercial practices towards consumers
– Act XLVIII of 2008 on the basic conditions and certain restrictions of economic advertising activities (especially Section 6)
– Act XC of 2005 on electronic freedom of information
– Act C of 2003 on electronic communications (specifically Section 155)
– EASA/IAB recommendation on best practices for behavior-based online advertising (Opinion No. 16/2011)
– Recommendation by the National Authority for Data Protection and Freedom of Information regarding the data protection requirements of preliminary information
– Regulation (EU) 2016/679 of the European Parliament and the Council (27 April 2016) on the protection of natural persons with regard to the processing of personal data and the free movement of such data, and the repeal of Directive 95/46/EC.
