Privacy Policy

Billbarter Hungaria Zrt. (1052 Budapest, Szervita tér 8.; Tax number: 23395149-2-43) (hereinafter: Service Provider, data controller) submits to the following regulations: In accordance with the Regulation (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL (April 27, 2016) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), we provide the following information. This privacy policy governs the data processing of the following websites/mobile applications: www.billbarter.com, www.spp.hu, www.billbartergroup.com, www.investdubai.hu, www.investdubai.sk, www.investdubai.cz, www.investdubai.ae.org, www.okoshomokozo.hu, www.smartsendbox.eu, www.ertekcsokken.es.

The privacy policy is available at the following address: www.billbarter.com/GDPR. Amendments to the policy take effect upon publication at the above address.

DATA CONTROLLER AND CONTACT INFORMATION

• Name: Billbarter Hungaria Zrt.
• Headquarters: 1052 Budapest, Szervita tér 8.
• Email: info@billbarter.com
• Phone: +36 96 528 096

DEFINITIONS

1. „Personal data”: any information relating to an identified or identifiable natural person („data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
2. „Processing”: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
3. „Controller”: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
4. „Processor”: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
5. „Recipient”: a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;
6. „Data subject’s consent”: any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
7. „Data breach”: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.

PRINCIPLES OF PERSONAL DATA PROCESSING

Personal data must be:

1. Processed lawfully, fairly, and in a transparent manner in relation to the data subject („lawfulness, fairness, and transparency”);
2. Collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes shall, in accordance with Article 89(1), not be considered incompatible with the initial purposes („purpose limitation”);
3. Adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed („data minimization”);
4. Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay („accuracy”);
5. Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes in accordance with Article 89(1), subject to the implementation of the appropriate technical and organizational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject („storage limitation”);
6. Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures („integrity and confidentiality”).

The controller shall be responsible for, and be able to demonstrate compliance with, these principles („accountability”). The controller declares that data processing is carried out in accordance with the principles set forth in this section.

DATA PROCESSING RELATED TO THE USE OF SERVICES

1) The fact of data collection, the scope of the data processed, and the purpose of data processing:

2) Scope of data subjects: All data subjects registered/purchasing on the webshop website. It is not necessary for the username or email address to contain personal data.
3) Duration of data processing, deadline for data deletion: If any of the conditions in GDPR Article 17(1) are met, the data will be deleted upon the data subject’s request. The controller informs the data subject electronically about the deletion of any personal data provided by the data subject based on GDPR Article 19. If the data subject’s deletion request includes their email address, the controller will delete the email address after notification. Exceptions are accounting documents, which must be retained for 8 years according to Section 169(2) of the Accounting Act of 2000. Contractual data of the data subject can be deleted based on the data subject’s request after the expiration of the civil law limitation period. Accounting documents that support bookkeeping directly and indirectly (including general ledger accounts, analytical and detailed records) must be kept in a readable form and retrievable by the accounting records for at least 8 years.
4) Persons authorized to access the data, recipients of personal data: Personal data can be processed by the data controller and its authorized employees, respecting the above principles.
5) Rights of data subjects related to data processing: The data subject may request access to, correction of, deletion of, or restriction of processing of their personal data from the data controller, and the data subject has the right to data portability and the right to withdraw consent at any time.
6) Methods for initiating the access, deletion, modification, or restriction of processing of personal data, as well as data portability:

• By mail to 1052 Budapest, Szervita tér 8.
• By email to info@billbarter.com
• By phone at +36 96 528 096

7) Legal basis for data processing:

• GDPR Article 6(1)(b)
• Electronic Commerce Act 2001 (Elker tv.) Section 13/A(3): „The service provider may process personal data that are technically essential for the provision of the service. Under similar conditions, the service provider must select and operate the tools used for providing the service of the information society in such a way that personal data are processed only if it is necessary for the provision of the service and to fulfill other purposes defined by this law, but even in such cases, only to the necessary extent and for the necessary time.”
• Issuing invoices that comply with accounting regulations under GDPR Article 6(1)(c).
• Enforcing claims arising from the contract based on Section 6:22 of the Civil Code of 2013: 5 years.
• Section 6:22: „Unless otherwise provided by this Act, claims shall expire after five years.”
• Limitation starts when the claim becomes due.
• An agreement to change the limitation period must be in writing.
• An agreement excluding limitation is void.

8) We inform you that:

• Data processing is necessary for fulfilling the contract and making an offer.
• You are obliged to provide personal data to fulfill your order.
• Failure to provide data will result in us being unable to process your order.

COOKIE MANAGEMENT

1) No prior consent is required from data subjects for the use of „cookies used for password-protected sessions,” „shopping cart cookies,” „security cookies,” „necessary cookies,” „functional cookies,” and „cookies responsible for website statistics.”
2) The fact of data processing, the scope of data processed: Unique identification number, dates, times.
3) Scope of data subjects: All visitors to the website.
4) Purpose of data processing: Identifying users, tracking visitors, ensuring customized functionality.
5) Duration of data processing, deadline for data deletion:

6) Persons authorized to access the data: Personal data can be accessed by the data controller.
7) Rights of data subjects related to data processing: Data subjects can delete cookies in their browsers’ Tools/Settings menu, generally under Privacy settings.
8) Most browsers used by our users allow setting which cookies to save and allow the deletion of (specific) cookies. Restricting the saving of cookies on certain websites or not allowing third-party cookies may result in the website no longer being fully usable. Information on customizing cookie settings for common browsers can be found here:

• Google Chrome: Google Chrome Help
• Internet Explorer: Microsoft Support
• Firefox: Mozilla Support
• Safari: Apple Support

USE OF GOOGLE ADS CONVERSION TRACKING

1. The data controller uses the online advertising program called “Google Ads” and within its framework utilizes the Google conversion tracking service. Google conversion tracking is an analytics service provided by Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; “Google”).
2. When a user accesses a website via a Google advertisement, a cookie necessary for conversion tracking is placed on their computer. These cookies have limited validity and do not contain any personal data, so the user cannot be identified through them.
3. When the user browses certain pages of the website and the cookie has not yet expired, both Google and the data controller can see that the user clicked on the advertisement.
4. Each Google Ads customer receives a different cookie, so they cannot be tracked through the websites of Ads customers.
5. The information obtained using conversion cookies is used to create conversion statistics for Ads customers who have opted for conversion tracking. Customers are informed about the number of users who clicked on their advertisement and were redirected to a page tagged with a conversion tracking tag. However, they do not have access to information that could identify any user.
6. If you do not wish to participate in conversion tracking, you can refuse by disabling the installation of cookies in your browser. You will then not be included in the conversion tracking statistics.
7. Based on Google Consent Mode v2, Google also uses two new types of cookies: ad_user_data and ad_personalization, which are based on the user’s consent and concern the use and sharing of data. The ad_user_data cookie is used for giving consent for advertising purposes to Google. The ad_personalization cookie regulates whether data can be used for personalized ads (e.g., remarketing). The data controller ensures the acquisition and withdrawal of the appropriate consents via its cookie banner/panel. Withdrawal of consent does not affect the lawfulness of data processing based on consent before its withdrawal.
8. For more information and Google’s privacy policy, please visit: https://policies.google.com/privacy

USE OF GOOGLE ANALYTICS

1. This website uses Google Analytics, a web analytics service provided by Google Inc. (“Google”). Google Analytics uses “cookies,” which are text files placed on your computer to help the website analyze how users use the site.
2. The information generated by the cookie about your use of the website is usually transmitted to and stored by Google on servers in the United States. By activating IP anonymization on this website, Google will truncate the user’s IP address within the member states of the European Union or other parties to the Agreement on the European Economic Area.
3. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there. On behalf of the operator of this website, Google will use this information to evaluate your use of the website, compile reports on website activity, and provide other services related to website and internet usage.
4. The IP address transmitted by your browser as part of Google Analytics will not be merged with other data from Google. You may refuse the use of cookies by selecting the appropriate settings on your browser; however, please note that if you do this, you may not be able to use the full functionality of this website. You can also prevent Google from collecting and processing the data generated by the cookie and related to your use of the website (including your IP address) by downloading and installing the browser plugin available at the following link: https://tools.google.com/dlpage/gaoptout?hl=en

COMPLAINT HANDLING

1. The fact of data collection, the scope of data processed, and the purpose of data processing:

2. Scope of data subjects: All data subjects who purchase on the website and make a complaint about quality or any other issue.
3. Duration of data processing, deadline for data deletion: Copies of the records, transcripts, and responses related to complaints must be retained for 3 years according to Section 17/A (7) of Act CLV of 1997 on Consumer Protection.
4. Potential data controllers entitled to access the data, recipients of personal data: Personal data may be processed by the data controller and its authorized employees, respecting the above principles.
5. Description of data subjects’ rights related to data processing: a) The data subject may request access to their personal data, rectification, erasure, or restriction of processing from the data controller, and b) the data subject has the right to data portability and the right to withdraw consent at any time.
6. Means of accessing, deleting, modifying, or restricting the processing of personal data, data portability: a) by postal mail at 1052 Budapest, Szervita tér 8, b) by email at info@billbarter.com, c) by phone at +36 96 528 096.
7. Please note that: a) the provision of personal data is based on a legal obligation, b) the processing of personal data is a prerequisite for concluding the contract, c) you are required to provide personal data to handle your complaint, d) failure to provide data will result in us being unable to handle your complaint.

RECIPIENTS WITH WHOM PERSONAL DATA IS SHARED

“Recipient” refers to any natural or legal person, public authority, agency, or any other body to whom personal data is disclosed, whether or not they are a third party.

1. Data Processors (who process data on behalf of the data controller):
   The data controller uses data processors to facilitate its own data processing activities and to fulfill obligations arising from contracts with the data subject or legal requirements. The data controller places great emphasis on using only those data processors who or which provide adequate guarantees for compliance with the GDPR and for the implementation of appropriate technical and organizational measures to protect the rights of data subjects. The data processor and any person acting under the authority of the data controller or the data processor who has access to personal data processes the personal data only in accordance with the data controller’s instructions. The data controller is legally responsible for the activities of the data processor. The data processor is only liable for damages caused by data processing if they have not complied with the obligations specifically imposed on data processors by the GDPR or if they have disregarded or acted contrary to the lawful instructions of the data controller. The data processor does not have substantial decision-making authority regarding data processing. The data controller may use a hosting service provider for IT background support and a courier service for the delivery of ordered products, as data processors.
2. Specific Data Processors:

“Third party” refers to any natural or legal person, public authority, agency, or body other than the data subject, data controller, data processor, or persons who, under the direct authority of the data controller or data processor, are authorized to process personal data.

SOCIAL MEDIA

1. Fact of data collection, scope of processed data:
   Name registered on social media sites such as Twitter/Pinterest/YouTube/Instagram, and the user’s public profile picture.
2. Scope of data subjects:
   All data subjects who have registered on social media sites such as Twitter/Pinterest/YouTube/Instagram and have “liked” the service provider’s social media page or contacted the data controller through the social media site.
3. Purpose of data processing:
   To share, like, follow, and promote certain content elements, products, promotions, or the website itself on social media sites.
4. Duration of data processing, deadline for data deletion, potential data controllers entitled to access the data, and data subjects’ rights related to data processing:
   Data subjects can find information about the source of the data, its processing, transfer method, and legal basis on the respective social media site. Data processing takes place on social media platforms, and the duration, method of processing, and options for deleting and modifying data are governed by the respective social media platform’s regulations.
5. Legal basis of data processing:
   The voluntary consent of the data subject to the processing of their personal data on social media sites.

FACEBOOK/META JOINT DATA CONTROLLERSHIP

The data controller has a Facebook/Meta profile for its activities. The statistical data processing on the Facebook social media platform is a joint data processing activity between the data controller and Facebook Ireland Ltd. (4 Grand Canal Square, Grand Canal Harbour, D2 Dublin, Ireland). The joint data processing agreement’s details are provided in the Page Insights Controller Addendum available at:
https://hu-hu.facebook.com/legal/terms/page_controller_addendum

The data controller communicates via private messages on the social media platform only if you contact us there.

1. Categories of data subjects:
   a) Data subjects who have registered on the social media platform and have “liked” the data controller’s profile page.
   b) Data subjects who contact the data controller via private message on the social media platform.
2. Purpose of data processing:
   The purpose of data processing is to share and promote the data controller’s activities and services on the Facebook social media platform. The data controller may use the data provided by the data subject in a private message to respond to the message. The data controller does not collect or extract data from social media platforms.
3. Legal basis of data processing:
   The legal basis for data processing is the data subject’s consent to the processing of their personal data on the Facebook social media platform, according to Article 6 (1) point (a) of the GDPR.
4. Scope of processed data:
   a) The data subject’s registered name.
   b) The data subject’s public profile picture.
   c) Other public data provided and shared by the data subject on the social media platform.
5. Source of processed personal data:
   The source of the processed data is the data subject.
6. Withdrawal of consent:
   The data subject can withdraw their consent to data processing at any time, and delete their post or comment. Data processing takes place on social media platforms operated by third parties. If the data subject withdraws their consent, the data controller will delete the conversation with the data subject. Withdrawal of consent does not affect the lawfulness of data processing based on consent before its withdrawal. The data subject can initiate access to, deletion, modification, restriction of processing, or portability of personal data in the following ways:
   a) By postal mail at 1052 Budapest, Szervita tér 8,
   b) By email at info@billbarter.com,
   c) By phone at +36 96 528 096.
7. Duration of data processing:
   a) Until the data subject withdraws their consent.
   b) If a message exchange occurs, for 2 years.
8. Transfer, recipients, or categories of recipients of personal data:
   The definition of recipient can be found in Article 4 point 9 of the GDPR. The data controller will only transfer the data subject’s personal data to state authorities and agencies (such as courts, prosecutors, investigative authorities, administrative authorities, and the National Authority for Data Protection and Freedom of Information) in exceptional cases and based on legal obligations.
9. Possible consequences of failure to provide data:
   Failure to provide data will result in the data subject being unable to obtain information about the data controller’s activities or services via the Facebook social media platform or send messages to the data controller via Facebook Messenger.
10. Automated decision-making (including profiling):
    No automated decision-making or profiling takes place during data processing.
11. Joint data controller agreement with Facebook Ireland Ltd.:
    The Page Insights function displays aggregated data that helps understand how the Facebook page is used by data subjects. Facebook Ireland Limited (“Facebook Ireland”) and the data controller are joint data controllers for the processing of insights data. The Page Insights Addendum determines the responsibilities of Facebook and the data controller regarding insights data processing. Facebook Ireland assumes primary responsibility for processing insights data under the GDPR and complies with all relevant obligations. Facebook Ireland also makes the Page Insights Addendum available to all data subjects. The data controller ensures it has a proper legal basis for processing insights data under the GDPR, identifies the page controller, and complies with all other relevant legal obligations. Facebook Ireland is solely responsible for processing personal data related to the Page Insights function, except for data covered by the Page Insights Addendum. The Page Insights Addendum does not grant the data controller the right to request personal data of Facebook users processed by Facebook Ireland, including insights data. The data controller cannot act or respond on behalf of Facebook Ireland regarding data protection inquiries.

Data Processing Information

Customer Relations and Other Data Processing

1. Contacting: If the data subject has any questions or issues when using our services, they can contact the data controller via the provided communication channels (phone, email, social media, etc.).
2. Data Storage: The data controller will delete received emails, messages, and other provided data (name, email address, etc.) no later than 2 years from the date of data provision.
3. Data Processing Information: Information on data processing not listed in this notice will be provided at the time of data collection.
4. Authority Requests: In exceptional cases, the service provider is obliged to provide information, disclose, and make documents available upon request from authorities or other entities authorized by law.
5. Extent of Data Disclosure: In such cases, the service provider will only disclose as much personal data as necessary to fulfill the request, provided the requester specifies the exact purpose and scope of the data.

Rights of Data Subjects

1. Right of Access: You have the right to obtain confirmation from the data controller as to whether or not your personal data is being processed, and if so, you have the right to access the personal data and the information listed in the regulation.
2. Right to Rectification: You have the right to request the data controller to rectify any inaccurate personal data concerning you without undue delay. Considering the purposes of the processing, you also have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
3. Right to Erasure: You have the right to request the data controller to erase your personal data without undue delay, and the data controller has the obligation to erase your personal data without undue delay under certain conditions.
4. Right to be Forgotten: If the data controller has made the personal data public and is obliged to erase it, the data controller, taking into account available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform other data controllers processing the personal data that you have requested the erasure of any links to, or copies or replication of, those personal data.
5. Right to Restriction of Processing: You have the right to request the data controller to restrict processing if one of the following conditions applies:
   a) You contest the accuracy of the personal data, for a period enabling the data controller to verify the accuracy of the personal data;
   b) The processing is unlawful, and you oppose the erasure of the personal data and request the restriction of their use instead;
   c) The data controller no longer needs the personal data for the purposes of processing, but you require them for the establishment, exercise, or defense of legal claims;
   d) You have objected to processing; in this case, the restriction applies for the period during which it is verified whether the legitimate grounds of the data controller override your legitimate grounds.
6. Right to Data Portability: You have the right to receive the personal data concerning you, which you have provided to a data controller, in a structured, commonly used, and machine-readable format, and you have the right to transmit those data to another data controller without hindrance from the data controller to which the personal data have been provided.
7. Right to Object: You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on legitimate interest or the performance of a task carried out in the public interest or in the exercise of official authority, including profiling based on those provisions.
8. Right to Object to Direct Marketing: Where personal data are processed for direct marketing purposes, you have the right to object at any time to processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing. If you object to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
9. Automated Individual Decision-Making, Including Profiling: You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. This does not apply if the decision:
   a) Is necessary for entering into, or performance of, a contract between you and the data controller;
   b) Is authorized by Union or Member State law to which the data controller is subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests; or
   c) Is based on your explicit consent.

Response Time for Requests

The data controller shall inform you without undue delay, but at the latest within one month of receipt of the request, of the actions taken based on your requests. This period may be extended by two further months if necessary. The data controller shall inform you of any such extension within one month of receipt of the request, together with the reasons for the delay.

If the data controller does not take action on your request, they shall inform you without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

Data Security

The data controller and processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, considering the state of the art, the costs of implementation, and the nature, scope, context, and purposes of the processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. These measures include, as appropriate:

1. The pseudonymization and encryption of personal data;
2. The ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
3. The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
4. A process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.

Stored data must be protected from unauthorized access, both in physical and electronic form. For physical records, secure storage and filing systems must be in place, while for electronic data, a central authorization management system should be used.

Data storage methods must allow for the deletion of data once the retention period has expired, ensuring that data cannot be recovered. Paper records should be destroyed using a shredder or a specialized document destruction service, while electronic media should be securely disposed of following electronic data destruction rules.

Specific Data Security Measures

For paper-based data security, the following measures are implemented:

1. Documents are stored in a secure, well-locked, dry room.
2. If paper records are digitized, the rules for digital storage apply.
3. Employees handling data must lock up data carriers or the room itself when leaving the workspace.
4. Personal data may only be accessed by authorized individuals.
5. The service provider’s buildings and rooms are equipped with fire and property protection devices.

For IT security:

1. Computers and mobile devices used for data processing are owned by the service provider.
2. The computer system containing personal data is protected by antivirus software.
3. Regular data backups and archiving are employed to ensure data security.
4. Access to the central server is restricted to authorized personnel only.
5. Access to computer data requires a username and password.

Notification to Affected Parties Regarding Data Protection Incidents

If a data protection incident is likely to result in a high risk to the rights and freedoms of natural persons, the data controller shall inform the affected party without undue delay.

The notification provided to the affected party must clearly and comprehensively describe the nature of the data protection incident and provide the name and contact details of the data protection officer or other contact person who can provide further information; it must outline the likely consequences of the data protection incident; and it must describe the measures taken or planned by the data controller to remedy the data protection incident, including, where applicable, measures aimed at mitigating any adverse consequences resulting from the data protection incident.

Affected parties do not need to be notified if any of the following conditions are met:

• The data controller has implemented appropriate technical and organizational measures and applied these measures to the data affected by the data protection incident, particularly measures such as encryption that render the data unintelligible to unauthorized persons;
• The data controller has taken additional measures following the data protection incident to ensure that the high risk to the rights and freedoms of the affected parties is unlikely to materialize;
• Notifying the affected parties would require disproportionate effort. In such cases, affected parties must be informed through public announcements or similar measures ensuring effective notification.

If the data controller has not notified the affected party of the data protection incident, the supervisory authority, after considering whether the data protection incident is likely to result in a high risk, may order the notification of the affected party.

Reporting Data Protection Incidents to Authorities

The data controller shall, without undue delay and, where feasible, no later than 72 hours after becoming aware of a data protection incident, report the incident to the supervisory authority competent under Article 55, unless the data protection incident is unlikely to result in a risk to the rights and freedoms of natural persons. If the report is not made within 72 hours, the reasons for the delay must be provided.

Mandatory Review of Data Processing

If the duration or necessity of mandatory data processing is not defined by law, local government regulations, or mandatory legal acts of the European Union, the data controller shall review the data processing at least every three years from the commencement of the data processing to determine whether the processing of personal data managed by the data controller or by the data processor acting on behalf of or under the instruction of the data controller is necessary for achieving the purpose of the data processing.

The data controller shall document the circumstances and results of this review, retain this documentation for ten years after the completion of the review, and provide it to the National Authority for Data Protection and Freedom of Information (hereinafter: Authority) upon request.

Complaint Options

Any infringements by the data controller can be reported to the National Authority for Data Protection and Freedom of Information:

National Authority for Data Protection and Freedom of Information
1055 Budapest, Falk Miksa Street 9-11.
Mailing address: 1363 Budapest, Pf. 9.
Phone: +36-1-391-1400
Fax: +36-1-391-1410
Email: ugyfelszolgalat@naih.hu

Conclusion

In preparing this information, we have complied with the following regulations:

• Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (GDPR);
• Act CXII of 2011 on Informational Self-Determination and Freedom of Information (hereinafter: Info Act);
• Act CVIII of 2001 on certain aspects of electronic commerce services and information society services (in particular § 13/A);
• Act XLVII of 2008 on the Prohibition of Unfair Commercial Practices against Consumers;
• Act XLVIII of 2008 on the Basic Conditions and Certain Limitations of Economic Advertising (especially § 6);
• Act XC of 2005 on Freedom of Electronic Information;
• Act C of 2003 on Electronic Communications (specifically § 155);
• Opinion 16/2011 on the EASA/IAB Recommendation on Online Behavioral Advertising;
• Recommendation of the National Authority for Data Protection and Freedom of Information on the data protection requirements for prior information.