Table of Contents

Introduction

Qreme Cosmetics Ltd. (1011 Budapest, Jégverem Street 6, Tax number: 32250503-2-41, Company registration number: 01-09-414241) (hereinafter: Service Provider, data controller) is subject to the following regulation:

We provide the following information in accordance with the REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (General Data Protection Regulation).

This privacy policy governs the processing of data on the following sites:
https://qreme.hu/
https://qremecosmetics.com

The data processing information is available at the following page: https://qremecosmetics.com/adatkezelesi-tajekoztato/

Modifications to the regulation will take effect upon publication at the above address.

The Data Controller and Their Contact Information

Name: Qreme Cosmetics Ltd.
Headquarters: 1011 Budapest, Jégverem Street 6.
Email: info@qremecosmetics.com
Phone: +36 70 502 0118

Definitions

1. “personal data”: any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person;
2. “data processing”: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction;
3. “data controller”: the natural or legal person, public authority, agency, or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the data controller or the specific criteria for its designation may be provided for by Union or Member State law;
4. “data processor”: a natural or legal person, public authority, agency, or any other body which processes personal data on behalf of the data controller;
5. “recipient”: a natural or legal person, public authority, agency, or any other body to whom the personal data are disclosed, whether a third party or not. Public authorities that may receive personal data in the framework of a specific inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of such data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;
6. “the data subject's consent”: any freely given, specific, informed, and unambiguous indication of the data subject's wishes by which they, by a statement or by a clear affirmative action, signify agreement to the processing of personal data relating to them;
7. “data breach”: a breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored, or otherwise processed.

Principles for Processing Personal Data

Personal data:

1. shall be processed lawfully and fairly, and in a transparent manner in relation to the data subject (“lawfulness, fairness, and transparency”);
2. shall be collected for specified, legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific and historical research purposes or statistical purposes shall not be considered incompatible with the initial purposes in accordance with Article 89(1) (“purpose limitation”);
3. shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (“data minimization”);
4. shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (“accuracy”);
5. shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed for archiving purposes in the public interest, scientific and historical research purposes or statistical purposes, subject to the implementation of the appropriate technical and organizational measures required by this Regulation to protect the rights and freedoms of data subjects (“storage limitation”);
6. shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures (“integrity and confidentiality”).

The data controller is responsible for compliance with the above and must be able to demonstrate such compliance (“accountability”).

The data controller declares that their data processing is in accordance with the principles set out in this section.

Data Management Related to the Operation of the Webshop / Use of Services

1. The fact of data collection, the scope of processed data, and the purpose of data management:

2. The scope of data subjects: All subjects registered/purchasing on the webshop website. Neither the username nor the email address is required to contain personal data.

3. Duration of data management, deadline for data deletion: If any of the conditions stated in Article 17(1) of the GDPR are met, it lasts until the data subject's deletion request. The data controller will inform the data subject electronically about the deletion of any personal data provided by the data subject, according to Article 19 of the GDPR. If the data subject's deletion request extends to the email address provided, the data controller will delete the email address after providing the notification. Except for accounting documents, as these must be kept for 8 years in accordance with Section 169(2) of Act C of 2000 on Accounting. The contractual data of the data subject can be deleted upon the expiry of the civil law statute of limitations based on the data subject's deletion request.

Accounting documents supporting the bookkeeping (including general ledger accounts, analytical, and detailed records) must be retained in a legible format for at least 8 years in a retrievable manner based on references to bookkeeping records.

4. Persons entitled to know the data, possible data managers, recipients of personal data: Personal data may be managed by the data controller and their authorized employees, respecting the above principles.

5. Description of the rights of data subjects regarding data management:

• The data subject may request access to their personal data, correction, deletion, or restriction of processing from the data controller, and
• The data subject has the right to data portability and to withdraw consent at any time.

6. The data subject can initiate access to personal data, deletion, modification, or restriction of processing, and data portability in the following ways:

• By post at 1011 Budapest, Jégverem utca 6,
• By email at info@qremecosmetics.com,
• By phone at +36 70 502 0118.

7. Legal basis for data management:

1. Article 6(1)(b) of the GDPR,

2. Section 13/A(3) of Act CVIII of 2001 on certain issues related to electronic commerce services and services related to the information society: The service provider may manage the personal data that is technically essential for providing the service. The service provider must choose and operate the tools used for providing information society services in such a way that personal data is only processed when strictly necessary for the provision of the service and the fulfillment of other purposes defined in this law, and even in this case only to the necessary extent and duration.

3. For issuing invoices in accordance with accounting regulations, Article 6(1)(c).

4. For enforcing claims arising from contracts, according to Section 6:22 of Act V of 2013 on the Civil Code, 5 years.

6:22. [Statute of Limitations]
(1) Unless otherwise provided by this law, claims expire after five years.
(2) The limitation period begins when the claim becomes due.
(3) Any agreement to change the limitation period must be in writing.
(4) Any agreement excluding the limitation is null and void.

8. We inform you that

• the data management is necessary for the performance of the contract and for offering.
• you are obliged to provide personal data so we can fulfill your order.
• Failure to provide data will result in the consequence that we cannot process your order.

Cookie Management

1. For the use of cookies referred to as "session cookies", "cookies necessary for the shopping cart", "security cookies", "necessary cookies", "functional cookies", and "cookies responsible for managing website statistics", prior consent from the data subjects is not required.

2. The fact of data processing and the scope of the processed data: Unique identifier, dates, times.

3. The scope of the data subjects: All individuals visiting the website.

4. The purpose of data processing: Identifying users, tracking visitors, providing customized functionality.

5. Duration of data processing and the deadline for data deletion:

6. The identities of possible data processors entitled to access the data: Personal data may be accessed by the data controller.

7. Information about the rights of data subjects concerning data processing: Data subjects have the opportunity to delete cookies in the browser's Tools/Settings menu, typically under the Privacy settings.

8. Most browsers used by our users allow you to set which cookies to save and enable (specific) cookies to be deleted again. If you restrict the saving of cookies on certain websites or do not allow third-party cookies, this may lead to our website not being usable in its entirety under certain circumstances. Here you can find information on how to customize cookie settings for common browsers:

Google Chrome: https://support.google.com/chrome/answer/95647?hl=hu
Internet Explorer: https://support.microsoft.com/hu-hu/help/17442/windows-internet-explorer-delete-manage-cookies
Firefox: https://support.mozilla.org/hu/kb/sutik-engedelyezese-es-tiltasa-amit-weboldak-haszn
Safari: https://support.apple.com/hu-hu/guide/safari/sfri11471/mac

Using Google Ads Conversion Tracking

1. The data controller uses the online advertising program called "Google Ads" and utilizes Google’s conversion tracking service within its framework. Google’s conversion tracking is an analytics service of Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; "Google").
2. When a user reaches a webpage via a Google advertisement, a cookie necessary for conversion tracking is placed on their computer. These cookies have a limited validity and do not contain any personal data, meaning users cannot be identified by them.
3. When the user browses certain pages of the website and the cookie has not yet expired, both Google and the data controller can see that the user clicked on the ad.
4. Each Google Ads customer receives a different cookie, so tracking cannot be done across Ads customers’ websites.
5. The information obtained through conversion tracking cookies serves to create conversion statistics for clients who choose Ads conversion tracking. Clients can thus learn the number of users who clicked on their ad and were forwarded to a page equipped with a conversion tracking tag. However, they do not receive any information that would allow them to identify individual users.
6. If you do not wish to participate in conversion tracking, you can refuse this by disabling the installation of cookies in your browser. In this case, you will not be included in the conversion tracking statistics.
7. According to Google Consent Mode v2, Google also uses two new types of cookies: ad_user_data and ad_personalization, which are based on the consent of the data subject and relate to the use and sharing of data. The ad_user_data is intended for granting consent for user data to Google for advertising purposes. The ad_personalization controls whether the data can be used for personalizing ads (e.g., remarketing). The data controller ensures the appropriate collection and withdrawal of consents through their cookie banner/panel. The withdrawal of consent does not affect the lawfulness of the processing based on consent prior to its withdrawal.
8. Further information and Google’s privacy policy can be found at the following address: https://policies.google.com/privacy

Using Google Analytics

1. This website uses Google Analytics, which is a web analytics service provided by Google Inc. (“Google”). Google Analytics uses so-called “cookies,” which are text files placed on your computer to help analyze your use of the website.
2. The information generated by the cookie regarding your use of this website is usually transmitted to and stored on a server in the USA operated by Google. By activating IP anonymization on this website, your IP address will be truncated by Google within the member states of the European Union or in other states that are party to the Agreement on the European Economic Area.
3. Only in exceptional cases is the full IP address transmitted to a Google server in the USA and truncated there. On behalf of the operator of this website, Google will use this information to evaluate your use of the website, compile reports on website activity, and provide other services related to website activity and internet usage to the website operator.
4. The IP address transmitted by your browser as part of Google Analytics is not combined with other Google data. You can prevent the storage of cookies by adjusting your browser settings accordingly; however, we would like to point out that in this case, you may not be able to use all the features of this website to their full extent. You can also prevent Google from collecting and processing data generated by cookies related to your website usage (including your IP address) by downloading and installing the browser plugin available at the following link: https://tools.google.com/dlpage/gaoptout?hl=hu

Newsletter, DM Activities

1. According to Section 6 of Act XLVIII of 2008 on the Basic Conditions and Certain Restrictions of Economic Advertising Activities, the User may give prior and explicit consent to be contacted by the Service Provider with advertising offers and other communications at the contact details provided during registration.

2. Furthermore, the Client, taking into account the provisions of this notice, may consent to the processing of personal data necessary for sending advertising offers by the Service Provider.

3. The Service Provider does not send unsolicited advertising messages, and the User can unsubscribe from receiving offers free of charge and without restriction or justification. In this case, the Service Provider will delete all personal data necessary for sending advertising messages from its records and will not contact the User with further advertising offers. The User can unsubscribe from the advertisements by clicking the link in the message.

4. The fact of data collection, the scope of processed data, and the purpose of data processing:

5. The scope of data subjects: All data subjects subscribing to the newsletter.

6. The purpose of data processing: Sending electronic messages containing advertisements (email, SMS, push notifications) to the data subject, providing information about current news, products, promotions, new features, etc.

7. The duration of data processing, the deadline for data deletion: Data processing lasts until consent is withdrawn (until unsubscribing, or until the data subject's deletion request), or until the newsletter ceases to exist.

8. The identity of possible data processors authorized to access the data, the recipients of personal data: Personal data may be processed by the data controller, as well as its sales and marketing staff, respecting the above principles.

9. A description of the rights of data subjects related to data processing:

• The data subject may request access to personal data concerning them, its correction, deletion, or restriction of processing from the data controller, and
• may object to the processing of their personal data, and
• the data subject has the right to data portability, as well as to withdraw their consent at any time.

10. The data subject can initiate access to personal data, its deletion, modification, or restriction of processing, data portability, or objection in the following ways:

• by mail at 1011 Budapest, Jégverem utca 6.,
• by email at info@qremecosmetics.com,
• by phone at +36 70 502 0118.

11. The data subject may unsubscribe from the newsletter at any time for free.

12. We inform you that:

• data processing is based on your consent.
• you are required to provide personal data if you want to receive our newsletter.
• failure to provide data will result in the consequence that we cannot send you a newsletter.
• we inform you that you can withdraw your consent at any time by clicking unsubscribe.
• withdrawing consent does not affect the lawfulness of processing based on consent prior to its withdrawal.

Complaint Handling

1. The fact of data collection, the scope of processed data, and the purpose of data processing:

2. The scope of data subjects: All individuals who purchase on the website and file a quality complaint.

3. The duration of data processing, the deadline for data deletion: Copies of the protocol, transcript, and response regarding the complaint must be kept for 3 years according to Section 17/A (7) of Act CLV of 1997 on Consumer Protection.

4. Persons entitled to access the data, recipients of the personal data: Personal data may be processed by the data controller and their authorized employees, respecting the above principles.

5. Overview of the rights of data subjects regarding data processing:

• The data subject may request access to their personal data, correction, deletion, or limitation of processing from the data controller, and
• the data subject has the right to data portability and to withdraw consent at any time.

6. The data subject can initiate access to personal data, its deletion, modification, or limitation of processing, and data portability in the following ways:

• by mail at 1011 Budapest, Jégverem Street 6,
• by email at info@qremecosmetics.com,
• by phone at +36 70 502 0118.

7. We inform you that

• providing personal data is based on a legal obligation.
• the processing of personal data is a prerequisite for the conclusion of the contract.
• it is mandatory to provide personal data so that we can handle your complaint.
• failure to provide data will result in the consequence that we cannot process your complaint.

Recipients with whom personal data is shared

“recipient”: a natural or legal person, public authority, agency, or any other entity with whom or with which personal data is shared, regardless of whether they are a third party.

1. Data processors (who process data on behalf of the data controller)

The data controller uses data processors to facilitate its own data processing activities and to fulfill obligations arising from contracts with data subjects or as required by law.

The data controller places a high emphasis on only using data processors that provide appropriate guarantees for compliance with the requirements of the GDPR regarding data processing and the implementation of appropriate technical and organizational measures to protect the rights of data subjects.

The data processor and any person acting under the authority of the data controller or the data processor, who has access to personal data, processes the personal data contained in this policy solely in accordance with the instructions of the data controller.

The data controller is legally responsible for the activities of the data processor. The data processor is only liable for damages caused by data processing if it fails to comply with the specific obligations imposed on data processors by the GDPR or if it disregards or acts contrary to the lawful instructions of the data controller.

The data processor has no substantial decision-making power regarding the processing of data.

The data controller may use a hosting service provider to ensure the IT background, and a courier service for the delivery of ordered products as data processors.

2. Certain data processors

“third party”: a natural or legal person, public authority, agency, or any other entity that is not the data subject, the data controller, the data processor, or any persons authorized to process personal data under the direct authority of the data controller or data processor.

3. Data transfer to third parties

Third-party data controllers process the personal data we share in their own name and in accordance with their own privacy policy.

Social Media

1. The fact of data collection, the scope of processed data: registered name and public profile picture of the user on social media platforms such as Twitter/Pinterest/Youtube/Instagram/TikTok/Linkedin, etc.
2. The scope of data subjects: All data subjects who registered on social media platforms such as Twitter/Pinterest/Youtube/Instagram/TikTok/Linkedin, etc., and "liked" the Service Provider's social media page, or contacted the data controller through the social media platform.
3. The purpose of data collection: To share or promote certain content elements, products, or the website itself on social media platforms, as well as to "like," follow, or popularize them.
4. The duration of data processing, the deadline for data deletion, the identity of possible data processors entitled to access the data, and the rights of data subjects related to data processing: The data subject can obtain information about the source of the data, its processing, as well as the manner and legal basis for its transfer on the respective social media platform. Data processing takes place on social media platforms; therefore, the regulations of the respective social media platform apply to the duration, manner of processing, and possibilities for deletion and modification of the data.
5. The legal basis for data processing: the voluntary consent of the data subject to the processing of their personal data on social media platforms.

Joint Data Management with Facebook / Meta

The data controller has a Facebook / Meta profile for this activity. The statistical data management carried out on the Facebook social network is a joint data management between the data controller and Facebook Ireland Ltd. (4 Grand Canal Square, Grand Canal Harbour, D2 Dublin, Ireland). Detailed information about the joint data management agreement is provided in the data controller appendix of the Facebook Page Insights feature. The appendix is available at the following link: https://hu‐hu.facebook.com/legal/terms/page_controller_addendum

The data controller only communicates through private messages on the social network if you reach out to us there.

1. Categories of Data Subjects

• those who are registered on the social network and have “liked” the data controller's profile page,
• those who contact the data controller via private message on the social network.

2. Purpose of Data Management

The purpose of data management is to share and promote the activities and services of the data controller on the Facebook social network. The data provided by the data subject in a private message may be used by the data controller to respond to the message; otherwise, the data controller does not collect data through social networks and does not extract data from there.

3. Legal Basis for Data Management

The data management is based on Article 6(1)(a) of the GDPR, with the legal basis being the consent of the data subject to the processing of their personal data on the Facebook social network.

4. Scope of Processed Data

• registered name of the data subject,
• public profile picture of the data subject,
• other public data provided and shared by the data subject on the social network.

5. Source of Processed Personal Data: The source of the processed data is the data subject.

6. Withdrawal of Consent

You may withdraw your consent to data management at any time by deleting your post or comment. The data management takes place through social networks operated by third parties. If you withdraw your consent, the data controller will delete the conversation with you. The withdrawal of consent does not affect the legality of the data management based on consent prior to its withdrawal.

You can initiate access to, deletion of, modification of, or restriction of processing of your personal data, as well as data portability, in the following ways:

• by post at 1011 Budapest, Jégverem utca 6.,
• by email at info@qremecosmetics.com,
• by phone at +36 70 502 0118.

7. Duration of Data Management

• until the withdrawal of the data subject's consent,
• if a message exchange occurs, then for 2 years.

8. Transfer of Personal Data, Recipients, and Categories of Recipients: see the definition of recipient in Article 4(9) of the GDPR. The data controller only transfers the data subject's personal data to state authorities, such as courts, public prosecutors, investigative authorities, and the National Authority for Data Protection and Freedom of Information, in exceptional cases and based on legal obligations.

9. Possible Consequences of Not Providing Data

If data is not provided, the data subject will not be able to obtain information about the data controller's activities and services through the Facebook social network or send a message to the data controller via Facebook Messenger.

10. Automated Decision-Making (including Profiling)

Automated decision-making, including profiling, does not occur during data management.

11. Joint Data Controller Agreement with Facebook Ireland Ltd:

The Page Insights feature displays aggregated data that shows how data subjects use the Facebook page. Facebook Ireland Limited (“Facebook Ireland”) and the data controller are joint data controllers regarding the processing of analytical data. The Page Insights appendix defines Facebook's and the data controller's responsibilities in relation to the processing of analytical data. Facebook Ireland assumes primary responsibility for the processing of analytical data under the GDPR and complies with all relevant obligations under the GDPR in relation to the processing of analytical data. Facebook Ireland also makes the excerpt of the Page Insights appendix available to all data subjects. The data controller ensures that it has a proper legal basis for processing analytical data under the GDPR, identifies the data controller of the page, and complies with all other relevant legal obligations. Facebook Ireland has sole responsibility for the processing of personal data in connection with the Page Insights feature, except for data covered by the Page Insights appendix. The Page Insights appendix does not grant the data controller the right to request personal data from Facebook users processed by Facebook Ireland, including page insights data. The data controller may not act on behalf of Facebook Ireland in fulfilling privacy inquiries and may not provide responses.

Customer Relations and Other Data Managements

1. If questions arise or if the data subject has any issues while using the services of the data controller, they can contact the data controller through the methods provided on the website (phone, email, social networks, etc.).
2. The data controller will delete incoming emails, messages, and data provided via phone, Meta, etc., along with the inquiry's name and email address and any other voluntarily provided personal data, no later than 2 years after the data provision.
3. Information about data management not listed in this notice will be provided when the data is recorded.
4. In the case of exceptional authority requests or requests from other bodies based on legal authorization, the provider is obliged to provide information, disclose data, transfer data, or make documents available.
5. In these cases, the provider will only disclose personal data to the requester to the extent necessary to fulfill the purpose of the request, provided that the precise purpose and the scope of the data have been specified.

Rights of the Data Subjects

1. Right of Access

You have the right to receive feedback from the data controller regarding whether your personal data is being processed, and if such processing is ongoing, you have the right to access your personal data and the information listed in the regulation.

2. Right to Rectification

You have the right to request the data controller to rectify any inaccurate personal data concerning you without undue delay. Considering the purposes of processing, you have the right to request the completion of incomplete personal data – including by means of a supplementary statement.

3. Right to Erasure

You have the right to request the data controller to erase your personal data without undue delay, and the data controller is obliged to erase your personal data without undue delay under certain conditions.

4. Right to be Forgotten

If the data controller has made personal data public and is required to erase it, it shall take reasonable steps – including technical measures – to inform the data controllers processing the data that you have requested the deletion of links to such personal data or copies or replications of such personal data, taking into account available technology and implementation costs.

5. Right to Restrict Processing

You have the right to request the data controller to restrict processing if any of the following conditions apply:

• You contest the accuracy of the personal data, in which case the restriction applies for a period enabling the data controller to verify the accuracy of the personal data;
• The processing is unlawful, and you oppose the erasure of the data and request instead the restriction of their use;
• The data controller no longer needs the personal data for the purposes of processing, but you require them for the establishment, exercise, or defense of legal claims;
• You have objected to the processing; in this case, the restriction applies for the period until it has been established whether the legitimate grounds of the data controller override those of your own.

6. Right to Data Portability

You have the right to receive the personal data concerning you, which you have provided to a data controller, in a structured, commonly used, and machine-readable format, and you have the right to transmit those data to another data controller without hindrance from the data controller to whom you provided your personal data (...)

7. Right to Object

In the case of data processing based on legitimate interests or public authority, you have the right to object at any time to the processing of your personal data related to your particular situation, including profiling based on those provisions.

8. Right to Object in the Case of Direct Marketing

If the processing of personal data is for the purpose of direct marketing, you have the right to object at any time to the processing of your personal data for this purpose, including profiling to the extent that it is related to direct marketing. If you object to the processing of your personal data for direct marketing purposes, your personal data may no longer be processed for that purpose.

9. Automated Decision-Making in Individual Cases, Including Profiling

You have the right not to be subject to a decision based solely on automated processing – including profiling – that produces legal effects concerning you or similarly significantly affects you.

The preceding paragraph does not apply if the decision:

• is necessary for entering into or performance of a contract between you and the data controller;
• is authorized by applicable EU or Member State law to which the data controller is subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests; or
• is based on your explicit consent.

Deadline for Action

The data controller shall inform you of the measures taken in response to the above requests without undue delay, but in any event within 1 month of receiving the request.

If necessary, this may be extended by 2 months. The data controller shall inform you of the extension of the deadline, along with the reasons for the delay, within 1 month of receiving the request.

If the data controller does not take action in response to your request, they shall inform you without undue delay, but at the latest within one month of receiving the request, of the reasons for not taking action, as well as your right to lodge a complaint with a supervisory authority and to exercise your right to judicial remedy.

Data Processing Security

The data controller and the data processor shall implement appropriate technical and organizational measures, taking into account the state of science and technology, the costs of implementation, as well as the nature, scope, circumstances, and purposes of data processing, and the risks with varying degrees of likelihood and severity to the rights and freedoms of natural persons, to guarantee a level of data security appropriate to the risk, including, among other things, where applicable:

1. the pseudonymization and encryption of personal data;
2. ensuring the continuous confidentiality, integrity, availability, and resilience of systems and services used for processing personal data;
3. the ability to restore access to personal data and the availability of data in a timely manner in the event of a physical or technical incident;
4. procedures for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures to ensure the security of processing;
5. the processed data should be stored in such a way that unauthorized persons cannot access them. For paper-based data carriers, this can be achieved by organizing physical storage and filing, while for electronically processed data, by using a centralized access management system.
6. The method of storing data through IT means should be selected in such a way that their deletion—taking into account any differing deletion deadlines—can be carried out when the data deletion deadline expires, or if necessary for other reasons. The deletion must be irreversible.
7. Paper-based data carriers should be deprived of personal data using a document shredder or by engaging an external organization specialized in document destruction. For electronic data carriers, physical destruction must be ensured according to the rules for the disposal of electronic data carriers, and if necessary, the data must be securely and irreversibly deleted beforehand.
8. The data controller takes the following specific data security measures:

To ensure the security of paper-based personal data, the Service Provider implements the following measures (physical protection):

1. Documents must be stored in a secure, lockable dry room.
2. If personal data processed on paper is digitized, then the rules applicable to digitally stored documents must be applied.
3. The Service Provider’s employee engaged in data processing may only leave the room where data processing is taking place if the data carriers entrusted to them are secured or the room is locked.
4. Personal data may only be accessed by authorized persons; third parties may not have access.
5. The Service Provider's building and premises are equipped with fire protection and security systems.

IT Protection

1. Computers and mobile devices (other data carriers) used during data processing are the property of the Service Provider.
2. The computer system containing personal data used by the Service Provider is equipped with antivirus protection.
3. To ensure the security of digitally stored data, the Service Provider employs data backups and archiving.
4. Access to the central server machine is limited to authorized personnel only.
5. Data on computers can only be accessed with a username and password.

Notification of the Data Subject about the Data Protection Incident

If the data protection incident is likely to result in a high risk to the rights and freedoms of natural persons, the data controller shall inform the data subject without undue delay.

The information provided to the data subject must clearly and understandably describe the nature of the data protection incident, and provide the name and contact details of the data protection officer or other contact person providing further information; outline the likely consequences resulting from the data protection incident; and describe the measures taken or planned by the data controller to remedy the data protection incident, including, where appropriate, measures aimed at mitigating any adverse effects resulting from the data protection incident.

The data subject does not need to be informed if any of the following conditions are met:

• the data controller has implemented appropriate technical and organizational protective measures and these measures were applied to the data concerned in the data protection incident, particularly those measures—such as encryption—that render the data unintelligible to unauthorized persons;
• the data controller has taken further measures after the data protection incident that ensure that the high risk reported to the rights and freedoms of the data subject is no longer likely to materialize;
• the notification would require disproportionate effort. In such cases, the data subjects should be informed through publicly available information, or similar measures should be taken to ensure that the data subjects are informed effectively.

If the data controller has not yet notified the data subject about the data protection incident, the supervisory authority, after assessing whether the data protection incident is likely to result in a high risk, may order that the data subject be informed.

Reporting a Data Protection Incident to the Authority

The data protection incident must be reported by the data controller to the competent supervisory authority without undue delay and, where feasible, no later than 72 hours after the data protection incident has come to its attention, unless the data protection incident is unlikely to result in a risk to the rights and freedoms of natural persons. If the notification is not made within 72 hours, the reasons for the delay must also be provided.

Review of Mandatory Data Processing

If the duration of mandatory data processing or the necessity of its periodic review is not determined by law, local government regulation, or a mandatory legal act of the European Union, the data controller shall review at least every three years whether the processing of personal data by itself or by the data processor acting on its behalf is necessary for the realization of the purpose of data processing.

The circumstances and results of this review shall be documented by the data controller, and this documentation shall be retained for ten years following the completion of the review and made available to the National Authority for Data Protection and Freedom of Information (hereinafter: Authority) upon request.

Complaint Submission Opportunity

National Authority for Data Protection and Freedom of Information
1055 Budapest, Falk Miksa utca 9-11.
Mailing address: 1363 Budapest, Pf. 9.
Phone: +36 1 391 1400
Fax: +36 1 391 1410
E-mail: ugyfelszolgalat@naih.hu

Conclusion

In preparing this information, we took into account the following regulations:

• Regulation (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL (GDPR) (April 27, 2016) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);
• Act CXII of 2011 on the Right to Informational Self-Determination and on Freedom of Information (hereinafter: Infotv.);
• Act CVIII of 2001 on Certain Issues of Electronic Commerce Services and Information Society Services (particularly Section 13/A);
• Act XLVII of 2008 on the Prohibition of Unfair Commercial Practices Against Consumers;
• Act XLVIII of 2008 on the Basic Conditions and Certain Restrictions of Economic Advertising Activities (especially Section 6);
• Act XC of 2005 on Electronic Freedom of Information;
• Act C of 2003 on Electronic Communications (specifically Section 155);
• Opinion No. 16/2011 regarding the Best Practices of Behavioral Online Advertising EASA/IAB Recommendations;
• Recommendation of the National Authority for Data Protection and Freedom of Information on the data protection requirements of preliminary information.