Privacy Statement of
REGARDING ITS DATA PROCESSING OPERATIONS
RELATED TO THE DATA SUBJECT
The present Privacy Statement (hereinafter referred to as: ‘Privacy Statement or Statement’) contains all information about the data processing operations of Nóra Kisfaludy-Tóbel as the entrepreneur representing Cinderella’s Day Wedding Planner Office (hereinafter referred to as: ‘Service Provider/data controller’) regarding its data subjects, in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as: General Data Protection Regulation/GDPR) and with the Hungarian Act CXII of 2011 on the Right to Informational Self-Determination and on Freedom of Information (hereinafter referred to as ‘Privacy Act’) and other relevant legislation on ensuring the protection of personal data.
To maintain the security of your personal data, we will take the necessary and appropriate measures to ensure that while using our website www.cinderellasday.com for online information and connection, our users, guests and other data subjects shall be provided with information on the processing of their personal data in a consistent, transparent, comprehensible and easily accessible way and to facilitate the exercise of your rights as a data subject.
Please be advised that Service Provider will inform its partners and clients about its client-data management operations, which comply with data protection legislation, in the context of their contractual agreement, because those operations are separate from the ones stated here and only cover rights and obligations that are relevant to contractual agreements between Service Provider and its clients. The present Privacy Statement describes the data processing operations related to the usage of our website and provides information about data processing regarding the Service Provider’s presence in social media.
The use or copying of the whole text or the contents of the present Privacy Statement by any third party without the consent of the lawyer who drafted the Statement is prohibited. Service Provider may change the text of the present Statement in accordance with its data management practices.
This Privacy Statement is an annex to the Privacy Regulation (hereinafter referred to as ‘Regulation’) available at the seat of Service Provider.
Please read the contents of this statement carefully and feel free to contact us with your questions.
DESCRIPTION OF DATA CONTROLLER AND DATA PROCESSORS
The publisher of the present Privacy Statement as the data controller/Service Provider:
Nóra Kisfaludy-Tóbel entrepreneur
Registered seat: 131 Gödöllői Str. Budapest 1141
Registration Number: 39242297
Email address: email@example.com
Service Provider is considered to be the data controller when managing the personal data of those concerned. We also use a data processor to provide our services and perform our activities. The data processor is bound by the obligation of confidentiality with regard to the data obtained. The data processor treats personal data in accordance with the agreement between them and Service Provider to the extent of performing their duties. Please be advised that, with respect to the data provided through our website, only our web hosting partner listed in Point 1 may see any data provided by the data subject.
Based on the applicable regulations, in order to entrust a data processor, Service Provider does not need to ask for the prior consent of the person concerned (data subject), but you need to be informed about the process. Accordingly, we inform the ones concerned about the contact details of the data processors, who may handle the given data strictly for the purpose specified by us for the safety of our clients and for faster and more convenient administration.
- Web hosting partner
We contract with an external partner for web hosting services, who manages the personal data of the natural persons concerned as follows:
Name of the data processor: Orion Websolutions LLC
Mailing address: 2015 S Tuttle Ave, Sarasota, 34239, USA
Phone number: +36 30 5938073
Company VAT number: 990373199
Purpose of data processing: proper operation of the website, providing the client the opportunity to contact us.
Legal basis for the data processing: consent of the data subject.
Time of data processing: until termination of the contract between the data controller and the processor or until the data subject’s withdrawal of consent, with regard to the fact that the personal data provided in the contact form may only be viewed by the hosting provider, but that data is not stored on the server, it is received directly into the Service Provider’s closed mail system.
For the purposes of the present Privacy Statement, in accordance with Article 4 of the GDPR Regulation:
- ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
- ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
- ‘restriction of processing’ means the marking of stored personal data with the aim of limiting their processing in the future;
- ‘profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
- ‘pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;
- ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
- ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
- ‘recipient’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;
- ‘third party’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
- ‘consent of the data subject’ means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
- ‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
- ‘consent’ means a voluntary and explicit expression of the wish of a data subject, based on appropriate information, and giving his or her unambiguous consent to the processing of personal data concerning him or her, either wholly or in part;
- ‘protest’: a statement by the data subject that he or she objects to the processing of his or her personal data and requests the termination of the data processing or the deletion of the data processed.
- ‘data processing’ means performing technical tasks related to the data processing operations, irrespective of the method or device used to perform the operations and wherever they are carried out, provided that the technical task is performed on the data.
- ‘transfer of data’ means forwarding the data to a specific third party.
- ‘disclosure’: making available the data to the public.
- ‘deletion of data’ means the process of rendering data unrecognizable in such a way that it is no longer possible to recover it.
- ‘sets of personal data’ means the total amount of data processed in a register.
We handle the processing of personal data of those concerned, in accordance with Article 5 of the GDPR Regulation, taking into account the following principles:
- Principle of legality, fairness and transparency: we process personal data in a lawful, fair and transparent manner in relation to the data subject;
- Principle of purpose limitation: personal data is collected for a specific, explicit and legitimate purpose and is not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
- Principle of data minimisation: personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. In line with this principle, we do not ask for personal data that is not necessary for providing our services.
- Principle of accuracy: personal data must be accurate and, where necessary, kept up to date. We take every reasonable step to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay. If you as a data subject consider that one or more of your personal data were provided or recorded by us inaccurately, we kindly ask you to let us know by e-mail sent to firstname.lastname@example.org, so that we can correct it.
- Principle of storage limitation: personal data shall be kept in a form which permits identification of data subjects for no longer than it is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89 (1) of the GDPR Regulation subject to implementation of the appropriate technical and organisational measures required by the GDPR Regulation in order to safeguard the rights and freedoms of the data subject. To this end, we take into account that personal data provided by the data subject will be stored only for the time necessary, depending on the time of provision of the service, on legal requirements and on the data subject’s consent, meaning that different time periods may be required for each of our data management activities.
- Principle of integrity and confidentiality: we process personal data in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.
- Principle of accountability: As a liable data controller, Service Provider is responsible for acting upon principles listed in 1-6. and is prepared to demonstrate compliance.
LAWFUL TREATMENT OF THE DATA SUBJECT’S PERSONAL DATA
- [Data process operation with the consent of the data subject]
(1) The personal data described in Chapter V of the present Statement will be processed based on the consent of the data subject through the contact form provided on our website. In case of data processing based on consent, the consent of the data subject to the processing of personal data shall be requested by us prior to the start of data processing. If data processing serves multiple purposes at the same time, the consent must be given for all data processing purposes. These objectives are set out in Chapter V of the present Statement. By ticking the box provided on the contact form, the data subject may give his or her consent to the processing of the personal data for the purposes set out in the present Statement.
(2) We would like to inform you about our obligation, that where the consent of the data subject is given by means of a written declaration covering other matters as well, the request for consent shall be clearly distinguished from those other matters in a clear and easily accessible form, in a simple language, and shall not contain unfair terms. Any part of the statement containing the consent of the data subject that does not meet the requirements of the law is not binding.
(3) We would also like to inform you, that in order for the data subject’s consent to be based on the information given by us, the data subject must at least be aware of the identity of the controller (Service Provider) and the purpose of the processing of personal data. Giving consent is not considered to be voluntary if the person concerned does not have a real or free choice and is unable to deny or withdraw consent without it causing any damage to him or her. The data of the Service Provider can be found in Chapter I of the present Statement, while the purpose of data process is stated in Chapter V.
(4) Data processing is considered to be lawful if it is required in the context of a contract or with the intention of concluding a contract. Service Provider shall not make entering into a contract conditional on the provision of personal data that is not necessary for the performance of the contract.
If we enter into a service contract with visitors and clients contacting us through the contact form, we may need to request additional personal data in order to prepare the contract, which will be the subject of separate communication. If the contract is not concluded, the data provided through that separate communication will be deleted from our system. In case of successful conclusion of the contract, we inform our partners and clients about the further contractual data management as part of the contract.
(5) The possibility of withdrawing consent shall be made available to the data subject in an understandable, easily accessible form, in a clear and simple manner and shall not contain unfair terms. Please be advised that if you wish to withdraw your consent, you may do so by sending an email to email@example.com. In case of withdrawal, we will immediately delete the data and inform the data subject in a reply email. If the fulfillment of our legal obligation or contractual obligation (e.g. provision of a service, invoice, fulfillment of accounting obligation) requires further processing of certain data, we will inform you in a reply email.
(6) If personal data has been given with the consent of the data subject, we may process the given data without further specific consent and after the withdrawal of the consent of the data subject for the fulfillment of our legal obligation unless otherwise provided by law.
(7) The consent should be voluntary, meaning it is free from all external influences and can possibly serve as a legal basis if there is a real choice for You, as the data subject and there is no risk of deception, intimidation, coercion or other significant negative consequences in the event of denial of consent. In the absence of a voluntary decision, we would not have the appropriate legal basis for data processing. Without question, we always base your consent on your voluntary decision regarding our consent-based data processing activities, providing you with an uninfluenced choice.
(8) Due to the nature of our wedding planner service, it is not likely, but also cannot be excluded, that a minor under the age of 16 may contact us through our website, so we consider it important to note the following: one specific matter of the legal basis for consent is Article 8 of the GDPR Regulation, which requires the consent of the parent for the lawfulness of data processing involving minors under 16 years of age. In the case of a child under the age of 16, the processing of children’s personal data is only lawful if and to the extent that the consent has been given or authorized by the parent exercising parental authority over the child. Parents and guardians are kindly requested to inform us immediately if they become aware that they have not given their consent or authorization to the processing of personal data of a child under the age of 16 who is under their parental supervision. Once informed, we can take the necessary steps to delete the personal data provided.
- [Our obligation on providing information]
We keep the present Privacy Statement available to those concerned in an easily accessible way on our website and at our seat. The Statement informs the data subject in a publicly accessible manner, before and during the processing of the data, of all facts related to the management of their data, including the purpose and legal basis of the data process, the person entitled to data processing, the duration of the data process, about the fact if the personal data of the data subject is processed according to the data subject’s consent (Section 5 Article 6 of the Privacy Act) and regarding who is entitled to know the data. Our provision of information also covers the rights and remedies of the data subject concerned, that you may find in Chapter VIII., IX. and X. of the present Statement.
- [Data process operation based on the fulfillment of a legal obligation]
Data process operation based on the fulfillment of a legal obligation is independent from the consent of the data subject. Before starting the data process we must inform the data subject, that the process of data is based on a legal obligation. In such case we inform the data subject in a clear and detailed way before the beginning of the data process operation about all facts related to the process of his or her data, especially the purpose and legal basis of the data process, the person entitled to data processing, the duration of the data process, about the fact that the personal data is processed according to a legal obligation and regarding who is entitled to know the data. The information provided by us also covers the rights and remedies of the data subject concerned. In case of mandatory data process, the information may also be given by disclosing a reference to the provisions of the legal obligation that contains the necessary information covered by this paragraph.
- [Data process operation based on a legitimate interest]
Personal data may be processed if the data processing is necessary for the purpose of enforcing the legitimate interest of the Service Provider, exceptionally a third party, unless the right to the protection of the personal data of the data subject and the respect of his or her privacy represents a higher value than that legitimate interest. Such legitimate interest may make the data processing lawful, regardless of the consent of the data subject if the legitimate interest only restricts the right and privacy of the data subject to the extent necessary and proportionate. In the case of such interest-based data process, the principle of graduality and, if possible, the presence of the data subject shall be ensured. As data controller, we must conduct a written legitimate interest test for the lawfulness of data processing based on our legitimate interest and inform those concerned in an easily accessible way. If such a legitimate interest-based data processing is conducted by us, we will integrate the test to our present Statement.
DATA PROCESS OPERATIONS ON OUR WEBSITE AND SOCIAL MEDIA PLATFORMS
- Contacting us via our website
(1) The natural person initiating a contact through the website by filling out the contact form, via e-mail or by phone call, shall provide the following information necessary to establish the contact:
- name (surname, first name);
- telephone number;
- email address;
- any other personal data provided by the data subject voluntarily as a content of his or her message.
(2) The purpose of processing the personal data: providing information about our services, establishing contact between the natural person and us as Service Provider. Providing personalized client service and offer if required.
(3) The legal basis for data process is the consent of the data subject. The data subject may indicate his or her consent to the processing of his or her personal data by ticking the check-box provided in the contact form on our website. When contacting us, the present Privacy Statement is accessible through a link posted there. If you wish to withdraw your consent, you can do so by sending us an email with your request to firstname.lastname@example.org. If there is no obligation to further process the data due to our legal obligation or our contractual data management activities under Section (5), we will promptly delete the data and will inform you in a reply email.
(4) The recipient of the personal data described in Section (2) is solely Service Provider. When a person contacts the Service Provider through the contact form on our website, the data transmitted is not visible to the data processor or other third party and the data is not stored in the storage space. The data is sent directly to email@example.com email account managed exclusively by the Service Provider. In the case of communication by telephone or direct personal inquiry, if data are required, the Service Provider shall enter them into its own closed system.
(5) The duration of personal data storage shall last until 3 years after contacting us, but at the latest until the consent of the data subject is withdrawn (until a request on deleting the data is submitted by the data subject). If the data subject concludes a contract with the Service Provider after contacting us in the way described here, then further data management is governed by our contractual data management terms.
- Data process operation on our social media platforms
(1) We would like to inform you that we maintain the ‘Weddig in Hungary – CinderellasDay.com’ Facebook and ‘the cinderellasday – Cinderella’s Day Wedding’ Instagram accounts (hereinafter collectively referred to as: social media platforms).
(2) Complaints submitted to Service Provider through our social media platforms are not considered to be formally submitted.
(3) Personal data published by visitors on the social media platforms of ours are not processed by us.
(4) Visitors are subject to the Privacy and Service Terms of the social media platforms.
(5) In case of an unlawful or offensive content posted on our social media platforms, we may exclude the person from the site without notice and may delete his or her comment.
(6) We are not responsible for any unlawful data content or comments published by our social media platform users. We are not responsible for any problems that may result from malfunctioning of the social media platforms, causing a breach in personal data protection.
(7) The provisions in this section also apply to any of our future social media platforms.
DATA SECURITY MEASURES
- [Data security measures]
(1) For the purposes of personal data security, we are obliged to take all technical and organizational measures and establish the procedural rules necessary to ensure data protection regarding any of our data management activities.
(2) We protect the data by appropriate measures against accidental or unlawful destruction, loss, alteration, injury, unauthorized disclosure or unauthorized access to it.
(3) We classify and manage personal data as confidential.
(4) With regard to the data arriving through our website, electronic data processing and record keeping is carried out by means of a computerized information system that meets the requirements of data security.
(5) If the data of the natural persons concerned are handled by a paper-based document suitable for our data processing operations, they must be managed and kept at the premises of our seat and office, in accordance with the provisions of the Regulations and the present Privacy Statement (legal basis, scope of processed data, retention period).
(6) We ensure the control of incoming and outgoing electronic communications for the protection of personal data.
(7) Only we have access to documents that are in progress and undergoing data processing, and those are kept securely closed.
(8) We ensure appropriate physical protection of the data and the means and documents carrying them.
MANAGEMENT OF PERSONAL DATA BREACH
- [Concept of personal data breach]
(1) A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. (Article 4 (12) of GDPR Regulation)
(2) The most commonly reported breaches may include: loss of a laptop or mobile phone; unsafe storage of personal data; unsafe transfer of data; unauthorized copying or forwarding of client, guest, customer or partner lists; attacks against the server; breaking the website.
- [Managing and remedy of personal data breach]
(1) Prevention, management of personal data breach, compliance with applicable legal requirements is our responsibility as Service Provider.
(2) If our IT data processor partner notices a breach in the course of performing their duties, they shall observe the personal data breach and notify us immediately. Access and access attempts must be registered in the IT systems and analyzed continuously.
(3) Personal data breaches can be reported at our central e-mail address (firstname.lastname@example.org) or telephone number, so that visitors, clients, contractors, partners and others concerned can report the underlying signs or events and security weaknesses.
(4) In the event of a personal data breach being reported, we will immediately examine the notification, identify the breach and decide whether it is a real breach or a false call. The following should be examined and established:
- a) the date and place of the event (breach);
- b) description, circumstances and effects of the event (breach),
- c) the range and number of data compromised during the breach;
- d) the scope of persons affected by the compromised data;
- e) the description of the measures taken to prevent the breach;
- f) the description of the measures taken to prevent, remedy and reduce the damage.
(5) In the event of a personal data breach, the affected systems, persons, data must be delimited and separated, and the evidence supporting the incident must be collected and preserved. It is then possible to start repairing the damage and restoring the lawful operation.
- [Register of personal data breach]
(1) A record of personal data breaches shall be kept, including:
- a) the scope of the personal data concerned;
- b) the scope and number of data subjects affected by the personal data breach;
- c) the date of the personal data breach;
- d) the circumstances and effects of the personal data breach;
- e) the steps taken to remedy the personal data breach;
- f) other data specified in the law regarding the relevant data processing operation.
(2) We retain data relating to personal data breach in the register for 5 years.
- [Reporting personal data breach to the authority]
Data breaches that are likely to endanger the rights and freedoms of natural persons shall be reported by us to the competent supervisory authority, the National Data Protection and Freedom of Information Authority (NAIH) pursuant to Article 33 (1) of the GDPR. The GDPR requires the controller to notify the NAIH of the incident without undue delay and, if possible, no later than 72 hours after becoming aware of the breach. Our notification shall be made electronically or on paper through the NAIH Data Breach Reporting System. (https://www.naih.hu/adatvedelmi-incidensbejelent–rendszer.html)
RIGHTS, LEGAL REMEDIES OF THE RELATED PERSON
Below, we inform the data subject about the rights and remedies available to the natural person concerned with regard to the protection of personal data. The submission and processing of the request of the data subject are governed by the provisions of Chapter X.
- [The right to preliminary information and the right of access by the data subject]
The data subject is entitled to be informed of facts and information related to data process operations prior to the commencement of these operations. Please contact email@example.com for information. If requested, we will provide you with the requested information without undue delay, but no more than one month, stating whether your personal data are being processed and, if so, you have the right to know what personal data are being processed, on what legal basis, for what purpose, for what period of time; and to whom, when, under what law and which personal data of yours we provide access to; to whom we transmit your personal data; the source of our access to your data; whether we use automated decision-making and, if so, its logic, and in the case of pursuing profiling, we also inform you.
You may request a copy of your personal data, which will be provided for the first time free of charge, after which you may be charged a reasonable fee based on administrative costs. Please note that in order to meet our data security requirements, we have the right to verify your identity when requesting and making copies.
The data subject has the right to receive feedback from the data controller on whether personal data are being processed and, if such processing is in progress, the data subject shall have access to personal data and related information as defined in the GDPR Regulation. (Article 15 of GDPR Regulation).
- [The right to rectification]
Upon request, the data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement. If the data subject credibly verifies the accuracy of the corrected data, we will comply with the request within a maximum of one month and will inform the data subject accordingly.
- [The right to erasure (‘the right to be forgotten’)]
Upon request, the data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay if one of the grounds set out in the GDPR Regulation applies. (Article 17 of GDPR Regulation) Where the data processed are necessary for law enforcement purposes or, for example, for settlement with a public authority, the data processing may be carried out on the basis of a legal obligation or a legitimate interest. Upon deletion, the data controller shall also notify the data processors involved of the deletion obligation.
The data controller shall delete the personal data relating to the data subject without undue delay if any of the following grounds applies:
- a) personal data are no longer required for the purpose for which they were collected or otherwise processed;
- b) the storage period set by the controller has expired;
- c) the data subject has withdrawn his or her consent as the basis for the processing and there is no other legal basis for the processing;
- d) the data subject objects to the processing and there is no legitimate reason for the processing;
- e) the personal data have been unlawfully processed;
- f) personal data must be deleted in order to comply with a legal obligation under Union or national law applicable to the data controller;
- g) personal data have been collected in connection with the provision of information society services.
- [Right to restriction of processing]
Upon request, the data subject shall have the right to obtain from the controller – through our contact information described in point 1. – the restriction of processing if the following conditions specified in the GDPR Regulation are met:
- you contest the accuracy of your personal information (restriction is limited to the time of our review);
- the processing is unlawful and the data subject opposes the erasure of the data and instead requests that their use be restricted;
- the data controller no longer needs personal data for the purpose of processing, but the data subject requires them to assert or defend a legal claim; or
- the data subject has objected to the data processing (restriction is limited to the time during which the legitimate interest of the data controller is established).
- [Notification obligation regarding rectification or erasure of personal data or restriction of processing]
We shall communicate any rectification or erasure of personal data or restriction of processing that has been carried out to every recipient to whom the personal data have been disclosed, unless this proves impossible or requires a disproportionate effort. At the request of the data subject, we shall inform the data subject about those recipients. (Article 19 of GDPR Regulation)
- [The right to data portability]
Subject to the conditions set out in the GDPR Regulation, the data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format, and shall have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided. (Article 20 of GDPR Regulation)
- [The right to object]
The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6 (1) (data processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; the legitimate interests of the controller or of a third party, with exceptions). (Article 21 of GDPR Regulation) In the event of an objection, the data controller may not further process the personal data except for a legitimate reason which prevails over the interests of the data subject or is necessary for the establishment, exercise or defense of legal claims.
- [Automated individual decision-making, including profiling]
We do not use or perform profiling, automated decision making or automated mechanisms. We do not allow our data processors to carry out automated decision making or profiling, except with the express written consent of the data subject. The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her. (Article 22 of GDPR Regulation)
Union or Member State law to which the data controller or processor is subject may restrict by way of a legislative measure the scope of the obligations and rights provided for in Articles 12 to 22 and Article 34, as well as Article 5 in so far as its provisions correspond to the rights and obligations provided for in Articles 12 to 22. (Article 23 of GDPR Regulation) In the event of a restriction, personal data may only be stored. Further data processing may only be conducted with the data subject’s consent, for the purposes of legal proceedings or the public interest.
- [Informing the data subject of a personal data breach]
When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, we shall communicate the personal data breach to the data subject without undue delay. (Article 34 of GDPR Regulation)
The data subject’s right of appeal
- [Right to lodge a complaint with the supervisory authority]
The data subject has the right to lodge a complaint to the supervisory authority if the data subject considers that the processing of personal data concerning him or her violates the GDPR Regulation. (Article 77 of GDPR Regulation)
- [Right to an effective judicial remedy against the supervisory authority]
Each natural or legal person shall have the right to an effective judicial remedy against a legally binding decision of the supervisory authority concerning them, or if the supervisory authority does not handle the complaint or does not inform the person concerned of the progress or the outcome of the complaint within three months. (Article 78 of GDPR Regulation)
- [Right to an effective judicial remedy against the controller or the processor]
Each data subject shall have the right to an effective judicial remedy if he or she considers that his or her rights under the GDPR Regulation have been infringed as a result of the processing of his or her personal data in non-compliance with the GDPR Regulation. (Article 79 of GDPR Regulation) If you believe that your personal data has been processed in violation of applicable data protection requirements, you may lodge a complaint with the supervisory authority – see Chapter X Point 2 for contact details. You also have the right to initiate court proceedings, which shall be handled out of turn. In this second case, you are free to choose whether to file your claim with the competent regional court of your place of residence (domicile) or place of temporary residence (temporary address) or of the Service Provider’s seat. You can search for the regional court of your place of residence at https://birosag.hu/birosag-kereso. Based on the Service Provider’s seat, the Budapest-Capital Regional Court has jurisdiction.
SUBMISSION OF THE DATA SUBJECT’S APPLICATION OF REQUEST AND THE MEASURES TAKEN BY US AS DATA CONTROLLER
- [Measures based on the request of the data subject]
(1) In the cases covered by the present Privacy Statement, the data subject may primarily submit his or her request by email to firstname.lastname@example.org. As data controller we shall inform the data subject of the measures taken on his or her request for the exercise of his or her rights without undue delay, but no later than one month after submission of the request. If for any reason we are unaware of the submission of the request, we are obliged to act promptly and without any delay, and to inform the data subject.
(2) Where necessary, taking into account the complexity of the application and the number of applications, this deadline may be extended by a further two months. We shall inform the data subject of the extension of the deadline by indicating the reasons for the delay within one month of receiving the application of request.
(3) If the data subject submitted the application by electronic means, the information shall, as far as possible, be provided by electronic means, unless otherwise requested by the data subject.
(4) If we do not take any measures following the request by the data subject, we must inform the data subject without any delay, but at the latest within one month from receiving the application of the request, of the reasons for the non-execution of the measure and also about the data subject’s right to lodge a complaint with the supervisory authority and his or her right to appeal at court.
(5) We provide the information set out in Articles 13 and 14 of the GDPR Regulation and the information on the rights of the data subject (Articles 15 to 22 and 34 of the GDPR Regulation) free of charge. If the data subject’s request is unfounded without any doubt or is highly excessive, in particular because of its repetitive nature, we may charge a fee calculated on the basis of the administrative costs of providing the requested information, or refuse to take measures. We bear the burden of proving that the request is unfounded or highly excessive.
(6) If we have reasonable doubts as to the identity of the natural person submitting the request, we may request further information necessary to confirm the identity of the person concerned.
- Contact details of the supervisory authority:
Hungarian National Authority for Data Protection and Freedom of Information
Postal address: 1530 Budapest, Pf.: 5.
Phone number: +36 (1) 391-1400