Terms and Conditions

NAME: Dorfmeister Ltd.


HEADQUARTERS: 1192. Bercsényi Street 28.


TRADE REGISTER NUMBER: 01-09-952113


TAX NUMBER: 23083013-2-43


PHONE: +36 70 3 555570


REPRESENTATIVE NAME: Réka Schott

E-MAIL: schott.reka-floraldesign@hotmail.com


WEBSITE: www.schottrekafloraldesign.com


Entered into force: 2024.04.24.


Applicable: from 24.04.2024


TABLE OF CONTENTS

PURPOSE OF THE POLICY

SCOPE OF THE POLICY

Personal scope

Temporal scope

III. DEFINITIONS


PRINCIPLES

LEGAL BASIS FOR DATA PROCESSING

The data subject's consent

Contract fulfillment

Fulfillment of the legal obligation of the data controller

Protection of the vital interests of the data subject or other natural person

Performance of a task carried out in the public interest or in the exercise of official authority vested in the controller

Pursuit of the legitimate interests of the controller or a third party

PERSONS ENTITLED TO ACCESS THE DATA

VII. RIGHTS OF THE DATA SUBJECT

Right to information

The data subject's right of access

The data subject's right to rectification and erasure

3.1. Right to rectification

3.2. Right to erasure (“right to be forgotten”)

Right to restriction of data processing

Notification obligation related to the correction or deletion of personal data or the restriction of data processing

The right to data portability

The right to protest

Right to be exempt from automated decision-making

The data subject's right to complain and seek legal redress

9.1. Right to lodge a complaint with a supervisory authority.

9.2. Right to an effective judicial remedy against the supervisory authority

9.3. Right to an effective judicial remedy against the controller or processor

Limitations

Information about a data breach

VIII. PROCEDURE TO BE APPLIED IN CASE OF A DATA SUBJECT'S REQUEST

PROCEDURE TO BE USED IN THE EVENT OF A PERSONAL DATA BREACH


EMPLOYMENT-RELATED DATA PROCESSING


Data processing prior to the establishment of the Employment Relationship


1.1. Data processing during the application process for the recruitment of employees


1.2. Data processing during the job suitability assessment

Data processing during the employment relationship


2.1. Data processing within the framework of labor registration


2.2. Monitoring the employee's employment-related behavior


2.2.1. Data processing related to electronic monitoring system


2.2.2. Data processing related to the use of the e-mail account provided by the Company to the employee


2.2.3. Monitoring the use of laptops, tablets, and phones provided to employees

 

2.2.4. Monitoring employee internet use at work


2.2.5. Case-by-case data processing concerning employees


2.2.6. Data processing related to workplace entry and exit


OTHER ACTIVITIES INVOLVED IN DATA PROCESSING AND DATA SETS PROCESSED

Data processing based on legal obligation


1.1. Data processing related to the fulfillment of anti-money laundering obligations


1.2. Data processing necessary to fulfill accounting obligations


1.3. Data processing related to the fulfillment of tax and contribution obligations

Data processing carried out during requests for information and quotations

Data processing related to the website operated by the Company


3.1. Information regarding the data of visitors to the Company's website


3.2. Registration, newsletter subscription


3.3. Data processing related to direct marketing activities


Data processing activity related to the performance of a contract

Contact details of natural person representatives of legal entity clients, buyers, suppliers


Data processing related to entry and exit to the Foundation's headquarters


Data processing related to electronic surveillance system


XII. RULES RELATING TO DATA PROCESSING


General rules regarding data processing


Data processing activities performed by the Company


XIII. PROVISIONS ON DATA SECURITY


Principles of implementing data security.


Protection of the Company's IT records


Protection of the Company's paper records


ANNEX XIV. OTHER PROVISIONS – DATA PROCESSORS

THE PURPOSE OF THE REGULATION

By publishing this data protection notice, Ad Novas Kft. (hereinafter referred to as: company or data processor) complies with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Regulation 95/46/EC (General Data Protection Regulation) (hereinafter referred to as: Regulation).


SCOPE OF THE RULES

Personal scope

The scope of this policy covers the company and the natural persons to whom its data processing activities apply.

The data processing activity set out in this policy is directed at the personal data of natural persons.

The scope of the regulation does not cover the processing of personal data that concerns legal persons, or in particular businesses that have been established as legal persons, including the name and form of the legal person, as well as the contact details of the legal person.

Temporal validity

This regulation is valid from the date of its establishment until further notice or until the date of withdrawal of the regulation.


III. DEFINITIONS

“personal data”: any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, a number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

“processing”: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

“restriction of processing”: the marking of stored personal data with a view to restricting their future processing;

“profiling” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal characteristics relating to a natural person, in particular to analyse or predict characteristics relating to performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;

“pseudonymisation” means the processing of personal data in such a way that the personal data can no longer be attributed to a specific natural person without the use of additional information, provided that such additional information is stored separately and technical and organisational measures are taken to ensure that the personal data cannot be attributed to an identified or identifiable natural person;

“filing system” means a set of personal data, whether centralised, decentralised or organised by functional or geographical means, which is accessible on the basis of specific criteria;

“controller” means the natural or legal person, public authority, agency or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of the processing are determined by Union or Member State law, the controller or the specific aspects of the designation of the controller may also be determined by Union or Member State law;

“processor” means the natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller. This


For the purposes of the Regulation, the data processor is primarily the Foundation.

“recipient”: the natural or legal person, public authority, agency or any other body to whom or with whom the personal data are communicated, regardless of whether it is a third party. Public authorities which may have access to personal data in the context of an individual investigation in accordance with Union or Member State law shall not be considered recipients; the processing of such data by such public authorities shall comply with the applicable data protection rules in accordance with the purposes of the processing;

“third party” means any natural or legal person, public authority, agency or any other body other than the data subject, the controller, the processor or persons who, under the direct control of the controller or the processor, are authorised to process personal data;

“consent of the data subject” means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which the data subject, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

“data breach”: a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;

“genetic data”: any personal data relating to the inherited or acquired genetic characteristics of a natural person, which contain unique information concerning the physiology or state of health of that person and which result primarily from the analysis of a biological sample taken from that natural person;

“biometric data”: any personal data relating to the physical, physiological or behavioural characteristics of a natural person obtained by means of specific technical procedures, which allow or confirm the unique identification of the natural person, such as facial image or dactyloscopic data;

“health data”: personal data relating to the physical or mental health of a natural person, including data relating to healthcare services provided to the natural person, which contain information about the health of the natural person;

“undertaking”: a natural or legal person engaged in an economic activity, regardless of its legal form, including partnerships and associations engaged in regular economic activity.


PRINCIPLES

(1) The company takes the following principles into account when processing data: lawfulness, fair procedure and transparency; purpose limitation; data economy; accuracy; limited storage; integrity and confidentiality.

(2) In view of the above: Personal data may only be processed for specific purposes, in order to exercise a right and fulfill an obligation. Data processing must comply with the purpose of data processing at all stages, and the collection and processing of data must be fair and lawful. Only personal data that is essential for the purpose of data processing and suitable for achieving the purpose may be processed. Personal data may only be processed to the extent and for the period necessary for the purpose to be achieved. The company records that it stores the personal data it processes at its registered office in the form of an electronic file or on paper-based documents, while maintaining the legal requirements regarding data security. This provision applies to all data processing and data processing activities carried out by the Foundation.


LEGAL BASIS FOR DATA PROCESSING

Consent of the data subject


(1) The lawfulness of the processing of personal data must be based on the consent of the data subject or on some other legitimate basis established by law.


(2) In the case of data processing based on the consent of the data subject, the data subject may give his/her consent to the processing of his/her personal data in the following form: a) in writing, in the form of a declaration giving consent to the processing of personal data, b) electronically, by explicit conduct on the company's website, by ticking a checkbox, or by making relevant technical settings when using information society services, as well as any other declaration or action which, in the given context, clearly indicates the data subject's consent to the planned processing of his/her personal data.


(3) Silence, a pre-ticked box or inaction therefore does not constitute consent.


(4) Consent shall cover all data processing activities carried out for the same purpose or purposes.


(5) Where data processing serves multiple purposes, consent shall be given for all purposes of data processing. Where the data subject gives his/her consent following an electronic request, the request shall be clear and concise and shall not unnecessarily hinder the use of the service for which consent is requested.


(6) The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of the processing based on consent prior to its withdrawal. The data subject shall be informed of this before consent is given. The withdrawal of consent shall be made as easy as the granting of consent.


Contract fulfillment

(1) Data processing is considered lawful if it is necessary for the performance of a contract to which the data subject is a party, or if it is necessary to take steps at the data subject's request prior to entering into a contract.


(2) The consent of the data subject to the processing of personal data that is not necessary for the performance of the contract shall not be a condition for concluding the contract.

Compliance with the legal obligation applicable to the data controller


(1) The legal basis for data processing is determined by law in the event of compliance with a legal obligation, so the consent of the data subject is not required for the processing of his or her personal data.


(2) The data controller is obliged to inform the data subject about the purpose, legal basis, duration of data processing, the identity of the data controller, as well as about his/her rights and legal remedies.


(3) The data controller is entitled to process the data subject's consent after the withdrawal of the data subject's consent in order to comply with a legal obligation.

Protection of the vital interests of the data subject or another natural person

Performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller

Enforcement of the legitimate interests of the data controller or of a third party


(1) The legitimate interests of the controller, including the controller to whom the personal data may be disclosed, or of a third party, may constitute a legal basis for processing, provided that the interests, fundamental rights and freedoms of the data subject are not overridden by them, taking into account the reasonable expectations of the data subject in the light of the relationship between the data subject and the controller. Such legitimate interests may exist, for example, where there is a relevant and appropriate relationship between the data subject and the controller, for example where the data subject is a client or employee of the controller.


(2) In order to establish the existence of a legitimate interest, it is necessary to carefully examine, among other things, whether the data subject can reasonably expect, at the time and in the context of the collection of personal data, that data processing may take place for the given purpose.


(3) The interests and fundamental rights of the data subject may take precedence over the interests of the controller if personal data are processed in circumstances in which the data subject does not expect further processing.


PERSONS ENTITLED TO ACCESS THE DATA


(1) Personal data may be accessed by the company's employees with access rights related to the relevant data processing purpose, as well as by persons and organizations performing data processing activities for the company based on service contracts, to the extent determined by the company and to the extent necessary for the performance of their activities.


(2) The list of data processors is contained in Annex 1 to the regulations.


VII. RIGHTS OF THE DATA SUBJECT

Right to information


(1) The data subject has the right to receive information related to data processing prior to the commencement of activities aimed at processing his or her data.


(2) Information to be provided where personal data are collected from the data subject: the identity and contact details of the controller and, where applicable, the controller's representative; the contact details of the data protection officer, where applicable; the purposes of the intended processing of the personal data and the legal basis for the processing; in the case of processing based on point (f) of Article 6(1) of the Regulation, the legitimate interests of the controller or a third party; where applicable, the recipients or categories of recipients of the personal data; where applicable, the fact that the controller intends to transfer the personal data to a third country or to an international organisation, and the existence or absence of an adequacy decision by the Commission or, in the case of transfers referred to in Articles 46, 47 or the second subparagraph of Article 49(1) of the Regulation, an indication of the appropriate and suitable safeguards and a reference to the means of obtaining a copy of them or to their availability.


(3) In addition to the information referred to in paragraph (2), the controller shall, at the time of obtaining the personal data, inform the data subject of the following additional information in order to ensure fair and transparent processing: the period for which the personal data will be stored or, where that is not possible, the criteria for determining that period; the data subject's right to request from the controller access to, rectification, erasure or restriction of processing of personal data concerning him or her, and to object to the processing of such personal data, as well as the data subject's right to data portability; in the case of processing based on Article 6(1)(a) or Article 9(2)(a) of the Regulation, the right to withdraw consent at any time, without affecting the lawfulness of the processing carried out on the basis of consent before its withdrawal; the right to lodge a complaint with a supervisory authority; whether the provision of personal data is based on a legal or contractual obligation or is a prerequisite for entering into a contract, and whether the data subject is obliged to provide the personal data, as well as the possible consequences of not providing the data; the fact of automated decision-making referred to in Article 22(1) and (4) of the Regulation, including profiling, and at least in these cases, intelligible information on the logic involved and the significance of such processing and the foreseeable consequences for the data subject.


(4) Where the personal data have not been obtained from the data subject, the controller shall provide the data subject with the following information: the identity and contact details of the controller and, where applicable, of the controller's representative; the contact details of the data protection officer, where applicable; the purposes of the intended processing of the personal data and the legal basis for the processing; the categories of personal data concerned; the recipients or categories of recipients of the personal data, where applicable; where applicable, the fact that the controller intends to transfer the personal data to a recipient in a third country or to an international organisation, and the existence or absence of an adequacy decision by the Commission or, in the case of transfers referred to in Article 46, Article 47 of the Regulation or the second subparagraph of Article 49(1), an indication of the appropriate and suitable safeguards, as well as a reference to the means of obtaining a copy of them or to their availability.


(5) In addition to the information referred to in paragraph (4), the controller shall provide the data subject with the following additional information necessary to ensure fair and transparent processing for the data subject: the period for which the personal data will be stored or, where that is not possible, the criteria for determining that period; where the processing is based on point (f) of Article 6(1) of the Regulation, the legitimate interests of the controller or a third party; the data subject's right to request from the controller access to, rectification, erasure or restriction of processing of personal data concerning him or her, and to object to the processing of personal data, as well as the data subject's right to data portability; in the case of processing based on point (a) of Article 6(1) or point (a) of Article 9(2) of the Regulation, the right to withdraw consent at any time, without affecting the lawfulness of the processing based on consent before its withdrawal; the right to lodge a complaint with a supervisory authority; the source of the personal data and, where applicable, whether the data originate from publicly available sources; and the fact of automated decision-making referred to in Article 22(1) and (4) of the Regulation, including profiling, and at least in such cases, intelligible information on the logic involved and the significance and foreseeable consequences of such processing for the data subject.


(6) If the controller intends to process personal data for a purpose other than that for which they were collected, it shall inform the data subject of that purpose and of any relevant additional information referred to above prior to the further processing.


(7) Paragraphs (5) to (6) shall not apply if and to the extent that: the data subject already has the information (in which case paragraph (1) shall not apply either); providing the information in question proves impossible or would involve a disproportionate effort, in particular in the case of processing for archiving purposes in the public interest, scientific and historical research purposes or statistical purposes, subject to the conditions and safeguards laid down in Article 89(1) of the Regulation, or where the obligation referred to in paragraph (1) of this Article is likely to render impossible or seriously jeopardise the achievement of the purposes of such processing. In such cases, the controller shall take suitable measures to safeguard the rights, freedoms and legitimate interests of the data subject, including making the information publicly available; the collection or disclosure of the data is expressly provided for by Union or Member State law to which the controller is subject, which lays down suitable measures to safeguard the legitimate interests of the data subject; or the personal data must remain confidential pursuant to an obligation of professional secrecy laid down in Union or Member State law, including a statutory obligation of confidentiality.


The data subject's right of access


(1) The data subject shall have the right to obtain from the controller information as to whether or not personal data concerning him or her are being processed and, where such processing is taking place, access to the personal data and to the following information: the purposes of the processing; the categories of personal data concerned; the recipients or categories of recipients to whom the personal data have been or will be disclosed, including in particular recipients in third countries or international organisations; where applicable, the envisaged period for which the personal data will be stored or, where that is not possible, the criteria for determining that period; the right of the data subject to obtain from the controller rectification, erasure or restriction of processing of personal data concerning him or her and to object to the processing of such personal data; the right to lodge a complaint with a supervisory authority; where the data were not collected from the data subject, any available information as to their source; the fact of automated decision-making referred to in Article 22(1) and (4) of the Regulation, including profiling, and at least in these cases, intelligible information on the logic involved and the significance and foreseeable consequences of such processing for the data subject.


(2) If personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards relating to the transfer.


(3) The controller shall provide the data subject with a copy of the personal data which are the subject of the processing. For further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. If the data subject has submitted the request electronically, the information shall be provided in a widely used electronic format, unless the data subject requests otherwise.

The data subject's right to rectification and erasure

3.1. The right to rectification


(1) The data subject shall have the right to obtain from the controller, at his request, the rectification of inaccurate personal data concerning him or her without undue delay. Taking into account the purposes of the processing, the data subject shall have the right to obtain from the controller the completion of incomplete personal data, including by means of a supplementary statement.

3.2. Right to erasure (“right to be forgotten”)

(1) The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay, and the controller shall be obliged to erase personal data concerning him or her without undue delay where one of the following grounds applies: the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; the data subject withdraws his or her consent pursuant to point (a) of Article 6(1) of the Regulation (consent to the processing of personal data) or Article 9 of the Regulation (2) point (a) of Article 21(1) of the Regulation (right to object) to the processing of personal data and there is no other legal basis for the processing; the data subject objects to the processing of personal data pursuant to Article 21(1) of the Regulation (right to object) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2) of the Regulation (objection to the processing of personal data for commercial purposes); the personal data have been processed unlawfully; the personal data must be erased for compliance with a legal obligation under Union or Member State law to which the controller is subject; the personal data were collected in connection with the offering of information society services referred to in Article 8(1) of the Regulation.

(2) Where the controller has made personal data public and is obliged to erase them at the request of the data subject, the controller, taking into account available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform the controllers processing the data that the data subject has requested the erasure of links to, or copies or replications of, the personal data concerned.


(3) Paragraphs (1) and (2) shall not apply where processing is necessary: for the exercise of the right to freedom of expression and information; for compliance with an obligation to process personal data to which the controller is subject under Union or Member State law or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; for reasons of public interest in the field of public health in accordance with points (h) and (i) of Article 9(2) of the Regulation and Article 9(3) of the Regulation; for archiving purposes in the public interest, scientific and historical research purposes or statistical purposes in accordance with Article 89(1) of the Regulation, where the right referred to in paragraph (1) would likely render impossible or seriously jeopardise such processing; or for the establishment, exercise or defence of legal claims.


Right to restriction of data processing


(1) The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies: the data subject contests the accuracy of the personal data, in which case the restriction shall apply for a period enabling the controller to verify the accuracy of the personal data; the processing is unlawful and the data subject opposes the erasure of the data and requests the restriction of their use instead; the controller no longer needs the personal data for the purposes of the processing, but the data subject requires them for the establishment, exercise or defence of legal claims; or the data subject has objected to processing pursuant to Article 21(1) of the Regulation; in which case the restriction shall apply for a period of time until it is determined whether the legitimate grounds of the controller override those of the data subject.


(2) Where processing is restricted pursuant to paragraph 1, such personal data may, with the exception of storage, only be processed with the consent of the data subject, or for the establishment, exercise or defence of legal claims, or for the protection of the rights of another natural or legal person, or for important reasons of public interest of the Union or of a Member State.


(3) The controller shall inform the data subject at whose request the processing has been restricted pursuant to paragraph (1) in advance of the lifting of the restriction of the processing.

Notification obligation in relation to the rectification or erasure of personal data or the restriction of processing

(1) The controller shall inform all recipients to whom the personal data have been disclosed of the rectification, erasure or restriction of processing, unless this proves impossible or involves a disproportionate effort.

(2) The controller shall inform the data subject of these recipients upon request.


The right to data portability


(1) The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and shall have the right to transmit those data to another controller without hindrance from the controller to whom the personal data have been provided, where: the processing is based on point (a) of Article 6(1) of the Regulation (the data subject's consent to the processing of personal data) or on Article 9 of the Regulation (2) point a) of paragraph (2) (the data subject's explicit consent to the processing) or on the basis of a contract pursuant to Article 6(1)(b) of the Regulation; and the processing is carried out by automated means.

(2) In exercising the right to data portability pursuant to paragraph (1), the data subject shall have the right to request the direct transmission of personal data between controllers, where technically feasible.


(3) The exercise of the right referred to in paragraph (1) shall be without prejudice to Article 17 of the Regulation. That right shall not apply where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.


(4) The right referred to in paragraph 1 shall not adversely affect the rights and freedoms of others.

Right to object

(1) The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her carried out in the public interest or in the exercise of official authority vested in him or her or to processing necessary for the purposes of the legitimate interests pursued by the controller or by a third party (processing based on point (e) or (f) of Article 6(1) of the Regulation), including profiling based on those provisions. In such a case, the controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.


(2) If personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such purposes, including profiling where it is related to direct marketing.


(3) If the data subject objects to the processing of personal data for direct marketing purposes, the personal data may no longer be processed for this purpose.


(4) The right referred to in paragraphs (1) and (2) shall be expressly brought to the attention of the data subject at the latest during the first contact, and the information relating to it shall be displayed clearly and separately from all other information.


(5) In connection with the use of information society services and by way of derogation from Directive 2002/58/EC, the data subject may also exercise the right to object by automated means based on technical specifications.

 

(6) Where personal data are processed for scientific and historical research purposes or for statistical purposes pursuant to Article 89(1) of the Regulation, the data subject shall have the right to object, on grounds relating to his or her particular situation, to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.


Right to be exempt from automated decision-making


(1) The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

(2) Paragraph (1) shall not apply where the decision: (a) is necessary for entering into, or the performance of, a contract between the data subject and the controller; (b) is permitted by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests; or (c) is based on the data subject's explicit consent.

(3) In the cases referred to in points (a) and (c) of paragraph (2), the controller shall take suitable measures to safeguard the rights, freedoms and legitimate interests of the data subject, including at least the right of the data subject to obtain human intervention on the part of the controller, to express his or her point of view and to object to the decision.

(4) The decisions referred to in paragraph (2) shall not be based on special categories of personal data referred to in Article 9(1) of the Regulation, unless point (a) or (g) of Article 9(2) applies and suitable measures have been taken to safeguard the rights, freedoms and legitimate interests of the data subject.


Right of the data subject to lodge a complaint and obtain a remedy


9.1. Right to lodge a complaint with a supervisory authority


(1) The data subject shall have the right, pursuant to Article 77 of the Regulation, to lodge a complaint with the supervisory authority if, in the opinion of the data subject, the processing of personal data concerning him or her infringes this Regulation.


(2) The data subject may exercise his/her right to file a complaint at the following contact details: National Data Protection and Freedom of Information Authority Address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c; Telephone: +36 (1) 391-1400; Fax: +36 (1) 391-1410; http://www.naih.hu; e-mail: ugyfelszolgalat@naih.hu


(3) The supervisory authority to which the complaint has been submitted shall inform the customer of the procedural developments related to the complaint and its outcome, including the fact that the customer has the right to a judicial remedy pursuant to Article 78 of the Regulation.


9.2. Right to an effective judicial remedy against the supervisory authority


(1) Without prejudice to other administrative or non-judicial remedies, every natural and legal person has the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning him or her.


(2) Without prejudice to other administrative or non-judicial remedies, every data subject shall have the right to an effective judicial remedy if the competent supervisory authority does not deal with the complaint or does not inform the data subject of the procedural developments or the outcome of a complaint lodged pursuant to Article 77 of the Regulation within three months.


(3) Proceedings against a supervisory authority shall be brought before the courts of the Member State in which the supervisory authority is established.


(4) Where proceedings are brought against a decision of the supervisory authority in relation to which the Board has previously issued an opinion or taken a decision within the framework of the consistency mechanism, the supervisory authority shall be obliged to send that opinion or decision to the court.


9.3. Right to an effective judicial remedy against the controller or processor


(1) Without prejudice to any available administrative or non-judicial remedies, including the right to lodge a complaint with a supervisory authority pursuant to Article 77 of the Regulation, each data subject shall have the right to an effective judicial remedy if he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of personal data concerning him or her not being in accordance with this Regulation.


(2) Proceedings against a controller or processor shall be brought before the courts of the Member State in which the controller or processor is established. Such proceedings may also be brought before the courts of the Member State in which the data subject has his habitual residence, unless the controller or processor is a public authority of a Member State acting in the exercise of its official authority.


Restrictions


(1) Union or Member State law applicable to the controller or processor may, by means of legislative measures, restrict the scope of the rights and obligations set out in Articles 12 to 22 and Article 34 of the Regulation and in relation to the rights and obligations set out in Articles 12 to 22 of the Regulation, where the restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard: (a) national security; (b) defence; (c) public security; (d) the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security; (e) other important objectives of general public interest of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, including monetary, budgetary and taxation matters, public health and social security; (f) the protection of judicial independence and judicial proceedings; (g) the prevention, investigation, detection and prosecution of ethical misconduct in regulated professions; (h) in the cases referred to in points (a) to (e) and (g), monitoring, inspection or regulatory activities linked to the exercise of official authority, even occasionally; (i) the protection of the data subject or the rights and freedoms of others; (j) the exercise of civil law claims.


(2) The legislative measures referred to in paragraph 1 shall, where appropriate, contain detailed provisions on at least: the purposes of the processing or the categories of processing, the categories of personal data, the scope of the restrictions imposed, the safeguards against misuse or unauthorised access or transfer, the definition of the controller or categories of controllers, the period of data storage and the applicable safeguards, taking into account the nature, scope and purposes of the processing or categories of processing, the risks to the rights and freedoms of data subjects and the right of data subjects to be informed of the restriction, unless this would adversely affect the purpose of the restriction.


Information about a data breach


(1) Where the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall inform the data subject of the personal data breach without undue delay.


(2) The information provided to the data subject referred to in paragraph (1) shall describe in a clear and comprehensible manner the nature of the data protection incident and shall include at least: the name and contact details of the data protection officer or other contact person who can provide further information, the likely consequences of the data protection incident, the measures taken or planned by the controller to remedy the data protection incident, including, where applicable, measures to mitigate any adverse consequences resulting from the data protection incident.


(3) The data subject shall not be required to be informed as referred to in paragraph 1 if any of the following conditions are met: the controller has implemented appropriate technical and organisational protection measures and those measures have been applied to the data affected by the personal data breach, in particular measures such as the use of encryption which render the data unintelligible to persons not authorised to access the personal data; the controller has taken additional measures following the personal data breach to ensure that the high risk to the rights and freedoms of the data subject referred to in paragraph 1 is unlikely to materialise; providing information would involve a disproportionate effort. In such cases, the data subject shall be informed by means of publicly available information or a similar measure ensuring that the data subject is informed in an equally effective manner.


(4) If the controller has not yet notified the data subject of the personal data breach, the supervisory authority may, after considering whether the personal data breach is likely to involve a high risk, order the data subject to be informed or determine that one of the conditions referred to in paragraph (3) is met.


 

VIII. PROCEDURE TO BE APPLIED IN CASE OF A DATA SUBJECT'S REQUEST


(1) The company facilitates the exercise of the data subject's rights and may not refuse to fulfill the data subject's request to exercise his or her rights as set out in this policy, unless it proves that it is unable to identify the data subject.


(2) The company shall inform the data subject of the measures taken in response to the request without undue delay, but in any case within one month of receipt of the request. If necessary, taking into account the complexity of the request and the number of requests, this deadline may be extended by a further two months. The data controller shall inform the data subject of the extension of the deadline within one month of receipt of the request, indicating the reasons for the delay.


(3) If the data subject has submitted the request electronically, the information shall be provided electronically, if possible, unless the data subject requests otherwise.


(4) If the company does not take action following the request of the data subject, it shall inform the data subject without delay, but at the latest within one month of receipt of the request, of the reasons for the failure to take action and of the fact that the data subject may lodge a complaint with the supervisory authority and exercise his/her right to a judicial remedy.


(5) The company provides the information specified in Article 13 and 14 of the Regulation, detailed in Section 1 of Chapter VI of this Regulation, and the information and measures specified in Articles 15–22 and 34 of the Regulation (feedback on the processing of personal data, access to processed data, correction, completion, deletion of data, restriction of data processing, data portability, objection to data processing, information about a data protection incident) to the data subject free of charge.


(6) If the data subject's request is clearly unfounded or excessive – in particular due to its repetitive nature – the data controller may, taking into account the administrative costs involved in providing the requested information or communication or taking the requested action: charge a fee of HUF 5,000 or refuse to take action based on the request.


(7) The burden of proving that the request is manifestly unfounded or excessive shall be on the data controller.


(8) Without prejudice to Article 11 of the Regulation, where the controller has reasonable doubts as to the identity of the natural person making a request pursuant to Articles 15 to 21 of the Regulation, he may request the provision of further information necessary to confirm the identity of the data subject.



PROCEDURE TO BE USED IN THE EVENT OF A DATA PROTECTION INCIDENT


(1) A data breach, within the meaning of the Regulation, is any breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.


(2) Examples of data protection incidents include: the loss or theft of a device (laptop, mobile phone) containing personal data, the loss or inaccessibility of the code used to decrypt a file encrypted by the data controller, infection by ransomware, which makes the data managed by the data controller inaccessible until the ransom is paid, an attack on the IT system, the publication of an email or address list containing personal data sent in error, etc.


(3) In the event of a data breach, the company representative shall immediately conduct an investigation to identify the data breach and determine its possible consequences. The necessary measures shall be taken to prevent any damage.


(4) The controller shall notify the personal data breach to the competent supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of the personal data breach, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. If the notification is not made within 72 hours, it shall be accompanied by reasons justifying the delay.


(5) The data processor shall notify the data controller of the data protection incident without undue delay after becoming aware of it.


(6) The notification referred to in paragraph (3) shall at least: describe the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects and the categories and approximate number of data affected by the breach; provide the name and contact details of the data protection officer or other contact person who can provide further information; describe the likely consequences of the personal data breach; describe the measures taken or planned by the controller to remedy the personal data breach, including, where applicable, measures to mitigate any adverse consequences resulting from the personal data breach.


(7) If and to the extent that it is not possible to communicate the information simultaneously, it may be communicated in parts at a later date without further undue delay.


(8) The controller shall keep records of data breaches, indicating the facts relating to the data breach, its effects and the measures taken to remedy it. This record shall enable the supervisory authority to verify compliance with the requirements relating to the notification obligation.


EMPLOYMENT-RELATED DATA PROCESSING


Data processing prior to the establishment of the employment relationship


Data processing prior to the establishment of the employment relationship is carried out in connection with the preceding application procedure and the assessment of suitability for the job.


1.1. Data processing during the application procedure for the recruitment of employees


(1) The legal basis for data processing during the application procedure for the recruitment of employees is the consent of the data subject.


(2) The purposes of data processing: assessing applications, concluding an employment contract.


(3) Data subject to data processing: name, address, place of birth, date, education, professional qualifications, telephone number, e-mail address, image, CV, application. Data subject to data processing also includes the qualification and definition of characteristics recorded in relation to the applicant.


(4) Categories of persons affected by data processing: persons applying for a job.


(5) Recipients of personal data: the person exercising the employer's authority, the employee(s) performing human resources tasks.


(6) Duration of data processing: after the employee has been selected, the purpose of data processing for unselected applicants ceases, therefore the personal data of the applicants must be deleted immediately.


(7) The obligation to delete also exists if the data subject changes his/her mind during the application process and withdraws his/her application. The applicant must be informed of the outcome of the selection decision.


1.2. Data processing during the job suitability assessment


(1) Pursuant to Section 10(1) of the Employment Act, only two types of suitability tests may be applied to employees: suitability tests that are prescribed by a rule relating to employment, and tests that are not prescribed by a rule relating to employment but are necessary for the exercise of the right or the fulfillment of the obligation specified in the rule relating to employment.


(2) In both cases of aptitude testing, employees must be informed in detail, including what skills and abilities the aptitude test aims to assess, and what means and methods the test will be conducted with. If a law requires the test to be conducted, employees must also be informed of the title of the law and the exact location of the law.


(3) The legal basis for data processing is the legitimate interest of the employer.


(4) Purpose of data processing: determining suitability for a job, establishing an employment relationship.


(5) The persons authorised to process personal data with regard to the examination results are the professional carrying out the examination and the person examined. The employer may only receive information on whether or not the person examined is fit for work and what conditions are to be provided for this. However, the employer may not be made aware of the details of the examination or its full documentation.


(6) Duration of processing of personal data related to the aptitude test: 3 years after the termination of the employment relationship.


Data processing during the employment relationship


Data processing within the framework of labor registration


(1) The company processes the personal data of employees listed below, managed in the labor register, based on the legitimate interest of the employer, fulfillment of a legal obligation, and performance of a contract.


(2) The scope of personal data of the employee managed by the company in the employment register: name, birth name, date of birth, mother's name, address, citizenship, tax identification number, social security number, pensioner's registration number (in the case of a retired employee), telephone number, e-mail address, identity card number, official ID card number proving address, bank account number, start and end date of starting work, job title, copy of the document proving educational qualifications and professional qualifications, photograph, CV, amount of salary, data related to salary payment and other benefits, debt to be deducted from the employee's salary based on a final decision or law or written consent, and the entitlement to this, evaluation of the employee's work, method and reasons for termination of employment, certificate of good conduct depending on the job title, summary of job suitability tests, name of the fund in the case of membership in a private pension fund or voluntary mutual insurance fund, identification number and membership number of the employee, passport number in the case of a foreign employee; name and number of the document certifying the right to work, data recorded in the records of accidents that have occurred to the employee; data recorded by the camera and access control system used for security and property protection purposes at the Company, and by the location systems.


(3) The scope of persons affected by data processing: employees of the company.


(4) The recipients of the personal data recorded above are: the person exercising the employer's authority, the company's employees performing human resources, accounting and payroll tasks, and data processors.


(5) Purpose of data management: maintaining contact, asset protection, fulfilling obligations arising from employment, payroll accounting (payment of wages), exercising rights arising from employment, establishing and terminating employment, providing data related to employment, and keeping records.


(6) Duration of data processing: 3 years after the termination of the employment relationship.


2.2. Monitoring the employee's employment-related behavior


(1) The employer may monitor the employee only in the context of his/her conduct related to the employment relationship. The monitoring and the means and methods used in the process may not violate human dignity. The employee's private life may not be monitored.


(2) The employer shall inform the employee in advance of the use of technical means used to monitor the employee.


2.2.1. Data processing related to electronic monitoring system


(1) The company uses a camera surveillance system at its headquarters for the purpose of personal and property protection. Cameras may not be operated for the primary, express purpose of monitoring employees and their activities. It is considered illegal to use an electronic surveillance system that has the purpose, even if not declarative, of influencing employees' behavior at work.


(2) It is prohibited to install cameras in rooms where surveillance may violate human dignity, in particular in changing rooms, showers, toilets or, for example, in medical rooms or waiting rooms. In addition, it is also prohibited to use electronic surveillance systems in rooms designated for employees to take breaks during work, such as the employee lunchroom.


(3) If no one is legally allowed to be in the workplace area (especially outside working hours or on public holidays), the entire workplace area (such as changing rooms, toilets, rooms designated for breaks) may be monitored.


(4) The company may use the electronic surveillance system exclusively for the purpose of monitoring parts of buildings, premises and areas owned (or used) by the company, or the events occurring there, but not for the purpose of monitoring public areas. The camera's viewing angle may be directed to an area consistent with its purpose.


(5) If the camera surveillance is directed at an area where both employees and customers (visitors) may be present, then the employer must of course also ensure the placement of the information sign pursuant to Section 28(2)(d) of the Szvtv.


(6) The company shall place a clearly visible information board on the use of the electronic surveillance system, thereby fulfilling its obligation to provide prior information. The information shall be provided for each camera, specifying precisely the purpose for which the given camera was placed in the given area and the area or equipment to which the camera's viewing angle is directed. The information shall cover the legal basis for data processing, the identification of the person (legal or natural) operating the electronic surveillance system, the place and duration of storage of the recording, the circle of persons authorized to view the data, as well as the persons and bodies to whom and in what cases the recording may be transmitted, the rights of employees in connection with the electronic surveillance system and how they can exercise their rights, and the means of enforcement they may use in the event of a violation of their right to informational self-determination.


(7) The storage period for recordings (personal data) recorded by the electronic surveillance system is 3 working days from the date of creation.


(8) The legal basis for workplace camera surveillance is the legitimate interest of the employer (Article 6(f) of the Regulation), or the voluntary consent of the data subject based on the information posted by the company in the form of signs.


(9) The data subject's consent may also be given through implied conduct. Implied conduct exists in particular where the data subject enters or remains in the units covered by the camera surveillance system.


(10) Scope of processed data: image of the data subject recorded by the operated camera system and other personal data.


(11) Recipients of personal data recorded by camera recording: company manager, employees operating the camera system, data processor providing operation for the purpose of detecting violations and monitoring the operation of the system.


2.2.2. Data processing related to the use of the e-mail account provided by the company to the employee


(1) The company provides employees with an e-mail account so that employees can keep in touch with each other or correspond with customers, other persons and organizations on behalf of the company.

 

(2) The company's employees are not permitted to use the e-mail accounts described above for private purposes. The employer's manager is entitled to check the content of the employees' company e-mail accounts and the correspondence conducted by the employees every six months.


(3) Before checking the use of the email account, the employer must inform the employees of the interest in which the employer's action is being taken.


(4) The employer shall apply a tiered control system, taking into account the principle of gradualism, in which the protection of personal data can be adequately enforced and the control must affect the privacy of employees to the least extent possible.


(5) When checking the use of an e-mail account, the presence of the employee must be ensured as a general rule.


(6) In order to maintain the lawful control of the e-mail account, the employer must provide detailed information to the employees in advance. In the information, the employer must include, among other things:
– for what purpose and for what employer interests the e-mail account may be controlled (and of course, the employee must be informed before the specific control of the interest of the employer for which the control is carried out),
– who on behalf of the employer may carry out the control,
– according to what rules the control may be carried out (compliance with the principle of gradualism) and what is the procedure,
– what rights and legal remedies the employees have in relation to the data processing associated with the control of the e-mail account.


(7) The first step in the verification is to check the email address and the subject of the letter, followed by a higher-level, more detailed check of the use of the email account.


(8) The employer is not entitled to check the content of private e-mails stored in the e-mail account, even if the employee has been informed in advance of the fact of the check. The employee must be requested to delete private e-mails; if the employee does not comply with the request or is unable to delete the personal data due to his/her absence, the employer is entitled to delete the personal data immediately during the check and may at the same time apply labor law consequences against the employee for violating the regulations on the use of company e-mail.


(9) The employer is entitled to send information to employees via the email system every six months regarding the prohibition of using the company email account for private purposes.


(10) The legal basis for the employer's control of the e-mail account provided to the employee is the legitimate interest of the employer, and its purpose is to monitor the fulfillment of the employee's obligations and to monitor compliance with the prohibition on the use of e-mail accounts for private purposes.


2.2.3. Monitoring the use of laptops, tablets, and phones provided to the employee


(1) The employer may provide employees in certain positions with a "company" laptop, tablet, or phone to perform their work.


(2) The employer prohibits employees from using the above-mentioned devices for personal purposes. According to the above provision, the management, storage and use of any personal data, such as photos, passwords for employee personal accounts, identifiers, e-mails, private applications, or use for private conversations on the above-mentioned devices is prohibited.


(3) The provisions set out in point 2.2.2 shall apply to the inspection of the above-mentioned devices, the persons performing the inspection, the legal basis and the purpose of data processing.



2.2.4. Monitoring employee internet use at work


(1) The employer does not allow the employee to use the Internet for personal purposes during work hours; the employee is only entitled to use the World Wide Web for the performance of his/her job duties.


(2) The employer shall monitor compliance with this provision as set out in point 2.2.2. and shall apply the labor law consequences set out therein.


(3) The legal basis for data processing related to the employee’s use of the internet at work is:


The guidelines are set out in point 2.2.2.



2.2.5. Case-by-case data processing concerning employees


(1) The employer organizes team-building trainings and other events, in which employees are given the opportunity to participate, in order to develop communication between employees, promote more effective cooperation between employees, increase their level of trust, and strengthen mutual respect and commitment.


(2) The legal basis for data processing carried out during the activity specified in point (1) is the employee's consent.


(3) The purpose of data management is to improve communication between employees, to promote more effective cooperation between employees and to increase their level of trust, and to strengthen respect and commitment towards each other.

 

(4) Scope of stakeholders: all employees who participate in the training or other event.


(5) Scope of personal data: image and voice of employees.


(6) Deadline for deletion of data: 6 months after withdrawal of consent or publication in the employer's internal system.


(7) Persons entitled to access the data (categories of recipients): none.



2.2.6. Data processing related to workplace entry and exit


(1) In the case of operating an access control system (non-electronic), information must be posted about the identity of the data controller and the method of data management.


(2) The scope of personal data that can be processed: the natural person's name, address, vehicle registration number, time of entry and exit.


(3) Legal basis for data processing: enforcement of the employer's legitimate interests.


(4) The purpose of processing personal data is: asset protection, contract performance, and monitoring the fulfillment of employee obligations.


(5) Recipients of personal data and categories of recipients: managers authorized to exercise employer rights at the Company, employees of the Company's asset protection agent as data processor.


(6) Duration of processing of personal data: 6 months.


OTHER ACTIVITIES AND DATA SETS PROCESSED


Data processing based on legal obligation


1.1. Data processing related to the fulfillment of anti-money laundering obligations


(1) Pursuant to Section 6 (1) of Act LIII of 2017 on the Prevention and Combating of Money Laundering and Terrorist Financing, the company is obliged to identify and verify the identity of a natural person acting in the name of or on behalf of the client: upon the establishment of a business relationship; in the event of data, facts or circumstances indicating money laundering or terrorist financing, if customer due diligence has not yet been carried out; and if there is any doubt regarding the authenticity or adequacy of previously recorded customer identification data.


(2) During identification, the company is obliged to record the following data: the surname and first name of the natural person acting in the name of or on behalf of the client; his/her surname and first name at birth; his/her citizenship; his/her place and date of birth; his/her mother's maiden name; his/her residential address, or in the absence thereof, his/her place of residence; the type and number of the identification document.


(3) Scope of data subjects: natural persons acting in the name of or on behalf of the client.


(4) The company's manager or employee designated for customer due diligence is entitled to access personal data. The company is entitled to process personal data recorded during customer due diligence for 8 years from the termination of the contract (business relationship).


1.2. Data processing necessary to fulfill accounting obligations


(1) The legal basis for processing the data of the company's natural person customers, buyers and suppliers is the fulfillment of a legal obligation (Act CXXVII of 2007, Section 159 (1)). The purpose of using the data is to determine the mandatory data content of the invoice, issue an invoice and perform related accounting tasks.


(2) The scope of data processing: the company's natural person clients, buyers, and suppliers.


(3) Scope of processed data: name, address, tax number of the company's natural person clients, buyers, suppliers.

 

(4) The manager or employees performing invoice issuance as a job task and the manager or employee performing accounting activities are entitled to access personal data. The company is entitled to process personal data recorded in the course of fulfilling the legal obligation indicated above for 8 years from the termination of the contract (business relationship).


1.3. Data processing related to the fulfillment of tax and contribution obligations


(1) The Company processes the personal data prescribed in tax laws of those data subjects (employees, their family members, employed persons, recipients of other benefits) with whom it is in a payer relationship (Act CL of 2017 on the Taxation System (Art.), Section 7, point 31), for the purpose of fulfilling legal obligations and tax and contribution obligations prescribed by law (assessment of tax, tax advance, contributions, payroll accounting, social security, pension administration). The scope of the processed data is determined by Art. 50.§, specifically highlighting: the natural person's personal identification data (including the previous name and title), gender, citizenship, tax identification number of the natural person, social security identification number (TAJ number). If tax laws provide for legal consequences, the Company may process data related to employees' health (Szja tv. § 40) and trade union membership (Szja § 47(2) b./) for the purpose of fulfilling tax and contribution obligations (payroll accounting, social security administration).


(2) The storage period of personal data is 8 years after the termination of the legal relationship that gave rise to the legal basis.


(3) Recipients of personal data: employees and data processors of the Company performing tax, payroll and social security (payer) tasks.


Data processing during information requests and requests for quotations


(1) The company provides third parties with the opportunity to request information and quotes regarding the services provided by the company or the products sold.


(2) The legal basis for data processing is the consent of the data subject in the case of a request for information or a request for a quotation.


(3) The group of data subjects in the case of a request for information or a request for a quote: any natural person who requests information or a quote regarding the company's services or products and provides their personal data.

 

(4) Scope of processed data: name, address, telephone number, e-mail address.


(5) Purpose of data processing in the case of a request for information: identification, contact.


(6) The purpose of data processing in the case of a request for quotation: providing a quotation, maintaining contact.


(7) The recipients of the data (those who may see the data) are the head of the Foundation and the employee responsible for customer relations in the case of a request for information or a request for a quote.


(8) Duration of data processing in the case of a request for information or a request for a quote: the company deletes the personal data 30 days after the provision of the information or the submission of the quote.


Data processing related to the website operated by the company


3.1. Information regarding the data of visitors to the company's website


(1) During visits to the company's website, one or more cookies are sent to the computer of the person visiting the website. Cookies are small information packages that the server sends to the browser and that the browser then sends back to the server with each request directed to it. Through them the visitor's browser will be uniquely identified, if the person visiting the website has given their express (active) consent to this by continuing to browse the website after being clearly and unambiguously informed.


(2) Cookies work solely to improve the user experience and automate the login process. The cookies used on the website do not store personally identifiable information, and the company does not process personal data in this context.


3.2. Registration, newsletter subscription


(1) The legal basis for data processing in the case of registration or newsletter subscription is the consent of the data subject, which the data subject provides by checking the box next to the text "registration" or "newsletter subscription" on the company's website after receiving information regarding the processing of his or her data.


(2) In the case of registration or newsletter subscription, the data subject is any natural person who subscribes to the company's newsletter or registers on the website and gives their consent to the processing of their personal data.


(3) The scope of data processed in the event of newsletter subscription: name, e-mail address.


(4) The scope of data processed in the event of registration: name, address, e-mail address, telephone number, password.


(5) The purpose of data processing in the case of newsletter subscription is: to inform the data subject about the company's services, products, changes in them, information about news and events.


(6) The purpose of data processing in the event of registration: contact in order to prepare for the conclusion of a contract, providing the data subject with services available free of charge on the website, access to the non-public content of the website.


(7) Recipients of the data (who may access the data) in the case of newsletter subscription or registration: the company manager, the employee responsible for customer relations, and the employees of the data processor responsible for operating the company's website.


(8) Duration of data processing in the case of newsletter subscription or registration: until the consent is withdrawn; in the case of newsletter subscription, until unsubscription; in the case of registration, until deletion at the request of the data subject.

 

(9) The data subject may unsubscribe from the newsletter at any time or request the deletion of his/her registration (personal data). The newsletter can be unsubscribed by clicking on the unsubscribe link in the footer of the electronic mail sent to the data subject or by sending a letter to the company's registered office.


3.3. Data processing related to direct marketing activities


(1) The legal basis for the company's data processing for direct marketing purposes is the consent of the data subject, which is clear and explicit. The data subject provides his clear, explicit prior consent by checking the box next to the text section "Consent to direct marketing inquiries" on the company's website after being informed about the processing of his data.


(2) The data subject may also provide his/her consent on paper by filling out the data form forming Annex 2 to these regulations.


(3) The data subject: any natural person who gives their clear, express consent to the company processing their personal data for direct marketing purposes.


(4) Data processing purposes: maintaining contact for the purpose of sending advertisements and offers related to the provision of services and product sales, and notifying about promotions, electronically or by post.


(5) Recipients of personal data: the company manager, employees performing customer service and marketing tasks based on their job title.


(6) The scope of personal data processed: name, address, telephone number, e-mail address.

 

(7) Duration of data processing: personal data are processed for direct marketing purposes until the data subject withdraws his/her consent.


Data processing activities related to the performance of a contract


(1) The company processes the personal data of natural persons contracting with it – clients, buyers, suppliers – in connection with the contractual relationship. The data subject must be informed about the processing of personal data.


(2) The scope of data subjects: all natural persons who enter into a contractual relationship with the company.


(3) The legal basis for data processing is the performance of a contract, the purpose of data processing is to maintain contact, enforce claims arising from the contract, and ensure compliance with contractual obligations.


(4) Recipients of personal data: the company's manager, the company's employees and data processors performing customer service and accounting tasks based on their job duties.


(5) The scope of personal data processed: name, address, registered office, telephone number, e-mail address, tax number, bank account number, entrepreneur ID number, primary producer ID number.


(6) Duration of data management: 5 years from the termination of the contract.


Contact details of natural person representatives of legal entity clients, buyers, suppliers


(1) The scope of personal data that can be processed: the name, address, telephone number, e-mail address, online identifier of the natural person.


(2) The purpose of the processing of personal data: performance of the contract concluded with the Company's legal entity partner, business relations; legal basis: performance of the contract.


(3) Recipients of personal data and categories of recipients: employees of the Company performing tasks related to customer service.


(4) Duration of storage of personal data: 5 years after the business relationship or the representative status of the data subject has ended.


Data processing related to entry and exit to the company's headquarters


(1) In the case of operating an access control system (non-electronic), information must be posted about the identity of the data controller and the method of data management.


(2) The scope of personal data that can be processed: the natural person's name, address, vehicle registration number, time of entry and exit.


(3) Legal basis for data processing: enforcement of the legitimate interests of the data controller, performance of a contract.


(4) The purpose of processing personal data is: asset protection, contract performance.


(5) Recipients of personal data and categories of recipients: employees of the company engaged in asset protection, employees of the company's asset protection agent as data processors.


(6) Duration of processing of personal data: 6 months.


Data processing related to electronic surveillance system


(1) The company uses a camera surveillance system at its headquarters for the purpose of personal and property protection.


(2) It is prohibited to place a camera in a room where surveillance may violate human dignity, especially in changing rooms, showers, restrooms or, for example, in a medical room or waiting room.


(3) If no one is legally allowed to be present in the area of the company's registered office, the entire area of the registered office (for example, changing rooms, toilets, rooms designated for breaks between work) can be observed.


(4) The company may use the electronic surveillance system exclusively for the purpose of monitoring parts of buildings, premises and areas owned (or used) by the company, or the events occurring there, but not for the purpose of monitoring public areas. The camera's viewing angle may be directed to an area consistent with its purpose.


(6) The company shall place a clearly visible information board on the use of the electronic surveillance system, thereby fulfilling its obligation to provide prior information. The information shall be provided for each camera, specifying precisely the purpose for which the given camera was placed in the given area and the area or equipment to which the camera's viewing angle is directed. The information shall cover the legal basis for data processing, the identification of the person (legal or natural) operating the electronic surveillance system, the place and duration of storage of the recording, the circle of persons authorized to view the data, as well as the persons and bodies to whom and in what cases the recording may be transmitted, the rights of the data subjects in connection with the electronic surveillance system and how they can exercise their rights, and the means of enforcement they may use in the event of a violation of their right to informational self-determination.


(7) The storage period for recordings (personal data) recorded by the electronic surveillance system is 3 working days from the date of creation.


(8) The legal basis for camera surveillance is the legitimate interest of the data controller, or the voluntary consent of the data subject based on the information posted by the Foundation in the form of signs.


(9) The data subject's consent may also be given in the form of implied conduct. Implied conduct exists in particular if the data subject enters or stays in the units covered by the camera surveillance system.

 

(10) Scope of processed data: image of the data subject recorded by the operated camera system and other personal data.


(11) Recipients of personal data recorded by camera recording: The head of the Foundation, the employees operating the camera system, the data processor providing the operation for the purpose of detecting violations and monitoring the operation of the system, the company's employees dealing with asset protection, and the employees of the company's asset protection agent as data processors.


XII. RULES RELATING TO DATA PROCESSING


General rules regarding data processing


(1) The Company entrusts an external data processor with the personal data it processes for the purpose of performing the following tasks: operation and maintenance of the website; fulfillment of tax and accounting obligations; legal support and services, etc. The list of data processors is contained in Annex 1 to these regulations.


(2) The rights and obligations of the data processor related to the processing of personal data are determined by the data controller within the framework of law and separate laws relating to data processing.


(3) The company declares that it does not have the competence to make substantive decisions regarding data processing during the course of its activities as a data processor, may process the personal data it has obtained only in accordance with the instructions of the data controller, may not process data for its own purposes, and is obliged to store and preserve the personal data in accordance with the instructions of the data controller.


(4) The company is responsible for the legality of the instructions given to the data processor regarding data processing operations.


(5) The company is obliged to provide data subjects with information about the identity of the data processor and the place of data processing.


(6) The Company does not authorize the data processor to use additional data processors.


(7) The data processing contract must be in writing. Data processing may not be entrusted to an organization that has a business interest in using the personal data to be processed.


XIII. PROVISIONS ON DATA SECURITY


Principles for implementing data security


(1) The company may only process personal data in accordance with the activities set out in this policy and for the purpose of data processing.


(2) The company ensures the security of data, and in this regard undertakes to take all technical and organizational measures that are essential for the enforcement of data security laws, data and confidentiality protection rules, and to develop the procedural rules necessary for the enforcement of the laws specified above.


(3) The technical and organizational measures to be implemented by our company are aimed at: pseudonymization and encryption of personal data, where applicable; ensuring the ongoing confidentiality, integrity, availability and resilience of systems and services used to process personal data; the ability to restore access to and availability of personal data in a timely manner in the event of a physical or technical incident; applying a procedure for regularly testing, assessing and evaluating the effectiveness of the technical and organizational measures taken to guarantee the security of data processing.


(4) When determining the appropriate level of security, specific account shall be taken of the risks arising from the processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data transmitted, stored or otherwise processed.

 

(5) Our company takes appropriate measures to protect data against unauthorized access, alteration, transmission, disclosure, deletion or destruction, as well as against accidental destruction and damage, and against inaccessibility resulting from changes in the technology used.


(6) Our company records the data it processes in accordance with applicable laws, ensuring that the data is only accessible to those employees and other persons acting within the scope of the Company's interests who need it to perform their jobs and tasks.

 

(7) Our company stores the personal data provided during each data processing activity separately from other data, with the proviso that - in accordance with the above provision - the separated data files may only be accessed by employees with the appropriate access rights.


(8) Our company's managers and employees do not transfer personal data to third parties and take the necessary measures to prevent unauthorized access.


(9) Our company grants access to personal data to employees who have submitted themselves to the obligation to comply with data security rules by making a confidentiality declaration regarding the personal data processed.


(10) When defining and applying measures to ensure data security, our company takes into account the current state of technology and, in the event of several possible data management solutions, chooses the solution that ensures a higher level of protection of personal data, unless this would pose a disproportionate difficulty.


Protecting our company's IT records


(1) Our company takes the following necessary measures to ensure data security with regard to its IT records: It provides the data files it manages with permanent protection against computer viruses (it uses real-time virus protection software). It ensures the physical protection of the hardware devices of the IT system, including protection against natural damage. It ensures the protection of the IT system against unauthorized access, both in terms of software and hardware devices. It takes all measures necessary to restore data files, performs regular backups, and implements separate, secure management of backup copies.


Protecting our company's paper records


(1) Our company takes the necessary measures to protect paper-based records, especially with regard to physical security and fire protection.


(2) Our company's manager, employees, and other persons acting in the interest of the company are obliged to securely store and protect the data carriers they use or possess, including personal data, regardless of the method of recording the data, against unauthorized access, alteration, transmission, disclosure, deletion or destruction, as well as against accidental destruction and damage.


XIV. OTHER PROVISIONS

 

(1) Our company is obliged to explain the provisions of this policy to all employees of our company.


(2) Our company is obliged to regularly review this policy.


(3) The data subjects can familiarize themselves with this regulation on the website www.attilanemethflorist.com and at the headquarters of our company.


Budapest, 2024.04.24.