Privacy

Introduction

The company Nyíregyházi Turisztikai NonprofitKft. (company registration number: 15 09 075056, tax number:14959165-1-15, registered office: H-4400 Nyíregyháza, Kossuth tér 1., Hungary)(hereinafter referred to as: ‘Service Provider’ or ‘controller’) undertakes tobe bound by the provisions of the following Policy:

The company hereby provides the following information in accordance withREGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April2016 on the protection of natural persons with regard to the processing ofpersonal data and on the free movement of such data, and repealing Directive95/46/EC (General Data Protection Regulation).

This Privacy Policy regulates the processing operations carried out inconnection with the https://www.templomtura.hu/ website.

The Privacy Policy is available at https://www.templomtura.hu/en/data-protection

Any amendmentsto the Policy shall take effect upon being published on the above website.

The controller and its contact information:

Name: NyíregyháziTurisztikai Nonprofit Kft.
Registered office: H-4400 Nyíregyháza, Kossuth tér 1., Hungary
Email: tdm@nyiregyhaza.info.hu
Telephone: +36 42 310 735; +36 42 794 069

Definitions

1. ‘personal data’ means any information relating to an identifiedor identifiable natural person (‘data subject’); an identifiable natural personis one who can be identified, directly or indirectly, in particular byreference to an identifier such as a name, an identification number, locationdata, an online identifier or to one or more factors specific to the physical,physiological, genetic, mental, economic, cultural or social identity of thatnatural person;

2. ‘processing’ means any operation or set of operations whichis performed on personal data or on sets of personal data, whether or not byautomated means, such as collection, recording, organisation, structuring,storage, adaptation or alteration, retrieval, consultation, use, disclosure bytransmission, dissemination or otherwise making available, alignment orcombination, restriction, erasure or destruction;

3. ‘controller’ means the natural or legal person, publicauthority, agency or other body which, alone or jointly with others, determinesthe purposes and means of the processing of personal data; where the purposesand means of such processing are determined by Union or Member State law, thecontroller or the specific criteria for its nomination may be provided for byUnion or Member State law;

4. ‘processor’ means a natural or legal person, publicauthority, agency or other body which processes personal data on behalf of thecontroller;

5. ‘recipient’ means a natural or legal person, publicauthority, agency or another body, to which the personal data are disclosed,whether a third party or not. However, public authorities which may receivepersonal data in the framework of a particular inquiry in accordance with Unionor Member State law shall not be regarded as recipients; the processing ofthose data by those public authorities shall be in compliance with theapplicable data protection rules according to the purposes of the processing;

6. ‘consent’ of the data subject means any freely given,specific, informed and unambiguous indication of the data subject’s wishes by whichhe or she, by a statement or by a clear affirmative action, signifies agreementto the processing of personal data relating to him or her;

7. ‘personal data breach’ means a breach of security leading to theaccidental or unlawful destruction, loss, alteration, unauthorised disclosureof, or access to, personal data transmitted, stored or otherwise processed.

Principles relating to processing of personal data

Personal data shall be:

a) processed lawfully, fairly and in a

transparent manner in relation to the data subject (‘lawfulness, fairness

and transparency’);

b) collected for specified, explicit and

legitimate purposes and not further processed in a manner that is

incompatible with those purposes; further processing for archiving

purposes in the public interest, scientific or historical research

purposes or statistical purposes shall, in accordance with Article 89(1),

not be considered to be incompatible with the initial purposes (‘purpose

limitation’);

c) adequate, relevant and limited to what is

necessary in relation to the purposes for which they are processed (‘data

minimisation’);

d) accurate and, where necessary, kept up to

date; every reasonable step must be taken to ensure that personal data

that are inaccurate, having regard to the purposes for which they are

processed, are erased or rectified without delay (‘accuracy’);

e) kept in a form which permits identification of

data subjects for no longer than is necessary for the purposes for which

the personal data are processed; personal data may be stored for longer

periods insofar as the personal data will be processed solely for

archiving purposes in the public interest, scientific or historical

research purposes or statistical purposes in accordance with Article 89(1)

subject to implementation of the appropriate technical and organisational

measures required by this Regulation in order to safeguard the rights and

freedoms of the data subject (‘storage limitation’);

f) processed in a manner that ensures appropriate

security of the personal data, including protection against unauthorised

or unlawful processing and against accidental loss, destruction or damage,

using appropriate technical or organisational measures (‘integrity and

confidentiality’).

The controller shall be responsible for the above andbe able to demonstrate compliance with the above (‘accountability’).

The controller represents that its data processingoperations are in line with the principles laid down in this Clause.

Instances of processing

Contact

1. Thefact of data collection, the categories of data processed, and the purpose ofprocessing:

Personal data - Purpose of processing

Name - Identification

Email address - Communication, sending responses

Phone number - Communication

Message content - Required for response

Date of communication - Performance of technicaloperations.

IP address at the time of communication - Performanceof technical operations.

The email address shall not necessarily containpersonal data.

2. Categories of data subjects: All data subjects sending messages through thecontact form.

3. Duration of processing, time limitfor erasure of the data: If any of theconditions laid down in Article 17(1) of the GDPR are met, it shall last untilerasure is requested by the data subject.

4. Potential controllers entitled toreceive the data, recipients of personal data: Personal data may be processed by the authorisedemployees of the controller.

5. Information on the rights of datasubjects related to processing:

The data subject may request from the controller

access to and rectification or erasure of personal data or restriction of

processing concerning the data subject, and

the data subject shall have the right to data

portability, and the right to withdraw consent at any time.

6. The data subject can initiate theprovision of access to the personal data, the erasure, modification,restriction of processing, or data portability in the following manners:

by post at the address of H-4400 Nyíregyháza,

Kossuth tér 1, Hungary

by email at the tdm@nyiregyhaza.info.hu email

address,

by telephone at the +36 42 310 735; +36 42 794

069 telephone number.

7. Legal basis for processing: the data subject’s consent, point (a), (b) and(c) of Article 6(1). By contacting us, you give us consent to process yourpersonal data received by us in the course of such contact (name, telephonenumber, email address) in compliance with this Policy.

8. Pleasenote that

this processing is based on your consent and/or

is necessary for providing an offer or, in the case of a contractual

relationship, is based on a legal obligation (cooperation).

you are obliged to provide the personal data so

that you can contact us.

as a consequence of your failure to provide data

you will be unable to contact the Service Provider.

Customer relationships

1. Thefact of data collection, the categories of data processed, and the purpose ofprocessing:

Personal data - of processing

Name, email address, telephone number - Communication,identification, performance of contracts, business purpose.

2. Categories of data subjects: All data subjects communicating byphone/email/in person, or in a contractual relationship with the controller.

3. Duration of processing, time limitfor erasure of the data: Mails containingthe requests are processed until the data subject’s erasure request but for nolonger than 2 years.

4. Potential controllers entitled toreceive the data, recipients of personal data: The personal data may be processed by thecontroller’s authorised personnel, by honouring the above principles.

5. Information on the rights of datasubjects related to processing:

The data subject may request from the controller

access to and rectification or erasure of personal data or restriction of

processing concerning the data subject, and

the data subject shall have the right to data

portability, and the right to withdraw consent at any time.

6. The data subject can initiate theprovision of access to the personal data, the erasure, modification,restriction of processing, or data portability in the following manners:

by post at the address of H-4400 Nyíregyháza,

Kossuth tér 1, Hungary

by email at the tdm@nyiregyhaza.info.hu email

address,

by telephone at the +36 42 310 735; +36 42 794

069 telephone number.

7. Legal basis for processing:

7.1. points (b) and (c) of Article 6(1) of the GDPR.

7.2. Pursuant to Section 6:21 of Act V of 2013 on theCivil Code 5 years for enforcing claims arising from the contract.

Section 6:22 [Statute of limitations]

(1) Unless otherwise provided for in this Act,

claims shall lapse after five years.

(2) The statute of limitations shall commence

when the claim becomes due.

(3) Agreements concerning the alteration of the

limitation period shall be made in writing.

(4) Agreements excluding the statute of

limitations shall be null and void.

8. Pleasenote that

processing is required for the performance of the

contract and for giving an offer.

you are obliged to provide the personal data

to allow performance of the contract/other request.

as a consequence of your failure to

provide data we will be unable to perform your order/the contract, or

process your request.

Complaint handling

1. Thefact of data collection, the categories of data processed, and the purpose ofprocessing:

Personal data - Purpose of processing

Surname and first name - Identification,communication.

Email address - Keeping contact.

Phone number - Keeping contact.

Invoicing name and address - Identification, handlingquality complaints, issues and problems related to the products ordered.

2. Categories of data subjects: All data subjects shopping on the website andsubmitting a quality or other complaint.

3. Duration of processing, time limitfor erasure of the data: Copies of theminutes, memorandum recording the complaint and the response thereto shall beretained for 5 years pursuant to Section 17/A(7) of Act CLV of 1997 on ConsumerProtection.

4. Potential controllers entitled toreceive the data, recipients of personal data: The personal data may be processed by thecontroller’s sales and marketing personnel, by honouring the above principles.

5. Information on the rights of datasubjects related to processing:

The data subject may request from the controller

access to and rectification or erasure of personal data or restriction of

processing concerning the data subject, and

the data subject shall have the right to data

portability, and the right to withdraw consent at any time.

6. The data subject can initiate theprovision of access to the personal data, the erasure, modification,restriction of processing, or data portability in the following manners:

by post at the address of H-4400 Nyíregyháza,

Kossuth tér 1, Hungary

by email at the tdm@nyiregyhaza.info.hu email

address,

by telephone at the +36 42 310 735; +36 42 794

069 telephone number.

7. Legal basis for processing: point (c) of Article 6(1), and Section 17/A (7)of Act CLV of 1997 on Consumer Protection.

8. Pleasenote that

personal data are to be provided based on a legal

obligation.

the processing of personal data is a condition

precedent to the conclusion of the contract.

you are obliged to provide the personal data so

that we can handle your complaint.

as a consequence of your failure to provide

data, we will not be able to handle the complaint we have received from you.

Recipients to whom the personal data may be disclosed

‘recipient’ means a natural or legal person, publicauthority, agency or another body, to which the personal data are disclosed,whether a third party or not.

Processors (processing data on behalf of thecontroller)

In order to facilitate its own processing activities,and furthermore, to fulfil its obligations under contracts concluded with thedata subject and/or prescribed by law, the controller uses processors.

The controller places strong emphasis on using onlyprocessors providing sufficient guarantees to implement appropriate technicaland organisational measures in such a manner that processing will meet therequirements of the GDPR and ensure the protection of the rights of the datasubject.

The processor and any person acting under theauthority of the controller or of the processor, who has access to personaldata, shall not process the personal data specified in this Policy except oninstructions from the controller.

The controller shall have legal liability for theprocessor’s activities. A processor shall be liable for the damage caused byprocessing only where it has not complied with obligations of the GDPRspecifically directed to processors or where it has acted outside or contraryto lawful instructions of the controller.

The processor shall have no authority to makesubstantial decisions regarding the processing of data.

To provide for the IT background, the controller mayuse a web hosting provider as processor and, to deliver the items ordered, itmay use a courier service as a processor.

The individual processors

Activity performed by the processor

Web hosting, web development

Name: Qilaq Solutions Kft.

Address, contact details: 8623 Balatonföldvár, Móricz Zs. u. 26/b/3

Email: info@qilaq.hu

6. Management of cookies

1. Webshopstypically use cookies such as the so-called ‘password-protected sessioncookies’, ‘shopping cart cookies’, ‘security cookies’, ‘necessary cookies’,‘functional cookies’ and ‘website statistics cookies’, the use of which doesnot require previous consent from the data subjects.

2. Thefact of processing, categories of data processed: Unique identifier, dates,times

3. Categoriesof data subjects: All data subjects visiting the website.

4. Thepurpose of processing: Identification of users, registration of the ‘shoppingcart’ and monitoring of visitors.

5. Durationof processing, time limit for erasure of the data:

Cookie type

Session cookies
Persistent or saved cookies
Statistical cookies

Legal basis for processing

Section 13/A(3) of Act CVIII of 2001 on Certain Issuesof Electronic Commerce Services and Information Society Services (‘E-commerceAct’)

Duration of processing

Session cookies: Theperiod ending upon the relevant visitor session ending
Persistent or saved cookies: until deletion by the data subject
Statistical cookies: 1 to 2 months

Data category processed - connect.sid

6. Potentialcontrollers with right of access: The use of cookies does not involve theprocessing of personal data by the controller.

7. Informationon the rights of data subjects related to processing: Data subjects can deletecookies in the Tools/Settings menu of their browser, generally among thesettings of the Privacy menu.

8. Legalbasis for processing: The data subject’s consent is not required if theexclusive purpose of using cookies is to communicate through the electroniccommunications network, or its use is indispensable for the service provider torender an information society service expressly requested by the subscriber orthe user.

9. Mostbrowsers used by our users enable them to set which cookies should be saved,and make it possible to delete (certain) cookies again. If you limit the savingof cookies on certain websites or disable third party cookies, under certaincircumstances you may become unable to fully use our website. Here you can findinformation on how to customise cookie settings in the case of the usualbrowsers:

Google Chrome (https://support.google.com/chrome/answer/95647?hl=en)
Internet Explorer (https://support.microsoft.com/en-gb/help/17442/windows-internet-explorer-delete-manage-cookies)
Firefox (https://support.mozilla.org/en-US/kb/enable-and-disable-cookies-website-preferences)
Safari (https://support.apple.com/kb/PH21411?locale=hu_HU&viewlocale=en_US)

Use" class="redactor-linkify-object">https://support.apple.com/kb/PH21411?locale=hu_HU&... of Google and Facebook services

Use of Google Ads (Adwords) conversion tracking

1. Thecontroller uses the ‘Google Ads (Adwords)’ online advertising program,including Google’s conversion tracking service. Google conversion tracking isan analysis service offered by Google Inc. (1600 Amphitheatre Parkway, MountainView, CA 94043, USA; ‘Google’).

2. Ifa User visits a website through a Google-ad, a conversion tracking cookie isdeposited on his or her computer. These cookies have limited validity and theydo not contain any personal data, and therefore cannot be used for the User’sidentification.

3. Ifthe User visits certain pages on the website and the cookie has not yetexpired, both Google and the data controller can detect that the User hasclicked on the advertisement.

4. EachGoogle Ads (Adwords) customer receives a different cookie, and so the cookiescannot be traced back via the websites of Ads (Adwords) customers.

5. Theinformation obtained using the conversion cookie is used to generate conversionstatistics for Ads (Adwords) customers. This way customers receive informationon the number of users that clicked on their advertisement and were directed tothe page marked with a conversion tracking tag. However, they will not receiveany information that can be used to personally identify users.

6. Ifyou want to opt out of conversion tracking, you can reject it by disabling theinstallation of cookies in your browser. After that, you will not be includedin conversion tracking statistics.

7. Moreinformation and Google’s Privacy Policy is available at: www.google.de/policies/privacy/

Use" class="redactor-linkify-object">http://www.google.de/policies/privacy/">www.google... of Google Analytics

1. Thiswebsite uses Google Analytics, a web analytics service offered by Google, Inc.(‘Google’). Google Analytics uses ‘cookies’ that are text files placed on theUser’s computer and which help analyse how Users use the site.

2. Theinformation generated by the cookie about the User’s use of the website isgenerally transmitted to and stored by Google on servers in the USA. If,however, IP anonymisation is activated on the website, Google will beforehandshorten the User’s IP address within Member States of the European Union or inother states that are party to the Agreement on the European Economic Area.

3. Onlyin exceptional cases will the full IP address be transmitted to a Google serverin the USA and shortened there. Google will use this information on behalf ofthe operator of this website to evaluate the User’s use of the website, tocompile reports on the website activities and to provide further servicesassociated with the use of the website and the Internet for the websiteoperator.

4. TheIP address that the User’s browser transmits as part of Google Analytics willnot be associated with any other data held by Google. The User can prevent thestorage of cookies by selecting the corresponding setting in his or herbrowser, but please note that in such a case the User may not be able to useall the functions on this website. The User can also prevent Google’scollection and use of data generated by the cookie and related to the User’suse of the website (including the User’s IP address) as well as the processingof this data by downloading and installing the browser plugin availableat https://tools.google.com/dlpage/gaoptout?hl=hu

Facebook" class="redactor-linkify-object">https://tools.google.com/dlpage/gaoptout?hl=hu">ht... pixel

1. Facebookpixel is a code used for making conversion reports on the website, forcompiling target audience groups, and for providing the site owner withdetailed analysis on the visitors’ website use. With the help of the Facebookremarketing pixel tracking code, you can display personalised offers andadvertisements on Facebook to website users. The Facebook remarketing list isnot suitable for personal identification. Further information regardingFacebook Pixel can be found at https://www.facebook.com/business/help/65129470501...

Social" class="redactor-linkify-object">https://www.facebook.com/business/help/65129470501... media sites

1. Thefact of data collection, the categories of data processed: The user’s name asregistered on Facebook/Google+/Twitter/Pinterest/Youtube/Instagram or othersocial media sites, and the user’s public profile picture.

2. Categoriesof data subjects: All data subjects who have signed up forFacebook/Google+/Twitter/Pinterest/Youtube/Instagram or other social mediasites and have ‘liked’ the Service Provider’s social media site, or havecontacted the controller through the social media site.

3. Thepurpose of data collection: To share certain content elements of the website,or the products and promotions on the website or the website itself and/or to‘like’, follow or promote the same on these social media sites.

4. Durationof processing, time limit for erasure of the data, potential controllersentitled to receive the data, and information on the rights of data subjectsrelated to processing: Data subjects may receive information about the sources,the processing of data, the method of data transfer and the legal grounds thereofby visiting the relevant social media site. Processing is performed on thesocial media sites, therefore the duration and manner of processing, and alsothe option of data erasure and rectification shall be governed by the policy ofthe relevant social media site.

5. Legalbasis for processing: the data subject’s voluntary consent to the processing oftheir data on the social media sites.

Customer relations and other processing

1. Ifthe data subject has any questions or problems during their use of thecontroller’s services, they can contact the controller at its contactinformation (phone, email, social media sites etc.) specified on the website.

2. Theemails and messages received, the data provided by telephone or via Facebooketc, including the name, email address and any other voluntarily providedpersonal data of the data subject will be erased by the controller within amaximum of 2 years from the date of provision.

3. Regardingany type of processing not listed herein, we will provide information at thetime of recording the data in question.

4. Inexceptional cases at the authorities’ request, or at the request of otherbodies authorised by law, the Service Provider may be obliged to provideinformation, disclose and transfer data, or supply documents.

5. Insuch cases, provided that the requesting entity has specified the exact purposeof use and the scope of the data, the Service Provider will only disclose thosepersonal data to the requesting entity and only to such extent that isindispensable for the implementation of the purpose of the request.

The rights of data subjects

1. Right of access

You shall have the right to obtain from the controllerconfirmation as to whether or not personal data concerning you are beingprocessed, and, where that is the case, access to the personal data and theinformation listed in the Regulation.

2. Right to rectification

You shall have the right to obtain from the controllerwithout undue delay the rectification of inaccurate personal data concerningyou. Taking into account the purposes of the processing, you shall have theright to have incomplete personal data completed, including by means ofproviding a supplementary statement.

3. Right to erasure

You shall have the right to obtain from the controllerthe erasure of personal data concerning you without undue delay and thecontroller shall have the obligation to erase personal data without undue delayunder certain conditions specified.

4. Right to be forgotten

Where the controller has made the personal data publicand is obliged to erase the personal data, the controller, taking account ofavailable technology and the cost of implementation, shall take reasonablesteps, including technical measures, to inform controllers which are processingthe personal data that you have requested the erasure by such controllers ofany links to, or copy or replication of, those personal data.

5. Right to restriction of processing

You shall have the right to obtain from the

controller restriction of processing where one of the following conditions

applies:

the accuracy of the personal data is contested by

you, for a period enabling the controller to verify the accuracy of the

personal data;

the processing is unlawful and you oppose the

erasure of the personal data and request the restriction of their use

instead;

the controller no longer needs the personal data

for the purposes of the processing, but they are required by you for the

establishment, exercise or defence of legal claims;

you have objected to processing pending the

verification whether the legitimate grounds of the controller override

your legitimate grounds.

6. Right to data portability

You shall have the right to receive the personal dataconcerning you, which you have provided to a controller, in a structured,commonly used and machine-readable format and have the right to transmit thosedata to another controller without hindrance from the controller to which thepersonal data have been provided (…)

7. Right to object

In the case of processing on the legal basis oflegitimate interest or official authority, you shall have the right to object,on grounds relating to your particular situation, at any time to processing ofpersonal data concerning you, including profiling based on those provisions.

8. Objection in case of direct marketing

Where personal data are processed for direct marketingpurposes, you shall have the right to object at any time to processing ofpersonal data concerning you for such marketing, which includes profiling to theextent that it is related to such direct marketing. Where you object toprocessing for direct marketing purposes, the personal data shall no longer beprocessed for such purposes.

9. Automated individual decision-making, includingprofiling

You shall have the right not to be subject to adecision based solely on automated processing, including profiling, whichproduces legal effects concerning you or similarly significantly affects you.
The previous paragraph shall not apply if the decision:

is necessary for entering into, or performance

of, a contract between you and a data controller;

is authorised by Union or Member State law to

which the controller is subject and which also lays down suitable measures

to safeguard your rights and freedoms and legitimate interests; or

is based on your explicit consent.

Time limit for taking action

The controller shall provide you with information onaction taken on the requests above without undue delay and in any event within1 month of receipt of the request.

This period may be extended by 2 furthermonths where necessary. The controller shall inform you of any suchextension within 1 month of receipt of the request, togetherwith the reasons for the delay.

If the controller does not take action on yourrequest, the controller shall inform you without delay and at the latest withinone month of receipt of the request of the reasons for not taking action and onthe possibility of lodging a complaint with a supervisory authority and seekinga judicial remedy.

Security of processing

Taking into account the state of the art, the costs ofimplementation and the nature, scope, context and purposes of processing aswell as the risk of varying likelihood and severity for the rights and freedomsof natural persons, the controller and the processor shall implementappropriate technical and organisational measures to ensure a level of securityappropriate to the risk, including inter alia as appropriate:

·

a) the pseudonymisation and encryption of

personal data;

b) the ability to ensure the ongoing

confidentiality, integrity, availability and resilience of processing

systems and services;

c) the ability to restore the availability and

access to personal data in a timely manner in the event of a physical or

technical incident;

d) a process for regularly testing, assessing

and evaluating the effectiveness of technical and organisational measures

for ensuring the security of the processing.

e) The data processed shall be stored in such a

way that no unuathorised person can access them. In the case of paper

based data carriers, this should involve the development of a procedure

for physical storage and archiving, while in the case of data processed

in electronic form, the application of a central authorisation management

system.

f) The manner of storing the data with IT

methods shall be selected in such a way that the data can be deleted upon

the data erasure deadline – also having regard to any different erasure

deadline – or if necessary for other reasons. Erasure must be

irreversible.

g) Paper based data carriers must be deprived of

personal data by using a shredder or an external organisation

specialising in destroying documents. In the case of electronic data

carriers, physical destruction must be carried out in accordance with the

rules applicable to the scrapping of electronic data carriers and/or, as

necessary, data must be securely and irreversibly deleted in advance.

h) The controller takes the following specific

data security measures:

a. In order to protect the personal data processed onpaper, the Service Provider applies the following measures (physicalprotection):

§

i.

Documents are placed in secure, lockable and dry rooms.

ii. The

Service Provider’s building and premises are equipped with fire

protection and security equipment.

iii.

Only the persons authorised thereto may become familiar with the

personal data; the data may not be accessed by any third party.

iv.

During his or her work, the Service Provider’s staff member performing

data processing may only leave the room where processing takes place if

he or she locks the data carriers entrusted to him/her or locks the

room in question.

v. If

personal data processed on paper are digitised, the rules governing

digitally stored documents shall be applied.

b. IT protection

·

o

i. The computers and mobile devices (other data

carriers) used for processing are in the Service Provider’s possession.

ii. The data stored on the computers may only

be accessed with a username and password.

iii. The central server may only be accessed in

possession of proper authorisation, and only by designated persons.

iv. For the security of digitally stored data,

the Service Provider applies data backups and archiving.

v. The computer system containing the personal

data used by the Service Provider is equipped with virus protection.

Communication of a personal data breach to the datasubject

When the personal data breach is likely to result in ahigh risk to the rights and freedoms of natural persons, the controller shallcommunicate the personal data breach to the data subject without undue delay.

The notice delivered to the data subject shall definethe nature of the personal data breach in clear and plain language, and itshall communicate the name and contact details of the data protection officeror other contact point where more information can be obtained; it shalldescribe the likely consequences of the personal data breach; describe themeasures taken or proposed to be taken by the controller to address thepersonal data breach, including, where appropriate, measures to mitigate itspossible adverse effects.

The communication to the data subject shall not berequired if any of the following conditions are met:

the controller has implemented appropriate

technical and organisational protection measures, and those measures were

applied to the personal data affected by the personal data breach, in

particular those that render the personal data unintelligible to any

person who is not authorised to access it, such as encryption;

the controller has taken subsequent measures

which ensure that the high risk to the rights and freedoms of data

subjects is no longer likely to materialise;

it would involve disproportionate effort. In such

a case, there shall instead be a public communication or similar measure

whereby the data subjects are informed in an equally effective manner.

If the controller has not already communicated thepersonal data breach to the data subject, the supervisory authority, havingconsidered the likelihood of the personal data breach resulting in a high risk,may require it to do so.

Notification of a personal data breach to theauthority

In the case of a personal data breach, the controllershall without undue delay and, where feasible, not later than 72 hours afterhaving become aware of it, notify the personal data breach to the supervisoryauthority competent in accordance with Article 55, unless the personal databreach is unlikely to result in a risk to the rights and freedoms of naturalpersons. Where the notification to the supervisory authority is not made within72 hours, it shall be accompanied by reasons for the delay.

Complaints

Complaints may be filed against the controller’sviolation of law, if any, with the Hungarian National Authority for DataProtection and Freedom of Information:

Hungarian National Authority for Data Protection

and Freedom of Information (Nemzeti Adatvédelmi és Információszabadság

Hatóság)

H-1055 Budapest, Falk Miksa utca 9-11., Hungary

Mailing address: H-1363 Budapest, PO Box (Pf.) 9

Telephone: +36 -1-391-1400

Fax: +36-1-391-1410

Email: ugyfelszolgalat@naih.hu

Closing remarks

When preparing the information document we took intoaccount the provisions of the following laws:

• REGULATION (EU) 2016/679 OF THE EUROPEAN
• PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of
• natural persons with regard to the processing of personal data and on the
• free movement of such data, and repealing Directive 95/46/EC (General Data
• Protection Regulation)
• Act CXII of 2011 – on Informational
• Self-Determination and Freedom of Information (hereinafter: Info Act)
• Act CVIII of 2001 – on Certain Issues of
• Electronic Commerce Activities and Information Society Services (Section 13/A in particular)
• Act XLVII on 2008 – on the Prohibition of Unfair
• Commercial Practices against Consumers;
• Act XLVIII of 2008 – on the Basic Requirements and Certain Restrictions of Commercial Advertising Activities (Section 6 in particular)
• Act XC of 2005 on the Freedom of Information by
• Electronic Means
• Act C of 2003 on Electronic Communications
• (Section 155 in particular)
• Opinion 16/2011 on EASA/IAB Best Practice
• Recommendation on Online Behavioural Advertising
• Recommendation by the Hungarian National
• Authority for Data Protection and Freedom of Information on the Data
• Protection Requirements of Prior Information
• Regulation (EU) 2016/679 of the European
• Parliament and of the Council of 27 April 2016 on the protection of
• natural persons with regard to the processing of personal data and on the
• free movement of such data, and repealing Directive 95/46/EC

Documents available for download

Personal Data Breach Report

Notification to the data subject

Declaration on Withdrawal

Consent pursuant to the GDPR

Declaration on erasure

Nyíregyháza, December 21. 2021