Privacy Notice

INTRODUCTION

PRIVACY NOTICE

for the webshop operated by Helpee Kft.

Helpee Kereskedelmi és Szolgáltató Korlátolt Felelősségű Társaság (H-2400 Dunaújváros, Vasmű út 51. 1. em. 4. ajtó; company registration number: 07-09-032044; tax number: 29172726-2-07) (hereinafter referred to as “Data Controller”), as the data controller, acknowledges the contents of this legal notice as binding on it. It undertakes to ensure that any data processing carried out in connection with its activity shall comply with the requirements specified in these rules and the applicable national and EU laws.

Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR) (hereinafter referred to as: Regulation) requires the Data Controller to take appropriate measures to provide the data subject with all information concerning the processing of personal data in a concise, transparent, comprehensible and easily accessible form, in a clear and comprehensible manner, and to facilitate the exercise of the data subject’s rights.

The obligation to provide prior information to the data subject is also required by Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information (Privacy Act). Further applicable legislation:

• Act V of 2013 on the Civil Code (Civil Code);
• Act CLV of 1997 on Consumer Protection (Consumer Protection Act);
• Act C of 2000 on Accounting (Accounting Act);
• Act C of 2003 on Electronic Communications (Electronic Communications Act);
• Act CLXIV of 2005 on Commerce (Commerce Act);
• Act XLVIII of 2008 on the Basic Conditions and Certain Restrictions on Economic Advertising (Advertising Act),
• Act II of 2012 on Offences, the Procedure in Relation to Offences and the Offence Record System (Offences Act),
• Act XC of 2017 on Criminal Procedure (Criminal Procedure Act);
• Government Decree 45/2014 (II.26.) on the detailed rules of contracts concluded between consumers and businesses
• Decree 19/2014 (IV.29.) of the Ministry for National Economy on procedural rules for administering guarantee and warranty claims on items sold under contracts between consumers and businesses ( d.).
• Government Decree 373/2021 (VI.30.) on detailed rules for contracts between consumers and businesses for the sale of goods, supply of digital content and provision of digital services

Helpee Kft. reserves the right to change this Notice at any time, and shall notify website visitors of any changes within 30 days.

Helpee Kft. is committed to protecting the personal data of its customers and partners, and attaches great importance to respecting the right of its customers to information self-determination.

Helpee Kft treats the personal data confidentially, and it takes all security, technical and organisational measures which guarantee the security of the data.

In the notice that can be read below, we inform you about the data processing related to the operation of Helpee Kft. as service provider, and we fulfil our above legal obligation.

 

CHAPTER I

SPECIFICATION OF THE DATA CONTROLLER

The publisher of this information, as well as the Data Controller:

Name: Helpee Kereskedelmi és Szolgáltató Korlátolt Felelősségű Társaság

Registered seat: H-2400 Dunaújváros, Vasmű út 51. 1. em. 4.

Mailing address: H-1862 Budapest, ePostabox utca 10.

Company registration number: 07-09-032044

Tax number: 29172726-2-07

Registering court: Registry Court of the Székesfehérvár Regional Court

Represented by: MOLNÁR Boglárka, managing director, independently

Email: hello@helpee.hu

 

CHAPTER II

DATA PROCESSING

The Data Controller performs the data processing of its activities on the legal bases listed below for each data processing purpose.

We draw the attention of data providers to the fact that if they provide another person’s data, the consent of the actual data subject shall be obtained by the data provider.

The Data Controller shall not forward data to a third country.

The Data Controller does not use automated decision-making or profiling.

DATA PROCESSING:

Serial number	Purpose of data processing (Process)	Categories of data subjects	Personal data processed	Legal basis for data processing	Recipients, categories of recipients	Place and method of storage	Deadline for erasure	Data transmission
	Related to service provision and product sales
1.	Contact	person sending an email/ a message	name, email address, phone number	The data subject’s voluntary consent	Data controller	electronically	1 year from the date of contact	–
2.	Delivery of the purchased product	customers	name, email address, phone number, method of payment, address	The performance of contractual obligations	Data controller	on paper and electronically	1 year from the date of performance of the contract	–
	Data processing related to its operation
3.	Invoicing of products – through the szamlazz.hu system	customers	name/ company name, address/ registered seat, tax identification number/ tax number, email address	Compliance with legal obligations to which the Data Controller is subject	Data Controller, its agents and contractors	electronically	Section 169(2) of the Accounting Act – the erasure period specified in the relevant legislation	accounting and invoicing program
4.	Payment via debit card	customers	Bank card data is not processed by the data controller, only: currency, fee, surname, first name, billing data (name, tax identification number, address)	Performance of the contract	Authorities specified by legislation	electronically	Section 169 (2) of the Accounting Act – the erasure period specified in the relevant legislation – 8 years	accountant, payment system operator

 

OTHER DATA PROCESSING:

Webshop data processing

1. Quality complaints

In case of quality grievances and complaints, Helpee Kft. draws up a quality complaint report.

Purpose of data processing: handling quality complaints raised in the context of the services provided by Helpee Kft.

Legal basis for processing: point c) of Article 6(1) of the GDPR, the data processing is necessary for the fulfilment of the legal obligation of the data controller, in view of Section 17/A(5) of the Consumer Protection Act.

Type of personal data processed: the name and address of the consumer, the name of the consumer product, the purchase price, the date of the purchase and the notification of the defect, the description of the defect, the claim the consumer wishes to assert and the method of settlement of the complaint.

Duration of data processing: regarding the copies of reports about the complaint and responses to written complaints, it is five years according to Section 17/A(7) of the Consumer Protection Act.

Possible consequences of not providing the data: the data subject cannot exercise their consumer rights.

2. Logging of www.helpee.hu 

When visiting the website www.helpee.hu, the web server will automatically log the user’s activity.

Purpose of data processing: in order to control the operation of the services and to prevent abuse, the Service Provider records the visitors’ data during their visit to the website.

Legal basis for data processing: the data controller has a legitimate interest in identifying users and preventing abuse [Section 6 (1) (f) of the GDPR].

Scope of personal data processed: identification number, dates, times, the URL of the pages visited.

Duration of data processing: 1 year

Helpee Kft. does not link the data acquired during the analysis of the log files to any other information, it does not aim to identify the user.

The URL of the pages visited, and the dates, times alone are not suitable for the identification of the Data Subject, however, when linked to other data (e.g. provided during registration) they become suitable for being used to draw conclusions relevant to the user.

Data processing related to logging by third-party service providers:

The HTML code of the websites contains links to and from independent, third party servers independent from Helpee Kft. The third-party server is directly connected to the device of the user. We would like to advise our visitors that the providers of such links may collect user data (e.g. IP address, browser and operating system data, mouse pointer positions, the URL of the visited pages and the date of the visits) because of the direct connection to their servers and the direct communication with the user’s browser.

An IP address is a numerical sequence which allows to unambiguously identify the computers and mobile devices of users going on the Internet. An IP address may allow a visitor using a particular computer to be

geographically localised, too. The URL of the pages visited, and the dates, times alone are not suitable for the identification of the Data Subject, however, when linked to other data (e.g. provided during registration) they become suitable for being used to draw conclusions relevant to the user. Any content that may be personalised for the user is provided by the server of an external service provider.

The data processing for the purpose of web auditing and the recording of website visitor data by the web server is data processing common on the Internet, so the user accepts it by using the Internet and visiting websites. Detailed information regarding the processing of data by the servers of third party service providers may be obtained from the data controllers listed below.

3. Web analytics performed on the website

The independent measurement and auditing of visits to the website and other web analytics data of the www.helpee.hu website is supported by several servers as external service providers. For customised service, a small data package, a so-called cookie is placed on the user’s computer and retrieved by the service provider at a later visit. If the browser returns a cookie that was placed earlier, the service provider managing such cookie will be able to combine the most recent visit of the user with former visits, but only for its own content.

Purpose of data processing: identification and differentiation of users, identification of users’ current session, storage of data provided during that session, prevention of data loss, identification and tracking of users, display of personalised offers using data recorded during website visits, operation of the webshop, web analytics measurements.

Legal basis for data processing: the data controller has a legitimate interest in identifying users and preventing abuse [Section 6 (1) (f) of the GDPR].

The Data Controller uses the Google Analytics program to measure visits to its website and monitor the behaviour of its visitors, to prepare statistics and to measure the effectiveness of its advertisements.

The referenced program places so-called cookies in the browser that store unique user identifiers. As a visitor to the website, you authorise the use of the Google Analytics program. At the same time, you consent to the monitoring and tracking of your behaviour and the use of all services provided by the program.

In addition to all of this, it is possible to disable the data recording and data storage of cookies for the future at any time as described below. We inform you that the settings and use of the Google Analytics program fully comply with the requirements of the data protection authority.

Type of personal data processed:

cookie name	identifier and type	provider	data processed by the cookie	purpose of the cookie, duration of data processing
wc_cart_hash	session cookie	helpee.hu	helpee.hu – PHPSESSID	managing the contents of the cart,

				continuous
_ga	Google Analytics	.helpee.hu	IP address, Analytical cookies are anonymised and aggregated data, on the basis of which it is not possible to identify the computer or the User.	It registers an individual identifier that generates statistical data about how the visitor uses the website.     2 years
_ga#	Google Analytics	.helpee.hu	IP address	It is used by Google Analytics to collect data on the number of times a user has visited the website and to save the time of the first and last visit 2 years
wp-wpml_current_language	Useful cookies	.helpee.hu	IP address	It selects the country code based on the user’s IP address. It is used to determine the language used by the visitor.

 

Source of personal data

The source of the personal data is the data subject.

Recipients of personal data made available

The personal data provided by the data subject can only be seen by the employees of the Data Controller who absolutely need it for the performance of their duties. The personal data of the data subject can also be seen by the vicarious agent entrusted with the operation of the website.

The data processor may process personal data only for the purposes specified by Helpee Kft. and contractually agreed, in accordance with its instructions, and has no autonomous right to decide on the processing. The data processor has undertaken confidentiality obligations and contractual guarantees with regard to the retention of personal data obtained in the course of its duties.

External cookies used by the Data Controller also transmit personal data to the third party providing the Service.

Transfer of personal data to a third country or international organisation

The personal data of the data subject will not be transferred to any third country or to internal organisations by the Data Controller.

However, the external cookies used by the Data Controller transmit personal data to their installers whose seats are outside the EEA.

Duration of the processing of personal data

The duration of data processing for individual cookies is adjusted to the expiration times described in the table in the section on the cookies used by the Data Controller’s website and the legal basis for data processing (or until logout from the user account, as the case may be), however, with regard to cookies that require the consent of the data subject, the Data Controller will process the data subject’s personal data until the data subject’s consent is withdrawn.

With regard to cookies that require consent, the data subject can withdraw their consent by deleting the cookies from their computer.

It is possible to delete cookies in different ways depending on the browser and with external programs; on the links below you will find detailed information on how to remove cookies manually.

https://support.google.com/chrome/answer/95647?co=GENIE.Platform%3DAndroid&hl=hu https://support.mozilla.org/hu/kb/weboldalak-altal-elhelyezett-sutik-torlese-szamito https://support.microsoft.com/hu-hu/help/278835/how-to-delete-cookie-files-in-internet-explorer https://support.apple.com/hu-hu/guide/safari/sfri11471/mac

The data subject also has the option to delete cookies using various hard disk maintenance programs (e.g. CCleaner), however, the Data Controller recommends the manual removal method available at the links above.

Automated decision-making and profiling

Neither of them takes place during the data processing.

Providing personal data

The provision of personal data is a condition for the display of the website and the proper functioning of the service specifically requested by the data subject.

Google, as an external service provider, can also manage cookies in order to achieve its goals. The data controller provides information about cookie management by Google at the http://www.google.com/intl/hu/policies/ link.

4. Data processing for other data processing purposes:

Information on data processing not listed in this Notice is provided at the time of data collection.

Please note that the court, the prosecutor, the investigating authority, the law enforcement authority, the administrative authority, the National Authority for Data Protection and Freedom of Information, or other bodies authorised by law may contact the data controller to provide information, to disclose or transfer data, or to provide documents.

The extent to which the Data Controller will disclose personal data to such authorities — provided that the exact purpose and the scope of data was specified — is limited to what is strictly necessary for ensuring compliance with the purposes of such request.

5. Registration

On the www.helpee.hu website, it is possible to create an online user account, but there is no possibility of open registration.

In order to speed up the purchase process, the Data Controller automatically generates a registration for the customers on the webshop based on the email address provided for the first purchase, about which they receive an email notification. Customers do not need to provide a separate password in this process, as the email notifying them of the registration contains a basic password. If the customer wishes to make a purchase with the same email address the next time, they must log in to the website to make the purchase.

The purpose of data processing is to provide a more convenient shopping experience in the webshop, to register and distinguish customers from each other, and to maintain customer contact.

Legal basis for data processing: data processing is necessary for the performance of the contract [Article 6 (1) (b) of the GDPR].

Types of personal data processed: customer number, first name, surname, other address, home address, email address, telephone number, email address and password required for login, billing address, delivery address.

Duration of data processing: for profile data, 8 years from the last login.

6. Purchase

Online shopping is possible on the website www.helpee.hu. It is possible to shop as a guest or as a registered user.

The purpose of data processing is: shopping on the website, issuing invoices, fulfilling orders, documenting purchases and payments, fulfilling accounting obligations, maintaining customer contact.

Legal basis for data processing: data processing is necessary for the performance of the contract [Article 6(1) b) of the GDPR], as well as purchase data (date, time, purchased product, value of purchase), billing address, delivery address, Article 6(1) c) of the GDPR, in view of Section 169(2) of the Accounting Act.

Types of personal data processed: name, address, email address, phone number, details of individual purchases (date, time, purchased product, value of the purchase, item number, order number), billing address, delivery address.

Duration of data processing: 8 years for the data on purchases in accordance with Section 169(2) of the Accounting Act.

In the course of purchases through the webshop, the Data Controller issues an invoice using the services of szamlazz.hu, in the framework of which the company operating the website as a data processor receives the billing data of the Customers (name, address, tax number, tax identification number).

The data controller’s invoices (with the data contained therein) are forwarded to the data processor providing the accounting.

Payment methods:

– ONLINE bank card payment via the SimplePay system

Payment is made directly after placing the order. After clicking the “Submit Order” button, the webshop will automatically redirect you to the SimplePay page. In all cases, the transaction takes place within SimplePay’s own system, with special security.

Steps of the transaction:

1. By clicking the “Submit Order” button, the Customer is transferred to the SimplePay payment page, where they start the transaction by entering their bank card details;
2. After entering the card data, we always recommend that the Customer check the correctness of the data.
3. The processing of the bank transaction is started by the bank processor
4. The Customer will be notified of the result of the payment by email, and will be redirected by SimplePay to the website

More information on the SimplePay website: For customers – Simplepay.hu

Data transmission:

• in case of payment, the payer’s ID, the amount, date and time of the transaction to OTP Mobil Szolgáltató (H-1143 Budapest, Hungária krt. 17-19., company registration number: 01-09-174466, tax number: 24386106-2-42)

Legal basis of data transmission: the data processing is necessary for fulfilling the contract [Article 6(1)

1. (b) of the GDPR].

 

CHAPTER III

DATA PROCESSORS

Data processor: the natural or legal person, public authority, agency or any other body that processes personal data on behalf of the data controller; (Article 4, 8 of the Regulation)

The engagement of a data processor does not require the prior consent of the data subject, but requires their notification. Accordingly, we provide the following information.

We have listed the data processors in detail for each data processing purpose, below they are summarised in table format for greater clarity:

accountant		monthly/ occasional
invoicing management system	szamlazz.hu	regular
web analytics	Google Analytics	regular
online storage insurance, logging	DiMa.hu Kereskedelmi és Szolgáltató Korlátolt Felelősségű Társaság H-4032 Debrecen, Békessy Béla utca 9. C. ép. 3. em. 10.	regular

	H-4032 Debrecen, Békessy Béla utca 9. C. ép. 3. em. 10. company registration number: 09-09-014017 tax number: 14079665-2-09 community VAT number: HU14079665 https://www.dima.hu/
improving user experience

DATA STORAGE, DATA PROCESSING SECURITY

The Data Controller’s computer systems and other data storage locations can be found at its seat in paper and electronic form.

The IT tools used during the provision of services for the processing of personal data are selected and operated by the Data Controller in a manner that the processed data:

1. are accessible to authorised persons (availability);
2. authentic and verified (authenticity of data processing);
3. verifiably unchanged (data integrity);
4. protected against unauthorised access (confidentiality of data)

The Data Controller shall protect the data with appropriate measures, in particular against unauthorized access, alteration, transmission, disclosure, erasure or destruction, as well as unavailability due to accidental destruction, damage or changes in the technique used.

In order to protect the data files electronically processed in the context of the Data Controller’s various records, the Data Controller shall employ an appropriate technical solution to ensure that the data stored are not directly connectible and assignable to the data subject – except where permitted by law.

The Data Controller, with regard to the current state of technology, shall implement technical, managerial and organizational measures that ensure the security of data processing and provide a level of protection appropriate to the risks affecting data processing.

During its processing activities, the Data Controller shall maintain

1. confidentiality: it protects information so that only those who are entitled to it have access to it;
2. integrity: it protects the accuracy and completeness of the information and the method of processing;
3. availability: grants that when an authorised user needs it, he or she can actually access the requested information and that the means to do so are available.

The Data Controller’s IT system and network are both protected against computer-supported fraud, espionage, sabotage, vandalism, as well as computer viruses, computer intrusions and denial-of-service attacks. The operator ensures security through server-level and application-level protection procedures.

Please note that electronic messages transmitted over the Internet, regardless of protocol (e-mail, web, ftp, etc.), are vulnerable to network threats that could lead to fraudulent activity, contract disputes, or the disclosure or modification of information. In order to ensure protection against such threats, the Data Controller shall take all the precautionary measures that can be expected from the Controller. It monitors the systems in order to record any security deviance and provide evidence of any security incidents. System monitoring also makes it possible to check the effectiveness of the precautions taken.

 

CHAPTER V

INFORMATION ON THE DATA SUBJECT’S RIGHTS

The data subject may request information on the processing of his or her personal data and may request the rectification, erasure or withdrawal of his or her personal data, except for mandatory processing, restriction of processing, and exercise his or her right to data portability and objection as indicated when the data were collected.

Right to prior information

The data subject has the right to be informed of the facts and information related to the data processing before the data processing starts.

(Articles 13-14 of the Regulation)

Right of access of the data subject

The data subject shall have the right to obtain from the Data Controller feedback as to whether or not his or her personal data are being processed and, if such processing is taking place, the right to access the personal data and the following information: the purposes of the data processing; the categories of personal data concerned; the recipients or categories of recipients to whom or with which the personal data have been or will be disclosed, including in particular recipients in third-countries or international organisations; the envisaged period of storage of the personal data; the right to rectification, erasure or restriction of data processing and the right to object; the right to lodge a complaint with a supervisory authority; information on the data sources; the fact of automated decision-making, including profiling, and clear information on the logic used and the significance of such data processing and its likely consequences for the data subject. In the event of a transfer of personal data to a third-country or an international organisation, the data subject is entitled to be informed of the appropriate safeguards for the transfer. (Article 15 of the Regulation).

The right to rectification

The data subject shall have the right to obtain from the Data Controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

(Article 16 of the Regulation).

Right to erasure (‘right to be forgotten’)

If one of the following reasons exists, the data subject has the right to have the Data Controller delete the personal data concerning them without undue delay at their request, and the Data Controller is obliged to delete the personal data concerning the data subject without undue delay if one of the following reasons exists:

• the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
• the data subject withdraws the consent on which the data processing is based and there is no other legal basis for the data processing;
• the data subject objects to the data processing and there are no overriding legitimate grounds for the data processing;
• the personal data have been unlawfully processed;
• the personal data must be erased in order to comply with a legal obligation under Union or Member State law to which the Data Controller is subject;

• the personal data are collected in connection with the provision of information society services

(Article 17 of the Regulation)

Right to restriction of the data processing

The data subject shall have the right to obtain from the Data Controller the restriction of the processing if any of the following applies:

• the accuracy of the personal data is contested by the data subject, for a period enabling the Data Controller to verify the accuracy of the personal data;
• the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
• the Data Controller no longer needs the personal data for the purposes of data processing, but the data subject requires them for the establishment, exercise or defence of legal claims; or
• the data subject has objected to the data processing (in this case, the restriction applies for the period until it is established whether the legitimate grounds of the Data Controller override those of the data subject).

Where data processing is restricted, personal data, except for storage, may be processed only with the consent of the data subject or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or of an important public interest of the Union or of a Member State.

Helpee Kft. shall inform the data subject in advance of the lifting of the restriction on data processing. (Article 18 of the Regulation)

Notification obligation regarding rectification or erasure of personal data or restriction of processing

The Data Controller shall inform each recipient to whom the personal data have been disclosed about all cases of correction, deletion or limitation of data processing unless it proves impossible or involves disproportionate effort. The Data Controller shall inform the data subject about those recipients if the data subject requests it.

(Article 19 of the Regulation)

Right to data portability

In accordance with the conditions required by the Regulation, the data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to the Data Controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another Data Controller without hindrance from the Data Controller to which the personal data have been provided.

(Article 20 of the Regulation)

Right to object

The data subject shall have the right to object at any time, on grounds relating to their particular situation, to the data processing of their personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller, or necessary for the purposes of the legitimate interests pursued by the Data Controller or by a third-party, including profiling based on those provisions.

In the case of objection, the Data Controller may no longer process the personal data, unless it is justified by compelling legitimate grounds which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

Where personal data are processed for direct marketing purposes, the data subject has the right to object at any time to the processing of personal data concerning him or her for such purposes, including profiling, where it is related to direct marketing.

In case of objection to the processing of personal data for direct marketing purposes, the data will not be processed by Helpee Kft. for this purpose.

(Article 21 of the Regulation)

Automated decision-making in individual cases, including profiling

The data subject shall have the right not to be subject to a decision based solely on automated data processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

The above right cannot be applied if the decision is:

• necessary for the conclusion or performance of a contract between the data subject and the Data Controller;
• permitted by Union or Member State law applicable to the Data Controller which also lays down appropriate measures to protect the rights and freedoms and legitimate interests of the data subject; or
• based on the explicit consent of the data subject. (Article of the Regulation)

Right of withdrawal

The data subject shall have the right to withdraw his or her consent at any time. Withdrawal of consent shall not affect the lawfulness of data processing based on consent prior to its withdrawal.

Restrictions

Union or Member State law applicable to a data controller or data processor may, by legislative measures, limit the scope of the rights and obligations set out in Article 5 in respect of its provisions in Articles 12 to 22 and Article 34 and in accordance with the rights and obligations set out in Articles 12 to 22, if the limitation respects the essential content of fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard the rights and freedoms referred to in Article 23(1)a) to j).

(Article 23 of the Regulation)

Communication of a personal data breach to the data subject

When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the Data Controller shall communicate the personal data breach to the data subject without undue delay.

(Article 34 of the Regulation)

Right to file a complaint with a supervisory authority (Right to an administrative remedy)

The data subject shall have the right to file a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes the Regulation.

(Article 77 of the Regulation)

Right to an effective judicial remedy against a supervisory authority

Each natural or legal person shall have the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning them, or, if the supervisory authority does not handle a complaint or does not inform the data subject within three months on the progress or outcome of the complaint filed.

(Article 78 of the Regulation)

Right to an effective judicial remedy against a data controller or processor

The data subject shall have the right to effective judicial remedy if he or she considers that his or her rights under the regulation have been infringed as a result of the processing of his or her personal data in non-compliance with the regulation.

(Article 79 of the Regulation)

Right to compensation

Any person who has suffered pecuniary or non-pecuniary damage as a result of a breach of the Data Protection Regulation shall be entitled to receive compensation from the data controller or data processor for the damage suffered. The data processor shall be liable for damage caused by the data processing only if it has failed to comply with the obligations expressly imposed on data processors by law or if it has disregarded or acted contrary to lawful instructions from the data controller.

Where more than one data controller or more than one data processor or both the data controller and the data processor are involved in the same data processing and are liable for the damage caused by the data processing, each data controller or data processor is jointly and severally liable for the total damage.

The data controller or the data processor shall be exempt from liability if it proves that it is not in any way responsible for the event giving rise to the damage.

 

CHAPTER VI

LODGING A REQUEST BY DATA SUBJECT, DATA CONTROLLER’S MEASURES

The data subject may request information about the processing of their personal data and may request the rectification, erasure or blocking of their personal data, except for mandatory processing, as indicated when the data were collected.

The Data Controller shall provide information on action taken on the request to the data subject without undue delay and in any event within one month of receipt of the request.

If necessary, taking into account the complexity of the request and the number of requests, this deadline may be extended by a further two months. The Data Controller shall inform the data subject of any such extension no later than one month after the request has been received and shall provide the reasons for the delay.

If the Data Subject has submitted the request by electronic means, the information shall be provided by electronic means where possible, unless the Data Subject requests otherwise.

If the Data Controller does not take action on the request of the data subject, it shall inform the data subject of the reasons for not taking action without delay but not later than one month after the request has been received, and shall inform the data subject of the possibility of lodging a complaint with a supervisory authority or seeking a judicial remedy.

Information provided under Articles 13 and 14 and any communication and any actions taken under Articles 15 to 22 and 34 shall be provided free of charge by the Data Controller. Where the data subject’s request is manifestly unfounded or excessive, in particular because of its repetitive nature, the Data Controller may, taking into account the administrative costs of providing the information or communication requested or of taking the action requested, refuse to act on the request, but the burden of proving that the request is manifestly unfounded or excessive shall lie with the Data Controller.

Where the Data Controller has reasonable doubts concerning the identity of the natural person making the request, the controller may request the provision of additional information necessary to confirm the identity of the data subject.

In exercising the right to data portability, the data subject may request, where technically feasible, the direct transfer of personal data between data controllers.

The Data Controller, as the Data Controller, shall provide information on the data processed by it or by a processor it has appointed, their source, the purpose, legal basis and duration of the processing, the name and address of the data processor and its activities related to the processing, and, in the case of data transfers, the legal basis and the recipient of the transfer. The Data Controller shall provide this information in writing within the shortest possible time after the submission of the relevant request. This information shall be provided free of charge if the person requesting the information has not yet submitted a request for information to the Data Controller for the same set of data in the current year. In other cases, the Data Controller will set a fee.

The Data Controller may not delete the data subject’s data if it is based on a contract, the performance of a legal obligation or the legitimate interest of the Data Controller.

In the case of data processing based on legitimate interests, the data subject has the right to object under Article 21 of the Regulation, i.e. they may object to the processing at any time. In this case, the Data Controller may not continue processing the personal data unless the Data Controller demonstrates that the processing is justified by compelling legitimate grounds which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

The Data Controller shall compensate any damage caused to others by the unlawful processing of the data subject’s data or by the breach of data security requirements. The Data Controller shall be exempt from liability if the damage was caused by an unavoidable cause outside the scope of the processing. It will not compensate the damage if it is the result of intentional or grossly negligent conduct of the injured party.

You can lodge a complaint with the National Authority for Data Protection and Freedom of Information:

National Authority for Data Protection and Freedom of Information
Registered seat: H-1055 Budapest, Falk Miksa utca 9-11.

Website: http://www.naih.hu Telephone number: +36 1 391 1400

Fax: +36 1 391 1410

Email: ugyfelszolgalat@naih.hu

The data subject shall have the right to seek judicial remedy against the Data Controller if their rights have been violated. The court shall act out of turn in the case.

Updating the notice, monitoring changes in legislation

The Notice is continuously reviewed and updated by the Data Controller in accordance with changes in the legal environment and the requirements of the authorities. You can keep up to date with the current Notice by requesting information from the Data Controller.