WEBSITE PRIVACY INFORMATION
AGROKERI KFT. - hereinafter referred to as the Company, by publishing this data protection notice,the prior information obligation of the data subject on the processing of personal data required by
REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL to summarize all
information under the relevant Articles of the Regulation, shall be made available to data subjects in
a transparent, comprehensible and easily accessible form, in a clear and comprehensible manner.
I. NAME OF THE DATA CONTROLLER
The Company informs the data subject that it qualifies as a data controller in the management of its
personal data.
COMPANY NAME: AGROKERI KFT.
HEADQUARTERS: 4481 Nyíregyháza, Szellő út. 18.
COMPANY REGISTRATION NUMBER: 15 09 075674
TAX NUMBER: 22611701-2-15
PHONE: +36 20 343 7884
NAME OF DATA PROTECTION OFFICER: PÉTER RIZÁN
NAME OF REPRESENTATIVE: PÉTER RIZÁN
E-MAIL: info@agrokeri.hu
WEBSITE: https://www.agrokeri.hu https://webshop.agrokeri.hu https://webshop.agrokeri.hu/
Personal data may be disclosed to employees of the Company with access rights related to the
relevant data management purpose, or to persons and organizations performing data processing
activities on the basis of service contracts for the Company, to the extent and to the extent necessary
for the performance of their activities.
II. NAME OF THE DATA PROCESSOR (S)
(1) The Company uses an external data processor entrusted with the personal data processed on the
basis of its voluntary consent for the purpose of operating and maintaining its website.
COMPANY NAME: GLS General Logistics Systems Hungary Csomag-Logistikai Kft.
HEADQUARTERS: 2351 Alsónémedi, GLS Európa u. 2.
COMPANY REGISTRATION NUMBER: 13-09-111755
TAX NUMBER: 12369410-2-44
PHONE:
E-MAIL: info@gls-hungary.com
WEBSITE: https://gls-group.eu/HU/hu/home
ACTIVITY: Logistics service
Privacy policy: link
COMPANY NAME: DomainTank Informatikai Kft.
HEADQUARTERS: 2120 Dunakeszi, Kadosa Pál u.3. 1/4
COMPANY REGISTRATION NUMBER: 13-09-153036
TAX NUMBER: 23753967-2-13
PHONE: 0670 / 397-9408
E-MAIL: ugyfelszolgalat@domaintank.hu
Data protection officer: László Malina
WEBSITE: https://domaintank.hu
ACTIVITY: Hosting service
Privacy policy: link
III. DEFINITIONS
1. personal data shall mean any information relating to an identified or identifiable natural person
(data subject); identify a natural person who, directly or indirectly, in particular on the basis of an
identifier such as name, number, location, online identifier or one or more factors relating to the
physical, physiological, genetic, mental, economic, cultural or social identity of the natural person
identifiable;
2. processing means any operation or set of operations on personal data or files, whether
automated or non-automated, such as collection, recording, systematisation, sorting, storage,
transformation or alteration, query, introspection, use, communication, transmission or
dissemination; by other means of access, coordination or interconnection, restriction, deletion or
destruction;
3. restriction of data processing means the marking of stored personal data with the aim of limiting
their future processing;
4. profiling means any form of automated processing of personal data in which personal data are
evaluated for the purpose of assessing certain personal characteristics of a natural person, in
particular his performance, economic situation, state of health, personal preferences, interests,
reliability, behavior, location or used to analyze or predict motion-related characteristics;
5. pseudonymisation means the processing of personal data in such a way that it is no longer
possible to determine to which specific natural person the personal data relate without the use of
additional information, provided that such additional information is stored separately and technical
and organizational measures are taken. ensure that this personal data cannot be linked to identified
or identifiable natural persons;
6. registration system means a set of personal data which is accessible in any way, whether
centralized, decentralized or functional or geographical, on the basis of defined criteria;
7. controller means the natural or legal person, public authority, agency or any other body which
alone or jointly with others determines the purposes and means of the processing of personal data;
where the purposes and means of the processing are determined by Union or Member State law, the
controller or the specific criteria for the designation of the controller may also be determined by
Union or Member State law;
8. processor means any natural or legal person, public authority, agency or any other body which
processes personal data on behalf of the controller;
9. recipient means a natural or legal person, public authority, agency or any other body to whom
personal data are disclosed, whether a third party or not. Public authorities that may have access to
personal data in the framework of an individual investigation in accordance with Union or Member
State law shall not be considered as recipients; the processing of such data by these public
authorities must comply with the applicable data protection rules in accordance with the purposes of
the processing;
10. third party means any natural or legal person, public authority, agency or any other body which
is not the data subject, controller, processor or persons who, under the direct control of the
controller or processor, authorized to deal with it;
11. data subject's consent means the voluntary, specific and duly informed and unambiguous
declaration of his or her will by means of a statement or unequivocal statement of consent to the
processing of personal data concerning him or her;
12. data protection incident means a breach of security resulting in the accidental or unlawful
destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, personal data
which have been transmitted, stored or otherwise handled;
13. undertaking means any natural or legal person engaged in an economic activity, regardless of
the legal status of the entity, including partnerships and associations carrying on a regular economic
activity
IV. LEGAL BASIS FOR DATA PROCESSING
1. Consent of the data subject
(1) The lawfulness of the processing of personal data must be based on the data subject's consent or
have some other legitimate basis laid down by law.
(2) In the case of data processing with the consent of the data subject, the data subject may give his
or her consent to the processing of his or her personal data in the following form:
a) in writing, in the form of a statement giving consent to the processing of personal data:
b) by electronic means, by explicit conduct on the Company's website, by ticking a box or by making
technical adjustments when using information society services, and by any other statement or action
that, in that context, the data subject's consent to the processing of personal data clearly indicates
the intended treatment.
(3) Silence, a pre-ticked box or inaction do not therefore constitute consent. (4) The consent shall
cover all data processing activities carried out for the same purpose or purposes.
(5) If the data processing serves several purposes at the same time, the consent shall be given for all
data processing purposes. If the data subject's consent is given following an electronic request, the
request shall be clear and concise and shall not unnecessarily impede the use of the service for which
the consent is sought.
6. The data subject shall have the right to withdraw his or her consent at any time. Withdrawal of
consent shall not affect the lawfulness of the consent-based data processing prior to withdrawal. The
data subject must be informed before consent is given. Withdrawal of consent should be as simple as
giving it.
2. Performance of contract
(1) Processing shall be lawful if it is necessary for the performance of a contract to which the data
subject is a party or to take steps at the request of the data subject prior to the conclusion of the
contract.
(2) The consent of the data subject to the processing of personal data not necessary for the
performance of the contract shall not be a condition for the conclusion of the contract.
3. Fulfillment of a legal obligation to the controller or protection of the vital interests of the data
subject or of another natural person
(1) The legal basis of data processing is determined by law in case of fulfillment of a legal obligation,
so the consent of the data subject is not necessary for the processing of personal data.
(2) The data controller is obliged to inform the data subject about the purpose, legal basis and
duration of the data processing, about the person of the data controller, as well as about his or her
rights and legal remedies.
(3) In order to fulfill a legal obligation, the data controller shall be entitled to manage the data set
necessary for the fulfillment of a legal obligation to which he or she is subject after the withdrawal of
his or her consent.
4. Carrying out a task in the public interest or in the exercise of a public authority
conferred on the controller, enforcing the legitimate interests of the controller or a party.
(1) The controller, being able to do so for the personal personal audience, or any other third party
may create an interested legal basis for the processing, he felt that the interests, fundamental rights
and freedoms should not take precedence which would allow the basis for relations with the data
controller. the reasonable expectations of the general. Such legitimate interests may be involved, for
example, where there is a relevant and appropriate relationship with them and the data controllers,
for example in cases where the data is available to or for customers.
(2) The existence of a legitimate interest shall in any case be properly examined, in particular given
that, at the time when personal data were collected and in the context of the unpredictable and
perceptible manner in which the data may be processed for that purpose.
(3) The interests concerned and the fundamental rights may take precedence over the interests of
the controller if the treatments are of a personal nature and contain a moderate amount of
additional data.
V. RIGHTS OF THE PERSON CONCERNED WITH REGARD TO THE PROCESSING OF DATA
1. The Company shall provide a brief summary of the rights of the person concerned:
The data subject has the right to:
a) for information before the start of data processing,
(b) to receive feedback from the controller as to whether the processing of his or her personal data is
in progress and, if such processing is in progress, the right to access the personal data and the
following information,
c) request the correction or deletion of your data, receive a notification from the data controller that
this has happened,
d) request a restriction on data processing, receive a notification from the data controller that this
has happened,
e) data portability,
(f) to object if his personal data are processed for purposes of the public interest or on the basis of a
legitimate interest of the controller.
(g) be exempt from automatic decision-making, including profiling,
(h) to lodge a complaint with the supervisory authority. The data subject may exercise his / her right
to complain at the following contact details: National Data Protection and Freedom of Information
Authority, address: 1125 Budapest, Szilágyi Erzsébet fasor 22 / c., Phone: +36 (1) 391-1400, Fax: +36
(1) 391-1410, www: http: //www.naih.hu e-mail: ugyfelszolgalat@naih.hu
(i) an effective judicial remedy against the supervisory authority,
j) For effective judicial redress against the controller or processor
k) To report a data protection incident.
2. Detailed information on the rights of data subjects
2.1. Right to information:
(1) The data subject shall have the right to be informed of the information relating to the processing
prior to the commencement of the data processing activity.
(2) Information to be provided if personal data are collected from the data subject:
a. the identity and contact details of the controller and, if any, of the controller 's representative;
b. the contact details of the Data Protection Officer, if any;
c. the purpose of the intended processing of personal data and the legal basis for the processing;
d. in the case of processing based on Article 6 (1) (f) of the Regulation, the legitimate interests of the
controller or of a third party;
e. where applicable, the recipients of the personal data or the categories of recipients, if any;
f.
g. where applicable, the fact that the controller intends to transfer personal data to a third country
or an international organization and the existence or absence of a Commission decision on adequacy,
or Article 46, Article 47 or Article 49 (1) of the Regulation In the case of the transmission referred to
in the second subparagraph of paragraph 1 of this Article, an indication of the appropriate and
suitable guarantees and a reference to the means of obtaining or obtaining a copy of them.
(3) In addition to the information referred to in paragraph (1), the controller shall inform the data
subject of the following additional information at the time of receipt of the personal data, in order to
ensure fair and transparent data processing:
a. the period for which the personal data will be stored or, if that is not possible, the criteria for
determining that period;
b. the data subject's right to request from the controller access to, rectification, erasure or restriction
of the processing of personal data concerning him or her and to object to the processing of such
personal data and the data subject's right to data portability;
c. in the case of data processing based on Article 6 (1) (a) or Article 9 (2) (a) of the Regulation, the
right to withdraw the consent at any time, without prejudice to the lawfulness of the data processing
carried out prior to the withdrawal;
d. the right to lodge a complaint with the supervisory authority;
e. whether the provision of personal data is based on a law or a contractual obligation or a
precondition for concluding a contract, whether the data subject is obliged to provide personal data
and what the possible consequences of non-disclosure may be;
f. the fact of the automated decision-making referred to in Article 22 (1) and (4) of the Regulation,
including profiling, and at least in such cases understandable information on the logic used and the
significance of such processing and the expected outcome for the data subject; has consequences.
(4) If the personal data have not been obtained from the data subject, the controller shall provide
the data subject with the following information:
a. the identity and contact details of the controller and, if any, of the controller 's representative;
b. the contact details of the Data Protection Officer, if any;
c. the purpose of the intended processing of personal data and the legal basis for the processing;
d. the categories of personal data concerned;
e. the recipients of the personal data and the categories of recipients, if any;
f. where applicable, the fact that the controller intends to transfer personal data to a recipient in a
third country or to an international organization, and the existence or absence of a Commission
decision on adequacy, or Article 46, Article 47 or Article 49 of the Regulation ( In the case of the
transmission referred to in the second subparagraph of paragraph 1, the indication of the
appropriate and suitable guarantees and a reference to the means of obtaining or obtaining a copy
thereof.
(2) In addition to the information referred to in paragraph 1, the controller shall provide the data
subject with the following additional information necessary to ensure fair and transparent data
processing for the data subject:
a. the period for which the personal data will be stored or, if that is not possible, the criteria for
determining that period;
b. if the processing is based on Article 6 (1) (f) of the Regulation, the legitimate interests of the
controller or of a third party;
c. the data subject's right to request from the controller access to, rectification, erasure or restriction
of the processing of personal data concerning him or her and to object to the processing of personal
data, as well as the data subject's right to data portability;
d. in the case of processing based on Article 6 (1) (a) or Article 9 (2) (a) of the Regulation, the right to
withdraw the consent at any time, without prejudice to the lawfulness of the processing carried out
prior to the withdrawal;
e. the right to lodge a complaint with a supervisory authority;
f. the source of the personal data and, where applicable, whether the data come from publicly
available sources; and
g. the fact of the automated decision-making referred to in Article 22 (1) and (4) of the Regulation,
including profiling, and at least in these cases the understandable logic used and the significance of
such processing and the expected outcome for the data subject; has consequences.
(3) If the controller intends to carry out further processing of personal data for a purpose other than
that for which they were obtained, it shall inform the data subject of that different purpose and of
any relevant additional information referred to in paragraph 2 before further processing.
(4) Paragraphs 1 to 3 shall not apply if and to the extent that:
a. the data subject already has the information;
b. the provision of such information proves impossible or would require a disproportionate effort, in
particular for the purposes of archiving in the public interest, for scientific and historical research or
for statistical purposes, subject to the conditions and guarantees of Article 89 (1), or the obligation
referred to in paragraph 1 of this Article is likely to make it impossible or seriously jeopardize the
achievement of the purposes of such processing. In such cases, the controller shall take appropriate
measures, including making the information publicly available, to protect the rights, freedoms and
legitimate interests of the data subject;
c. the acquisition or disclosure of the data is expressly provided for by Union or Member State law
applicable to the controller, which provides for appropriate measures to protect the legitimate
interests of the data subject; obsession
d. personal data must remain confidential under an obligation of professional secrecy imposed by a
law of the Union or of a Member State, including a legal obligation of professional secrecy.
2.2. The data subject 's right of access
(1) The data subject shall have the right to receive feedback from the controller as to whether the
processing of his or her personal data is in progress and, if such processing is in progress, shall have
the right to access the personal data and the following information:
a. the purposes of data management;
b. the categories of personal data concerned;
c. the recipients or categories of recipients to whom the personal data have been or will be
communicated, including in particular recipients in third countries or international organizations;
d. where applicable, the intended period for which the personal data will be stored or, if that is not
possible, the criteria for determining that period;
e. the data subject's right to request the controller to rectify, delete or restrict the processing of
personal data concerning him or her and to object to the processing of such personal data;
f. the right to lodge a complaint with a supervisory authority;
g. if the data were not collected from the data subject, all available information on their source;
h. the fact of the automated decision-making referred to in Article 22 (1) and (4) of the Regulation,
including profiling, and at least in these cases the understandable logic used and the significance of
such processing and the data subject's expected consequences.
(2) Where personal data are transferred to a third country or to an international organization, the
data subject shall be entitled to be informed of the appropriate guarantees regarding the transfer in
accordance with Article 46.
(3) The data controller shall make a copy of the personal data which are the subject of the data
processing available to the data subject. For additional copies requested by the data subject, the
controller may charge a reasonable fee based on administrative costs. If the data subject has
submitted the request electronically, the information shall be provided in a widely used electronic
format, unless the data subject requests otherwise.
2.3. Right to rectification
(1) The data subject shall have the right, at his request, to have inaccurate personal data concerning
him rectified without undue delay. Taking into account the purpose of the data processing, the data
subject has the right to request that the incomplete personal data be supplemented, inter alia, by
means of a supplementary statement.
2.4. Right of cancellation (right to forget)
(1) The data subject shall have the right, at the request of the controller, to delete personal data
concerning him or her without undue delay and the controller shall delete personal data concerning
him or her without undue delay if any of the following reasons exist:
the. personal data are no longer required for the purpose for which they were collected or otherwise
processed;
b. the data subject withdraws the consent on which the processing is based pursuant to Article 6 (1)
(a) of the Regulation (consent to the processing of personal data) or Article 9 (2) (a) of the Regulation
(granting of explicit consent) and the processing has no other legal basis;
c. the data subject objects to the processing of the data pursuant to Article 21 (1) of the Regulation
(right to object) and there is no overriding legitimate reason for the processing or the processing of
the personal data for the purpose of obtaining a business pursuant to Article 21 (2) of the Regulation
protest) against data processing;
d. personal data have been processed unlawfully;
e. personal data must be deleted in order to fulfill a legal obligation under Union or Member State
law applicable to the controller;
f. personal data have been collected in connection with the provision of information society services
referred to in Article 8 (1).
(2) Where the controller has disclosed personal data and is required to delete it at the request of the
data subject, it shall take reasonable steps, including technical measures, taking into account the
available technology and the cost of implementation, to inform the controllers that the data subject
has requested them to delete the links to the personal data in question or a copy or duplicate of that
personal data.
(3) Paragraphs 1 and 2 shall not apply if the processing is necessary:
a. for the purpose of exercising the right to freedom of expression and information;
b. for the purpose of fulfilling an obligation under Union or Member State law applicable to the
controller to process personal data or performing a task carried out in the public interest or in the
exercise of official authority vested in the controller;
c. in accordance with Article 9 (2) (h) and (i) of the Regulation and Article 9 (3) of the Regulation on
grounds of public interest in the field of public health;
d. in accordance with Article 89 (1) of the Regulation, for archiving purposes in the public interest, for
scientific and historical research purposes or for statistical purposes, where the right referred to in
paragraph 1 is likely to make such processing impossible or seriously jeopardize; obsession
e. to file, enforce or defend legal claims.
2.5. Right to restrict data processing
(1) The data subject shall have the right, at the request of the controller, to restrict the processing if
one of the following conditions is met:
the. the data subject disputes the accuracy of the personal data, in which case the restriction shall
apply to the period of time that allows the controller to verify the accuracy of the personal data;
b. the processing is unlawful and the data subject opposes the deletion of the data and instead
requests that their use be restricted;
c. the controller no longer needs the personal data for the purpose of data processing, but the data
subject requests them in order to make, enforce or protect legal claims; obsession
d. the data subject has objected to the processing pursuant to Article 21 (1) of the Regulation; in that
case, the restriction shall apply for as long as it is established whether the legitimate reasons of the
controller take precedence over the legitimate reasons of the data subject.
(2) Where the processing is restricted pursuant to paragraph 1, such personal data, with the
exception of storage, shall be subject to the consent of the data subject or to the submission,
enforcement or protection of legal claims or the protection of the rights of other natural or legal
persons. , or in the overriding public interest of a Member State.
(3) The controller shall, at the request of the data subject at whose request the data processing has
been restricted pursuant to paragraph 1, inform him or her in advance of the lifting of the restriction
of the data processing.
2.6. Notification obligation related to the correction or deletion of personal data or
restrictions on data processing
(1) The controller shall inform any recipient to whom or with whom the personal data have been
communicated of the rectification, erasure or restriction of the processing, unless this proves
impossible or requires a disproportionate effort.
(2) At the request of the data subject, the controller shall inform those addressees.
2.7. The right to data portability
(1) The data subject shall have the right to receive personal data concerning him which he has made
available to a controller in a structured, widely used machine-readable format and to transmit such
data to another controller without prejudice to the the controller to whom you have made the
personal data available if:
a. data processing by consent pursuant to Article 6 (1) (a) of the Regulation (consent of the data
subject to the processing of personal data) or Article 9 (2) (a) of the Regulation (explicit consent of
the data subject to data processing), or Is based on a contract within the meaning of paragraph 1 (b);
and
b. data management is automated.
(2) In exercising the right to data portability pursuant to paragraph 1, the data subject shall have the
right, if technically feasible, to request the direct transfer of personal data between data controllers.
(3) The exercise of the right referred to in paragraph 1 of this Article shall be without prejudice to
Article 17 of the Regulation. That law shall not apply where the processing is necessary for the
performance of a task carried out in the public interest or in the exercise of official authority vested
in the controller.
(4) The right referred to in paragraph 1 shall not adversely affect the rights and freedoms of others.
2.8. Right to protest
(1) The data subject has the right to object at any time, for reasons relating to his or her situation, to
the processing of his or her personal data in the exercise of a public interest or public authority or to
the processing of data subjects or third parties (Article 6 (1) (e) or (f), including profiling based on
those provisions. In that case, the controller may not further process the personal data unless the
controller demonstrates that the processing is justified by compelling legitimate reasons which take
precedence over the interests, rights and freedoms of the data subject or which are necessary to
bring, assert or defend legal claims. are related.
(2) Where personal data are processed for the purpose of direct business acquisition, the data
subject shall have the right to object at any time to the processing of personal data concerning him
or her for that purpose, including profiling, in so far as it relates to direct business acquisition.
(3) If the data subject objects to the processing of personal data for the direct acquisition of business,
the personal data may no longer be processed for that purpose.
(4) The right referred to in paragraphs 1 and 2 shall be explicitly brought to the attention of the data
subject at the latest at the time of first contact and shall be displayed in a clear manner and separate
from any other information.
(5) In connection with the use of information society services and by way of derogation from
Directive 2002/58 / EC, the data subject may also exercise the right to object by automated means
based on technical specifications.
(6) Where personal data are processed for scientific and historical research or statistical purposes in
accordance with Article 89 (1) of the Regulation, the data subject shall have the right to object to the
processing of personal data concerning him or her on grounds relating to his or her situation, except ,
if the data processing is necessary for the performance of a task performed in the public interest.
2.9. Right to exemption from automated decision-making
(1) The data subject shall have the right not to be covered by a decision based solely on automated
data processing, including profiling, which would have legal effects or similar effects on him or her.
(2) Paragraph 1 shall not apply if the decision:
a. necessary for the conclusion or performance of the contract between the data subject and the
controller;
b. is made possible by Union or Member State law applicable to the controller, which also lays down
appropriate measures to protect the rights and freedoms and legitimate interests of the data
subject; or
c. based on the express consent of the data subject.
(3) In the cases referred to in points (a) and (c) of paragraph 2, the controller shall take appropriate
measures to protect the rights, freedoms and legitimate interests of the data subject, including at
least the right of the data subject to request human intervention. express an objection to the
decision.
(4) The decisions referred to in paragraph 2 may not be based on the specific categories of personal
data referred to in Article 9 (1) of the Regulation, unless Article 9 (2) (a) or (g) applies and the data
subject concerned. appropriate measures have been taken to protect the rights, freedoms and
legitimate interests of
2.10. The data subject 's right to complain and to seek redress
Right to complain to the supervisory authority.
(1) The data subject shall have the right to complain to the supervisory authority, in accordance with
Article 77 of the Regulation, if he considers that the processing of personal data concerning him
infringes this Regulation.
(2) The data subject may exercise his right to complain at the following contact details:
National Data Protection and Freedom of Information Authority address: 1125 Budapest, Szilágyi
Erzsébet fasor 22 / c Phone: +36 (1) 391-1400; Fax: +36 (1) 391-1410 www: http://www.naih.hu e-
mail: ugyfelszolgalat@naih.hu
(3)The supervisory authority to which the complaint has been lodged shall inform the customer of
the progress of the complaint procedure and of the outcome thereof, including the right of the
customer to seek judicial redress under Article 78 of the Regulation.
2.11. Right to an effective judicial remedy against the supervisory authority
(1) Without prejudice to other administrative or non-judicial remedies, all natural and legal persons
shall have the right to an effective judicial remedy against a legally binding decision of the
supervisory authority.
(2) Without prejudice to other administrative or non-judicial remedies, any person concerned shall
have the right to an effective judicial remedy if the competent supervisory authority does not deal
with the complaint or does not inform the person concerned within three months of the complaint
under Article 77 of the Regulation. procedural developments or their outcome.
(3) Proceedings against the supervisory authority shall be brought before a court of the Member
State in which the supervisory authority has its seat.
(4) Where proceedings are instituted against a decision of a supervisory authority in respect of which
the Board has previously issued an opinion or taken a decision under the consistency mechanism, the
supervisory authority shall send that opinion or decision to the court.
2.12. The right to an effective judicial remedy against the controller or processor
(1) Without prejudice to available administrative or non-judicial remedies, including the right to
complain to the supervisory authority under Article 77, any person concerned shall have the right to
an effective judicial remedy if he considers that his personal data have not been processed in
accordance with this Regulation. their rights under this Regulation have been infringed.
(2) Proceedings against the controller or the processor shall be brought before a court of the
Member State in which the controller or the processor is established. Such proceedings may also be
instituted before a court of the Member State in which the data subject has his habitual residence,
unless the controller or processor is a public authority of a Member State acting in the exercise of its
official authority.
2.13. Restrictions
(1) Union or Member State law applicable to a controller or processor may restrict the application of
Articles 12 to 22 by means of legislative measures. Articles 34 and 34 and Articles 12 to 22. the scope
of the rights and obligations set out in Article 5, provided that the restriction respects the essential
content of fundamental rights and freedoms and is a necessary and proportionate measure to
protect in a democratic society:
a. national security;
b. national defense;
c. public safety;
d. the prevention, investigation, detection or prosecution of criminal offenses and the execution of
criminal sanctions, including protection against and prevention of threats to public security;
e. other important general interest objectives of general interest of the Union or of a Member State,
in particular important economic or financial interests of the Union or of a Member State, including
monetary, budgetary and fiscal matters, public health and social security;
f. protection of judicial independence and judicial proceedings;
g. in the case of regulated professions, the prevention, investigation, detection and prosecution of
ethical misconduct;
h. in the cases referred to in points (a) to (e) and (g), control, inspection or regulatory activity, even
occasionally, in the performance of public authority;
i. the protection of the data subject or the protection of the rights and freedoms of others;
j. enforcement of civil claims.
(2) The legislative measures referred to in paragraph 1 shall, where appropriate, contain detailed
provisions on at least:
the. the purposes of the data processing or the categories of data processing,
b. categories of personal data,
c. the scope of the restrictions imposed,
d. guarantees to prevent abuse or unauthorized access or transmission,
e. to define the controller or to define the categories of controllers,
f. the duration of the data retention and the applicable guarantees, taking into account the nature,
scope and purposes of the data processing or categories of data processing,
g. the risks to the rights and freedoms of data subjects, and
h. the right of data subjects to be informed of the restriction, unless this could adversely affect the
purpose of the restriction.
2.14. Information on the data protection incident
(1) Where a data protection incident is likely to pose a high risk to the rights and freedoms of natural
persons, the controller shall inform the data subject of the data protection incident without undue
delay.
(2) The information provided to the data subject referred to in paragraph 1 shall clearly and
intelligibly describe the nature of the data protection incident and shall include at least the name and
contact details of the data protection officer or other contact person providing further information,
the likely consequences of the data protection incident, the measures taken or planned by the
controller to remedy the data protection incident, including, where appropriate, measures to
mitigate any adverse consequences arising from the data protection incident.
(3) The data subject need not be informed as referred to in paragraph 1 if any of the following
conditions is met:
a. the controller has implemented appropriate technical and organizational protection measures and
these measures have been applied to the data affected by the data protection incident, in particular
those measures, such as the use of encryption, which make it incomprehensible to persons not
authorized to access personal data;
b. the controller has taken further measures following the data protection incident to ensure that the
high risk to the data subject's rights and freedoms referred to in paragraph 1 is no longer likely to
materialize;
c. information would require a disproportionate effort. In such cases, the data subject shall be
informed through publicly available information or a similar measure shall be taken to ensure that
the data subject is informed in an equally effective manner.
(4) If the controller has not yet notified the data subject of the data protection incident, the
supervisory authority may, after considering whether the data protection incident is likely to involve
a high risk, order the data subject to be informed or establish that one of the conditions referred to
in paragraph 3 is met.
VI. PROCEDURE TO BE APPLIED IN THE EVENT OF THE APPLICANT CONCERNED
(1) The Company shall facilitate the exercise of the data subject's rights, and the data subject may
not refuse to comply with the request to exercise the rights set out in this data protection notice,
unless he or she proves that the data subject cannot be identified.
(2) The Enterprise shall, without undue delay, and in any event within one month of receipt of the
request, inform the data subject of the action taken on the request. If necessary, taking into account
the complexity of the application and the number of applications, this time limit may be extended by
a further two months. The controller shall inform the data subject of the extension of the time limit,
indicating the reasons for the delay, within one month of receiving the request.
(3) If the data subject has submitted the request by electronic means, the information shall, as far as
possible, be provided by electronic means, unless the data subject requests otherwise.
(4) If the Undertaking fails to take action at the request of the data subject, it shall without delay, but
no later than one month from the receipt of the request, inform the data subject of the reasons for
non-action and that the data subject may lodge a complaint with the supervisory authority. right of
appeal.
(5) The Company shall provide the following information and measures to the data subject free of
charge: feedback on the processing of personal data, access to the processed data, correction,
supplementation, deletion, restriction of data processing, data portability, protest against data
processing, data protection incident information.
(6) If the data subject's request is clearly unfounded or - especially due to its repetitive nature -
excessive, the data controller, taking into account the administrative costs involved in providing the
requested information or action or taking the requested action: may charge a fee of HUF 5,000 or
refuse the request. action on the basis of
(7) The burden of proving that the request is manifestly unfounded or excessive is on the controller.
(8) Without prejudice to Article 11 of the Regulation, if the controller has reasonable doubts about
the application of Articles 15 to 21 of the Regulation. With regard to the identity of the natural
person submitting the application pursuant to Article 1, he may request the provision of additional
information necessary to confirm the identity of the data subject.
VII. PROCEDURE IN THE EVENT OF A PERSONAL DATA BREACH
(1) A data protection incident is a breach of security within the meaning of the Regulation which
results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or
unauthorized access to, personal data transmitted, stored or otherwise handled.
(2) The loss or theft of a device containing a personal data (laptop, mobile phone) shall be considered
a data protection incident, as well as the loss or inaccessibility of the code used to decrypt the
encrypted file by the data controller, infection by ransomware. makes the data managed by the data
controller inaccessible until the payment of the ransom, the attack on the IT system, the publication
of e-mails containing incorrectly sent personal data, the publication of the address list, etc.
(3) If a data protection incident is detected, the representative of the Company shall immediately
conduct an investigation in order to identify the data protection incident and determine its possible
consequences. The necessary measures must be taken to remedy the damage.
(4) The data protection incident shall be reported to the competent supervisory authority without
undue delay and, if possible, no later than 72 hours after becoming aware of the data protection
incident, unless the data protection incident is not likely to endanger the rights and freedoms of
natural persons. viewed. If the notification is not made within 72 hours, the reasons for the delay
must be provided.
(5) The data processor shall report the data protection incident to the data controller without undue
delay after becoming aware of it.
(6) The notification referred to in paragraph 3 shall include at least:
a. the nature of the data protection incident, including, where possible, the categories and
approximate number of data subjects and the categories and approximate number of data affected
by the incident;
b. the name and contact details of the data protection officer or other contact person for further
information;
c. the likely consequences of the data protection incident must be described;
d. describe the measures taken or planned by the controller to remedy the data protection incident,
including, where appropriate, measures to mitigate any adverse consequences arising from the data
protection incident.
(7) If and where it is not possible to communicate the information at the same time, it may be
communicated at a later date without further undue delay.
(8) The data controller shall keep a record of data protection incidents, indicating the facts related to
the data protection incident, its effects and the measures taken to remedy it. This register allows the
supervisory authority to verify compliance with the requirements of Article 33 of the Regulation.
VIII. WEBSITE - RELATED DATA MANAGEMENT
Information about the data of visitors to the Company's website
(1) During visits to the Company's website, one or more cookies - a small packet of information sent
by the server to the browser and then returned by the browser to the server at each request to the
server - are sent to the computer of the person visiting the website. your browser will be uniquely
identifiable if the person visiting the website has given his or her express (active) consent to the
further browsing of the website after clear and unambiguous information.
(2) Cookies only work to improve the user experience and to automate the login process. The cookies
used on the website do not store personally identifiable information, and the Company does not
process personal data in this regard.
Registration, newsletter subscription
(1) The legal basis for data management is registration, in case of newsletter subscription, the data
subject's consent, which the data subject enters on the Company's website by ticking the box next to
the text registration or newsletter subscription.
(2) Stakeholder registration, in case of newsletter subscription: any natural person who wishes to
subscribe to the Company's newsletter or to register on the website and gives his / her consent to
the processing of his / her personal data.
(3) The scope of the managed data in case of newsletter subscription: name, e-mail address.
(4) The scope of the managed data in case of registration: name, address, e-mail address, telephone
number, login password.
(5) The purpose of data management in case of newsletter subscription: informing the data subject
about the services and products of the Company, the changes that have taken place in them,
informing about news and events.
(6) The purpose of data management in case of registration: contacting for the preparation of
concluding a contract, providing services available free of charge on the website to the data subject,
access to the non-public content of the website.
(7) Recipients of the data (who can get to know the data) in case of newsletter subscription,
registration: the head of the Company, the employee in charge of customer relations, the employees
of the data processor in charge of the operation of the website of the Company.
(8) Duration of data management in case of newsletter subscription, registration: in case of
newsletter subscription until unsubscription, in case of registration until cancellation at the request
of the data subject.
(9) The data subject may at any time unsubscribe from the newsletter or request the deletion of his
registration (personal data). The newsletter is unsubscribed by clicking on the unsubscribe link in the
footer of the e-mails sent to the person concerned, or by mail sent to the registered office of the
Company.
Data management related to direct marketing activities
(1) The legal basis for the direct marketing of the Company's data for marketing purposes is the
consent of the data subject, which is clear and explicit. The data subject's explicit, express prior
consent is given on the Company's website by ticking the box next to the consent to the direct
marketing request text after informing about the processing of his / her data.
(2) The data subject may also give his / her consent on paper, in accordance with Article 2 of these
Regulations. by completing the form in Annex.
(3) Stakeholder: any natural person who gives his or her explicit, express consent to the processing of
the Company's personal data for direct marketing purposes.
(4) The purposes of data management: advertisements related to the provision of services, the sale
of goods, sending offers, notification of promotions by electronic or postal means.
(5) Recipients of personal data: the head of the Company, employees performing customer service
tasks and marketing tasks on the basis of their job.
(6) The scope of personal data processed: name, address, telephone number, e-mail address.
(7) Duration of data processing: the processing of personal data for the purpose of direct marketing
by the data subject.
Webshop related data management
(1) The above provisions shall apply to the registration in the webshop, the data management
activities related to the subscription to the newsletter, and the information of the visitors.
(2) Online, electronic contracts (purchases) on the Company's website are in accordance with CVIII of
2001. therefore, the purpose of data management is to prove the fulfillment of the service provider's
obligation to provide consumer information required by law, to prove the conclusion of the contract,
to create the contract, to define, amend its content, to monitor its fulfillment, the invoicing of the
resulting fee (s) and the enforcement of related claims.
(3) In the case of purchases in the web store, the legal basis of data management is the fulfillment of
the contract and the fulfillment of a legal obligation.
(4) Categories of data affected by data management: customers' names, addresses, telephone
numbers, login passwords, bank account numbers.
(5) Categories of persons involved in data management: any natural person who registers in the
Company's web store, subscribes to a newsletter and makes a purchase.
(6) The categories of recipients of the data are the head of the Company, the employees performing
customer relations and sales-related tasks, the data processing staff performing the operation of the
Company's website, and the employees performing the accounting tasks of the Company, the data
processing employees performing these tasks.
(7) The place of data processing is the registered office of the Company.
(8) Duration of data processing: 5 years from the termination of the contract.
IX. DATA PROCESSING ACTIVITIES RELATED TO THE PERFORMANCE OF THE
CONTRACT
(1) The Company handles the personal data of the natural persons contracting with it - customers,
customers, suppliers - in connection with the contractual relationship. The data subject must be
informed about the processing of personal data.
(2) Stakeholders: all natural persons who enter into a contractual relationship with the Company.
(3) The legal basis of data management is the performance of a contract, the purpose of data
management is to maintain contact, enforce claims arising from the contract, and to ensure
compliance with contractual obligations.
(4) Recipients of personal data: the head of the Enterprise, the employees and data processors of the
Enterprise performing customer service and accounting tasks on the basis of their job.
(5) The scope of personal data processed: name, address, registered office, telephone number, e-
mail address, tax number, bank account number, entrepreneur card number, primary producer card
number.
(6) Duration of data processing: 5 years from the termination of the contract.
X. INFORMATION ON DATA MANAGEMENT RELATED TO THE APPLICATION OF
AN ELECTRONIC MONITORING SYSTEM
(1) Our company operates an electronic surveillance and recording system (camera system) in the
customer area / in the area belonging to it, in the units belonging to it. Upon entering the observed
area (room) indicated by this sign, the electronic surveillance system will record the image and action
of the person concerned.
(2) The legal basis for the camera surveillance is the voluntary consent of the data subject based on
the information provided by our Company in the form of warning signs. The consent of the data
subject may also be given in the form of express implied conduct. Such explicit conduct is when
entering or staying in a room / area monitored by an electronic monitoring and recording system. If
you do not wish to give your consent, do not enter the rooms / areas or units marked with a warning
sign.
(3) The purpose of the recordings shall be the protection of human life, physical integrity, personal
liberty, the protection of business secrets, the prevention and detection of infringements for the
protection of persons and property, the proof of infringements, the documentation of possible
accidents at the customer premises, and the protection of the private space available to the public
for the performance of the insurer's tasks. The camera surveillance system does not record sound.
(4) The legal basis for camera surveillance is the voluntary consent of the data subject on the basis of
information provided by the Company in the form of notice boards. The consent of the data subject
may also be given in the form of express implied conduct. Such explicit conduct is when entering or
staying in a room / area monitored by an electronic monitoring and recording system.
(5) The place of storage of the recordings (personal data) recorded by the electronic monitoring
system is the registered office of our company, the duration of the storage of the recordings is 3
working days from the preparation.
(6) The scope of the processed data: the touch image and other personal data recorded by the
operated camera system.
(7) The personal data recorded by means of camera recording may be obtained by: The head of an
enterprise, the employees operating the camera system, the data processor performing the
operation for the purpose of detecting violations and checking the operation of the system.
XI. DATA SECURITY PROVISIONS
(1) The Company may process personal data only in accordance with the activities set out in these
regulations, for the purpose of data processing.
(2) The Company shall ensure the security of data, in this connection it undertakes to take all the
technical and organizational measures that are strictly necessary for the enforcement of data
security legislation, data and confidentiality rules, and to establish the procedural rules necessary for
the enforcement of the legislation specified above.
(3) The Company shall protect the data against unauthorized access, alteration, transmission,
disclosure, deletion or destruction, as well as against accidental destruction and damage, as well as
becoming inaccessible due to changes in the applied technology.
(4) The technical and organizational measures to be implemented by the Company in order to ensure
data security are set out in the Company's data protection regulations.
(5) The Company shall take into account the current state of the art when defining and applying data
security measures, and in the case of several possible data management solutions, it shall choose a
solution ensuring a higher level of protection of personal data, unless this would cause a
disproportionate difficulty.
XII. RULES RELATING TO DATA PROCESSING
1. General rules on data processing
(1) The rights and obligations of the data processor related to the processing of personal data shall
be determined by the data controller within the framework of law and special laws concerning data
processing.
(2) The Enterprise declares that in the course of its data processing activities it does not have the
competence to make a substantive decision on data processing, may process personal data only in
accordance with the data controller's instructions, may not process data for its own purposes, and is
obliged to process personal data store and preserve.
(3) The Enterprise shall be responsible for the lawfulness of the instructions given to the data
processor regarding the data processing operations.
(4) The obligation of the Enterprise is to provide the data subjects with information about the person
of the data processor and the place of data processing.
(5) The Enterprise does not authorize the data processor to use another data processor.
(6) The contract for data processing shall be in writing. Data processing cannot be entrusted to an
organization that has an interest in the business using the personal data to be processed.
Done at Nyíregyháza on June 1, 2018.