Privacy

DECODE Kortárs Építészeti és Művészeti Alapítvány (hereinafter referred to as: Foundation), as a data controller (hereinafter referred to as: Data Controller) shall, in the course of the operation of the website www.decode-foundation.hu, process your personal data in accordance with this privacy policy (hereinafter referred to as: Privacy Policy).

This Privacy Policy outlines the principles of the processing of personal data by the Foundation upon visiting the website www.decode-foundation.hu. Regarding the processing of other personal data (data of employees, contact persons of business partners, etc.), the Foundation shall inform the data subjects in a dedicated informative document or policy or upon the recording of data.

When you are sharing personal data with us or we otherwise gain access to your personal data upon your visiting our website, said data shall be processed in accordance with this Privacy Policy. Please read the Privacy Policy carefully in order to understand how we process your personal data and to learn about your data processing related rights. Should you have any questions or concerns regarding your personal data, please do not hesitate to contact us.

When developing the provisions of the Privacy Policy, the Foundation paid special attention to the provisions of Regulation No 2016/679 of the European Parliament and of the Council (“General Data Protection Regulation”, “Regulation” or “GDPR”) and Act CXII of 2011 on Informational Self-Determination and Freedom of Information (“Privacy Act”).

We are dedicated to protecting the personal data of the visitors of our website and our current and future customers and contracted partners and consider respect of the right to informational self-determination a priority. We treat personal data confidentially and will take all security, technical and organizational measures to guarantee data security.

By using the website, you agree to the provisions of the Privacy Policy. If you do not accept the contents of this Privacy Policy, kindly leave the website.

I. Details of the data controller

The Foundation shall be liable for the personal data you share with us; in accordance with applicable data protection regulations, the information of the Foundation acting as “Data Controller” are as follows:

Name of the Data Controller: DECODE Kortárs Építészeti és Művészeti Alapítvány

Registered office of the Data Controller: H-1068 Budapest, Felső erdősor 3. 3. em. 22.

Website: www.decode-foundation.hu

Electronic mailing address of the Data Controller: decode@bordstudio.hu

Phone number of the Data Controller: +36 20 939 6968

Registration number of the Data Controller: 01-01-0012850

Tax number of the Data Controller: 19188919-1-42

II. Definitions

Personal data: any information pertaining to an identified or identifiable person (“data subject”); an identifiable person shall mean a private individual who can be identified directly or indirectly, but particularly via identification information, for example name, number, location data, online ID or one or more factors concerning the physical, physiological, genetic, mental, economic, cultural or social identity of the given private individual.

Data processing: the totality of any procedure or procedures implemented in an automatic or non-automatic manner, concerning personal data or data files and including collecting, recording, systemizing, structuring, storing, transforming or modifying, querying, accessing, using, communicating, transferring, publishing or otherwise making accessible, coordinating or linking, limiting, erasing or terminating.

Data Controller: a private individual or legal entity, public authority, agency or any other body that may define, on its own or in cooperation with other entities, the purposes and tools of data processing; if the purposes and tools of data processing are defined by EU law or the laws of a member state, the identity of the data controller or the specific criteria for determining the identity of the data controller may be prescribed by EU law or the laws of a member state.

For the services described in this Privacy Policy, the data controller shall be the Foundation. The Data Controller is the operator of the website.

Data processor: a private individual or legal entity, public authority, agency or any other body that processes data on behalf of the data controller.

Recipient: a private individual or legal entity, public authority, agency or any other body that is the recipient of personal data, regardless of whether the given entity is a third party or not. Public authorities that, through specific investigations, are entitled to access personal data in accordance with EU law or the laws of a member state, are not considered recipients; processing of said data by such public authorities must comply with data protections regulations applicable based on the purposes of data processing.

Data subject’s consent: freely given, specific, informed and unambiguous indication of the data subject’s will, in which the data subject, by way of a statement or an action unambiguously indicating consent, consents to the processing of personal data relating to the data subject.

Personal data breach: a breach of security which results in the unintended or unlawful termination, loss, change of, or unauthorized publication or similar unauthorized access to transferred, stored or otherwise processed personal data.

Website: the website www.decode-foundation.hu and its subpages operated by the data controller.

User: a private individual who accesses the website and whose personal data is processed by the data controller.

External provider: service provider partners, acting as third parties, employed – directly or indirectly – by the data controller in regards of the operation of the website or the provisioning of the services available therein, to whom personal data is transferred or may be transferred as necessary for the provisioning of such services, and who may transfer personal data to the data controller. Service providers who are not in collaboration with the data controller, but who have access to the website relevant to the service and collect data concerning the users which, either by themselves or when combined with other data, can be used to identify the user are also considered external providers.

Privacy Policy: this privacy policy of the Data Controller.

III. Principles of data processing

The Data Controller shall be liable for the following:

  • processing personal data in a lawful and fair manner and while providing transparency to the data subject (“lawfulness, fairness and transparency”);
  • collecting personal data only for specific, unambiguous and lawful purposes and processing said data in a manner incompatible with these purposes (“purpose limitation”);
  • processing personal data that is appropriate and relevant for the purposes of data processing and is limited to what is necessary (“data minimization”);
  • ensuring that personal data are accurate and, if necessary, up-to-date and taking all reasonably necessary measures to ensure that personal data considered inaccurate in the context of data processing purposes are erased or corrected without delay (“accuracy”);
  • storing personal data in a format that enables the identification of data subjects only for the duration necessary for data processing purposes (“storage limitation”);
  • processing personal data in a manner that, through the implementation of necessary technical or organizational measures, ensures their security, including security against unauthorized or unlawful processing, unintended loss, termination or damage (“integrity and confidentiality”).

IV.  Personal data processed, the purpose, legal basis of data processing, and storage duration

Depending on the purpose of data usage, data may be processed on the following legal bases: your consent or our legitimate interest (of ensuring the protection and security, proper functioning and continuous development of the tools you use – our websites/applications/devices) or the fulfillment of contractual or legal obligations. For each data processing, we will inform you on what legal basis we process your personal data.

If data processing requires your consent, you may give consent freely, having received proper information, in a prior statement, which statement shall contain your express consent to the processing of the personal data provided while using the website. You, as a data subject user, in case of data processing requiring consent, are entitled to revoke consent at any time, which, however, does not affect the lawfulness of data processing carried out before the revocation. You shall have the right to withdraw your consent at any time, however, in accordance with the GDPR, the Data Controller may, unless otherwise provided by law, continue to process your data without further consent, even after the withdrawal of the consent, in order to fulfill a legal obligation or enforce its own or a third party’s legitimate interest, providing that the enforcement of such an interest is in proportion to the restriction of the right related to the protection of personal data.

Voluntary consent also means the conduct by which you accept that by using the website you are automatically bound by all regulations relating to the use of the website, including this Privacy Policy.

You are liable for any data you provide and, upon providing such data, also assume liability for ensuring that you are the only one procuring services via the specified e-mail address and using the data you have provided. We do not review personal data, the person providing such data shall bears sole liability for their accuracy.

For further details regarding data processing or the scope, purposes and legal bases of data processing, please see the information provided below.

1. Processing of website visitors’ data

When you login to the website, some data generated during the visit may be technically automatically recorded on the server behind the website. The automatically recorded data is logged by the system upon login and logout without a separate statement or action of the data subject (user).

The system processes this data for the shortest period of time required for operational security, typically less than 1 day, then the data is overwritten, namely erased. The following data may be stored in this manner: IP address, browser information, visit parameters.

Objectives of data processing: during the visit to the website, the IT support records the visitor data in order to ensure and control the operation of the website and to prevent misuse.

Legal basis of data processing: the consent of the data subject

Scope of data processed: IP address

Duration of data processing: maximum 7 days after visiting the website.

2. Use of cookies during the usage of the website

In order to provide customized services, the Data Controller may install a small data package, a so-called cookie on the user’s computer, which is rescanned when next accessing the website. When the browser returns a previously saved cookie, the service managing the cookie may link the user’s current session to previous sessions, but only as regards its own contents. The user is able to erase cookies from its computer or may disable the use of cookies in its browser. Declining to provide data may result in the website’s service not being fully available or analytical measurements being inaccurate.

What cookies do we use:

Change cookie settings

The website uses the “targeting and advertising cookies” of the following service providers:

“web statistics cookies”

The Data Controller uses “web statistics cookies” to collect information regarding the way users use the website. The purpose of these cookies is to develop the website in accordance with user requirements. These “cookies” may be used to track the number of visitors to the website and the contents users are interested in.

The website uses the analytical cookies of Google Tag Manager, Google Analytics, which collect information regarding the users’ usage of the website. For detailed information regarding the service, please see the following link:

https://www.google.com/analytics/terms/us.html

The purpose of data processing: identification, distinguishing of users, identification of the current browsing sessions of users, storing data provided during these sessions, prevention of data loss, web analytics surveys, verifying the operation of the website when visiting, preventing misuse and determination of user requirements.

Legal basis of data processing: Article 6, paragraph (1), item a) of the GDPR, the data subject’s consent, Section 13/A, paragraph (3) of Act CVIII of 2001 on Certain Issues of Electronic Commerce Services and Information Society Services (hereinafter referred to as: Electronic Services Act), and Article 6, paragraph (1), item f) of the GDPR.

Scope of the data processed: data, time, IP address, address of previously visited website, data regarding the operating system and browser of the user, time spent browsing the website.

Duration of data processing: as indicated above (session cookies are automatically erased upon leaving the website or closing the browser).

The portal’s HTML code contains links unrelated to the Data Controller and provided by and linking to external servers. Servers of external providers connect directly to the user’s computer. Please note that the providers of these links are able to collect user data (e.g. IP address, data of browser, operating system, cursor movements, clicks, the address of the visited website and the time and duration of the visit) due to the direct connection to their servers and direct communication with the user’s browser. An IP address is a series of numbers based on which the users’ computers and mobile devices used for online browsing can be clearly identified. Based on the IP address, the visitor using the given computer may even be located geographically. The addresses of the websites visited and data concerning times and dates are not sufficient to identify the data subject, but, when connected to other data, may be used to draw certain conclusions regarding the user.

Consent to the use of cookies

While the website is loaded, we ask for your consent to install cookies in a pop-up window. If you refuse to give your consent, we will only install cookies on your device that are inevitable for the operation of the website (you will find a list of these under ‘Which cookies are used’).

How to manage the use of cookies?

On the one hand, you can control the operation of the cookies used on the website in the privacy center.

In addition to the above, you can also control the use of cookies by setting your browser.

The default setting of most browsers allows the use of cookies.

The following websites describe how to set up cookies in the most commonly used browsers:

3.Social media site-related data processings

The Foundation is available on Facebook as well as
other social media sites (LinkedIn / Instagram). The primary purpose of the content placed on these sites is to present the activities of the Foundation, to share, publish and market the content on the website on the social media site. Social media sites inform the data subjects of upcoming events and latest news.

In the course of its activities, the Foundation may process the names and public information available on data subjects registered on Facebook / Google + / Twitter / LinkedIn / Pinterest / Youtube / Instagram, etc. who like the social media sites of the Foundation in order to share or “like” certain content elements of or the social media site itself. The Foundation communicates with the data subjects through the social media site and the purpose of the scope of the processed data becomes relevant only if the data subject contacts the Foundation through this forum, namely the social media site.

The legal basis of data processing: contacting or liaising with the Data Controller or any other operation permitted by the social media sites is based on voluntary consent. Based on the terms and conditions of the social media site, the data subject voluntarily consents to the following and liking of the contents of the Data Controller.

Scope of data subjects: natural persons who follow, share or like the Data Controller’s social media sites or content.

Purpose of data processing: identification, liaising

Scope of data processed: name, other information publicly available and provided by the data subject, e-mail address

The Data Controller may link one social media site to other social media sites in accordance with the rules applicable to the particular social media site. The data subject may receive information on the data processing policy of the given social media site, the source of the data, their processing, the method of transmission and the legal basis thereof over the particular social media site. The relevant data processing is performed over the social media sites, therefore, the duration and method of data processing as well as the possibilities of erasing and rectifying data are subject to the privacy policy of the particular social media site.

Duration of data processing: until erasure of data upon the request of the data subject.

4. Further website-related data processing

The Data Controller shall provide the data subjects with separate information on the processing of the names, images or other personal data of the natural persons appearing on the website, including the request for the necessary consent, if the legal basis for the data processing is the data subject’s consent.

V. Method of storing personal data, data processing security

The Data Controller’s computer systems and other data storage devices are located at its registered office and at its data processors.

The Data Controller shall select and operate the IT devices used for the processing of personal data and the provisioning of the service with the goal of ensuring that

  • processed data are accessible to authorized parties (availability)
  • the authenticity and authentication of processed data is provided for (authenticity of data processing)
  • the integrity of processed data is verifiable (data integrity)
  • processed data is protected against unauthorized access (data confidentiality).

The Data Controller shall ensure the security of data through appropriate measures, particularly as regards security against unauthorized access, modification, transfer, publication, erasure or termination, unintended termination, damage, and, furthermore, against data becoming inaccessible due to changes in the technology in use. In order to protect the data files electronically processed in the context of the Data Controller’s various records, the Data Controller shall employ an appropriate technical solution to ensure that the data stored are not directly connectible and assignable to the data subject – except where permitted by law. The Data Controller, with regard to the current state of technology, shall implement technical, managerial and organizational measures that ensure the security of data processing and provide a level of protection appropriate to the risks affecting data processing.

During data processing, the Data Controller shall provide for the following:

  • confidentiality: protecting information by ensuring that only authorized parties have access;
  • integrity: ensuring the accuracy and completeness of information and the data processing method;
  • availability: ensuring that, when needed, authorized users are actually able to access the requested information, and that the tools needed to access such information are available.

The IT systems and networks of the Data Controller and its partners are all protected against computer assisted fraud, spying, sabotage, vandalism, fire and flood, computer viruses, computer hacking and denial-of-service attacks. The operator guarantees protection via server-level and application-level security procedures.

We hereby inform you that electronic messages transmitted via the internet are vulnerable to network-level threats which may result in unethical activities, contractual disputes or the revealing, modification of information. The Data Controller shall take all reasonable steps to protect against such threats. It shall monitor systems in order to ensure that all security issues are reported, and proof is made available whenever a security incident occurs. System monitoring also enables the verification of the efficiency of the protective measures in use.

In case of a personal data breach, the Data Controller shall be obligated to report the issue without undue delay and, if possible, within 72 hours after learning of the personal data breach to the supervisory authority competent under Article 55, except if the given personal data breach is unlikely to pose a risk to the rights and freedoms of private individuals. If the issue is not reported within 72 hours, a description of the reasons justifying the delay must also be attached.

If the personal data breach is likely to pose a high risk to the rights and freedoms of private individuals, the Data Controller shall be obligated to inform the data subject of the issue without undue delay. The Data Controller is not obligated to inform the data subject if any of the following conditions apply:

  • the Data Controller has implemented appropriate technical and organizational measures and these measures were applied to the data affected by the personal data breach, particularly in the case of measures – such as the use of encryption – that make the personal data incomprehensible for unauthorized parties upon access;
  • following the personal data breach, the Data Controller has implemented measures that ensure that the high risk to the data subject’s rights and freedoms is unlikely to materialize in the future;
  • informing the data subject would require disproportionate effort. In such cases, data subjects are to be informed by making the information publicly available or by way of a similar measure suitable for ensuring efficient communication with data subjects.

If the Data Controller has not yet informed the data subject of the personal data breach, the supervisory authority, after evaluating the probable risk level of the personal data breach, may order the Data Controller to inform the data subject.

The website may contain links linking to or originating from the websites of our partner network and advertisers. If you follow any of the links to said websites, please note that they have their own privacy policies, for which we are not liable. Please read these privacy policies before sharing your personal data on these websites.

Do not forget that content published on any of our social media platforms will be visible to the public, so be careful when providing certain personal data, for example financial information or address data. We shall not be liable for the actions of third parties in case you publish personal data on our social media platforms, and, at the same time, we recommend that you do not share such information.

VI. Data transmission, data processing, external providers

1. General principles

Courts, attorneys, investigating authorities, authorities with competence over misdemeanors, public authorities, the Hungarian National Authority for Data Protection and Freedom of Information, the National Bank of Hungary, and other bodies granted legislative authority may approach the Data Controller for information, data, the communication, transfer of data, or access to documents. The Data Controller shall only share personal data with authorities at the level and to the extent strictly necessary for the realization of the outlined goals – if the given authority has specified the exact goal and the scope of relevant data.

The Data Controller shall not transfer personal data it processes to third parties other than the data processors and certain third-party service providers specified in this Privacy Policy. An exception to the provision outlined under this item is the usage of data in a statistically aggregated format, which contains no other data that can be used in any way to identify the data subject providing the data, and as such is not considered data processing or data transmission.

Data transmission to the data processors specified in this Privacy Policy may be carried out without the express consent of the data subject. Personal data – unless otherwise specified by relevant legislation – may only be made available to third parties or authorities on the legal basis of a regulatory decision or the data subject’s prior, express consent.

2. Data processors

The Data Controller shall employ the data processors specified in this Privacy Policy for the performance of its operation. Data processors are not entitled to make independent decisions and shall only be authorized to act in accordance with the agreement concluded with the Data Controller and the instructions they receive. Data processors shall record and/or process any personal data transferred to them and processed by the Data Controller in accordance with the provisions of the GDPR, and shall issue a corresponding statement to the Data Controller. The Data Controller shall monitor the work carried out by the data processors. Data processors may only employ subcontractors if authorized to do so by the Data Controller.

Hosting service provider:

Neue Medien Münnich

Hauptstrasse 68, 02742 Friedersdorf

info@all-inkl.com

3. External providers

As regards personal data processed via external providers’ systems, the provisions of the external providers own privacy policies shall apply. The Data Controller shall do everything in its power to ensure that external providers process personal data in accordance with relevant legislation, and that such data is used only for the purpose designated by the user or specified below in this Privacy Policy. External providers shall record, manage and/or process any personal data transferred to them and managed or processed by data controllers in accordance with the provisions of the GDPR, and shall issue a corresponding statement to the Data Controller.

External providers assisting in the login process:

The Data Controller, for the purpose of providing services, may cooperate with external providers providing access to applications to assist users in the registration and login processes. In the course of this cooperation, certain personal data (e.g. IP address, e-mail, login name) may be transmitted by external providers to the Data Controller and/or data processor. These external providers record, process and transmit personal data in accordance with their own privacy policies.

External providers cooperating with the Data Controller and assisting in the registration or login processes: Facebook Inc.

Web analytics and ad serving external providers:

The Data Controller cooperates with web analytics and ad serving external providers in the context of service-related subpages. Such external providers are authorized to access the user’s IP address and, additionally, often use cookies and, in certain cases, web beacons (online markers used in websites and, in certain cases, e-mails and mobile applications to record IP addresses, visited websites), click tags (meter codes identifying clicks on given advertisements) and other click tracking tools to provide for the customization or analytics of services and the preparation of statistical information.

Cookies installed by such external providers may be erased from the user’s devices at any time; using the appropriate browser settings, the use of these cookies may be altogether disabled. Cookies installed by external providers may be identified based on the domain associated with the given cookie. Web beacons, click tags and other click tracking tools may not be disabled. These external providers process the personal data transmitted to our Company in accordance with their own privacy policies.

Web analytics and ad serving external providers cooperating with the Data Controller: Facebook Inc., Google LLC.

External providers providing customized messaging services:

The Data Controller cooperates with external providers that enable the user to use certain provided services through other channels (e.g. Facebook, Messenger, Viber, etc.) also used by the same user. External providers may also collect additional data regarding the user by way of cookies, questionnaires or the user’s registration to the external providers’ websites or interfaces, which data may be used, either by themselves or when combined with other data, to identify the user. These external providers process the personal data transmitted to our Company in accordance with their own privacy policies.

Other external providers:

Certain external providers do not have a contractual relationship with the Data Controller or are purposefully avoided by the Data Controller in the context of a given data processing activity, but may otherwise have access to the website / services, and as such are able to collect data regarding the users or their activities on the websites, which data, in certain cases, can be used – either by themselves or when combined with other data collected by the given external provider – to identify the user. These external service providers include particularly, but are not limited to: Facebook Inc., Google LLC, Instagram LLC., Twitter International Company, Viber Media LLC, Vimeo INC., YouTube LLC. These external providers process the personal data they receive in accordance with their own privacy policies.

VII. Rights of data subjects

You are entitled to ask the Data Controller whether it is processing any of your personal data; if it is, you are also entitled to request access to the personal data it processes. You may request information regarding the issue in writing, by sending a registered letter or registered letter with acknowledgement of receipt to the Data Controller’s address or an e-mail to decode@bordstudio.hu.

In order to facilitate your request, the Data Controller may request the verification of your identity. The Data Controller shall consider your request for information to be valid if the given user can be clearly identified based on the request sent.

Information may be requested regarding the data processed by the Data Controller, the sources of such data, the purpose, legal basis, duration of data processing, the name and address of any data processors, data processing related activities, and, in case of transmission of personal data, who is the recipient and for what purpose is the data transmitted.

You are entitled to the following rights:

Your essentialrights
Right to informationYou are entitled to obtain clear, transparent and easy to understand information regarding the way your personal data is used and your rights, which we have detailed in this Privacy Policy.
Right of accessYou are entitled to information regarding whether your personal data is being processed, and if so, you are also entitled to access said personal data and the information listed by the GDPR.

We shall not answer any obviously unsubstantiated, excessive or repetitive requests.

Right to rectificationYou are entitled to have the Data Controller rectify any corresponding personal data without undue delay. Considering the purpose of data processing, you may also be entitled – including by means of providing a supplementary statement – to request the amendment of incomplete personal data.
Right to erasure / right to be forgottenIn certain cases, you are entitled to have your personal data erased. This is not an absolute right, as in certain cases (e.g. the fulfillment of legal obligations) we are entitled to retain your personal data.

Right to erasure:

You are entitled to have the Data Controller erase your corresponding personal data without undue delay; at the same time, the Data Controller, under specific circumstances, shall be obligated to erase your corresponding personal data without undue delay.

Right to be forgotten:

If the Data Controller has made a piece of personal data public and becomes obligated to erase said personal data, it shall be obligated to take all reasonable steps – including any technical measures -, with regard to the current state of technology and the costs of implementation, in order to inform the data processors processing the data in question that you have requested the erasure of links linking to such personal data and any copies or duplicates of said personal data.

Right to revoke consent at any time to data processing depending on such consentIf the processing of your data is dependent on consent, you are entitled to revoke the consent to data processing. The revocation of consent does not affect the lawfulness of data processing carried out before the revocation. For information regarding what processing of data is dependent on consent, see the provisions above.

If personal data is processed for the purposes of direct marketing, you are entitled to object to the processing of your personal data for such purposes at any time, including in the case of profiling, if carried out for a direct marketing purpose. If you object to the processing of personal data for the purposes of direct marketing, the Data Controller shall not be entitled to process such data in the future.

Right to object to data processing based on legitimate interestIf the processing of your data is based on legitimate interest, you are entitled to revoke your consent to such processing at any time. For information regarding what processing of data is based on legitimate interest, see the provisions above.
Right to lodge a complaint with a supervisory authorityYou are entitled to contact the data protection authority of your country or bring the matter to court in order to lodge a complaint regarding the Data Controller’s data protection practices. Please feel free to contact us via the contact information provided below before lodging a complaint to the competent data protection authority.
Right to data portabilityYou are entitled to receive a copy of your corresponding personal data in a structured, commonly used and machine-readable format and have the right to transmit those data to another data controller without hindrance from the data controller to which you have provided the personal data in question.
Right to restriction of processingYou are entitled to request that the Data Controller restricts the processing of data if any of the following conditions apply:

–          you are contesting the accuracy of personal data in which case the restriction shall apply to a period enabling the Data Controller to verify the accuracy of the personal data;

–          data processing is unlawful, and you oppose the erasure of data and instead request the restriction of their use instead;

–          the Data Controller no longer needs the personal data for the purposes of data processing, but you request access to such data for the establishment, exercise or defense of legal claims;

–          you have objected to data processing in which case the restriction shall apply to a period enabling the Data Controller to verify whether their legitimate interests take precedence over your legitimate interests.

Right to disable cookiesYou are entitled to disable cookies. The default settings of internet browsers generally enable the use of cookies, but you may simply disable them by modifying the settings of your browser.

Many cookies are used to enhance the utility or functionality of websites/applications, thus disabling cookies may prevent access to certain elements of websites/applications.

If you would like to restrict the use of all enabled cookies (thus preventing the use of certain elements of the website), you may do so modifying the settings of your browser. To change these settings, please see the Help function of your browser. For further information, please see the following link:

http://www.aboutcookies.org/;

Right to objectThe data subject shall be entitled to object at any time, on grounds relating to its particular situation, to the processing of its personal data carried out in the public interest or in the exercise of official authority vested in the Data Controller or to the processing of its personal data for purpose of the pursuit of the Data Controller’s or a third party’s legitimate interests, except if these legitimate interests fall behind in priority to the data subject’s interests or basic rights and freedoms which necessitate the protection of personal data, including profiling performed on the legal basis of the specified provisions. In such cases to Data Controller is not entitled to continue the processing of such personal data, except if the Data Controller is able to prove that data processing is made necessary by compelling legitimate grounds which take precedence over the interests, rights and freedoms of the data subject, or is required for the establishment, exercise or defense of the Data Controller’s legal claims.

If personal data is processed for the purposes of direct marketing, the data subject shall be entitled to object to the processing of its personal data for such purposes at any time, including in the case of profiling, if carried out for a direct marketing purpose. If the data subject objects to the processing of personal data for the purposes of direct marketing, the Data Controller shall not be entitled to process such data in the future.

The Data Controller shall inform you of the steps taken as result of the above requests without undue delay, but at the latest within 1 month following the submission of the request. This deadline may be extended by an additional period of 2 months if the Data Controller informs you of the reasons for the delay within 1 month following the submission of the request. If the Data Controller has taken no steps on basis of your request, it shall be obligated to inform you without undue delay, but at the latest within 1 month following the submission of the request of the reasons for its inaction and that you are entitled to lodge a complaint to the supervisory authority and to exercise your right to judicial remedy.

VIII. Data retention

The Data Controller shall only retain your personal data for as long as necessary for the purpose for which they are recorded.

Data recorded automatically, via technical means during the operation of the system may be stored following their generation in the system for as long as required to ensure the functioning of the system. The Data Controller shall ensure that such automatically recorded data cannot be connected to other personal data – except where required by legislation.

Automatically recorded IP addresses shall be retained no longer than 7 days after their recording.

In order to fulfill certain legal or regulatory obligations, to allow for the exercising of our rights (e.g. the enforcement of our claims in court), and for statistical or precedential reasons, we may retain certain personal data for longer periods of time. If we no longer need your personal data, we shall immediately remove it from our systems and records or anonymize it to the extent that it cannot be used to determine your identity.

IX. Amendment of the privacy policy

The Data Controller retains the right to unilaterally amend this Privacy Policy; in case of any such amendments, the Data Controller shall notify the users visiting the website in advance, via the website. The amendments applicable to the visitors of the website shall enter into force on the day specified in the relevant notification.  By using the website, that is by giving implicit consent, you accept the provisions of the amended Privacy Policy.

X. Contact and legal remedies

If you have any questions or comments regarding data processing, please do not hesitate to contact us via the Data Controller’s e-mail address or phone number specified under Item I. of this Privacy Policy.

Complaints regarding data processing may be submitted directly to the Hungarian National Authority for Data Protection and Freedom of Information (address: H-1055 Budapest, Falk Miksa utca 9-11., mailing address:  1363 Budapest, Pf. 9.; phone: +36-1-391-1400; e-mail: ugyfelszolgalat@naih.hu; website: www.naih.hu) if you believe that your rights have been violated, you are also entitled to bring the issue to court. Such disputes fall within the jurisdiction of the regional court. Lawsuits may also be brought – depending on the preference of the data subject – to the court with competence of the data subject’s place of residence or habitation.

Budapest, 22 October 2020