Data Processing Policy

I. Data processor (Service provider)

Name of Service provider: Globero Ltd.
Official seat and mailing address: 28-30, E. ép. 2. em. 3.Józsefhegyi utca  1025 Budapest
Registering authorities: Budapest Metropolitan Court as Court of Registration
Company registry nr.: Cg. 01-09-292960
Tax Id.: 25298134-2-41
E-mail address: rendeles@globero.hu
Website: www.globero.hu
Customer service: +36 30 8989 547
Place and contact details for complaint management: 2-4 Batthyány utca, 7622 Pécs
+36 30 8989 547
rendeles@globero.hu
On working days from 10:00 to 16:00
Name of web hosting service provider: InfoComplex Ltd.
Address of web hosting service provider: 1 Edison utca, 7621 Pécs.
Name of web hosting service provider 2: Microsoft Hungary Ltd.
Address of web hosting service provider 2: 3 Graphisoft Park 31031 Budapest.

II. Privacy policy applied by the company

    1. A Service Provider, as data controller, undertakes to make sure that all data processing related to its activities complies with the requirements set forth in this Policy and in the national legislation in force and in the legal acts of the European
    2. Service Provider’s information related to data processing is continuously available in the footer of the opening page of globero.hu website hosted by the Service Provider.
    3. Service Provider is entitled to unilaterally amend the Information on Data processing. In the case of amending of the Information on Data processing, the Service Provider notifies the user by publishing the amendments on globero.hu. Users accept the amended Information on Data processing by using the service after the amendment has entered into force.
    4. Service Provider is committed to protecting the personal data of its clients and partners, and it pays particular attention to respecting the right to self-determination of its clients. Service Provider shall handle personal data confidentially and take all security, technical and organizational measures in order to guarantee the security of the data. The data processing practices of the Service Provider are contained in this Information on Data processing.
    5. The Privacy Policy of the Service Provider is in compliance with the current legislation on data protection, in particular with the following:
      Act CXII of 2011 on Information Self-Determination and Freedom of Information (Info Act);
      • Decree (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and on the repealing of EC Decree No 95/46 (General Data Protection Regulation, GDPR);
      • Act V of 2013 – on the Civil Code (Civil Code);
      • Act C of 2000 on Accounting (Accounting Act);
      • Act CXXXVI. of 2007 on the Prevention and Impending of Money Laundering and Financing Terrorism (AML Act.);
      • Act CVIII of 2001 Act on  certain issues of electronic commerce activities and Information Society Services (E-commerce. Act);
      • Act XLVIII. of 2008 on the basic terms and conditions and certain restrictions of economic advertising (El.Ad. Act.)
    6. Service Provider shall use the personal data based on the legal grounds included in the GDPR and exclusively for specific purposes.
    7. Service Provider undertakes to publish, record, and communicate clear, noticeable and unambiguous communication prior to the collection, recording and processing of any Personal Data of its users, informing them of the manner, purpose and principles of data collection. In the case of mandatory data provision, the Act ordering Data protection shall also be indicated. The data subject shall be informed of the purpose of the Data processing and of who will handle or process the Personal Data concerned.
    8. In all cases where the Company intends to use the Personal Data provided for a purpose other than the purpose for which it was originally collected, it shall inform the User thereof and obtain the prior explicit consent of the User for this purpose or provide him or her the opportunity to prohibit the use.

III. Legal grounds and purpose for data processing, and the scope of the data processed, duration of data processing, the persons having access to the personal data concerned

    1. The Service Provider’s data processing is based on the following Legal grounds [Article 6 (1) of the GDPR]:
      a) the data subject gave its consent to the processing of his or her personal data for one or more specific purposes (voluntary consent);
      b) the processing is necessary for the performance of a contract in which one of the parties is the data subject, or it is required to take action at the request of the data subject before the conclusion of the contract (performance of the contract);
      c) data processing is necessary to fulfil the legal obligation of the controller (legal obligation);
      d) data processing is necessary for the enforcement of the legitimate interests of the controller or a third party (legitimate interest).
    2. In the case of data processing based on voluntary consent, data subjects may withdraw their consent at any stage of the processing.
    3. A minor with no or limited legal capacity may not use any service through the system of the Service Provider.
    4. In some cases, the processing, storage and forwarding of the scope of data concerned is mandatory by law, of which users shall be notified separately.
    5. We call the attention of the data providers providing data to the Service Provider to the fact that in case of providing someone else’s personal data, data provider is obliged to obtain the consent of the data subject concerned.
    6. Personal data may only be processed for a specific purpose. At every stage of data processing, the purpose of data processing must be met, the recording and processing of data must be fair and lawful. Only those personal data can be processed that are essential for the purpose of data processing and are suitable to achieve the goal concerned. Personal data can only be managed to the extent and for the duration necessary to achieve the goal. Service Provider shall not use the personal data for purposes other than those specified.

IV. Online webshop service (purchase of products) – purchase transaction, logging in, notification (one-off purchase)

The purpose of data processing is to ensure the provision of the webshop service available on the website, ordering, providing services for the order, the documentation of the purchase and payment, and the fulfilment of the accounting obligation. Data processing also aims to identify the user as a buyer and deliver the service ordered, send notifications related to the product (such as product recall notifications, etc.), manage the payment through a payment service provider, register and distinguish the users from one another, transfer the logging in data to the shipping agent of the product, and perform the contract.

Legal grounds for data processing: performance of the contract, section b) of Article 6 (1) of the GDPR.

The range of data processed is surname and first names, phone number (optional if the buyer provides it for the receipt of notifications), email address, password given during preliminary registration, delivery address provided for home delivery, number, date and time of transaction, customer number, gift voucher number.

Deadline for deleting the data: 15 days after the delivery of the product ordered. In case a legal dispute arises concerning the purchase transaction, the Service Provider will keep the data for the duration of the dispute. The Legal grounds for this is the legitimate interest of the Service Provider, Section f) of Article 6 (1) of the GDPR.

Possible consequences of the failure of providing data: failure of the purchase transaction.

V. Registration

Purpose of data processing: By entering a password during preliminary registration, it is possible for the Users to enter their data only once and not for each purchase. Some services on the website are only available to registered Users. Such services include writing comments, rating comments, and follow-up. As a convenience service, users can edit their personal information, view and download their orders, invoices, and track their comments, in the account opening as a personal menu item on the website. Managing the diverse personal data stored in your account necessarily involves creating your profile.

Legal grounds for data processing: voluntary consent of the data subject, section a) of Article 6 (1) of the GDPR.

The range of data processed include: email address, password, and any personal information that the User has provided during the purchase or in the account: address, billing address, phone number for contact. The data processed may include the products purchased by the User in the course of his / her orders, the date of purchase, the invoice, the User’s comments and their rating, and the comments rated by the User.

Deadline for deleting the data: The Service Provider handles the data provided until the use of data for such purposes is prohibited by the User by unsubscribing.

Possible consequences of failure to provide data: users will not be able to use the convenience features and services of the website.

VI. Notification service

Purpose of data processing: The notification service allows customers, in addition to receive technical information on the product, to use notification services such as pre-shipment reminder, to review the product retrospectively, and to receive automatic bulletins (reminder of leaving the basket, products becoming available again, etc.).

Legal grounds for data processing: voluntary consent of the data subject, section a) of Article 6 (1) of the GDPR.

The range of managed data include: email, name, optional phone number if the buyer wants to receive notifications via text messages, Facebook Messenger ID to receive notifications via Messenger chatbot.

Deadline for deleting the data: The Service Provider handles the data provided until the use of data for such purposes is prohibited by the User by unsubscribing.

Possible Consequences of Failing to Provide Data: users will not be able to use the convenience features of the website, and they will not be notified of the changes.

VII. Invoicing

The purpose of data processing is to issue an accounting document for purchase transactions and to keep it until the statutory deadline.

Legal grounds for data processing: compliance with legal obligation, Section c) of Article 6 (1) of the GDPR.

Scope of the data processed include surname and first names, billing address specified for invoicing, number, date and time of the transaction, content of the document, tax ID for the invoice (if provided by the customer).

Deadline for deletion of data, duration of data processing: 8 years, or else the period specified in the current tax-legal and accounting legislation.

Possible consequences of failing to provide data: failure to purchase.

VIII. Personalized offers, creating your profile

Purpose of data processing: Profiling helps users to see relevant customized offers in the website and newsletter recommendations. Profiling helps the data processor to compile the best offer for their.

Legal grounds for data processing: voluntary consent of the data subject, section a) of Article 6 (1) of the GDPR.

Scope of the data processed: email, name, address, site-related information (date and duration of visit , pages viewed, click to other pages within the pates concerned, use of the search engine), use of shopping cart (order ID, products, product categories of products, their values), purchases (date of transaction, value, product, category, discount, payment method), technical information (IP address, cookie ID, type of browser, type of device, Google, Facebook, IDs, source page), details of using newsletter and Notification Message (e-mail opening date, device, links clicked through, shopping details), data associated with the use of the blog system (comments, ratings, click-through links.

Principles of profiling: The recommendation system offers a list of events that are supposed to be the most appropriate for the customer based on the data being processed, to be displayed on the website and included in the messages sent by the Service.

Deadline for deleting the data: The Service Provider handles the data provided until the use of data for such purposes is prohibited by the User by unsubscribing.

Possible Consequences of Failing to Provide Data: The Website and the Newsletters display offers that are not relevant to the User: users will not be able to use convenience services subject to registration.

IX. Electronic newsletter

Purpose of data processing: Send e-mail newsletters including advertisements as well to users interested. If a user subscribes for the newsletter, the Service Provider may send a newsletter to the user at a frequency decided by the service provider. The Service Provider shall endeavour to offer appropriate events to the readers of the newsletter they are probably interested in, based on the place of residence, their previous purchases and other data collected during profiling.

Legal grounds for data processing: voluntary consent of the data subject, section a) of Article 6 (1) of the GDPR.

The range of data processed include: name, email address, postal code, phone number, and data collected in profiling.

Deadline for deleting the data: The Service Provider handles the data provided until the use of data for such purposes is prohibited by the User by unsubscribing. One can cancel the newsletter by clicking the Unsubscribe link at the bottom of the newsletter. The personal data of the data subject concerned will be deleted within 10 working days of receiving the request.

Possible Consequences of Failing to Provide Data: Users will not receive notifications of products.

X. Managing Cookies

Cookies are alphanumeric information packages sent by the web server and stored on the user’s computer and stored for a predetermined period of validity. The use of cookies provides an opportunity to retrieve some data of a visitor and to monitor his or her use of the Internet. Cookies help to track the interests, Internet usage habits, website visit history of the User concerned, in order to make sure that the User’s shopping experience is optimal. As Cookies work as a kind of label that allows the website to recognize a visitor returning to the site, they can also store a valid username and password for that page. If the browser returns a previously saved cookie, the cookie provider has the option of linking the user’s current visit to the previous one, but only for its own content.

The information sent by cookies makes it easier to recognize the Internet browsers whereby Users can receive relevant and “personalized” content. Cookies make browsing more convenient, including online data security needs and relevant advertising. With the help of cookies, Service Provider can also create anonymous statistics about the habits of the visitors of the page, therefore it can personalize the look and content of the page even more.

The Service Provider’s website uses two types of cookies:

  • Temporary Cookies – are session-id cookies essential for using the web page. Their use is essential for navigating the website and for the functionality of the website. Failing to accept them result in the website or parts of it will not appear, browsing will be hindered, placing the items into the cart or online payment through the bank will not be implemented properly.
  • Permanent cookies are the ones that stay on the device for a long time, depending on the Web search engine setting, until they are deleted by the User. They include both internal and external cookies. In case of internal cookies, the Service Provider’s web server installs the cookie and the data is transferred to its own database. If the cookie is installed by the Service Provider’s web server, but the data is transferred to an external service provider, the cookie is considered external. Such external cookies include third-party cookies placed by third parties in the user’s browser (Google Analytics, Facebook Pixel). They will be placed in the browser if the website visited uses third party services. The purpose of a permanent cookie is to ensure the highest quality of the site in order to enhance the user’s experience.

While visiting the website, you can use the button on the cookie alert on the login page whereby Users are allowed to give consent to the permanent cookies being stored on the User’s computer and accessed by the Service Provider.

User can use the browser to configure and block cookies activity. Usually, one can manage cookies in the Tools / Options menu of the browser under the Privacy / History / Custom Settings menu, under cookies or tracing. However, please note that in the latter case, without the use of cookies, Users may not be able to use all the services of the website, especially the payment services. For more information about cookies, click the “More Info” button on the cookie alert bar on globero.hu.

The purpose of data processing is to execute payment transactions with the payment service provider, to identify users, to distinguish them from one another, to identify the current session of the users, to store the data provided during the process, to prevent data loss, to identify users, to track, and to perform the web analytics.

Legal grounds for data processing: voluntary consent of the data subject, section a) of Article 6 (1) of the GDPR.

The range of data processed include: identification number, date, time, and the page visited previously.

Duration of data processing: Temporary cookies are stored until the user closes all browsers of that type. Permanent cookies are stored for one year on the user’s computer or until deleted by the User.

Possible consequences of failing to provide data: incomplete use of the services of the website, failure of payment transactions, inaccuracy of analytical measurements.

XI. Statistics

The controller can use data for statistical purposes. The use of the data in a statistically aggregated form shall not contain the name or other identifier of the user concerned in any form.

XII. Data technically recorded during system operation

Data technically recorded include the data of the User’s logon computer that is generated during the use of the service and which are logged by the data processing system as a result of the technical processes (e.g.: IP address, session ID). Due to the operation of the Internet, the system automatically records the data to be recorded automatically without the User’s separate statement or action when Internet is used. The Internet fails to work without these automatic server-client communications. These data may not be linked to other User Personal Information except as required by law. Only the Data Controller has access to the data. Log files that are automatically and technically recorded during system operation are stored in the system for a reasonable period of time to ensure system operation.

XIII. Recording phone calls

Service Provider records incoming and outgoing telephone calls to customer service.

The purpose of data processing is to enforce the rights of the clients and the data controller, to provide evidence for the resolution of possible disputes, to provide evidence to support the possible non-recoverability of the claim, and to provide subsequent proof of the agreements, to meet quality-assurance and statutory obligations.

Legal grounds for data processing: voluntary consent of the data subject.

The range of data processed is: identification number, phone number to be called, number called, date of call, time of call, voice recording of the telephone conversation, and other personal information provided during the conversation. Deadline for data deletion: five years.

Possible consequences of failing to provide data: failing to provide telephone support by the service provider.

XIV. Service Provider’s correspondence with its Customers (emails)

If you wish to get in contact with our Company, you can contact the Service Provider in the information provided in this information sheet or on the website. The Service Provider shall delete all e-mails received including the sender’s name, e-mail address, date, time data and other personal data provided in the message after up to five years from the date of providing the data.

XV. Web analytics

Google Analytics, as an external service provider, helps to independently measure website traffic and other web analytics data. For detailed information on how your data is analysed, visit http://www.google.com/analytics . Google Analytics data is used by the Service Provider solely for statistical purposes, to optimize the operation of the site.

XVI. Other data processing

Information on data processing not listed in this policy is provided when the data are recorded. Please note that the based on the authorisation provided by the court, a prosecutor, an investigative authority, an infringement authority, administrative authorities, the National Authorities for Data Protection and Freedom of Information, the Hungarian National Bank, and other bodies authorised by the law, the Service Provider might be contacted to disclose, provide or transfer information or documents. The Service Provider shall disclose personal data to the authorities, if the authorities have specified the exact purpose and scope of the data, only to the extent strictly necessary for the purpose of the request.

The Data Controller shall not check the personal data provided to him. Only the person providing them is responsible for the accuracy of the data provided. Whenever a user enters an e-mail address, he or she is responsible for ensuring that only he or she uses the e-mail address provided. With regard to this responsibility, any liability related to logging in with a specific e-mail address is the sole responsibility of the user who registered the e-mail address. If the user provides someone else’s personal information, he / she is obliged to obtain the consent of the data subject concerned.

The scope of persons entitled to receive personal data include employees or subcontracted staff members of the Service Provider, employees of the courier service involved in the delivery of the products (if requested by the customer) and the Data Processors.

XVII. Transfer of Data, Name of Data Controllers

    1. By using the service, Users agree that the Service Provider may forward the data to the following partners. Legal grounds for data processing: performance of the contract, section b) of Article 6 (1) of the GDPR.
      The service provider providing the technical conditions for invoicing as Data Processor, which is as follows:
      – Profit Holding Hungary Ltd.
      address: 12 Felső Erdősor 1068 Budapest,. and 1 Liszt Ferenc tér 1. 7622 Pécs, Hungary
      • Tasks related to the sending of e-mails to the Users, or if the data subject has given permission for profiling, in the case of the related tasks, based on the contract concluded with the data controller are performed by
      – InfoComplex Limited Liability Company
      1, Edison u. 7630 Pécs and
      – Microsoft Hungary Liability Company
      3 Graphisoft Park 3. Budapest, as data controllers.
      • For the financial institutions involved in the payment process, Service Provider shall transfer the information required by the respective financial institution for the execution of the payment. The scope of data is different for each financial institution. The Service Provider will not receive the personal data provided at the financial institution’s own pages dedicated to retrieving information.
      • Service Provider will provide the data required by shipping service provider preforming the delivery including:
      – GLS Hungária Limited Liability Company
      18/B Széchenyi u., 1174 Budapest;
      – Rakta-Transzport Limited Liability Company
      2 Határhalom u. 2., 1173 Budapest;
      • BolkoDesign Limited Liability Company (31 Füzes dűlő 7631 Pécs) as data controller performs the analysis of the Service Provider’s web usage data, the blog system and the operation of the related commenting and rating system, and the mailing task of the tracking service.
    2. Service Provider, as Data Controller, is entitled and obliged to forward all personal data at its disposal to the competent authorities, which is required by law or a legally binding legal obligation. Data Controller cannot be held responsible for such disclosure of data and the resulting consequences.
    3. Service Provider performs any disclosure of data not specified above only with the prior and informed consent of the User.

XVIII. How personal data are stored; security of data processing

    1. The Service Provider’s computer systems and other data storage locations are found at its headquarters and at its data processors.
    2. The Service Provider selects and operates the IT tools used for providing the service and for the processing of personal data, so that:
      a) the data processed are accessible to authorized persons (availability);
    3. b) the authenticity and their authentication of the data are provided (authenticity of data processing);
    4. c) it can verify that the data are unchanged (data integrity);
    5. d) the data are protected against unauthorized access (data confidentiality).
  1. Service Provider protects the data by appropriate measures, in particular against unauthorized access, alteration, transmission, disclosure, deletion or destruction, and against unavailability due to accidental destruction, damage, or change in the technology applied.
  2. In order to protect the data files processed electronically in its various registers, the Service Provider shall ensure that the data stored –  unless permitted by law – are not directly linked and assigned to the data subjects.
  3. With regard to the state of the art, the Service Provider ensures the protection of data security by providing technical, organizational and corporate organizational measures that provide a level of protection appropriate to the risks associated with data processing.
  4. During the processing of data, Service Provider shall maintain
    a) confidentiality: protects the information so that it can only be accessed by authorized persons;
  5. b) integrity: protects the accuracy and completeness of the information and the processing method;
  6. c) Availability: makes sure that when an authorized user needs it, he can actually access the information he or she needs and have the related tools at his or her disposal.
  1. The IT system and network of the Service Provider and its partners are both protected against computer-assisted fraud, espionage, sabotage, vandalism, fire and flood, as well as against computer viruses, hacking and other attacks. The operator provides security at server-level and application-level security procedures.
  2. The Service Provider provides additional measures during automated processing of personal data to make sure that
    a) unauthorized data entry is prevented;
  3. b) the use of automatic data-processing systems by unauthorized persons using data transmission equipment is prevented;
  4. c) the bodies to which personal data have been transmitted or can be transmitted by means of data transmission equipment can be established and verified;
  5. d) the date and the person entering certain personal data into the relevant automatic data-processing systems can be established and verified;
  6. e) the systems installed can be restored in case of malfunction and the errors occurring during automated processing are reported.
  7. Service Provider shall take into account the state of the art when the measures for data security are set and applied. Of several possible data processing solution that one should be chosen that provides the highest level of protection for personal data, unless it would present disproportionate difficulties.
  8. Service Provider shall ensure the protection of data security by providing technical, organizational and corporate organizational measures that provide a level of protection appropriate to the risks associated with data processing.
  9. Electronic messages transmitted via the Internet are vulnerable to network threats, regardless of protocol (e-mail, web, ftp, etc.), which are aiming a unfair practices or disclosing or modifying information. Service provider shall do its best to provide measure in order to protect the information against such threats. It monitors systems to record any security deviations and to be able to provide evidence for all security incidents. System monitoring also allows one to check the effectiveness of the applied precautions. However, the Internet is not 100% secure, as is well known to users. Service Provider shall not be liable for any damage caused by the unavoidable attacks that may occur despite the expected greatest care.

XIX.  Rights of Data Subjects

    1. Data subjects may request information on the processing of their personal data and may request the correction of their personal data or, with the exception of mandatory data processing, the cancellation, revocation of their data and can exercise their right to protest in the manner indicated when the data were recorded, or at the contact details provided in section I of this Privacy Policy.
    2. A request for a change in personal data or for the deletion of personal data may be made by a written declaration in a private document of full probative value sent from the e-mail address registered or by post. Data subjects can also change some of their personal information by modifying their personal profile at the relevant page.
    3. Right to information: The Service Provider shall take appropriate measures to ensure that all the information referred to in Articles 13 and 14 of the GDPR on the processing of personal information as well as all information included in Articles 15 to 22 and 34 of the GDPR is provided to the data subjects in a concise, transparent, comprehensible and easily accessible form, in a clear and comprehensible manner. The right to information can be exercised in writing through the contact details described in Section I of this Privacy Policy. Information may be given orally to the data subjects upon request after they verified their identity.
    4. The data subject’s right of access:The data subject has the right to receive feedback from the controller on whether his personal data are being processed and, if such processing is in progress, to have access to personal data and the following information:
      a) purposes of data processing;
    5. b) the categories of personal data concerned;
    6. c) the categories of recipients to whom the personal data were communicated, including in particular third-country recipients or international organizations;
    7. d) the intended duration of the storage of personal data;
    8. e) the right of rectification, erasure or restriction of data processing and the right to object;
    9. f) the right to lodge a complaint with the supervisory authority;
    10. g) information on data sources;
    11. h) the fact of automated decision-making, including profiling, as well as the logic applied and comprehensible information on the significance of such data processing and the expected consequences for the data subject. Requests for information sent by e-mail – unless the data subject identifies himself / herself in a different way – will only consider it credible by the Data Controller only if had been sent from the registered e-mail address of the User. In the case of transfer of personal data to a third country or some international organization, the data subject shall have the right to be informed of the appropriate guarantees regarding the transfer.
    12. Service Provider shall make a copy of the personal data subject to data processing available to the data subject. For additional copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. At the request of the data subject, the Service Provider shall provide the information in electronic form. The controller shall provide the information within a maximum of one month from the submission of the request.
    13. Right of rectification:Data subjects may request the rectification of inaccurate personal data processed by the Service Provider and the supplementation of incomplete data. Data Manager Corrects. If some personal data do not correspond to reality, and the right personal data are available to the data controller, he or she will correct the personal data concerned.
    14. Right of cancellation: Data subjects shall have the right to have the data controller delete, upon request, the personal data relating to him or her without any undue delay in case any of the following reasons prevail:
      a) personal data are no longer needed for the purpose for which they were collected or otherwise processed;
    15. b) the data subject’s consent is withdrawn by the data subject and there is no other legal grounds for the processing;
    16. c) the data subject objects to the processing of the data and there is no legal reason for the data processing to be given priority;
    17. d) personal data have been processed unlawfully;
    18. e) the personal data must be deleted in order to fulfil a legal obligation under Union or Member State law applicable to the controller;
    19. f) the collection of personal data took place related to providing information society services. Once the request for the deletion or modification of personal data has been fulfilled, the former (deleted) data may no longer be restored. No data deletion can be initiated if data processing is required for one of the following reasons: the fulfilment of an obligation under EU or national law requiring the processing of personal data applicable to the controller or else necessary for the submission, enforcement or protection of the legal requirements of the Service Provider.
    20. Right to restrict data processing: Upon request by the data subject, the Service Provider restricts data processing if any of the following conditions is met:
      a) the data subject disputes the accuracy of the personal data, in which case the restriction shall apply to the period of time allowing the accuracy of the personal data to be verified;
    21. b) the processing is unlawful and the data subject is against the deletion of the data and requests a restriction on their use instead;
    22. c) the controller no longer needs the personal data for the purposes of data processing, but the data subject requests them for the submission, enforcement or protection of his or her legal claims; or
    23. d) the data subject objected to the data processing; in this case, the restriction applies to the period until it is established whether the legitimate reasons given by the data controller have priority over the legitimate reasons of the data subject. If data processing is restricted, personal data may be processed, except for data storage, only with the consent of the data subject or for the submission, enforcement or protection of legal claims or for the protection of the rights of another natural or legal person. The Service Provider shall inform the data subject in advance of the lifting of the restriction of data processing.
    24. Right to data storage: Data subjects shall be entitled to receive personal data concerning them which are made available by them to the controller, in a structured, widely used machine-readable format and tp forward them to another data controller.
    25. Right of objection: Due to reasons related to their personal positions, Data subjects shall have the right to object at any time to the processing of their personal data for the legitimate interests of the controller or a third party, including profiling based on the provisions mentioned above. In the event of objection, the controller shall not process the personal data unless it is justified by compelling legitimate reasons that have priority over the interests, rights and freedoms of the data subject or which are related to the submission, enforcement or defence of legal claims. If the processing of personal data is performed for the purpose of direct marketing, the data subject shall have the right to object at any time to the processing of personal data relating to him or her for this purpose, including profiling, if related to direct marketing. In case of objection to the processing of personal data for the purpose of direct marketing, the data concerned must not be processed for this purpose.
    26. Automated decision-making in individual cases, including profiling:The data subject is entitled to be excluded from the scope of decisions based solely on automated data processing, including profiling, that would have legal effects on him or her or would be significantly affected. The above authorization is not applicable if the data processing is
      a) necessary for the conclusion or performance of a contract between the data subject and the controller;
    27. b) made possible by European Union or national law applicable to the controller, which also lays down appropriate measures for the protection of the rights and freedoms of the data subject and his or her legitimate interests; or
    28. c) based on the explicit consent of the data subject.
    29. Right of Withdrawal: The data subject is entitled to withdraw his consent at any time. Withdrawal of consent does not affect the legality of the consent-based data processing prior to revocation.
    30. Procedural Rules: Service Provider shall inform the data subject without undue delay, but in any case within one month of receipt of the request, of the measures taken in response to a request under Articles 15-22 of the GDPR. If necessary, taking into account the complexity of the request and the number of requests, this deadline may be extended by a further two months. The Service Provider shall inform the data subject of the extension of the deadline by indicating the reasons for the delay within one month of receiving the request.

      If the data subject has submitted the application by electronic means, the information shall be provided by electronic means, unless otherwise requested by the data subject. If the Service Provider fails to take action in response to the request of the data subject, it shall, without delay, but within one month of receipt of the request the latest, inform the data subject of the reasons for not taking any action, and may submit the complaint to a supervisory authority and may exercise its right of appeal at court. The Service Provider shall provide the requested information free of charge. If the data subject’s request is clearly unfounded or, in particular due to its repetitive nature, is excessive, the Service Provider may charge a reasonable fee or refuse to take action based on of the administrative costs involved in providing the requested information taking the action requested.

The Service Provider shall inform all recipients of any rectification, erasure or data processing restrictions it has made with whom the personal data have been communicated, unless this proves impossible or requires a disproportionate effort. At the request of the data subject, the Service Provider shall inform him or her of these addressees.

Service Provider shall make a copy of the personal data subject to data processing available to the data subject. The Service Provider may charge reasonable fees based on administrative costs for additional copies requested by the data subject If the data subject has submitted the application electronically, the information shall be provided in electronic format, unless otherwise requested by the data subject.

  1. Indemnification and penalty:Any person who has suffered material or immaterial damage as a result of a breach of the Data Protection Regulation shall be entitled to compensation from the controller or the processor for the damage suffered. The data processor is only liable for damages caused by data processing if he or she has failed to comply with the statutory obligations specifically imposed on data processors, or if the data controller has ignored or acted contrary to the lawful instructions of the data controller. If multiple data controllers or multiple data processors, or both the data controller and the data processor, are involved in the same data processing and are responsible for the damage caused by the data processing, each controller or data processor is jointly and severally liable for the entire damage. The controller or data processor is exempt from liability if proves that he or she is not liable in any way for the event giving rise to the damage.

XX. Options for exercising one’s rights:

  1. Right of access to a court: The data subject may, in the event of a violation of his or her rights, file a suit against the data processor at the court. The court shall implement accelerated procedure in the case.
  2. Data Protection Authority Procedure:Complaints can be made to the Hungarian National Authority for Data Protection and Freedom of Information:

ANNEX

Definitions used in this Data Processing Policy

  1. personal data:any information relating to an identified or identifiable natural person (“data subject”); a  natural person is considered identifiable who can be identified directly or indirectly, in particular by reference to an identifier, such as name, number, positioning data, online identifier or one or more factors relating to the physical, physiological, genetic, intellectual, economic, cultural or social identity of a natural person;
  2. Data processing: any operation or set of operations performed in an automated or non-automated manner on personal data or files, such as collection, recording, systematization, distribution, storage, transformation or alteration, query, insight, use, communication, transfer or distribution or other means by making available to the public, coordination or association, restriction, deletion or destruction;
  3. Restriction of data processing: marking some personal data stored in order to restrict their future processing;
  4. Profiling: any form of automated management of personal data whereby personal data are used to evaluate certain personal characteristics associated with a natural person, in particular to analyse or predict features related to workplace performance, economic situation, health status, personal preferences, interest, reliability, behaviour, location or movement;
  5. controller (data controller) means a legal entity that defines the purposes and means of the processing of personal data independently or collectively with others;
  6. data processor means a legal entity which processes personal data on behalf of the controller
  7. addresseemeans any natural or legal person, public authority, agency or any other body to whom personal data are disclosed, regardless of the fact whether it is a third party or not;
  8. third party means any natural or legal person, public authority, agency or any other body which is not the same as the data subject, the controller, the data processor or any person authorised to process personal data under the direct control of the controller or processor;
  9. consent of the data subject: a voluntary, specific and clear indication of the will of the data subject whereby he or she expresses his / her consent to the processing of the personal data affecting him or her by means of an act explicitly confirming the statement in this effect;
  10. data processing means the performance of technical tasks related to data processing operations, irrespective of the method and means used to perform the operations and the place of application, provided that the technical task is performed on the data;
  11. Data deletion: making data unrecognizable in such a way that their recovery is no longer possible
  12. EEA State means a Member State of the European Union and other States party to the Treaty on the European Economic Area, and those non-party States whose citizens enjoy the same legal status as the citizens of the countries taking part in the treaty on the European Economic Area, based on the international treaty between the states concerned.;
  13. data subject: means any natural person identified or identifiable, either directly or indirectly, based on personal data;
  14. User: the natural person who registers on the Service Provider’s website or purchases without registration;
  15. Third country: means any State which is not a EEA;
  16. disclosure: making personal data available to anyone;