By using our website, you agree to the use of cookies in accordance with our Cookie Policy.
Modify settings Accept
Menu
Your are here: > Home >

Privacy Policy

Privacy Policy

Introduction

Peter’s Paplan Kft. (hereinafter referred to as: Service Provider, Data Controller) adheres to the following information notice.

In accordance with REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL (April 27, 2016) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), we provide the following information.

This Privacy Policy governs the data processing activities of the following website: www.peterspaplan.com

The Privacy Policy is available at the following link: https://peterspaplan.com/privacy_policy_adatvedelmi_nyilatkozat

Amendments to this notice will take effect upon publication at the above address.

 

The Data Controller and its Contact Information:
  • Name: Peter’s Paplan Kft.
  • Headquarters: 2234 Maglód, Wodiáner Telep, Rába utca 2.
  • Email: peterspaplan@peterspaplan.hu
  • Phone: +36 29 328 289

 

Contact Information of the Data Protection Officer:
  • Name: Ádám Szerényi
  • Headquarters: 2234 Maglód, Wodiáner Telep, Rába utca 2
  • Email: peterspaplan@peterspaplan.hu
  • Phone: +36 29 328 289

 

Definitions“personal data”: any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person;

“data processing”: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction;

“data controller”: the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

“data processor”: a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller;

“recipient”: a natural or legal person, public authority, agency, or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;

“the data subject’s consent”: any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

“data protection incident”: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.

 

Principles Relating to the Processing of Personal Data

Personal data must:

  • be processed lawfully, fairly, and in a transparent manner in relation to the data subject (“lawfulness, fairness, and transparency”);
     
  • be collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes shall not be considered to be incompatible with the initial purposes in accordance with Article 89(1) (“purpose limitation”);
     
  • be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed (“data minimization”);
     
  • be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (“accuracy”);
     
  • be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes in accordance with Article 89(1) subject to the implementation of the appropriate technical and organizational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (“storage limitation”);
     
  • be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures (“integrity and confidentiality”)
     

The controller shall be responsible for, and be able to demonstrate compliance with, the above principles (“accountability”).

Data Processing

Data Processing Related to the Operation of the Webshop

The fact of data collection, the scope of processed data, and the purpose of data processing:

Personal Data Purpose of Data Processing
Username Identification, enabling registration
Password Ensures secure login to the user account.
First and Last Name Necessary for contact, purchasing, and issuing a proper invoice.
Email Address Communication.
Phone Number Communication, more efficient coordination of billing or delivery-related questions.
Billing Name and Address Issuing a proper invoice, creating the contract, defining its content, modifying it, monitoring its fulfillment, invoicing fees arising from it, and enforcing related claims.
Shipping Name and Address Enabling home delivery.
Date of Purchase/Registration Performing a technical operation.
IP Address at the Time of Purchase/Registration Performing a technical operation.

 

Neither the username nor the email address is required to contain personal data.

 

Scope of Data Subjects: All data subjects who register or make a purchase on the webshop website.

Duration of Data Processing, Deadline for Data Deletion: Immediately upon deletion of the registration. The data controller informs the data subject electronically about the deletion of any personal data provided by the data subject, in accordance with Article 19 of the GDPR. If the data subject's deletion request also extends to the email address provided by them, the data controller will delete the email address after providing the notification. Exceptions are accounting documents, as these must be retained for 8 years under Section 169 (2) of Act C of 2000 on Accounting.

Accounting documents that directly and indirectly support accounting (including general ledger accounts, analytical and detailed records) must be retained in a readable format and retrievable by reference to the accounting entries for at least 8 years.

Persons Authorized to Access the Data, Potential Recipients of Personal Data: The personal data may be processed by the sales and marketing staff of the data controller, respecting the above principles.

Description of the Rights of Data Subjects Regarding Data Processing:

The data subject may request the data controller to:

  • provide access to personal data concerning them,
  • rectify, delete, or restrict the processing of such data,
  • object to the processing of such personal data, and
  • exercise their right to data portability and withdraw consent at any time.
The data subject can initiate access to, deletion, modification, or restriction of the processing of personal data, as well as data portability and objections to data processing, in the following ways:
  • On the website www.peterspaplan.com: Click on the 'Login' menu in the top right corner, log in, and then select the 'Account' option from the dropdown menu under the name in the top right corner. Here, you can modify or delete your data in the following sections:

    • Modify Account Details

    • Change Password

    • Modify Address Details

  • By post at the address: Hungary, 2234 Maglód, Wodiáner Telep, Rába utca 2.

  • By email at: peterspaplan@peterspaplan.hu

  • By phone at: +36 29 328 289

Legal Basis for Data Processing:
  1. Article 6(1)(b) of the GDPR.
     
  2. Section 13/A (3) of Act CVIII of 2001 on Certain Issues of Electronic Commerce Services and Information Society Services (hereinafter: E-commerce Act):
     
    • The service provider may process personal data that are technically essential for providing the service. The service provider must select and operate the tools used for providing information society services in such a way that personal data are processed only if it is strictly necessary for providing the service and fulfilling the purposes defined in this Act, and even then, only to the extent and for the duration necessary.
       
  3. Article 6(1)(c) of the GDPR for issuing invoices in compliance with accounting regulations.
     
  4. Section 6:21 of Act V of 2013 on the Civil Code for enforcing claims arising from the contract (5 years).
Section 6:22 [Limitation Period]:
  1. Unless otherwise provided by this Act, claims shall lapse after five years.
     
  2. The limitation period begins when the claim becomes due.
     
  3. An agreement to modify the limitation period must be made in writing.
     
  4. An agreement excluding the limitation period is null and void.
Please Note:
  • Data processing is necessary for the performance of the contract.
     
  • You are required to provide personal data so that we can fulfill your order.
     
  • Failure to provide data will result in us being unable to process your order.

 

Data Processors Used

Shipping

Activity performed by the data processor: Delivery of products, transportation.

Name and contact details of the data processor:

  • DPD Hungária Kft.
  • 1134 Budapest, Váci út 33
  • Tax number: 13034283-2-41
  • Phone number: +36 1 501 6200

The fact of data processing, the scope of processed data: Shipping name, shipping address, phone number, email address.

Scope of data subjects: All data subjects requesting home delivery.

Purpose of data processing: Delivery of the ordered product to the home address.

Duration of data processing, deadline for data deletion: Until the completion of home delivery.

Legal basis for data processing: Article 6(1)(b) of the GDPR.

 

Hosting Service Provider

Activity performed by the data processor: Hosting service.

Name and contact details of the data processor:

  • ShopRenter.hu Kereskedelmi és Szolgáltató Korlátolt Felelősségű Társaság
  • 4028 Debrecen, Kassai út 129
  • Phone: +36-1/234-5012
  • Email: info@shoprenter.hu

The fact of data processing, the scope of processed data: All personal data provided by the data subject.

Scope of data subjects: All data subjects using the website.

Purpose of data processing: Making the website accessible and ensuring its proper operation.

Duration of data processing, deadline for data deletion: Until the termination of the agreement between the data controller and the hosting service provider, or until the data subject submits a deletion request to the hosting service provider.

Legal basis for data processing: Article 6(1)(c) and (f) of the GDPR, as well as Section 13/A(3) of Act CVIII of 2001 on Certain Issues of Electronic Commerce Services and Information Society Services.

 

Recipients with whom personal data is shared (Data Transfer):

Online Payment

Activity performed by the recipient: Online payment.

Name and contact details of the recipient:

  • Barion Payment Zrt.
  • Headquarters: 1117 Budapest, Infopark sétány 1. I. épület 5. emelet 5
  • Company registration number: 01-10-048552
  • Tax number: 25353192-2-43
  • Represented by: Sándor Kiss, CEO, Chairman of the Board
  • License ID: H-EN-I-1064/2013, Institution ID: 25353192

The fact of data processing, the scope of processed data: Billing data, name, email address.

Scope of data subjects: All data subjects choosing payment on the website.

Purpose of data processing: Conducting online payments, confirming transactions, and fraud monitoring to protect users.

Duration of data processing, deadline for data deletion: Until the completion of the online payment.

Legal basis for data processing: Article 6(1)(b) of the GDPR. Data processing is necessary for the performance of the online payment requested by the data subject.

 

Rights of the Data Subject:
  • You have the right to be informed about the circumstances of data processing.
     
  • You are entitled to receive feedback from the data controller on whether your personal data is being processed and to access all information related to the data processing.
     
  • You are entitled to receive your personal data in a structured, commonly used, machine-readable format.
     
  • You are entitled to request the data controller to rectify your inaccurate personal data without undue delay.
     

Cookie Management

Cookies typical of online stores include "cookies used for password-protected sessions," "cookies necessary for shopping carts," and "security cookies," which do not require prior consent from the data subjects.

The fact of data processing, the scope of processed data: Unique identifier, dates, times.

Scope of data subjects: All visitors to the website.

Purpose of data processing: Identifying users, maintaining the "shopping cart," and tracking visitors.

Duration of data processing, deadline for data deletion:
 

Type of Cookie Legal Basis for Data Processing Duration of Data Processing Scope of Processed Data
Session Cookies Section 13/A(3) of Act CVIII of 2001 on Certain Issues of Electronic Commerce Services and Information Society Services Until the end of the relevant visitor session connect.sid


Persons authorized to access the data: The data controller does not process personal data using cookies.

Rights of data subjects regarding data processing: Data subjects can delete cookies in their browser's Tools/Settings menu, usually under the Privacy settings.

Legal basis for data processing: Consent from the data subject is not required if the sole purpose of using cookies is to transmit communication over an electronic communications network or to provide an information society service explicitly requested by the subscriber or user.

 

Google AdWords Conversion Tracking Usage

The Data Controller uses the online advertising program called "Google AdWords" and within its framework utilizes Google's conversion tracking service. Google Conversion Tracking is an analytics service provided by Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; "Google").

When a User accesses a website through a Google advertisement, a cookie required for conversion tracking is placed on their computer. These cookies have limited validity and do not contain any personal data, thus the User cannot be identified through them.

When the User browses certain pages of the website and the cookie has not yet expired, Google and the Data Controller can see that the User clicked on the advertisement.

Each Google AdWords customer receives a different cookie, so cookies cannot be tracked across the websites of AdWords customers.

The information obtained using conversion tracking cookies is used to generate conversion statistics for customers who have opted for AdWords conversion tracking. Customers can thus obtain information on the number of users who clicked on their advertisement and were redirected to a page tagged with a conversion tracking tag. However, they do not receive information that could identify any user.

If you do not wish to participate in conversion tracking, you can reject it by disabling the installation of cookies in your browser. After this, you will not be included in conversion tracking statistics.

Further information and Google's privacy policy are available at: www.google.de/policies/privacy/
 

Google Analytics Usage

This website uses Google Analytics, a web analytics service provided by Google Inc. (“Google”). Google Analytics uses so-called “cookies,” text files that are stored on your computer to help analyze how users interact with the website.

The information generated by the cookies about the User’s use of the website is generally transmitted to and stored on a Google server in the United States. By activating IP anonymization on this website, Google will truncate the User’s IP address within the member states of the European Union or in other states that are party to the Agreement on the European Economic Area before transmission.

The full IP address is only transmitted to a Google server in the United States and truncated there in exceptional cases. On behalf of the operator of this website, Google will use this information to evaluate the User’s use of the website, compile reports on website activity, and provide other services related to website and internet usage to the website operator.

The IP address transmitted by the User’s browser as part of Google Analytics will not be merged with other Google data. Users can prevent the storage of cookies by selecting the appropriate settings in their browser; however, please note that in this case, not all features of this website may be fully functional. Users can also prevent Google from collecting and processing data generated by cookies related to their use of the website (including their IP address) by downloading and installing the browser plugin available at the following link: 
https://tools.google.com/dlpage/gaoptout?hl=en

 

Newsletter, DM Activities

Under Section 6 of Act XLVIII of 2008 on the basic requirements and restrictions of economic advertising activities, the User may give prior and explicit consent to the Service Provider to contact them with promotional offers or other communications at the contact details provided during registration.

Furthermore, the Client may give consent, in line with the provisions of this information notice, for the Service Provider to manage their personal data necessary for sending promotional offers.

The Service Provider does not send unsolicited promotional messages, and the User may unsubscribe from receiving offers free of charge, at any time, without justification. In this case, the Service Provider deletes all personal data required for sending promotional messages from its records and will no longer contact the User with promotional offers. The User can unsubscribe from promotions by clicking on the link in the message.

The fact of data collection, the scope of processed data, and the purpose of data processing:
 

Personal Data Purpose of Data Processing
Name, email address Identification, enabling newsletter subscription.
Time of subscription Performing technical operations.
IP address at the time of subscription Performing technical operations.


Scope of Data Subjects: All data subjects subscribing to the newsletter.

Purpose of Data Processing: Sending electronic messages containing advertisements (emails, SMS, push notifications) to the data subject, providing information about current news, products, promotions, new features, etc.

Duration of Data Processing, Deadline for Data Deletion: Data processing lasts until the withdrawal of consent, i.e., until unsubscription.

Persons Authorized to Access the Data, Potential Recipients of Personal Data: Personal data may be processed by the sales and marketing staff of the data controller in compliance with the above principles.

Explanation of the Rights of Data Subjects Regarding Data Processing:

The data subject may request the data controller to:

  • Provide access to personal data concerning them,
     
  • Rectify, delete, or restrict the processing of such data,
     
  • Object to the processing of such personal data, and
     
  • Exercise their right to data portability and withdraw consent at any time.
Access to personal data, their deletion, modification, or restriction of processing, data portability, and objections to data processing can be initiated by the data subject in the following ways:
  • By post at the address: Hungary, 2234 Maglód, Wodiáner Telep, Rába utca 2,
     
  • By email at: peterspaplan@peterspaplan.hu,
     
  • By phone at: +36 29 328 289.
The data subject may unsubscribe from the newsletter at any time free of charge.

Legal Basis for Data Processing: The data subject's consent, Article 6(1)(a) and (f) of the GDPR, and Section 6(5) of Act XLVIII of 2008 on the basic requirements and restrictions of economic advertising activities:

"The advertiser, advertising service provider, or publisher of the advertisement – within the scope specified in the consent – maintains a record of the personal data of individuals who have given their consent. The data recorded in this register regarding the recipient of the advertisement may only be processed in accordance with the consent provided and may only be transmitted to a third party with the prior consent of the data subject."

Please Note:
  • Data processing is based on your consent.
     
  • You are required to provide personal data if you wish to receive newsletters from us.
     
  • Failure to provide data will result in us being unable to send you newsletters.

Complaint Handling

The fact of data collection, the scope of processed data, and the purpose of data processing:
 

Personal Data Purpose of Data Processing
First and Last Name Identification, communication.
Email Address Communication.
Phone Number Communication.
Billing Name and Address Identification, handling quality complaints, questions, and issues related to ordered products.


Scope of Data Subjects: All individuals who purchase from the webshop and submit a quality complaint.

Duration of Data Processing, Deadline for Data Deletion: Copies of the complaint record, transcript, and the response must be retained for 5 years in accordance with Section 17/A (7) of Act CLV of 1997 on Consumer Protection.

Persons Authorized to Access the Data, Potential Recipients of Personal Data: Personal data may be processed by the sales and marketing staff of the data controller, respecting the above principles.

Explanation of the Rights of Data Subjects Regarding Data Processing:

The data subject may request the data controller to:

  • Provide access to personal data concerning them,
     
  • Rectify, delete, or restrict the processing of such data,
     
  • Object to the processing of such personal data, and
     
  • Exercise their right to data portability and withdraw consent at any time.

​​​Access to personal data, their deletion, modification, or restriction of processing, data portability, and objections to data processing can be initiated by the data subject in the following ways:

  • By post at the address: Hungary, 2234 Maglód, Wodiáner Telep, Rába utca 2,
     
  • By email at: peterspaplan@peterspaplan.hu,
     
  • By phone at: +36 29 328 289.

​​Legal Basis for Data Processing: Article 6(1)(c) of the GDPR and Section 17/A (7) of Act CLV of 1997 on Consumer Protection.

Please Note:

  • Providing personal data is a contractual obligation.
     
  • The processing of personal data is a prerequisite for entering into the contract.
     
  • You are required to provide personal data so that we can handle your complaint.
     
  • Failure to provide data will result in us being unable to process your complaint.

 

Social Media

Fact of data collection, scope of processed data:
The name registered on Facebook social media platforms and the user's public profile picture.

Scope of data subjects:
All individuals who have registered on Facebook social media platforms and “liked” the website.

Purpose of data collection:
Sharing or “liking” specific content elements, products, promotions, or the website itself on social media platforms to promote them.

Duration of data processing, deadline for data deletion, persons authorized to access the data, and explanation of the rights of data subjects regarding data processing:
The data subject can obtain information about the source of the data, the processing, the method of transfer, and the legal basis on the respective social media platform. Data processing occurs on social media platforms, and as such, the duration, method, as well as the possibilities for deletion and modification of the data, are governed by the regulations of the respective social media platform.

Legal basis for data processing:
The voluntary consent of the data subject to process their personal data on social media platforms.
 

Customer Relations and Other Data Processing

If the data subject has any questions or issues while using the services of the data controller, they may contact the data controller through the methods provided on the website (phone, email, social media, etc.).

The data controller deletes the received emails, messages, data provided via phone, Facebook, etc., along with the name and email address of the inquirer and any other voluntarily provided personal data, no later than one year after the data was provided.

For data processing activities not listed in this notice, information will be provided at the time the data is collected.

In the case of exceptional requests from authorities or inquiries from other bodies authorized by law, the Service Provider is obligated to provide information, disclose data, transfer data, or make documents available.

In such cases, the Service Provider only discloses as much personal data and to the extent necessary to fulfill the purpose of the request, provided that the exact purpose and scope of the data have been specified.

 

Rights of the Data Subjects

Right of Access

You have the right to receive feedback from the data controller as to whether your personal data is being processed, and if so, you are entitled to access your personal data and the information listed in the regulation.

Right to Rectification

You have the right to request the data controller to rectify inaccurate personal data concerning you without undue delay. Taking into account the purpose of the data processing, you have the right to request the completion of incomplete personal data, including by means of a supplementary statement.

Right to Erasure

You have the right to request the data controller to erase your personal data without undue delay, and the data controller is obligated to erase your personal data without undue delay under certain conditions.

Right to Be Forgotten

If the data controller has made the personal data public and is obligated to erase it, the data controller, taking into account available technology and the cost of implementation, will take reasonable steps, including technical measures, to inform other data controllers processing the data that you have requested the erasure of any links to, or copies or replications of, the personal data in question.

Right to Restriction of Processing

You have the right to request the data controller to restrict processing if any of the following conditions are met:
  • You contest the accuracy of the personal data, in which case the restriction applies for a period enabling the data controller to verify the accuracy of the personal data.
     
  • The processing is unlawful, and you oppose the erasure of the data and request the restriction of its use instead.
     
  • The data controller no longer needs the personal data for processing purposes, but you require it for the establishment, exercise, or defense of legal claims.
     
  • You have objected to the processing; in this case, the restriction applies until it is determined whether the legitimate grounds of the data controller override your legitimate grounds.


Right to Data Portability

You have the right to receive the personal data concerning you, which you have provided to a data controller, in a structured, commonly used, and machine-readable format, and you have the right to transmit those data to another data controller without hindrance from the data controller to which the personal data have been provided.

Right to Object

You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you, including profiling based on those provisions.

Objection in the Case of Direct Marketing

If personal data is processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing. If you object to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.

Right Not to Be Subject to Automated Decision-Making, Including Profiling

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.This does not apply if the decision:
  • Is necessary for entering into, or the performance of, a contract between you and the data controller.
     
  • Is authorized by Union or Member State law to which the data controller is subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests.
     
  • Is based on your explicit consent.
     

Response Deadlines

The data controller shall inform you of the measures taken in response to the above requests without undue delay, but in any case, within 1 month of receiving the request.

If necessary, this period may be extended by 2 months. The data controller shall inform you of the extension and the reasons for the delay within 1 month of receiving the request.

If the data controller does not take action on your request, they shall inform you without delay, but no later than 1 month from the receipt of the request, of the reasons for not taking action and of your right to lodge a complaint with a supervisory authority and seek judicial remedy.
 

Data Security

The data controller and the data processor shall implement appropriate technical and organizational measures to ensure a level of data security appropriate to the risk, taking into account the state of the art, the costs of implementation, the nature, scope, context, and purposes of the data processing, as well as the varying likelihood and severity of risks to the rights and freedoms of natural persons. These measures include, as appropriate:

  • Pseudonymization and encryption of personal data;
     
  • Ensuring the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
     
  • The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
     
  • A process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
     

Notification of Data Breaches to the Data Subject

If a data breach is likely to result in a high risk to the rights and freedoms of natural persons, the data controller shall notify the data subject of the data breach without undue delay.The notification to the data subject shall describe in clear and plain language the nature of the data breach and include at least the following information:

  • The name and contact details of the data protection officer or other contact point where more information can be obtained;
     
  • The likely consequences of the data breach;
     
  • The measures taken or proposed by the data controller to address the data breach, including, where appropriate, measures to mitigate its possible adverse effects.
The data subject does not need to be informed if any of the following conditions are met:
  1. The data controller has implemented appropriate technical and organizational protection measures, and those measures were applied to the personal data affected by the data breach, particularly measures such as encryption that render the personal data unintelligible to any person who is not authorized to access it;
     
  2. The data controller has taken subsequent measures that ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialize;
     
  3. Informing the data subject would involve disproportionate effort. In such cases, public communication or a similar measure shall be made to inform the data subjects in an equally effective manner.


​If the data controller has not yet notified the data subject of the data breach, the supervisory authority, after considering the likelihood of the data breach resulting in a high risk, may require the data subject to be informed.
 

Reporting Data Breaches to the Authority

The data controller shall report the data breach to the competent supervisory authority under Article 55 without undue delay and, where feasible, not later than 72 hours after becoming aware of it, unless the data breach is unlikely to result in a risk to the rights and freedoms of natural persons. If the notification is not made within 72 hours, it shall be accompanied by reasons for the delay.
 

Mandatory Data Processing Review

If the duration of mandatory data processing or the periodic review of its necessity is not specified by law, local government regulation, or a binding legal act of the European Union, the data controller shall review at least every three years from the start of the data processing whether the personal data processed by them or on their behalf is necessary for achieving the purpose of the data processing.The circumstances and results of this review shall be documented by the data controller, and this documentation shall be retained for ten years following the review and made available to the National Authority for Data Protection and Freedom of Information (hereinafter: Authority) upon request.
 

Right to Lodge a Complaint

In the event of a violation of the law by the data controller, a complaint may be lodged with the National Authority for Data Protection and Freedom of Information:

National Authority for Data Protection and Freedom of Information

Address: Hungary, 1125 Budapest, Szilágyi Erzsébet fasor 22/C
Mailing address: 1530 Budapest, P.O. Box 5
Phone: +36-1-391-1400
Fax: +36-1-391-1410
Email: ugyfelszolgalat@naih.hu

Closing Statement

In preparing this information notice, we have taken into account the following legislation:
  • Regulation (EU) 2016/679 of the European Parliament and of the Council (April 27, 2016) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
  • Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information (hereinafter referred to as "Infotv.").
  • Act CVIII of 2001 on Certain Issues of Electronic Commerce Services and Information Society Services (particularly Section 13/A).
  • Act XLVII of 2008 on the Prohibition of Unfair Commercial Practices against Consumers.
  • Act XLVIII of 2008 on the Basic Requirements and Certain Restrictions of Commercial Advertising Activities (particularly Section 6).
  • Act XC of 2005 on the Freedom of Electronic Information.
  • Act C of 2003 on Electronic Communications (specifically Section 155).
  • Opinion No. 16/2011 on the EASA/IAB Best Practice Recommendation on Online Behavioural Advertising.
  • Recommendations of the National Authority for Data Protection and Freedom of Information on the data protection requirements of prior information notices.

The privacy notice is also available for download in PDF format here.

Search