Privacy Policy

European Chinese Supply Chain Zrt. – hereinafter referred to as the Company – complies with its obligation to inform data subjects in advance about the processing of personal data by publishing this Privacy Statement, as prescribed by REGULATION 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL. Pursuant to the Regulation, all information required by its relevant articles shall be concise, transparent, clearly and comprehensibly worded, and made available to those affected by data processing in an understandable and easily accessible form.

I. DATA CONTROLLER

The Company informs the data subjects that it shall be considered to be data controller in the processing of personal data.

COMPANY NAME: European Chinese Supply Chain Zrt.
HEADQUARTER: 1133 Budapest, Váci str. 76.
COMPANY REGISTRATION NUMBER: 01 10 049896
TAX NUMBER: 26389686-2-41.
E-MAIL: info@ecsc-logistics.com
WEBSITE: www.ecsc-logistics.com

Employees of the Company with access rights related to the relevant data processing purpose, as well as persons and organizations performing data processing activities for the Company on the basis of service contracts, may have access to personal data, within the scope determined by the Company and to the extent necessary for the performance of their activities.

II. DATA PROCESSOR

The Company uses an external data processor to operate and maintain its website, in respect of the personal data processed on the basis of voluntary consent.

COMPANY NAME: European Chinese Supply Chain Zrt.
HEADQUARTER: 1133 Budapest, Váci str. 76.
COMPANY REGISTRATION NUMBER: 01 10 049896
TAX NUMBER: 26389686-2-41.
E-MAIL: info@ecsc-logistics.com
WEBSITE: www.ecsc-logistics.com

III. DEFINITIONS

  1. ‘personal data’: any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person;
  2. ‘processing’: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction;
  3. ‘restriction of processing’: marking of stored personal data with the aim of limiting their processing in the future;
  4. ‘profiling’: any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
  5. ‘pseudonymisation’: the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;
  6. ‘filing system’: any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;
  7. ‘controller’: natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
  8. ‘processor’: a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller;
  9. ‘recipient’: a natural or legal person, public authority, agency, or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;
  10. ‘third party’: a natural or legal person, public authority, agency, or body other than the data subject, controller, processor, and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
  11. ‘consent’ of the data subject: any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
  12. ‘personal data breach’: a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, personal data transmitted, stored or otherwise handled;
  13. ‘Company’: a natural or legal person engaged in economic activity, regardless of its legal form, including partnerships and associations engaged in regular economic activity.

IV. LEGAL BASIS FOR PROCESSING

  1. Consent of the data subject

(1) The lawfulness of processing personal data shall be based on the consent of the data subject or have some other legal basis established by law.

(2) In case of data processing based on the consent of the data subject, the data subject may give his/her consent to the processing of his/her personal data in the following form:

(a) in writing, in the form of a statement giving consent to personal data processing,

(b) by electronic means, by express conduct on the website of the Company, such as ticking a check box or making relevant technical settings during the use of services related to the information society, as well as by any other statement or action that, in the given context, clearly indicates the data subject’s consent to the intended processing of their personal data.

(3) Silence, a pre-ticked box or inaction therefore do not constitute consent.

(4) Consent covers all data processing activities conducted for the same purpose or purposes.

(5) If data processing serves several purposes at the same time, consent shall be given for each purpose. If the data subject gives consent after an electronic request, the request shall be clear and concise, and it shall not unnecessarily prevent the use of the service for which the consent is requested.

(6) The data subject has the right to withdraw his/her consent at any time. Withdrawal of consent does not affect the legality of data processing based on consent prior to withdrawal. Before giving consent, the data subject shall be informed of this. It shall be possible to withdraw consent in the same way as to give it.

  2. Performance of the contract

(1) Data processing is considered lawful if it is necessary for the performance of a contract in which the data subject is one of the parties, or if it is necessary for taking steps at the request of the data subject prior to the conclusion of the contract.

(2) The consent of the data subject to processing personal data that are not necessary for the performance of the contract cannot be a condition for entering into a contract.

  3. Fulfilling the legal obligation of the data controller or protecting the vital interests of the data subject or other natural person

(1) The legal basis for data management is laid down by law in the event of the fulfilment of a legal obligation. As a consequence, the consent of the data subject is not required for the processing of their personal data.

(2) The data controller is obliged to inform the data subject about the purpose, legal basis and duration of the data management, the identity of the data controller, as well as about his/her rights and legal remedies.

(3) On the basis of fulfilling a legal obligation, the data controller is entitled, after the data subject’s consent has been withdrawn, to manage data that is necessary to fulfil a legal obligation to which it is subject.

  4. Execution of a task carried out under public power, asserting the legitimate interests of the data controller or a third party

(1) The legitimate interest of the data controller – including a data controller to whom the personal data may be disclosed – or of a third party may create a legal basis for data processing, provided the interests, fundamental rights and freedoms of the data subject do not take precedence, considering the data subject’s reasonable expectations based on the relationship with the data controller. Such a legitimate interest may exist, for example, when there is a relevant and appropriate relationship between the data subject and the data controller, such as where the data subject is a client of the data controller or is employed by it.

(2) In order to establish the existence of a legitimate interest, it is necessary to examine carefully, among other things, whether the data subject can reasonably expect, at the time and in connection with the collection of personal data, that data processing may take place for the given purpose.

(3) The interests and fundamental rights of the data subject could in particular override the interest of the data controller where personal data are processed in circumstances where data subjects do not expect further processing.

V. RIGHTS OF THE DATA SUBJECT RELATED TO DATA PROCESSING

  1. The Company provides the following brief information about the rights of the data subject:

The data subject shall have the right:

  1. for information before data control,
  2. to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:
  3. to request the correction or deletion of data, to receive a notification from the data controller that this has occurred,
  4. to request restriction of data processing and to receive a notification from the data controller that this has occurred,
  5. for data portability,
  6. to object, if his or her personal data is processed for purposes of public interest or with reference to the legitimate interests of the data controller,
  7. to be exempt from automated decision-making, including profiling,
  8. to file a complaint with the supervisory authority. The data subject can exercise his right to file a complaint at the following contact details: National Data Protection and Freedom of Information Authority, address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c., Phone: +36 (1) 391-1400; Fax: +36 (1) 391 1410, www: http://www.naih.hu, e-mail: ugyfelszolgalat@naih.hu
  9. for an effective judicial remedy against a supervisory authority,
  10. for an effective judicial remedy against the data controller or data processor,
  11. for information about the data protection incident.

  2. Detailed information on data subject rights

Right of information

(1) The data subject has the right to receive the information related to data processing before the start of activities aimed at managing his or her data.

(2) Information to be provided where personal data are collected from the data subject

  1. the identity and the contact details of the controller and, where applicable, of the controller’s representative;
  2. the contact details of the data protection officer, where applicable;
  3. the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
  4. where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third party;
  5. the recipients or categories of recipients of the personal data, if any;
  6. where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available

(3)  In addition to the information referred to in paragraph 1, the controller shall, at the time when personal data are obtained, provide the data subject with the following further information necessary to ensure fair and transparent processing:

(a) the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;

(b) the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability;

(c) where the processing is based on point (a) of Article 6(1) or point (a) of Article 9(2), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;

(d) the right to lodge a complaint with a supervisory authority;

(e) whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data;

(f) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

(4)  Where personal data have not been obtained from the data subject, the controller shall provide the data subject with the following information:

(a) the identity and the contact details of the controller and, where applicable, of the controller’s representative;

(b) the contact details of the data protection officer, where applicable;

(c) the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;

(d) the categories of personal data concerned;

(e) the recipients or categories of recipients of the personal data, if any;

(f) where applicable, that the controller intends to transfer personal data to a recipient in a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means to obtain a copy of them or where they have been made available.

(5)  In addition to the information referred to in paragraph 4, the controller shall provide the data subject with the following information necessary to ensure fair and transparent processing in respect of the data subject:

  1. the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
  2. where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third party;
  3. the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject and to object to processing as well as the right to data portability;
  4. where processing is based on point (a) of Article 6(1) or point (a) of Article 9(2), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
  5. the right to lodge a complaint with a supervisory authority;
  6. from which source the personal data originate, and if applicable, whether it came from publicly accessible sources
  7. the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject

(6)  Where the controller intends to further process the personal data for a purpose other than that for which the personal data were obtained, the controller shall provide the data subject prior to that further processing with information on that other purpose and with any relevant further information as referred to in paragraph 4.

(7)  Paragraphs 3 to 6 shall not apply where and insofar as:

  1. the data subject already has the information;
  2. the provision of such information proves impossible or would involve a disproportionate effort, in particular for processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to the conditions and safeguards referred to in Article 89(1) or in so far as the obligation referred to in paragraph 1 of this Article is likely to render impossible or seriously impair the achievement of the objectives of that processing. In such cases the controller shall act appropriately to protect the data subject’s rights and freedoms and legitimate interests, including making the information publicly available
  3. obtaining or disclosure is expressly laid down by Union or Member State law to which the controller is subject and which provides appropriate measures to protect the data subject’s legitimate interests; or
  4. where personal data shall remain confidential subject to an obligation of professional secrecy regulated by Union or Member State law, including a statutory obligation of secrecy.

Right of access by the data subject

(1)  The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:

  1. the purposes of the processing;
  2. the categories of personal data concerned;
  3. the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
  4. where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
  5. the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
  6. the right to lodge a complaint with a supervisory authority;
  7. where the personal data are not collected from the data subject, any available information as to their source;
  8. the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

(2) Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 relating to the transfer.

(3) The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.

Rectification and erasure

Right to rectification

Right to erasure (‘right to be forgotten’)

(1) The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

(a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

(b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;

(c) the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);

(d) the personal data have been unlawfully processed;

(e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;

(f) the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).

(2) Where the controller has made the personal data public and is obliged pursuant to paragraph 1 to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

(3) Paragraphs 1 and 2 shall not apply to the extent that processing is necessary:

(a) for exercising the right of freedom of expression and information;

(b) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task conducted in the public interest or in the exercise of official authority vested in the controller;

(c) for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3);

(d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or

(e) for the establishment, exercise, or defence of legal claims.

Right to restriction of processing

(1) The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:

  1. the data subject contests the accuracy of the personal data, for a period enabling the controller to verify the accuracy of the personal data;
  2. the processing is unlawful, and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
  3. the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise, or defence of legal claims; or
  4. the data subject has objected to processing pursuant to Article 21(1) pending the verification whether the legitimate grounds of the controller override those of the data subject.

(2) Where processing has been restricted under paragraph 1, such personal data shall, with the exception of storage, only be processed with the data subject’s consent or for the establishment, exercise, or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

(3) A data subject who has obtained restriction of processing pursuant to paragraph 1 shall be informed by the controller before the restriction of processing is lifted.

Notification obligation regarding rectification or erasure of personal data or restriction of processing

(1) The controller shall communicate any rectification or erasure of personal data or restriction of processing to each recipient to whom the personal data have been disclosed unless this proves impossible or involves disproportionate effort.

(2) The controller shall inform the data subject about those recipients if the data subject requests it.

Right to data portability

(1) The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used, and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:

(a) the processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) or on a contract pursuant to point (b) of Article 6(1); and

(b) the processing is conducted by automated means.

(2) In exercising his or her right to data portability pursuant to paragraph 1, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.

(3) The exercise of the right referred to in paragraph 1 of this Article shall be without prejudice to Article 17. That right shall not apply to processing necessary for the performance of a task conducted in the public interest or in the exercise of official authority vested in the controller.

(4) The right referred to in paragraph 1 shall not adversely affect the rights and freedoms of others.

Right to object

(1) The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the data subject or for the establishment, exercise, or defence of legal claims.

(2)  Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.

(3)  Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.

(4)  At the latest at the time of the first communication with the data subject, the right referred to in paragraphs 1 and 2 shall be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information.

(5) In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the data subject may exercise his or her right to object by automated means using technical specifications.

(6)  Where personal data are processed for scientific or historical research purposes or statistical purposes pursuant to Article 89(1), the data subject, on grounds relating to his or her particular situation, shall have the right to object to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task conducted for reasons of public interest.

The right to be exempt from automated decision-making

(1) The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

(2) Paragraph 1 shall not apply if the decision:

(a) is necessary for entering into, or performance of, a contract between the data subject and a data controller;

(b) is authorised by Union or Member State law to which the controller is subject, and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or

(c) is based on the data subject’s explicit consent.

(3) In the cases referred to in points (a) and (c) of paragraph 2, the data controller shall implement suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.

(4) Decisions referred to in paragraph 2 shall not be based on special categories of personal data referred to in Article 9(1), unless point (a) or (g) of Article 9(2) applies and suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests are in place.

The data subject’s right to complaint and legal remedy

The right to complain to the supervisory authority.

(1) Based on Article 77 of the Regulation, the data subject is entitled to file a complaint with the supervisory authority if, in the opinion of the data subject, the control of personal data relating to him/her violates this Regulation.

(2) The data subject may exercise his right to file a complaint at the following contact details:

National Data Protection and Freedom of Information Authority: 1125 Budapest, Szilágyi Erzsébet fasor 22/c, Phone: +36 (1) 391-1400; Fax: +36 (1) 391-1410, www: http://www.naih.hu, e-mail: ugyfelszolgalat@naih.hu

(3) The supervisory authority to which the complaint was submitted is obliged to inform the customer about the procedural developments related to the complaint and its outcome, including that the customer is entitled to a judicial remedy based on Article 78 of the Regulation.

Right to an effective judicial remedy against a supervisory authority

(1)  Without prejudice to any other administrative or non-judicial remedy, each natural or legal person shall have the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning them.

(2)  Without prejudice to any other administrative or non-judicial remedy, each data subject shall have the right to an effective judicial remedy where the supervisory authority which is competent pursuant to Articles 55 and 56 does not manage a complaint or does not inform the data subject within three months on the progress or outcome of the complaint lodged pursuant to Article 77.

(3)   Proceedings against a supervisory authority shall be brought before the courts of the Member State where the supervisory authority is established.

(4)   Where proceedings are brought against a decision of a supervisory authority which was preceded by an opinion or a decision of the Board in the consistency mechanism, the supervisory authority shall forward that opinion or decision to the court.

Right to an effective judicial remedy against a controller or processor

(1) Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority pursuant to Article 77, each data subject shall have the right to an effective judicial remedy where he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data in non-compliance with this Regulation.

(2)  Proceedings against a controller or a processor shall be brought before the courts of the Member State where the controller or processor has an establishment. Alternatively, such proceedings may be brought before the courts of the Member State where the data subject has his or her habitual residence, unless the controller or processor is a public authority of a Member State acting in the exercise of its public powers.

Restrictions

(1) Union or Member State law to which the data controller or processor is subject may restrict by way of a legislative measure the scope of the obligations and rights provided for in Articles 12 to 22 and Article 34, as well as Article 5 in so far as its provisions correspond to the rights and obligations provided for in Articles 12 to 22, when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard:

  1. national security;
  2. defence;
  3. public security;
  4. the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security;
  5. other important objectives of general public interest of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, including monetary, budgetary and taxation matters, public health and social security;
  6. the protection of judicial independence and judicial proceedings;
  7. the prevention, investigation, detection, and prosecution of breaches of ethics for regulated professions;
  8. a monitoring, inspection or regulatory function connected, even occasionally, to the exercise of official authority in the cases referred to in points (a) to (e) and (g);
  9. the protection of the data subject or the rights and freedoms of others;
  10. the enforcement of civil law claims.

(2) In particular, any legislative measure referred to in paragraph 1 shall contain specific provisions at least, where relevant, as to:

  1. the purposes of the processing or categories of processing;
  2. the categories of personal data;
  3. the scope of the restrictions introduced;
  4. the safeguards to prevent abuse or unlawful access or transfer;
  5. the specification of the controller or categories of controllers;
  6. the storage periods and the applicable safeguards taking into account the nature, scope and purposes of the processing or categories of processing;
  7. the risks to the rights and freedoms of data subjects; and
  8. the right of data subjects to be informed about the restriction unless that may be prejudicial to the purpose of the restriction.

Information about the data protection incident

(1) The controller should communicate to the data subject a personal data breach, without undue delay, where that personal data breach is likely to result in a considerable risk to the rights and freedoms of the natural person in order to allow him or her to take the necessary precautions.

(2) The information provided to the data subject referred to in paragraph (1) shall clearly and comprehensibly describe the nature of the personal data breach and shall contain at least the name and contact details of the data protection officer or other contact person providing additional information, the likely consequences of the breach, and the measures taken or planned by the data controller to remedy the breach, including, where applicable, measures aimed at mitigating any adverse consequences resulting from the breach.

(3) The communication to the data subject referred to in paragraph 1 shall not be required if any of the following conditions are met:

  1. the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption;
  2. the controller has taken subsequent measures which ensure that the considerable risk to the rights and freedoms of data subjects referred to in paragraph 1 is no longer likely to materialise;
  3. it would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.

(4) If the controller has not already communicated the personal data breach to the data subject, the supervisory authority, having considered the likelihood of the personal data breach resulting in a high risk, may require it to do so or may decide that any of the conditions referred to in paragraph 3 are met.

VI. PROCEDURE TO BE APPLIED IN THE EVENT OF A REQUEST BY THE DATA SUBJECT

(1) The Company facilitates the exercise of the data subject’s rights and may not refuse to comply with the data subject’s request to exercise his or her rights, as set out in this data control information, unless it proves that the data subject cannot be identified.

(2) The Company informs the data subject of the measures taken following the request without undue delay, but in any case, within one month from the receipt of the request. If necessary, taking into account the complexity of the application and the number of applications, this deadline can be extended by another two months. The data controller shall inform the data subject of the extension of the deadline, indicating the reasons for the delay, within one month of receiving the request.

(3) If the data subject has submitted the request electronically, the information shall be provided electronically, if possible, unless the data subject requests otherwise.

(4)  If the Company does not take measures following the data subject’s request, it shall inform the data subject without delay, but at the latest within one month of receipt of the request, of the reasons for the failure to take action, as well as the fact that the data subject may file a complaint with the supervisory authority and exercise his right to judicial redress.

(5) The Company provides the data subject with the following information and measures free of charge: feedback on the processing of personal data, access to processed data, correction, addition, deletion of data, restriction of data processing, data portability, objection to data processing, information about data protection incidents.

(6) If the data subject’s request is clearly unfounded or – especially due to its repeated nature – excessive, the data controller, taking into account the administrative costs associated with providing the requested information or taking the requested measure, may charge a fee of HUF 5,000 or refuse to take action based on the request.

(7) It is the responsibility of the data controller to prove that the request is clearly unfounded or excessive.

(8) Without prejudice to Article 11 of the Regulation, if the data controller has well-founded doubts regarding Articles 15-21 of the Regulation. regarding the identity of the natural person who submitted the application pursuant to Article.

VII. PROCEDURE IN CASE OF PERSONAL DATA BREACH

(1) ‘Personal data breach’ under this Regulation means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;

(2) Examples of a personal data breach are: the loss or theft of a device containing personal data (laptop, mobile phone); the loss or inaccessibility of the code used to decrypt files encrypted by the data controller; infection by ransomware (blackmail virus), which makes the data controlled by the data controller inaccessible until the ransom is paid; an attack on the IT system; an e-mail containing personal data sent to the wrong recipient; publication of the address list; etc.

(3) If a personal data breach is detected, the Company’s representative will immediately conduct an investigation in order to identify the breach and determine its possible consequences. Necessary measures shall be taken to prevent damage.

(4) The personal data breach shall be reported to the competent supervisory authority without undue delay and, if possible, no later than 72 hours after becoming aware of the breach, unless the breach is likely to pose no risk to the rights and freedoms of natural persons. If the notification is not made within 72 hours, the reasons justifying the delay shall also be attached.

(5) The data processor shall report the breach to the data controller without undue delay after becoming aware of it.

(6) The notification referred to in paragraph (3) shall at least:

  1. describe the nature of the data protection incident, including – if possible – the categories and approximate number of affected persons, as well as the categories and approximate number of data affected by the incident;
  2. provide the name and contact details of the data protection officer or other contact person providing additional information;
  3. describe the consequences of the personal data breach;
  4. describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

(7) Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.

(8) The controller shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken. That documentation shall enable the supervisory authority to verify compliance with this Article.

VIII. DATA CONTROLLING IN CONNECTION WITH THE WEBSITE

Information regarding the data of visitors to the Company’s website

(1) During visits to the Company’s website, one or more cookies – small information packages that the server sends to the browser, and that the browser then sends back to the server with every request directed to the server – are sent to the computer of the person visiting the website, through which the visitor’s browser will be uniquely identifiable, if the visitor has given his or her express (active) consent by continuing to browse the website after receiving clear and unambiguous information.

(2) Cookies work solely to improve the user experience and automate the login process. The cookies used on the website do not store personally identifiable information, and the Company does not manage personal data in this context.

Registration

(1) In case of registration, the legal basis for data processing is the data subject’s consent, which the data subject provides by ticking the box next to the “registration” section on the Company’s website after being informed about the processing of their data.

(2) In the case of registration, the group of stakeholders: all natural persons who wish to register and give their consent to the processing of their personal data.

(3) The range of data processed in case of registration: name, address, e-mail address, phone number, login password.

(4) In the case of registration, the purpose of data processing is as follows: contact for the preparation of a contract or direct marketing request, provision of free services available on the website to the affected party, access to non-public content of the website.

(5) Recipients of the data (those who can access the data) in the event of registration: the head of the Company, staff providing customer relations, data processing staff operating the website of the Company.

(6) Duration of data processing in case of registration: until deletion at the request of the data subject.

(7) The data subject may request the deletion of his/her registration (personal data) at any time.

IX. DATA PROCESSING ACTIVITY RELATED TO CONTRACT PERFORMANCE

(1) The Company processes the personal data of the natural persons who contract with it – customers, buyers, suppliers – in connection with the contractual relationship. The data subject shall be informed about the processing of personal data.

(2) Scope of stakeholders: all natural persons who establish a contractual relationship with the Company.

(3) The legal basis of data processing is the performance of a contract, the purpose of data processing is to maintain contact, assert claims arising from the contract, and ensure compliance with contractual obligations.

(4) Recipients of personal data: the head of the Company, the Company’s employees and data processors performing customer service and bookkeeping tasks based on their duties.

(5) The range of personal data processed: name, address, seat, telephone number, e-mail address, tax number, bank account number, entrepreneur ID number, primary producer ID number.

(6) Duration of data processing: 5 years from the termination of the contract.

X. DATA SECURITY PROVISIONS

(1) The Company may process personal data only in accordance with the activities set out in these regulations and according to the purpose of data processing.

(2) The Company ensures the security of data, and in this context undertakes to take all the technical and organizational measures that are absolutely necessary for the enforcement of the data security legislation, data, and privacy protection rules, and to establish the procedural rules necessary for the enforcement of the above-defined legislation.

(3) The Company shall act appropriately to protect the data against unauthorized access, alteration, transmission, disclosure, deletion, or destruction, as well as accidental destruction and damage, as well as inaccessibility resulting from changes in the technology used.

(4) The technical and organizational measures to be implemented by the Company for the sake of data security are laid down in the Company’s data protection regulations.

(5) When defining and applying data security measures, the Company takes into account the state of the art at all times, and in the case of several data management solutions, chooses a solution that ensures a higher level of protection of personal data, unless it would represent a disproportionate difficulty.

XI. PROVISIONS FOR DATA PROCESSING

  1. General rules related to data processing

(1) The rights and obligations of the data processor related to the processing of personal data are determined by the law and the data controller within the framework of separate laws on data processing.

(2) The Company declares that the data processor does not have the competence to make substantive decisions regarding data processing during its activities; it may process the personal data it has come to know only in accordance with the provisions of the data controller; it may not perform data processing for its own purposes; furthermore, it must store and preserve personal data according to the regulations of the data controller.

(3) The Company is responsible for the legality of the instructions given to the data processor regarding data processing operations.

(4) The Company is obliged to provide the data subjects with information about the person of the data processor and the place of data processing.

(5) The Company does not authorize the data processor to use additional data processors.

(6) The contract for data processing must be in writing. Data processing cannot be entrusted to organizations that are interested in business activities that use the personal data to be processed.