Epicurea.eu Privacy Policy

Horizonte Hungary Zrt.

This is an automatically generated English translation of the Hungarian legal document. In case of any discrepancies, the Hungarian version shall prevail for legal purposes.

 

Data Protection Notice

 

Introduction

TheHorizonte Hungary Zrt. (1062 Budapest, Bajza utca 56. 2nd floor, door 2, tax number: 24794699-2-42, company registration number/registration number: 01-10-047963) (hereinafter referred to as: Service Provider, data controller) submits itself to the following regulations:

In accordance with REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL (27 April 2016) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Regulation 95/46/EC (General Data Protection Regulation), we provide the following information.

This data protection regulation regulates the data processing of the following sites/mobile applications: https://epicurea.eu

The data processing information is available from the following page: https://epicurea.eu/adatvedelem

The amendments to the policy will enter into force upon publication at the above address.

The data controller and its contact details

Name: Horizonte Hungary Zrt.

Registered office: 1062 Budapest, Bajza utca 56. 2nd floor, 2nd door

Email:  epicurea@horizonte.as

Telephone:  +36 1 701 0958

 

Definitions

 

1. “personal data”: any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, a number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
2. “data processing” means any operation or set of operations which is performed on personal data or on data sets, whether or not by automated means, such as collection, recording, structuring, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
3. “data controller” means the natural or legal person, public authority, agency or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by Union or Member State law, the controller or the specific criteria for the designation of the controller may also be determined by Union or Member State law;
4. “processor” means the natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller;
5. “recipient” means the natural or legal person, public authority, agency or any other body to which personal data are disclosed, whether or not a third party. Public authorities which have access to personal data in the context of an individual investigation in accordance with Union or Member State law shall not be considered recipients; the processing of such data by those public authorities must comply with the applicable data protection rules in accordance with the purposes of the processing;
6. “the data subject’s consent” means any freely given, specific, adequately informed and unambiguous indication of the data subject’s wishes by which the data subject, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data concerning him or her;
7. “data breach” means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
8. “profiling” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal characteristics relating to a natural person, in particular performance at work, economic situation, health,
   used to analyse or predict characteristics relating to personal preferences, interests, reliability, behaviour, location or movements.

Principles for the processing of personal data

1. be processed lawfully and fairly and in a manner that is transparent to the data subject (“lawfulness, fairness and transparency”);
2. be collected only for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific and historical research purposes or statistical purposes shall not be considered incompatible with the initial purpose in accordance with Article 89(1) (“purpose limitation”);
3. be adequate and relevant in relation to the purposes for which the processing is carried out and limited to what is necessary (“data economy”);
4. be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes of the processing, are erased or rectified without delay (“accuracy”);
5. storage must be in a form which permits identification of data subjects only for the time necessary to achieve the purposes for which the personal data are processed; personal data may be stored for a longer period only if the personal data are processed for archiving purposes in the public interest, scientific and historical research purposes or statistical purposes in accordance with Article 89(1), subject to the implementation of appropriate technical and organisational measures to protect the rights and freedoms of data subjects (‘storage limitation’);
6. the processing shall be carried out in such a way that appropriate technical or organisational measures are applied to ensure the appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage (‘integrity and confidentiality).

The controller shall be responsible for compliance with the above and shall be able to demonstrate such compliance (‘accountability).

The controller declares that its processing is in accordance with this Regulation is carried out in accordance with the principles set out in point 1.

Data processing related to the operation of the web store / use of services

1. The fact of data collection, the scope of the processed data and the purpose of data processing:

Personal data	Purpose of data processing	Legal basis
User name	Identification, enabling registration.	Article 6 (1) (a) of the GDPR.
Password	Serves for secure login to the user account.
First and last name	For contact, the necessary for the purchase, for the issuance of a proper invoice, for the exercise of the right of withdrawal.	Article 6 (1) (b) of the GDPR.
Email address	Contact.
Phone number	Contact, more efficient coordination of issues related to invoicing or delivery.
Billing name and address	Issuance of a proper invoice, as well as the creation of the contract, definition of its content, modification, monitoring of its performance, invoicing of fees arising from it, and the enforcement of claims related to it.	6. Article (1) (c) The legal obligation is Article 169 (2) of Act C of 2000 on Accounting)
Delivery name and address	Enable home delivery.	Article 6 (1) (b) of the GDPR.
Date of purchase/registration	Performance of technical operation.	Elker tv. 13/A. § (3)
IP address at the time of purchase/registration	Performance of technical operations.

2. Scope of data subjects: All data subjects registered/purchased on the webshop website. Neither the username nor the e-mail address need to contain personal data.

3. Duration of data processing, deadline for data deletion: If one of the conditions set out in Article 17(1) of the GDPR applies, it will last until the data subject requests deletion. The data controller shall inform the data subject electronically of the deletion of any personal data provided by the data subject pursuant to Article 19 of the GDPR. If the data subject's request for deletion also extends to the e-mail address provided by him/her, the data controller shall also delete the e-mail address after informing. Except in the case of accounting documents, since according to Section 169 (2) of Act C of 2000 on Accounting, this data must be retained for 8 years. The contractual data of the data subject may be deleted upon the expiry of the civil law limitation period based on the data subject's request for deletion.

The accounting documents (including general ledger accounts, analytical and detailed records) directly and indirectly supporting the accounting settlement must be kept in a readable form for at least 8 years, in a retrievable manner based on the reference to the accounting records.

4. The person of the potential data controllers authorized to view the data, the recipients of the personal data: The data controller and its authorized employees may process the personal data, respecting the above principles.

5. Description of the rights of the data subjects in relation to data processing:

• The data subject may request from the data controller access to the personal data concerning him or her, their correction, deletion or restriction of processing, and
• the data subject has the right to data portability, as well as the right to withdraw consent at any time.

6.The data subject can initiate access to personal data, deletion, modification or restriction of processing, and data portability in the following ways:

• by post to 1062 Budapest, Bajza utca 56. 2. em. 2. ajtó,
• by e-mail to epicurea@horizonte.as,
• by telephone at +36 1 701 0958.

7.Legal basis for data processing:

1. Article 6(1)(b) of the GDPR,

2. Act CVIII of 2001 on certain issues of electronic commerce services and information society services (hereinafter referred to as the Elker Act):

The service provider may process personal data that are technically indispensable for the provision of the service for the purpose of providing the service. All other conditions being the same, the service provider must select and in any case operate the means used in the provision of the information society service in such a way that personal data are processed only if this is absolutely necessary for the provision of the service and for the fulfilment of other purposes specified in this Act, but even then only to the extent and for the period necessary.

3. In the case of issuing invoices in accordance with accounting legislation, Article 6(1)(c)

4. In the case of enforcing claims arising from a contract, the limitation period is 5 years, according to Section 6:22 of Act V of 2013 on the Civil Code.

Section 6:22 [Limitation]

(1) Unless otherwise provided in this Act, claims shall expire after five years.

(2) The limitation period shall begin when the claim becomes due.

(3) An agreement to change the limitation period shall be in writing.

(4) An agreement excluding limitation is void.

8. We inform you that

• data processing is necessary for the performance of the contract and the provision of an offer.
• You are required to provide personal data in order to fulfill your order.
• Failure to provide data will result in the inability to process your order.

Cookie management

1. It is not necessary to request prior consent from the data subjects for the use of the so-called "password-protected session cookies", "shopping cart cookies", "security cookies", "necessary cookies", "functional cookies", and "cookies responsible for managing website statistics".

2. The fact of data processing, the scope of data processed: Unique identification number, dates, times.

3. The scope of data subjects: All data subjects visiting the website.

4. Purpose of data processing: Identifying users, tracking visitors, ensuring customized operation.

5. Duration of data processing, deadline for data deletion:

Cookie type	Legal basis for data processing	Data processing Duration
Session cookies, or other cookies that are essential for the operation of the website	No data processing is performed using the cookie.	The period until the relevant visitor session is closed, i.e. it remains on the computer only until the browser is closed.
Statistical, marketing cookies	Article 6 (1) (a) of the GDPR	1 day - 2 years, in accordance with the cookie notice, or until the data subject withdraws their consent.

6. Potential data controllers authorized to access the data: Personal data may be accessed by the data controller.

7. Description of the data subjects' rights regarding data processing: The data subject has the option to delete cookies in the Tools/Settings menu of the browser, usually under the Privacy settings.

8. Most browsers used by our users allow you to set which cookies should be saved and to delete (specific) cookies again. If you restrict the saving of cookies on specific websites or do not allow third-party cookies, this may, under certain circumstances, mean that our website can no longer be used in its entirety. Here you can find information on how to customize cookie settings for common browsers:

Google Chrome (https://support.google.com/chrome/answer/95647?hl=hu)

Internet Explorer (https://support.microsoft.com/hu-hu/help/17442/windows-internet-explorer-delete-manage-cookies)

Firefox (https://support.mozilla.org/hu/kb/sutik-engedelyezese-es-tiltasa-amit-weboldak-haszn)

Safari(https://support.apple.com/hu-hu/guide/safari/sfri11471/mac)

Using Google Ads conversion tracking

1. The data controller uses the online advertising program called "Google Ads", and within its framework, it uses Google conversion tracking service. Google Conversion Tracking is an analytics service of Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; “Google”).
2. When a User reaches a website via a Google ad, a cookie required for conversion tracking is placed on their computer. These cookies have a limited validity and do not contain any personal data, so the User cannot be identified by them.
3. When the User browses certain pages of the website and the cookie has not yet expired, both Google and the data controller can see that the User clicked on the ad.
4. Each Google Ads customer receives a different cookie, so they cannot be tracked through the websites of Ads customers.
5. The information – obtained using conversion tracking cookies – is used to compile conversion statistics for Ads customers who have opted for conversion tracking. Customers are informed about the number of users who clicked on their ads and were redirected to a page with a conversion tracking tag. However, they do not receive information that could identify any user.
6. If you do not want to participate in conversion tracking, you can refuse it by disabling the installation of cookies in your browser. You will then not be included in the conversion tracking statistics.
7. Based on Google Consent Mode v2, Google also uses two new cookie types: ad_user_data and ad_personalization, which are based on the consent of the data subject and which relate to the use and sharing of data. ad_user_data is used to provide consent for the use of user data by Google for advertising purposes. ad_personalization controls whether data can be used to personalize ads (e.g. remarketing). The data controller ensures the acquisition and withdrawal of appropriate consents on the cookie banner / panel. Withdrawal of consent does not affect the lawfulness of data processing based on consent before withdrawal.
8. Further information and Google's privacy statement are available on the following page: https://policies.google.com/privacy

Google Analytics

1. This website uses Google Analytics, a web analytics service provided by Google Inc. ("Google"). Google Analytics uses so-called "cookies", text files that are saved on your computer and help the website operator analyze how you use the website.
2. The information generated by the cookies about your use of the website is usually transmitted to and stored by Google on a server in the USA. If IP anonymization is activated on the website, Google will first shorten your IP address within the member states of the European Union or in other states that are party to the Agreement on the European Economic Area.
3. The full IP address will only be transmitted to a Google server in the USA and shortened there in exceptional cases. On behalf of the operator of this website, Google will use this information to evaluate how the User uses the website, to compile reports on website activity for the website operator and to provide other services relating to website and internet usage.
4. Within the framework of Google Analytics, the IP address transmitted by the User's browser will not be merged with other data held by Google. The User can prevent the storage of cookies by setting their browser accordingly; however, please note that in this case not all functions of this website may be fully usable. You can also prevent Google from collecting and processing the data generated by cookies and relating to your use of the website (including your IP address) by downloading and installing the browser plug-in available at the following link. https://tools.google.com/dlpage/gaoptout?hl=hu

Newsletter, DM activity based on consent

1. Pursuant to Section 6 of Act XLVIII of 2008 on the basic conditions and certain limitations of economic advertising activity, the User may give prior and express consent to the Service Provider contacting him with advertising offers and other mailings at the contact details provided upon registration.

2. Furthermore, the Customer, taking into account the provisions of this information, may consent to the Service Provider processing his personal data necessary for sending advertising offers.

3. The Service Provider does not send unsolicited advertising messages, and the User may unsubscribe from receiving offers free of charge, without restriction or justification. In this case, the Service Provider will delete all personal data necessary for sending advertising messages from its records and will not contact the User with further advertising offers. The User may unsubscribe from advertisements by clicking on the link in the message.

4. The fact of data collection, the scope of the processed data and the purpose of data processing:

Personal data	Purpose of data processing	Legal basis
Name, e-mail address.	Identification, enabling subscription to the newsletter/promotional coupons.	Consent of the data subject, Article 6(1)(a) Act XLVIII of 2008 on the basic conditions and certain limitations of economic advertising activities, Section 6(5).
Date of subscription	Performance of technical operation.
IP address at the time of subscription	Performance of technical operation.

5. The scope of the data subjects: All data subjects who subscribe to the newsletter.

6. Purpose of data processing: sending electronic messages containing advertising (e-mail, SMS, push message) to the data subject, providing information about current information, products, promotions, new features, etc.

7. Duration of data processing, deadline for data deletion: Data processing lasts until consent is withdrawn (unsubscribe, request for deletion by the data subject), or the newsletter is terminated.

8. Persons of potential data controllers entitled to access the data, recipients of personal data: Personal data may be processed by the data controller, as well as its sales and marketing staff, in compliance with the above principles.

9. Description of the rights of the data subjects in relation to data processing:

• The data subject may request from the data controller access to the personal data concerning him/her, their rectification, erasure or restriction of processing, and
• may object to the processing of his/her personal data and
• the data subject has the right to data portability and to withdraw consent at any time.

10. The data subject may initiate access to personal data, their deletion, modification or restriction of processing, data portability or objection in the following ways:

• by post to 1062 Budapest, Bajza utca 56. 2. em. 2. door,
• by e-mail at epicurea@horizonte.as,
• by phone at +36 1 701 0958.

11. The data subject may unsubscribe from the newsletter at any time, free of charge.

12. We inform you that

• data processing is based on your consent.
• You are required to provide personal data if you wish to receive a newsletter from us.
• Failure to provide data will result in us not being able to send you a newsletter.
• We inform you that you can withdraw your consent at any time by clicking unsubscribe.
• Withdrawal of consent does not affect the lawfulness of data processing based on consent prior to withdrawal.

Complaint handling

1. The fact of data collection, the scope of the processed data and the purpose of data processing:

Personal data	Purpose of data processing	Legal basis
Surname and first name	Identification, contact.	6. Article (1) paragraph c) (the relevant legal obligation: Section 17/A. (7) of Act CLV of 1997 on Consumer Protection)
E-mail address
Contact.
Telephone number
Contact.
Billing name and address	Identification, quality complaints, questions and problems related to the ordered products/services treatment.

2. Scope of data subjects: All data subjects who make a purchase on the website and have a quality complaint or complaint.

3. Duration of data processing, deadline for data deletion: The minutes, transcript and copies of the response to the complaint must be kept for 3 years pursuant to Section 17/A. (7) of Act CLV of 1997 on Consumer Protection.

4. Possible data controllers authorized to access the data, recipients of personal data: Personal data may be processed by the data controller and its authorized employees, in compliance with the above principles.

5.Description of the rights of data subjects in relation to data processing:

• The data subject may request from the data controller access to, rectification, erasure or restriction of processing of personal data concerning him or her, and
• the data subject has the right to data portability and to withdraw consent at any time

6. The data subject can request access to, erasure, modification or restriction of processing of personal data, or data portability in the following ways:

• by post to 1062 Budapest, Bajza utca 56. 2nd floor, door 2,
• by e-mail to epicurea@horizonte.as,
• by telephone at +36 1 701 0958.

7. We inform you that

• the provision of personal data is based on a legal obligation.
• the processing of personal data is a prerequisite for concluding a contract.
• it is mandatory to provide personal data so that we can handle your complaint.
• failure to provide data has the consequence that we cannot handle your complaint.

Recipients to whom personal data are disclosed

“recipient” means the natural or legal person, public authority, agency or any other body to whom or to which personal data are disclosed, regardless of whether it is a third party.

1. Data processors (those who process data on behalf of the data controller)

The data controller uses data processors to facilitate its own data processing activities and to fulfill its contractual obligations with the data subject and obligations imposed by law.

The data controller places great emphasis on using only data processors who provide adequate guarantees for the implementation of appropriate technical and organizational measures to ensure compliance with the requirements of the GDPR and the protection of the rights of data subjects.

The data processor and any person acting under the control of the data controller or the data processor who has access to personal data shall process the personal data contained in this policy only in accordance with the instructions of the data controller.

The data controller is legally responsible for the activities of the data processor. The data processor is only liable for damages caused by data processing if it has not complied with the obligations expressly imposed on data processors as specified in the GDPR, or if it has ignored the lawful instructions of the data controller or acted contrary to them.

The data processor does not have any substantive decision-making power regarding the processing of the data.

The data controller may use a hosting service provider to provide the IT background and a courier service to deliver the ordered products as a data processor.

2. Certain data processors

Data processing activity	Name, address, contact details
Hosting service	Hetzner Online GmbH Industriestr.25, 91710 Gunzenhausen, Germany Tel.: +49 (0)9831 505-0 E-mail: info@hetzner.com
Other data processor (e.g. online invoicing, web development, marketing)	Zoho CRM Zoho Corporation Pvt. Ltd. Tel.: +91 (44) 69656060 E-mail: privacy@zohocorp.com Billingo Billingo Technologies Zrt. Head office: 1133 Budapest, Árbóc utca 6. III. floor E-mail: hello@billingo.hu

 

“third party” means a natural or legal person, public authority, agency or any other body other than the data subject, the controller, the processor or the persons who, under the direct control of the controller or processor, are authorised to process personal data.

3. Data transfer to third parties

Third-party data controllers process the personal data we provide in their own name and in accordance with their own data protection regulations.

Data controller's activities	Name, address, contact information
Hosting service	Hetzner Online GmbH Industriestr. 25, 91710 Gunzenhausen, Germany Tel.: +49 (0)9831 505-0 E-mail: info@hetzner.com
Other data processor (e.g. online invoicing, web development, marketing)	Zoho CRM Zoho Corporation Pvt. Ltd. Tel.: +91 (44) 69656060 E-mail: privacy@zohocorp.com Billingo Billingo Technologies Zrt. Head office: 1133 Budapest, Árbóc utca 6. III. floor E-mail: hello@billingo.hu

 

“third party” means a natural or legal person, public authority, agency or any other body other than the data subject, the controller, the processor or the persons who, under the direct control of the controller or processor, are authorised to process personal data.

3. Data transfer to third parties

Third-party data controllers process the personal data we provide in their own name and in accordance with their own data protection regulations.

Data controller's activities	Name, address, contact details
Transportation	GLS General Logistics Systems Hungary Csomag-Logisztikai Kft. 2351 Alsónémedi, Európa u. 2. info@gls-hungary.com Phone number: 06-29-88-66-94
Online payment	OTP Mobil Szolgáltató Kft. Head office: 1138 Budapest, Váci út 135-139. B. ép. 5. em. E-mail: ugyfelszolgalat@simple.hu  Phone: +36 1/20/30/70 3-666-611

Social media

1. The fact of data collection, the scope of the data processed: Twitter/Pinterest/Youtube/Instagram/TikTok/Linkedin etc. registered name on social media sites, and the user's public profile picture.
2. Scope of data subjects: All data subjects who have registered with Twitter/Pinterest/Youtube/Instagram/TikTok/Linkedin etc. on social media sites and "liked" the Service Provider's social media site, or contacted the data controller via the social media site.
3. Purpose of data collection: Sharing, "liking", following and promoting certain content elements, products, promotions or the website itself on social media sites.
4. Duration of data management, deadline for data deletion, identity of potential data controllers entitled to access the data and description of the data subjects' rights related to data management: The data subject can find out about the source of the data, its management, the method of transfer and its legal basis on the given social media site. Data processing is carried out on social media sites, so the duration, method of data processing, and the possibilities for deleting and modifying data are subject to the regulations of the given social media site.
5. Legal basis for data processing: the data subject's voluntary consent to the processing of his/her personal data on social media sites.

Facebook / Meta joint data processing

The Data Controller has a Facebook / Meta profile for the activity. The data processing for statistical purposes implemented on the Facebook social media site is the joint data processing of the Data Controller and Facebook Ireland Ltd. (4 Grand Canal Square, Grand Canal Harbour, D2 Dublin Ireland). The details of the joint data processing agreement are provided in the data controller appendix of the Facebook Page Analytics function. The appendix is ​​available
at the following link: https://www.facebook.com/legal/terms/page_controller_addendum

The data controller communicates in private messages on the social network only if you contact us there.

1. Categories of data subjects

• the data subject who has registered on the social network and "liked" the Data Controller's profile page,
• the data subject who contacts the Data Controller in a private message on the social network.

2. Purpose of data processing

The purpose of data processing is to share and promote the data controller's activities and services on the Facebook social network. The Data Controller may use the data provided by the data subject in the private message to respond to the message, otherwise the Data Controller does not collect data through the social network or extract data from it.

3. Legal basis for data processing

Data processing is based on Article 6(1)(a) of the GDPR, the legal basis for data processing is the consent of the data subject to the processing of his/her personal data on the Facebook social network.

4. Scope of data processed

• registered name of the data subject,
• public profile picture of the user concerned
• other public data provided and shared by the data subject on the social network

5. Source of the processed personal data: The source of the processed data is the data subject.

6. Withdrawal of consent: You can withdraw your consent to data processing at any time, delete your post or comment. Data processing takes place through social networks, which are operated by a third party. If you withdraw your consent, the Data Controller will delete the conversation with you. The withdrawal of consent does not affect the lawfulness of data processing based on consent prior to its withdrawal.

The data subject can request access to, erasure, modification or restriction of processing of personal data, or data portability in the following ways:

• by post to 1062 Budapest, Bajza utca 56. 2nd floor, door 2,
• by e-mail to epicurea@horizonte.as,
• by telephone at +36 1 701 0958.

7. Duration of data processing

• until the data subject withdraws their consent,
• if there is an exchange of messages, then 2 years.

8. Transmission of personal data, recipients and categories of recipients:  For the concept of recipient, see: GDPR Article 4, point 9. The Data Controller shall only transfer the Data Subject's personal data to state bodies, authorities - in particular courts, prosecutors' offices, investigative authorities and infringement authorities, the National Data Protection and Freedom of Information Authority - in exceptional cases and on the basis of a legal obligation.

9. Possible consequences of failure to provide data

In the event of failure to provide data, the Data Subject will not be able to find out about the Data Controller's activities and services via the Facebook social network, or send a message to the Data Controller via Facebook Messenger.

10. Automated decision-making (also profiling): During data processing, automated decision-making, including profiling, will not take place.

11. Joint Data Controller Agreement with Facebook Ireland Ltd.:

The Page Analytics feature displays aggregated data that provides insight into how data subjects use the Facebook Page. Facebook Ireland Limited (“Facebook Ireland”) and the Controller are joint controllers in relation to the processing of analytics data. The Page Analytics Addendum sets out Facebook’s responsibilities and the Controller’s responsibilities in relation to the processing of analytics data. Facebook Ireland assumes primary responsibility for the processing of analytics data under the GDPR and that it complies with all relevant obligations under the GDPR in relation to the processing of analytics data. Facebook Ireland also makes an extract of the Page Analytics Addendum available to all data subjects. The Controller ensures that it has an appropriate legal basis under the GDPR for the processing of analytics data, identifies the controller of the Page, and complies with all other relevant legal obligations. Facebook Ireland is solely responsible for the processing of personal data in connection with the Page Analytics feature, except for data within the scope of the Page Analytics Addendum. The Page Analytics Addendum does not grant the Data Controller the right to request personal data of Facebook users that Facebook Ireland processes in connection with Facebook, including Page Analytics data. The Data Controller cannot act on behalf of Facebook Ireland when fulfilling data protection requests and cannot respond.

Customer relations and other data processing

1. If the data controller has any questions or problems while using our services, the data subject may contact the data controller via the methods provided on the website (telephone, e-mail, social media, etc.).
2. The data controller will respond to the received e-mails, messages, telephone, Meta, etc. The data provided, together with the name and e-mail address of the interested party and other voluntarily provided personal data, will be deleted no later than 2 years after the data was provided.
3. We will provide information about data processing not listed in this information when the data is collected.
4. In exceptional cases, upon request by the authorities or upon request by other bodies based on legal authorization, the Service Provider is obliged to provide information, communicate or transfer data, or make documents available.
5. In these cases, the Service Provider will only provide the requesting party with personal data to the extent and insofar as it is absolutely necessary to achieve the purpose of the request.

Rights of the data subjects

1. Right of access

You have the right to obtain from the controller information as to whether or not your personal data are being processed and, where such processing is taking place, access to the personal data and the information listed in the Regulation.

2. Right to rectification

You have the right to obtain from the controller, at your request, the rectification of inaccurate personal data concerning you without undue delay. Taking into account the purpose of the processing, you have the right to request the completion of incomplete personal data, including by means of a supplementary statement.

3. Right to erasure

You have the right to obtain from the controller the erasure of personal data concerning you without undue delay, and the controller is obliged to erase personal data concerning you without undue delay under certain conditions.

4. Right to be forgotten

Where the controller has made the personal data public and is obliged to erase them, the controller, taking into account available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform the controllers processing the data that you have requested the erasure of links to, or copies or replications of, those personal data.

5. Right to restriction of processing

You have the right to obtain from the controller restriction of processing where one of the following conditions applies:

• You contest the accuracy of the personal data, in which case the restriction shall apply for a period enabling the controller to verify the accuracy of the personal data;
• The processing is unlawful and you oppose the erasure of the data and request the restriction of their use instead;
• The controller no longer needs the personal data for the purposes of the processing, but you require them for the establishment, exercise or defence of legal claims;
• You have objected to the processing; in which case the restriction shall apply for a period of time until it is determined whether the legitimate grounds of the controller override your legitimate grounds.

6. The right to data portability

You have the right to receive the personal data concerning you, which you have provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to whom the personal data were provided (...)

7. The right to object

In the case of processing based on legitimate interest or public authority as legal grounds, you have the right to object at any time to the processing of your personal data by (...), including profiling based on those provisions, on grounds relating to your particular situation.

8. Objection to direct marketing

If personal data are processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such purposes, including profiling, insofar as it is related to direct marketing. If you object to the processing of personal data for direct marketing purposes, your personal data will no longer be processed for such purposes.

9. Automated decision-making in individual cases, including profiling

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.

The previous paragraph shall not apply if the decision:

• is necessary for entering into, or the performance of, a contract between you and the controller;
• is permitted by Union or Member State law applicable to the controller and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests; or
• Based on your explicit consent.

Time limit for action

The controller shall inform you of the action taken in response to the above requests without undue delay, but in any case within 1 month of receipt of the request.

If necessary, this may be extended by 2 months. The controller shall inform you of the extension of the deadline, indicating the reasons for the delay, within 1 month of receipt of the request.

If the controller does not take action on your request, it shall inform you without delay, but at the latest within one month of receipt of the request, of the reasons for the failure to take action and of the possibility of lodging a complaint with a supervisory authority and exercising its right to a judicial remedy.

Security of data processing

The controller and the processor shall implement appropriate technical and organisational measures, taking into account the state of the art and technology and the costs of implementation, the nature, scope, circumstances and purposes of the data processing and the risk of varying likelihood and severity to the rights and freedoms of natural persons, in order to guarantee a level of data security appropriate to the degree of the risk, including, inter alia, where applicable:

1. the pseudonymisation and encryption of personal data;
2. the continued confidentiality, integrity, availability and resilience of systems and services used to process personal data;
3. the ability to restore access to and availability of personal data in a timely manner in the event of a physical or technical incident;
4. a procedure for regularly testing, assessing and evaluating the effectiveness of the technical and organisational measures taken to ensure the security of data processing.
5. Processed data must be stored in a way that prevents unauthorised access to them. In the case of paper-based data carriers, by establishing a physical storage and archiving system, and in the case of data managed in electronic form, by applying a central authorization management system.
6. The method of storing data using IT methods must be chosen in such a way that their deletion - taking into account any possible different deletion deadline - can be carried out when the data deletion deadline expires, or if necessary for other reasons. The deletion must be irreversible.
7. Paper-based data carriers must be deprived of personal data using a document shredder or by using an external organization specializing in document destruction. In the case of electronic data carriers, physical destruction must be ensured in accordance with the rules on the disposal of electronic data carriers, or, if necessary, the secure and irretrievable deletion of the data in advance.
8. The data controller takes the following specific data security measures:

In order to ensure the security of personal data processed on paper, the Service Provider applies the following measures (physical protection):

1. The documents must be placed in a secure, well-locked dry room.
2. If personal data processed on paper is digitized, the rules governing digitally stored documents must be applied.
3. The Service Provider's data processing employee may only leave the room where data processing is taking place during his/her work by locking the data carriers entrusted to him/her or by closing the given room.
4. Personal data may only be accessed by the person authorized to do so. authorized persons may know them, and third parties may not access them.
5. The building and premises of the Service Provider are equipped with fire protection and property protection equipment.

 IT protection

1. The computers and mobile devices (other data carriers) used during data processing are the property of the Service Provider.
2. The computer system containing personal data used by the Service Provider is equipped with virus protection.
3. In order to ensure the security of digitally stored data, the Service Provider uses data backups and archiving.
4. The central server machine may only be accessed by persons with appropriate authorization and designated for that purpose.
5. The data on the computers can only be accessed with a username and password.

Informing the data subject about the data protection incident

If the data protection incident is likely to result in a high risk to the rights and freedoms of natural persons, the data controller shall inform the data subject without undue delay.

The information provided to the data subject must clearly and intelligibly describe the nature of the data protection incident and provide the name and contact details of the data protection officer or other contact person who can provide further information; the likely consequences of a data protection incident must be described; describe the measures taken or planned by the controller to address the personal data breach, including, where applicable, measures to mitigate the potential adverse consequences resulting from the personal data breach.

The data subject does not need to be informed if any of the following conditions are met:

• the controller has implemented appropriate technical and organisational security measures and those measures have been applied to the data affected by the personal data breach, in particular measures such as encryption that make the data unintelligible to persons not authorised to access the personal data;
• the controller has taken additional measures following the personal data breach which ensure that the high risk to the rights and freedoms of the data subject is unlikely to materialise in the future;
• the provision of information would require a disproportionate effort necessary. In such cases, the data subjects shall be informed by means of publicly available information or similar measures shall be taken to ensure that the data subjects are informed in an equally effective manner.

If the controller has not yet notified the data subject of the personal data breach, the supervisory authority may, after considering whether the personal data breach is likely to result in a high risk, order the data subject to be informed.

Notification of a personal data breach to the authority

The controller shall notify the personal data breach to the supervisory authority competent pursuant to Article 55 without undue delay and, where feasible, not later than 72 hours after having become aware of the personal data breach, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. If the notification is not made within 72 hours, the reasons justifying the delay must be attached.

Review in case of mandatory data processing

If the duration of mandatory data processing or the periodic review of its necessity is not specified by law, a local government decree, or a binding legal act of the European Union, the data controller shall review at least every three years from the start of data processing whether the processing of personal data processed by it or by a data processor acting on its behalf or on its instructions is necessary for the achievement of the purpose of data processing.

The data controller shall document the circumstances and results of this review, retain this documentation for ten years after the review and make it available to the National Data Protection and Freedom of Information Authority (hereinafter: the Authority) upon request.

Complaint option

A complaint against a possible violation of the data controller can be filed with the National Data Protection and Freedom of Information Authority:

National Data Protection and Freedom of Information Authority
1055 Budapest, Falk Miksa utca 9-11.
Mailing address: 1363 Budapest, Pf. 9.
Telephone: +36 -1-391-1400
Fax: +36-1-391-1410
E-mail: ugyfelszolgalat@naih.hu

Conclusion

When preparing this information, we took into account the following legislation:

• REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Regulation (EC) No 127/2008 (GDPR);
• Act CXII of 2011 – on the right to informational self-determination and freedom of information (hereinafter referred to as the Infotv.);
• Act CVIII of 2001 – on certain issues of electronic commerce services and services related to the information society (especially Section 13/A);
• Act XLVII of 2008 – on the prohibition of unfair commercial practices towards consumers;
• Act XLVIII of 2008 – on the basic conditions and certain limitations of economic advertising activities (especially Section 6);
• Act XC of 2005 on electronic freedom of information;
• Act C of 2003 on electronic communications (specifically Section 155);
• Act No. 16/2011 opinion on the EASA/IA Recommendation on best practice in online behavioural advertising;
• Recommendation of the National Data Protection and Freedom of Information Authority on data protection requirements for prior information.