DATA MANAGEMENT INFORMATION FOR DATA PROCESSING IN HÁZIKÓ FARM LTD WEBSHOP

Effective from November 24, 2020

1. Our company’s data as the Data Controller:

Company name:	Házikó Farm Ltd.
Headquarters and postal address:	3170 Szécsény, Ludányhalászi út 2. 1696/4 hrsz.
Registering authority:	Company Registry Court of Balassagyarmat Regional Court
Company registration number:	Cg. 12-09-010999
Tax number:	25074145-2-12
E-mail:	iroda@haziko.farm
Website:	https://haziko.farm/
Phone service:	+36 30 758 0417
Customer service e-mail:	iroda@haziko.farm
Complaint handling location and contact details:	Headquarters: 3170 Szécsény, Ludányhalászi út 2. 1696/4 hrsz. <br> +36 30 758 0417 <br> Email: iroda@haziko.farm <br> On weekdays from 9:00 AM to 4:00 PM
Hosting provider’s name:	Rackforest Ltd.
Hosting provider’s address:	1132 Budapest, Victor Hugo Street 18-22. 3rd floor, 3008.

2. Definitions:

Term or abbreviation	Explanation
Data Controller	The legal entity determining the processing of personal data, in this case, our company.
Data Subject	Living natural persons whose personal data we store, including current, past, and future employees, collaborators (customers, suppliers, agents, guests, partners, etc.) with whom our company enters into any legal relationship and from whom we collect or receive personal data.
EU	European Union
GDPR, Info Act	The EU General Data Protection Regulation, which came into effect on May 25, 2018, and Act CXII of 2011
Personal Data	Any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person. Personal data can be factual (such as name, address, or date of birth, place of birth, mother’s name) or opinion-based (such as performance evaluations).
Data Processing	Any operation or set of operations performed on personal data. This includes obtaining, using, viewing, accessing, recording, or storing data, listing, organizing, modifying, retrieving, using, disclosing, deleting, or destroying data. Data processing also includes transferring personal data to third parties.
Data Processor	The natural or legal person, public authority, agency, or other body which processes personal data on behalf of the data controller.
Profiling	Automatic processing that uses personal data to analyze or predict aspects concerning the individual’s work performance, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
Pseudonymization	Coding or otherwise maintaining personal data in such a way that it cannot be attributed to a specific data processing subject without additional information. The additional information must be stored separately and protected against unauthorized use by technical and organizational measures.
Special Categories of Data	Extremely strict rules apply to processing personal data belonging to “special categories.” Such personal data may include: <br> – Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, <br> – Genetic data and biometric data processed for the purpose of uniquely identifying an individual, data concerning health or data concerning a person’s sex life or sexual orientation, or <br> – Data concerning criminal convictions and offenses.
Supervisory Authority	National Authority for Data Protection and Freedom of Information
Third Country	Any country outside the EU
Data Transfer	Transfer of personal data from the data controller or data processor to a legal entity outside the EU.

We inform you that our company does not operate a data protection officer. This information is prepared and issued to ensure that all data subjects who provide personal data to our company are sufficiently informed about the circumstances of their data management.

3. Data Protection Principles Applied by Our Company:
   1. As a data controller, our company commits to ensuring that all data processing of personal data obtained in connection with its activities complies with the requirements set forth in its regulations and the applicable national laws, as well as the legal acts of the European Union. The relevant laws are detailed below (Section II, Point 5).
   2. Our company is fully committed to protecting the personal data of its customers and partners, and it considers it extremely important to respect the right to informational self-determination of its customers. Our company treats personal data confidentially and takes all security, technical, and organizational measures that ensure data security according to the current state of science and technology.
   3. Our company’s data management practices are governed by this data management information notice.
   4. Information about our company’s data processing activities is easily accessible to anyone visiting our website, in the footer of the homepage of the funkyforest.hu/shop website operated by our company.
   5. Our company reserves the right to modify this Data Management Information at any time. In the case of modifications to the Data Management Information, our company notifies the user of the changes and their effective date by publishing them on the www.funkyforest.hu/shop website. The user accepts the modified Data Management Information by using the service after the modifications become effective.
   6. Our company’s data processing procedures are based on the applicable data protection laws, particularly the following:
      • Act CXII of 2011 – on the Right to Informational Self-Determination and Freedom of Information (Infotv.);
      • Regulation (EU) 2016/679 of the European Parliament and of the Council (April 27, 2016) – on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, GDPR);
      • Act V of 2013 – on the Civil Code (Ptk.);
      • Act C of 2000 – on Accounting (Számv. tv.);
      • Act CXXXVI of 2007 – on the Prevention and Combating of Money Laundering and Terrorist Financing (Pmt.);
      • Act CVIII of 2001 – on Electronic Commerce Services and Certain Aspects of Information Society Services (Eker. tv.);
      • Act XLVIII of 2008 – on the Basic Requirements and Certain Restrictions of Commercial Advertising Activities (Grt.).
   7. Our company uses personal data exclusively in compliance with legal requirements, based on the legal grounds specified in the GDPR, and for specific purposes.
   8. Our company, in accordance with legal requirements, sufficiently informs all individuals whose personal data it processes (data subjects) about the manner, purpose, and principles of data collection, recording, and processing before collecting, recording, or processing their personal data. In the case of mandatory data provision, the law prescribing the data processing will also be indicated. The data subject will be informed about the purpose of the Data Processing and who will manage and where the Personal Data will be processed.
   9. If our company processes the data subject’s data for a purpose other than that originally stated, it will inform the data subject in advance.

4. The Legal Basis, Purpose, Scope of Processed Data, Duration of Data Processing, and Authorized Data Recipients

1. Our company’s data processing activities are based on the following legal grounds (GDPR Article 6(1)):
   • The data subject has given consent to the processing of their personal data for one or more specific purposes (voluntary consent);
   • The processing is necessary for the performance of a contract to which the data subject is a party, or to take steps at the request of the data subject prior to entering into a contract (contract performance);
   • The processing is necessary for compliance with a legal obligation to which the data controller is subject (legal obligation);
   • The processing is necessary for the purposes of the legitimate interests pursued by the data controller or by a third party (legitimate interest).
2. In the case of data processing based on voluntary consent, data subjects can withdraw their consent at any stage of the data processing.
3. Incompetent and limited capacity minors cannot use services through our company’s system.
4. There are cases where our company processes, stores, or transmits data provided by the data subject based on legal requirements.
5. Personal data may only be processed for specific purposes. Data processing must meet the purpose of data processing at all stages, and the collection and processing of data must be fair and lawful. Only personal data that is essential for the realization of the purpose of data processing may be processed. The personal data may only be processed to the extent and for the time necessary to achieve the purpose. Our company does not use personal data for purposes other than the specified purposes.
6. Our company can only be responsible for the processing of personal data provided by the data subject themselves. It may happen that the service user provides personal data that is not their own. We remind you that in such cases, the person providing the data is responsible for obtaining the consent of the data subject.
7. Data processing related to the services provided by our company:

Registration

Purpose of data processing: During preliminary registration, by providing a password, it is possible for our contracting partners to provide their data only once, eliminating the need to provide their data repeatedly for each product sales action. Registration is also a prerequisite for the product sales activity.

Legal basis for data processing: the data subject’s voluntary consent, GDPR Article 6(1)(a).

Scope of processed data: contact person’s name, email address, password.

Data deletion deadline: Our company processes the provided data as long as the partner does not terminate the use of the data for this purpose by deleting their account.

Consequences of failure to provide data: the convenience service of only having to provide the necessary data once through registration cannot be used.

Online webshop service (product purchase) – purchase transaction

Purpose of data processing: Ensuring the provision of the webshop service offering product sales on the website, the fulfillment of the order, its documentation, and ensuring the availability of appropriate documentation and data for accounting obligations. The purpose of data processing is also to identify the partner as a product purchaser, fulfill the ordered service, facilitate payment, keep records of partners, differentiate them, and fulfill the contract.

Legal basis for data processing: performance of the contract, GDPR Article 6(1)(b).

Scope of processed data: name, email, billing name/company name, address data, tax number, invoice email (if different).

Data deletion deadline: for registration, within 180 days after the deletion of the registration; for purchases not requiring registration, within 180 days after the purchase. The data is retained for the purpose of tracing back any complaints or claims following the purchase. If a legal dispute arises in connection with the purchase transaction, our company retains the data until the legal dispute is resolved, the legal basis being our company’s legitimate interest, GDPR Article 6(1)(f). After the final resolution of the legal dispute, our company deletes the data within 30 days.

Consequences of failure to provide data: You will not be able to purchase the selected product through our website.

Billing

1. Purpose of data processing: issuing accounting documents related to purchase transactions and retaining them within the legal deadlines.
2. Legal basis for data processing: compliance with a legal obligation, GDPR Article 6(1)(c).
3. Scope of processed data: surname and first name, billing address provided for invoice issuance, content of the document.
4. Data deletion deadline, data processing duration: 8 years, or the duration specified in the applicable tax and accounting laws.
5. Consequences of failure to provide data: the purchase cannot be completed.

Cookie Management

Cookies are variable content alphanumeric information packages sent by the web server, stored on the user’s computer for a predetermined validity period. The use of cookies allows the retrieval of certain data of the visitor and tracking their internet usage. Cookies help to track the user’s interests, internet usage habits, and website visit history to optimize the user’s shopping experience. As cookies act as a kind of tag that enables the website to recognize returning visitors, they can store valid usernames and passwords on the website. If the browser returns a previously saved cookie, our company can link the user’s current visit to previous ones, but only for its own content.

With the information sent by cookies, internet browsers can be more easily recognized, so users can receive relevant and „personalized” content. Cookies make browsing more convenient, including online data security needs and relevant advertisements. Cookies also allow our company to create anonymous (anonymous) statistics about the habits of visitors to the site, thus customizing the appearance and content of the site even more. Our company uses two types of cookies on its website:

1. Temporary cookies: essential for using the site and navigating the website, ensuring the functionality of the website. Without accepting these, the website or certain parts of it will not appear, browsing becomes obstructed, placing products in the cart, or bank payment cannot be properly implemented.
2. Persistent cookies: which remain on the device depending on the browser settings until the user deletes them. These include internal or external cookies. If our company’s web server installs the cookie and the data is transmitted to its own database, it is an internal cookie. If the cookie is installed by our company’s web server but the data is transmitted to an external company, it is an external cookie. External cookies include third-party cookies placed in the user’s browser by third parties (Google Analytics, Facebook Pixel). These are placed in the browser if the visited website uses services provided by third parties. The purpose of persistent cookies is to ensure the highest possible quality of operation of the given page to increase the user experience.

During the visit to the website, the user can give consent to the storage of persistent cookies on their computer and access them through our company by pressing the button on the cookie warning on the login page.

The user can configure and prevent cookie-related activities through the browser program. Cookie management is generally possible in the Tools/Settings menu of browsers under Privacy/History/Custom settings, using terms such as cookie, cookie, or tracking. However, we remind you that without using cookies, the user may not be able to use all the services of the website, especially the payment services. For more information about cookies, please visit the Jegy.hu website by clicking on the link in the cookie warning bar.

Purpose of data processing: conducting payment transactions with the payment company, identifying users, distinguishing them from each other, identifying the current session of users, storing data provided during it, preventing data loss, identifying users, tracking them, web analytics measurements.

Legal basis for data processing: the data subject’s voluntary consent, GDPR Article 6(1)(a).

Scope of processed data: identification number, date, time, and previously visited page.

Data processing duration: temporary cookies are stored until the user closes all their browsers of that type. Persistent cookies are stored on the user’s computer for 1 year or until the user deletes them.

Consequences of failure to provide data: incomplete utilization of website services, failed payment transactions, inaccurate analytical measurements.

Statistical Data

The data controller may use the data solely for statistical purposes. The use of data in statistically aggregated form must not contain the data subject’s name or any other data suitable for identification in any form.

Technically recorded data during the operation of the system

Technically recorded data includes the data of the user’s login computer generated during the use of the service and recorded by the data controller’s system as an automatic result of technical processes (e.g., IP address, session ID). Due to the nature of the internet, automatically recorded data is automatically logged by the system without a separate declaration or action by the user – by using the internet. Without such automatic server-client communications, the internet does not function. These data cannot be linked to other personal data of users, except in cases required by law. The data can only be accessed by our company, as the data controller. Log files automatically recorded during the system’s operation are stored in the system for a justified period necessary to ensure the operation of the system.

Our company’s customer correspondence (email)

If you contact our company, you can reach us at the contact details provided in this information notice or on the website. Our company deletes all received emails, along with the sender’s name, email address, date, time data, and other personal data provided in the message, within a maximum of five years from the date of data communication.

Web analytics measurements

Google Analytics and Facebook Analytics, as external companies, help to independently measure the website’s traffic and other web analytics data. Detailed information on the handling of measurement data can be found at the following links: http://www.google.com/analytics, https://analytics.facebook.com. Our company uses Google Analytics and Facebook Analytics data exclusively for statistical purposes.

Other Data Processing

In the course of our company’s operations, there may be data processing activities not listed in this information notice. Information on data processing not listed in this information notice will be provided directly when the data is collected. We inform our users and customers that courts, prosecutors, investigating authorities, administrative authorities, the National Data Protection and Freedom of Information Authority, the Hungarian National Bank, and other bodies authorized by law may request information, data disclosure, transfer, or the provision of documents from our company. Our company only discloses personal data to authorities to the extent and to the extent necessary to fulfill the purpose of the request, provided that the authority has specified the exact purpose and scope of the data.

8. Our company, as the data controller, does not verify the authenticity of the personal data provided. The correctness of the provided data is the sole responsibility of the person providing it. When providing an email address, any partner also accepts responsibility for ensuring that the specified email address is used exclusively by them for the service. Given this responsibility, any liability related to the entry from the provided email address rests solely with the partner who registered the email address. If the partner does not provide their personal data, it is their duty to obtain the consent of the data subject.
9. Persons authorized to access personal data include employees of our company with employment or assignment relationships, as well as data processors.
10. Data Transfer and Designation of Data Processors

• By using the service, the user acknowledges that our company may transfer the data to the following partners. The legal basis for data transfer: performance of the contract, GDPR Article 6(1)(b).
• To our invoicing service provider, as our Data Processor, which is as follows: szamlazz.hu (Company Name: KBOSS.hu Kereskedelmi és Szolgáltató Kft., 1031 Budapest, Záhony utca 7., Tax Number: 13421739241)

Our company transfers the necessary data to the financial institutions involved in the purchase process to facilitate the payment transactions. The data required varies by financial institution. Our company does not access the personal data provided on the financial institution’s own data request pages. The financial institutions listed below may appear as payment processors on our website, and the table also includes the data required by each financial institution. (Not all financial institutions are listed on the website at any given time.) The required data may vary, particularly with the implementation of strong customer authentication, which is introduced at different times by each bank.

Payment Company Name	Transferred Data
Barion Payment Zrt.	transaction amount, name, address, IP number, name, email address, address, phone number, billing address, transaction amount, transaction amount, currency, name, quantity, unit price of items placed in the cart

• Our company transfers the following data provided during product purchase to the accounting data processor: TLI Consulting Kft., 1194 Budapest, Kelet utca 43., 22915926.
• Transferred data: data on the invoice: name, address/billing address, tax number.
• Our company, as the data controller, is entitled and obliged to transfer all personal data available to it and duly stored by it to the competent authorities, which are obliged to transfer data based on legal regulations or final authority. The data controller cannot be held liable for such data transfer or the consequences arising from it.
• Our company only carries out data transfers not listed above with the user’s prior and informed consent.

5. Method of Storing Personal Data, Security of Data Processing

1. Our company’s IT systems and other data storage locations are located at its headquarters/storage and with data processors.
2. Our company selects and operates the IT tools used for the processing of personal data in the course of providing the service in such a way that the processed data:
   • is accessible to those authorized to access it (availability);
   • is authentic and its authenticity is ensured (data processing authenticity);
   • its integrity is verifiable (data integrity);
   • is protected against unauthorized access (data confidentiality).
3. Our company protects the data with appropriate measures, in particular against unauthorized access, alteration, transfer, disclosure, deletion, or destruction, as well as accidental destruction, damage, or inaccessibility resulting from changes in the applied technology.
4. Our company ensures that the electronically processed data files in its various registers are protected by appropriate technical solutions to ensure that the stored data, except as allowed by law, cannot be directly linked and assigned to the data subject.
5. In light of the state of the art, our company ensures the protection of the security of data processing through technical, organizational, and organizational measures that provide a level of protection appropriate to the risks related to data processing.
6. During data processing, our company ensures:
   • confidentiality: protects the information so that only those who are entitled to access it can access it;
   • integrity: protects the accuracy and completeness of the information and the processing method;
   • availability: ensures that when the authorized user needs it, they can indeed access the desired information and the related tools are available.
7. Both our company’s and its partners’ IT systems and networks are protected against computer-assisted fraud, espionage, sabotage, vandalism, fire, and flood, as well as computer viruses, computer intrusions, and other attacks. The operator ensures security through server-level and application-level defense procedures.
8. During the automated processing of personal data, our company ensures additional measures:
   • preventing unauthorized data input;
   • preventing the unauthorized use of automated data processing systems using data transmission equipment;
   • ensuring that it can be verified and established to which bodies personal data have been transmitted or may be transmitted using data transmission equipment;
   • ensuring that it can be verified and established which personal data were entered into the automated data processing systems, when and by whom;
   • ensuring that installed systems can be restored in case of malfunction, and ensuring that errors occurring during automated processing are reported.
9. When defining and applying measures to protect the security of data, our company considers the current state of the art. From multiple possible data processing solutions, the one that ensures a higher level of protection of personal data must be chosen, except if it would cause disproportionate difficulty.
10. Our company ensures the protection of the security of data processing through technical, organizational, and organizational measures that provide a level of protection appropriate to the risks related to data processing.
11. Electronic messages transmitted over the Internet, regardless of the protocol (email, web, ftp, etc.), are vulnerable to network threats that could lead to unfair activities or the disclosure, alteration of information. To protect against such threats, our company takes all reasonable precautions. The systems are monitored to record any security deviations and provide evidence for any security incidents. System monitoring also allows checking the effectiveness of applied precautions. However, the Internet is notoriously not 100% secure, and despite the utmost care, it may be subject to unavoidable attacks that may cause damage for which our company cannot be held responsible.

6. Data Subject Rights

1. The data subject can request information about the processing of their personal data and request the rectification or – except for mandatory data processing – deletion, withdrawal, exercise the right to data portability, and objection as indicated at the data collection or through the contact details provided in this Data Management Information Notice.
   • Changes to personal data or requests for deletion of personal data can be communicated through a written statement in a private document providing full evidence sent to the registered email address or by post. Some personal data can also be modified on the personal profile page.
2. Right to Information: Our company takes appropriate measures to ensure that all information related to the processing of personal data and all communications provided under GDPR Articles 13 and 14, and 15-22, and 34 are concise, transparent, intelligible, and easily accessible, using clear and plain language. The right to information can be exercised in writing through the contact details provided in this Data Management Information Notice. Information can also be provided verbally at the data subject’s request – subject to verification of identity.
3. Right of Access: The data subject has the right to obtain confirmation from the data controller as to whether or not personal data concerning them are being processed, and, where that is the case, access to the personal data and the following information:
   • The purposes of the processing;
   • The categories of personal data concerned;
   • The recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations;
   • The envisaged period for which the personal data will be stored;
   • The existence of the right to request rectification or erasure of personal data or restriction of processing or to object to such processing;
   • The right to lodge a complaint with a supervisory authority;
   • Information on the source of the data.

Requests for information sent by email – unless the data subject identifies themselves in another way – are considered authentic by the Data Controller only if they are sent from the registered email address of the user. Requests for information should be sent by email to iroda@haziko.farm.

• If personal data is transferred to a third country or an international organization, the data subject has the right to be informed of the appropriate safeguards relating to the transfer.
• Our Company provides a copy of the personal data undergoing processing to the data subject. For any additional copies requested by the data subject, the data controller may charge a reasonable fee based on administrative costs. Upon the data subject’s request, our Company provides the information in electronic form. The data controller shall provide the information within one month of receipt of the request.

4. Right to rectification: The data subject may request the correction of inaccurate personal data concerning them and the completion of incomplete data processed by our Company.

If the personal data does not correspond to reality, and the personal data that corresponds to reality is available to the data controller, the data controller will correct the personal data.

5. Right to erasure (‘right to be forgotten’): The data subject has the right to obtain from the data controller the erasure of personal data concerning them without undue delay, and the data controller has the obligation to erase personal data without undue delay where one of the following grounds applies:
   • The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
   • The data subject withdraws consent on which the processing is based, and where there is no other legal ground for the processing;
   • The data subject objects to the processing, and there are no overriding legitimate grounds for the processing;
   • The personal data have been unlawfully processed;
   • The personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the data controller is subject;
   • The personal data have been collected in relation to the offer of information society services.

Once a request for the deletion or modification of personal data has been fulfilled, the previous (deleted) data cannot be restored.

Data deletion cannot be initiated if the data processing is necessary for any of the following reasons: to fulfill a legal obligation under Union or Member State law applicable to the data controller, or for the establishment, exercise, or defense of legal claims by our company.

6. Right to restriction of processing: The data subject has the right to obtain from the data controller restriction of processing where one of the following applies:
   • The accuracy of the personal data is contested by the data subject, for a period enabling the data controller to verify the accuracy of the personal data;
   • The processing is unlawful, and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
   • The data controller no longer needs the personal data for the purposes of processing, but they are required by the data subject for the establishment, exercise, or defense of legal claims;
   • The data subject has objected to processing pending the verification whether the legitimate grounds of the data controller override those of the data subject.

Where processing has been restricted under this provision, such personal data shall, with the exception of storage, only be processed with the data subject’s consent or for the establishment, exercise, or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or a Member State. The data subject shall be informed by the data controller before the restriction of processing is lifted.

7. Right to data portability: The data subject has the right to receive the personal data concerning them, which they have provided to a data controller, in a structured, commonly used, and machine-readable format, and has the right to transmit those data to another data controller without hindrance from the data controller to which the personal data have been provided.
8. Right to object: The data subject has the right to object, on grounds relating to their particular situation, at any time to processing of personal data concerning them which is based on the legitimate interests pursued by the data controller or a third party, including profiling based on those provisions. The data controller shall no longer process the personal data unless the data controller demonstrates compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the data subject or for the establishment, exercise, or defense of legal claims. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to the processing of personal data concerning them for such marketing, which includes profiling to the extent that it is related to such direct marketing. Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
9. Right not to be subject to automated decision-making, including profiling: The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them. This right does not apply if the decision:
   • Is necessary for entering into, or performance of, a contract between the data subject and the data controller;
   • Is authorized by Union or Member State law to which the data controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests;
   • Is based on the data subject’s explicit consent.
10. Right to withdraw consent: The data subject has the right to withdraw their consent at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
11. Procedural rules: Our company shall inform the data subject of actions taken on requests under GDPR Articles 15 to 22 without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. Our company shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. If the data subject makes the request by electronic means, the information shall be provided by electronic means where possible unless otherwise requested by the data subject.
12. If our Company does not take action on the data subject’s request, we will inform the data subject of the reasons for not taking action without delay and at the latest within one month of receiving the request. The data subject will also be informed that they may lodge a complaint with a supervisory authority and seek judicial remedy.
13. Our Company provides the requested information and communication free of charge. However, if the data subject’s request is manifestly unfounded or excessive, particularly because of its repetitive character, our Company may either charge a reasonable fee considering the administrative costs of providing the information or communication or taking the action requested, or refuse to act on the request.
14. Our Company informs each recipient to whom the personal data has been disclosed of any rectification or erasure of personal data or restriction of processing unless this proves impossible or involves disproportionate effort. At the data subject’s request, our Company informs the data subject about those recipients.
15. Our Company provides the data subject with a copy of the personal data undergoing processing. For any further copies requested by the data subject, our Company may charge a reasonable fee based on administrative costs. If the data subject makes the request electronically, the information will be provided in a commonly used electronic form unless otherwise requested by the data subject.

16. Compensation and damages: Any person who has suffered material or non-material damage as a result of an infringement of the GDPR shall have the right to receive compensation from the data controller or processor for the damage suffered. The processor shall only be liable for the damage caused by processing where it has not complied with obligations of the GDPR specifically directed to processors or where it has acted outside or contrary to lawful instructions of the controller. Where more than one controller or processor or both a controller and a processor are involved in the same processing and where they are responsible for any damage caused by processing, each controller or processor shall be held liable for the entire damage. The controller or processor shall be exempt from liability if it proves that it is not in any way responsible for the event giving rise to the damage. The data controller or data processor shall not be held liable if they can prove that they are in no way responsible for the event that caused the damage.

7. Enforcement of Rights

1. If you have any questions or comments, please contact the managing director at the contact details provided in this Data Management Information Notice.
2. Right to bring action before the courts: The data subject may bring an action before the courts in case of infringement of their rights. The court shall act in the case without delay.
3. Data protection authority procedure: Complaints can be lodged with the National Authority for Data Protection and Freedom of Information:
   • Name: National Authority for Data Protection and Freedom of Information
   • Address: 1125 Budapest, Szilágyi Erzsébet fasor 22/C
   • Mailing address: 1530 Budapest, Pf.: 5
   • Phone: 06-1-391-1400
   • Fax: 06-1-391-1410
   • Email: ugyfelszolgalat@naih.hu
   • Website: http://www.naih.hu