Notification on data processing PDF download: Data processing

INTRODUCTION

NAIL SHOP Kereskedelmi és Szolgáltató Betéti Társaság [NAIL SHOP Trade and Services Limited] (Europe, Hungary, 4225 Debrecen, Tócós utca 5, Trade Register registration number: 09 06 013531, tax number: 22101594-2-09) (hereinafter: Supplier, data controller) takes note of the notification below.

According to the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) we hereby issue the following notification.

This notification on data processing regulates data processing from the following webpages: http://www.diamondnails.eu

The notification on data processing is available at: http://www.diamondnails.eu/data-protection

All the alterations of the notification come into force after their publication at the above-mentioned address.

CONTACT DETAILS OF THE DATA CONTROLLER:

Denomination: NAIL SHOP Kereskedelmi és Szolgáltató Betéti Társaság
Head office: Europe, Hungary, 4225 Debrecen, Tócós utca 5.
E-mail: info@diamondnails.eu
Phone: +36 52 320 046

DEFINITION OF TERMS

1. "personal data" means any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

2. "data processing" is an operation or a set of operations which is performed on personal data or on sets of personal data, whether by manual or automated means, such as the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

3. "controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

4. "third party" means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

5. "recipient" means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;

6. "consent" of the data subject means any freely given, specific, informed and unambiguous indication of the data subject"s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

7. "personal data breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.

PRINCIPLES RELATED TO PERSONAL DATA PROCESSING

Personal data shall be:

a) processed lawfully, fairly and in a transparent manner in relation to the data subject ("lawfulness, fairness and transparency");

b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89 (1), not be considered to be incompatible with the initial purposes ("purpose limitation");

c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed ("data minimization");

d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay ("accuracy");

e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed. Personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89 (1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject ("storage limitation");

f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures ("integrity and confidentiality").

The controller shall be responsible for, and be able to demonstrate compliance with paragraph 1 ("accountability").

DATA PROCESSING

DATA PROCESSING FOR MANAGING AN ONLINE STORE

1. Data collection, range of processed data and scope of data processing:

Personal data Scope of data processing
Username Identification, facilitation of registration.
Password Contributes to a secured access to the user account.
Surname and first name Necessary for contacting, shopping and invoice issuance
E-mail address Keeping in touch.
Phone number Keeping in touch, a more effective settlement of invoice- or transport-related issues.
Name and invoicing address Invoice issuance, contract drafting, establishing, changing its contents, supervision of execution, invoicing related fees, namely the exercise of related claims.
Name and delivery address Facilitation of home delivery.
Date of purchase/registration Carrying out of technical operation.
IP address at the time of purchase/registration Carrying out of technical operation.

Neither the username nor the email address must comprise personal data.

2. Data subjects: All the persons who are registered/shopping in the online store.

3. Duration of data processing, data destruction delay: As soon as the registration is erased. Fiscal records are not subject to immediate destruction, as these data shall be kept for 8 years according to Act C of 2000 on fiscal operations, article. 169, paragraph (2).

Fiscal documents that are indirect and direct evidence of the financial position (including invoices from main bookkeeping, analytical and detailed registers) must be kept for a minimum of 8 years in a legible form, an easy-to-find manner based on the references from accountant books.

4. Potential third parties with right to access data, personal data recipients: personal data may be processed by the staff of the sales and marketing department of the controller, under the above-mentioned basic principles.

5. Notification of data subjects on their rights concerning data processing :
- The data subject shall be granted by the controller the right to access personal data, to correct, erase or restrict access to it and
- Object against the processing of their personal data, and
- The subject shall have the right to of data portability, namely to withdrawing at any time the validly given consent.

6. The access to personal data, their erasure, alteration or restriction of processing, the objection to data processing may be done as follows:

- By mail Europe, Hungary, 4225 Debrecen, Tócós utca 5. címen,
- By e-mail at info@diamondnails.eu,
- By calling +36 52 320 046.

7. Legal grounds for data processing: the consent of the subject, Article 6, par. (1), letter a), Infotv. 5. §, par. (1), namely Law CVIII of 2001 on electronic commerce services, that is information society services (hereinafter: Elker tv.), Article 13/A, par. (3):

The supplier may process with the purpose of providing services those personal data which are absolutely necessary for service supplying from a technical point of view. In case other conditions are identified, the supplier must choose the means used for the supply of information society-related services in such a way that the personal data processing is performed only when it is fundamental for the supply of that service and necessary for carrying out lawful scopes, but even so only for a minimum period and to the minimum extent needed.

8. Please be informed that:

- Data processing is based on your consent.
- You are bound to provide personal data so that we can process your order.
- Not providing personal data renders us unable to process your order.

OPERATORS ASSIGNED BY THE DATA CONTROLLER

Transportation

1. The activity carried out by the operator assigned by the controller: product delivery, transportation

2. Denomination and contact details of the operator assigned by the controller:
GLS General Logistics Systems Hungary Csomag-Logisztikai Kft.
[GLS General Logistics Systems Hungary Parcels – Logistics Ltd]
2351 Alsónémedi, Európa u. 2.
info@gls-hungary.com
Telephone: +36 1 802 0265
https://gls-group.eu/HU/hu/adatvedelmi-szabalyzat

3. Data processing, processed data: delivery name, delivery address, telephone number, e-mail address.

4. Data subjects: all the persons requesting home delivery.

5. Scope of data processing: Home delivery of the ordered product.

6. Duration of data processing, delay for data erasure: until home delivery is carried out.

7. Legal grounds for data processing: User agreement, Art. 6, par. (1), letter a), Act Infotv, Article 5, par. (1).

Online payment

1. Activity carried out by the operator assigned by the controller: online payment

2. Denomination and contact details of the operator assigned by the controller:


Barion Payment Zrt.
License number: H-EN-I-1064/2013
Fiscal code: 14859034
Telephone: + 36 1 464 70 99
E-mail: support@barion.com
CCG: https://www.barion.com/hu/vasarlok/arak-vasarloknak/

3. Data processing, processed data: invoicing name, invoicing address, e-mail address.

4. Data subjects: all the persons who are shopping online.

5. Scope of data processing: Carrying out online payment, confirmation of transactions and fraud detection for user protection (fraud monitoring).

6. Duration of data processing, delay for data erasure: until online payment is made.

7. Legal grounds for data processing: User agreement, Act Infotv, article 5, par. (1), art. 6, par. (1), letter a), namely Act CVIII of 2001 on electronic commerce services that is information society services, article 13/A., par. (3).

Supplier –storage space

1. Activity carried out by the operator assigned by the controller: services related to storage space supply

2. The data operator shall not resort to a storage space supplier, but carry out this task by itself.

3. Data processing, processed data: all the personal data communicated by data subjects.

4. Data subjects: all the persons using the webpage.

5. Data processing, processed data: webpage accessing and its proper function.

6. Duration of data processing, delay for data erasure: data processing lasts until the contract agreement between the data controller and the storage space supplier terminates or the request for erasure is made by the data subject to the storage space supplier.

7. Legal grounds for data processing: User agreement, Act Infotv., Article 5, par. (1), art. 6., letter a), namely Act CVIII of 2001 on electronic commerce services, that is information society services, Article 13/A., par. (3).

COOKIE MANAGEMENT

1. The cookies specific to online stores, the so-called ‘cookies for password protection’, ‘cookies for online shopping’ and ‘safety cookies’, that do not require previous approval from the data subjects.

2. Data processing, processed data: taxpayer identification number, dates, delays.

3. Data subjects: all the persons accessing the webpage.

4. Scope of data processing: User identification, record-keeping of the ‘shopping cart’ and visitor monitoring.

5. Duration of data processing, delay for data erasure:

Type of cookie Legal grounds for data processing Duration of data processing Processed data
Session cookies Act CVIII of 2001 on electronic commerce services, namely information society services, article. 13/A., par. (3). (Elkertv.) The time-span necessary for the completion of the ongoing session connect.sid

6. Data protection officer with right to access data: by using cookies the operator shall not process personal data.

7. Notification on the rights of subjects concerning personal data processing: data subjects may erase cookies from the browser menus, by accessing More/Settings, commonly found in the Data protection submenu.

8. Legal grounds for data processing: There is no need for consent from data subjects whether the sole scope is the communication by means of the electronic message network or where the supplier needs the data in order to provide the informational service that the subscriber or user has specifically requested.

USAGE OF GOOGLE ADWORDS FOR TRACKING CONVERSIONS

1. The data controller uses the ‘Google AdWords’ online advertisement programme that is the Google provided service for tracking conversions. Conversion tracking by Google is an analysis service of Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; ‘Google’).

2. As a User accesses a webpage through a Google ad, a cookie needed for conversion tracking is being installed on their computer. The validity of these cookies is limited and they do not contain any personal data, therefore no User can be identified by means of these cookies.

3. When the User surfs on certain pages from a specific site and the cookie is still valid, both Google and the data controller are able to see that the user has accessed the advert.

4. Each Google AdWords client is assigned a different cookie, so that these cannot be followed by means of the AdWords client web pages.

5. The information – which has been obtained by means of conversion tracking cookies – has the purpose of providing data for conversion statistics for the clients that choose AdWords conversion tracking. Subsequently, clients are informed on the number of users who access adverts and redirected towards pages comprising conversion tracking tools. On the contrary, they do not have access to the information which allows the identification of users.

6. In case you do not want to take part in conversion tracking, you may refuse it by not allowing cookies to be installed in your browser. After doing so, you shall not be included in the conversion tracking statistics.

7. Further information, that is the Google statement on data protection is available at: www.google.de/policies/privacy/

USAGE OF GOOGLE ANALYTICS

1. This page uses the Google Analytics app, which is a web analysis service of Google Inc. (”Google”). Google Analytics uses the so-called ‘cookies’, which are text files saved onto computers and therefore contribute to the analysis of the usage of the webpage that the User visits.

2. The information resulting from the cookies referring to the webpage used by the User normally gets on a US Google server where it is stored. By activating the IP web anonymization Google shall first abbreviate the User’s IP address in the case of EU member countries or in other EEA member countries.

3. Transmitting the full IP address to the US Google server and its abbreviation at the server location occurs only in exceptional cases. Pursuant to the license owned by the operator of this webpage, this information shall be used by Google to assess the way in which the User used the webpage, and consequently to generate reports on the webpage activity, as well as to provide other services related to the webpage and internet usage.

4. The IP address transmitted within Google Analytics by the User browser shall not be corroborated with other Google data. Storing cookies can be prevented by appropriate browser setting by the User, but please take note that in this case it is likely that some webpage functions are not available. Concurrently you can prevent data collecting and cookie processing by Google, which are connected to the usage of the User webpage (including the IP address) download and install the search plug-in available at https://tools.google.com/dlpage/gaoptout?hl=en

NEWSLETTER, DM ACTIVITY

1. According to Act XLVIII of 2008, art. 6 on basic requirements and certain restrictions of commercial marketing activity, the User can express its prior and clear consent on whether being contacted by the User for promotional offers or not, as well as other correspondence to the contact details transmitted upon the time of registration.

2. Considering the stipulations of the herein notification, the Client shall express his or her consent regarding the processing of personal data needed for sending the Supplier’s promotional offers.

3. The Supplier shall not send unwanted promotional messages and the User can unsubscribe from receiving offers free of charge and without any motivation restrictions. Should this be the case, the Supplier shall erase from the records all the personal data - which are necessary for sending promotional messages – and shall not contact the User with further promotional offers. The User shall unsubscribe from adverts by accessing the link provided in those messages.

4. Data collecting, data processing and scope of data processing:

Personal data Scope of data processing
Name, e-mail address Identification, facilitation of subscription to the newsletter.
Date of registration Carrying out the technical procedure.
IP address at the time of registration Carrying out the technical procedure.

5. Data subjects: all the newsletter subscribers.

6. Scope of data processing: sending electronic advertisements (e-mail, sms, push message) to the subjects, providing them notifications on up-to-date information, products, promotions, new functions, etc.

7. Duration of data processing, delay for data erasure: data processing is carried out until the revocation of the statement of consent, which is until unsubscribing from it.

8. Potential third parties with personal data access right, personal data recipients: personal data shall be processed by the staff of the sales and marketing department of the collector, abiding by the above-mentioned principles.

9. Notification of subjects on their rights concerning data processing:

- The subject shall request from the data collector the access to, the correction, erasure or restriction of access to to his or her personal data, and
- Shall protest against processing these personal data, namely
- The data subject has the right to data portability, that is the revocation at any time of their prior clear consent.

10. The access to personal data, erasure, alteration or restriction of processing, as well as the protest against data processing shall be done by means of the following contact details:

- By mail at: Europe, Hungary, 4225 Debrecen, Tócós utca 5. címen,
- By e-mail at info@diamondnails.eu,
- By calling +36 52 320 046.

11. The data subject may unsubscribe free of charge from the newsletter at any time.

12. Legal grounds for data processing: consent of the data subject, art. 6, par. (1), letter a), Infotv. art. 5, par. (1), namely Act XLVIII of 2008 on basic requirements and certain restrictions of marketing, art. 6, par. (5):

The advertiser, the advertisement supplier or the advertising publisher – within the limitations established by the clear consent of the subject – keeps the personal data records of the subjects who clearly expressed their agreement upon their entity. The data from the records – concerning the advertisement recipient – may be processed only according to those expressed in the statement of consent until its revocation and may be transmitted to third parties on the grounds of prior consent of the data subject.

13. Please be informed that:

- Data processing is based on your consent.
- You are bound to provide personal data whether you want to receive newsletters from us.
- Not providing personal data renders us unable to send you newsletters.

CLAIM SETTLEMENT

1. Data collecting, data processing and scope of data processing:

Personal data Scope of data processing
Surname and first name Identification, contacting
E-mail address Contacting
Phone Contacting
Name and invoicing address Identification, claim processing on the quality of the ordered product, questions and problem solving.

2. Data subjects: all the persons who are shopping via the webstore page and who complain about the quality.

3. Duration of data processing, delay for data erasure: report drafted on the registered claim, notification and copies of the reply are to be kept according to Act CLV of 1997 on consumer protection, article 17/A, par .(7) are to be kept for a duration of 5 years.

4. Potential third parties with personal data access right, personal data recipients: personal data shall be processed by the staff of the sales and marketing department of the collector, abiding by the above-mentioned principles.

5. Notification of subjects on their rights concerning data processing:

- The subject shall request from the data collector the access to, the correction, erasure or restriction of access to to his or her personal data, and
- Shall protest against processing these personal data, namely
- The data subject has the right to data portability, that is the revocation at any time of their prior clear consent.

6. The access to personal data, erasure, alteration or restriction of processing, as well as the protest against data processing shall be done by means of the following contact details :

- By mail Europe, Hungary, 4225 Debrecen, Tócós utca 5.
- By e-mail at info@diamondnails.eu,
- By calling +36 52 320 046.

7. Legal grounds for data processing: consent of the data subject, art. 6, par. (1), letter a), Infotv, art. 5, par. (1) and Act CLV of 1997 on consumer protection, art. 17/A, par. (7).

8. Please be informed that:

- personal data communication is based on contractual obligations
- personal data processing represents the grounds for contract conclusion.
- you are bound to provide personal data in order for us to be able to process your complaint.
- not providing your personal data renders us unable to process the claim you are sending us.

SOCIAL MEDIA PAGES

1. Data collecting, data processing: the name used for registration on Facebook/Google+/Twitter/Pinterest/Youtube/Instagram etc., as well as the profile picture of the user.

2. Data subjects: all the persons registered on Facebook/Google+/ Twitter/Pinterest/Youtube/Instagram etc. who clicked on the ‘like’ button on our page.

3. Scope of data collection: the distribution, namely ‘liking’ of the page, its promotion on social media pages of web page content of the products, promotions and the webpage itself.

4. Duration of data processing, delay for data erasure, persons likely to access data, the recipients of personal data, notification of data subjects on the rights related to data processing: the data subject shall be informed via the concerned social media webpages about the source of the data, their processing, the way of transmitting and the legal grounds. Data processing is made on the social media webpages, therefore the duration, the way of data processing and the possibility of data erasure and modification is regulated by the provisions/stipulations of the concerned social media webpage.

5. Legal grounds for data processing: freely expressed consent of the data subject concerning personal data processing on social media web pages.

CUSTOMER CARE AND OTHER DATA PROCESSING

1. Should you have any inquiries while you benefit from the data controller services, and the involved subject data encounters certain issues, the data controller can be contacted by means of the contact details communicated on the webpage (phone, email, social media pages etc.).

2. The emails, messages, data transmitted by phone or Facebook etc. shall be erased by the data controller together with the name and email address, as well as other freely communicated personal data within a maximum 2 years from data transmission.

3. In regard to the aspects related to data management, which are not mentioned in the hereby notification, further information shall be provided at the moment of data registration.

4. Based on the special notification of authorities, namely the license granted by legal provisions, The Supplier is compelled, upon demand of other bodies, to supply information, to communicate, to transmit data, namely to make documents available.

5. In these cases, the Supplier shall communicate only those personal data and only to the extent to which they are minimally necessary for the scope of the request to be carried out – where the scope and the data were mentioned.

RIGHTS OF DATA SUBJECTS

1. Right of access

You shall have the right to obtain from the controller confirmation as to whether or not personal data concerning you are being processed, and, where that is the case, access to the personal data and the information listed in the regulation.

2. Right to rectification

You shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, you shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

3. Right to erasure

You shall have the right to obtain from the controller the erasure of personal data concerning you without undue delay and the controller shall have the obligation to erase personal data without undue delay where certain grounds applies.

4. Right to be forgotten

Where the controller has made the personal data public and is obliged pursuant to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

5. Right to restriction of processing

- You shall have the right to obtain from the controller restriction of processing where one of the following applies:
- you contest the accuracy of the personal data, and in this case the restriction applies for a period enabling the controller to verify the accuracy of the personal data;
- the processing is unlawful and you oppose to the erasure of the personal data and request the restriction of their use instead;
- the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
- you have objected to processing; in this case the restriction is pending the verification whether the legitimate grounds of the controller override those of the data subject.

6. Right to data portability

You shall have the right to receive the personal data concerning you, which you have provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided (...)

7. Right to object

You shall have the right to object, on grounds relating to your particular situation, at any time to processing of personal data (…), including profiling based on those provisions.

8. Objection to direct marketing

Where personal data are processed for direct marketing purposes you shall have the right to object at any time to processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing. Where you object to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.

9. Automated individual decision-making process, including profiling

You shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly you.

Paragraph 1 shall not apply if the decision:

- is necessary for entering into, or the performance of, a contract between the data subject and a data controller;
- is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard
- the data subject’s rights and freedoms and legitimate interests;
- or is based on the data subject’s explicit consent.

DISPUTE RESOLUTION DELAY

The controller shall notify you without delay, within one month from the reception of the request on the measures taken as a result of the aforementioned requests.

Where needed, this delay can be extended by up to 2 months. The controller shall inform you on the extension of the delay by mentioning the reasons for delay within 1 month from the reception of the request.

When the controller does not take any measures as a result of your request, without delay, but within one month from the reception of the request, the controller shall inform you on the reasons generating the lack of measures, namely on the fact that you can file a complaint with any surveillance authority and that you can exercise your right to appeal.

SECURITY OF PROCESSING

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

a) the pseudonymisation and encryption of personal data;

b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;

d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

COMMUNICATION OF A PERSONAL DATA BREACH TO THE DATA SUBJECT

When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.

The communication to the data subject shall describe in clear and plain language the nature of the personal data breach and contain, as well as the name and contact details of the data protection officer or another contact point for further information; describe the likely consequences of the personal data breach; describe the measures taken or suggested to be taken by the controller in order to rectify the personal data breach including, where the case may be, the measures taken to mitigate its potential negative effects.

The notification of the data subject is not necessary when one of the following conditions are met:

- the controller has implemented technical and organisational protection measures which were applied for the personal data affected by the breach of personal data, especially measures providing assurance that personal data become illegible to any unauthorized person that may access them, such as by encrypting;
- after the data protection breach the controller has taken subsequent measures through which they made sure that the high risk for the rights and freedoms of data subjects is no longer likely to occur;
- the notification involves a disproportionate effort. In this case, a public notification is made instead or a similar measure is taken so that the subjects are notified in an equally effective way.

Where the controller has not already communicated the personal data breach to the data subject, the surveillance authority shall ask the controller to do so, after taking into consideration the fact that the personal data breach generates high risks.

NOTIFICATION ON A PERSONAL DATA BREACH TO THE SUPERVISORY AUTHORITY

In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.

RIGHT TO FILE A COMPLAINT

Should any infringements of the law by the data controller occur, complaints shall be filed to The National Authority for Data Protection and Freedom of Information:

The National Authority for Data Protection and Freedom of Information
1125 Budapest, Szilágyi Erzsébet fasor 22/C.
Mailing address: 1530 Budapest, c.p.: 5.
Phone: +36 -1-391-1400
Fax: +36-1-391-1410
E-mail: ugyfelszolgalat@naih.hu

APPENDIX

- When drafting the hereby notification we took into consideration the following legal acts:

- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC(General Data Protection Regulation)

- Act CXII of 2011 – on informational self-determination and the freedom of information (hereinafter: Infotv)

- Act CVIII of 2001 – on certain issues of electronic commerce services and information society services (namely Article 13/A)

- Act XLVII of 2008 – on the prohibition of unfair commercial practices against consumers;

- Act XLVIII of 2008 – on the basic requirements and certain restrictions of commercial advertising activities (namely Article 6)

- Act XC of 2005 on the freedom of electronic information

- Act C of 2003 on electronic communication of news (namely Article 155)

- Opinion no. 16/2011 on the EASA/IAB recommendation for the regular exercise of online behavioural advertising

- Recommendation of the National Authority for Data Protection and Freedom of Information on criteria of data protection upon prior notification
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC