Privacy notice

The purpose of this “Privacy Policy” is to describe the privacy policy of Abacusan Stúdió Oktatásszervező Nonprofit Kft. and the data management and data protection rules applied in the ongoing operation of the company. To inform its customers, partners and users of their rights in relation to the organisation’s data management activities.

The date of entry into force of this “Privacy Notice” is 2018. May 25, 2018, date of publication: 2018. 18 May 2018.

• Before anything else, Abacusan Studio declares that
• collects and processes personal data only in accordance with the law
• DM mail will only be sent with your specific consent. We can send a system message without this.
• the data is stored as securely as possible.
• we will only disclose personal data to third parties with your consent.
• we will provide anyone with information about the data we hold about them if they request it in writing to info@abacusan.hu.
• you can request the deletion of your personal data at info@abacusan.hu.

ii.) Abacusan Stúdió Educational Organizing Nonprofit Ltd. has developed its data management policy with the following legal provisions in mind:

• Article VI of the Fundamental Law of Hungary. Article VI of the Constitution
• Regulation 2016/679 of the European Parliament and of the Council (General Data Protection Regulation – GDPR)
• CXII. Act on the Right to Informational Self-Determination and Freedom of Information
• XLVIII. Act on the Basic Conditions and Certain Restrictions on Commercial Advertising
• Act V of 2007 on the Civil Code

If you have any questions or comments about this information, please contact us by e-mail at info@abacusan.hu or by mobile phone at +36-20-372-2628.

• Main interpretative terms used in the prospectus / §

Data set: the set of data managed in a single register.

Data processing: the activity consisting of the performance of technical tasks related to data processing operations, irrespective of the method and means used to perform the operations and the place of application, provided that the technical task is performed on the data;

Data processor: a natural or legal person or unincorporated body which processes data on the basis of a contract with the controller, including a contract concluded pursuant to a legal provision.

Data controller: the public sector body which has produced the public interest data subject to mandatory disclosure by electronic means or in the course of whose activities the data were generated.

Processing: any operation or set of operations which is performed on personal data, regardless of the procedure used, typically consisting of the collection, recording, processing and use of data, organisation, storage, retrieval, disclosure, alignment or combination, maintenance, correction, integration, recording of photographs, sounds or images, and the physical characteristics which make it possible to identify a person (e.g. fingerprints, palm prints, DNA samples, iris scans) of a person may be disclosed, transmitted, blocked or permanently erased. It may also prevent further use of the data.

Data controller: a natural or legal person or unincorporated body which, alone or jointly with others, determines the purposes for which data are processed, takes and implements decisions regarding the processing (including the means used) or implements them through a processor on its behalf. The Abacusan Studio Kid Engineer Robotics Workshops and Abacusan Studio Talent Camps and Abacusan VándoRobot Program and Abacusan Championships and Abacusan Partner School Program, Abacusan Family Days, other programmes organised by the company itself or by third parties, as well as the operation of the Logicosan Playhouse, the sole data controller is Abacusan Studio Educational Organising Non-Profit Limited Liability Company – Head Office: 1193 Budapest, XIX; Klapka utca 47.; company registration number: 01-09-175864; tax number: 24658535-1-43

Data provider: a body with a public task which, if the data controller does not publish the data itself, publishes on a website the data supplied to it by the data controller.

Data marking: the marking of data with an identification mark to distinguish it.

Data destruction: the complete physical destruction of the data medium containing the data.

Transfer: making data available to a specified third party.

Data erasure: rendering data unrecognisable in such a way that it is no longer possible to recover it.

Data blocking: the marking of data with an identifier in order to limit its further processing permanently or for a limited period of time.

User / Data Subject: means any natural person identified or identifiable, directly or indirectly, on the basis of any specified personal data, who makes use of any of the services of the Website.

Third party: a natural or legal person or unincorporated body other than the data subject, the controller or the processor.

Website: the internet site operated exclusively by the data controller and accessible at http://www.abacusan.hu and the sub-sites accessible at the same address.

Consent: a voluntary and explicit expression of the data subject’s wishes, based on appropriate information, by which he or she gives his or her unambiguous consent to the processing of personal data concerning him or her, either in full or in relation to specific operations.

Special categories of data( a) personal data revealing racial or ethnic origin, political opinions or opinions, religious or philosophical beliefs, membership of an interest group or membership of a representative body, sex life.

b) personal data concerning health, pathological addiction and personal data concerning criminal offences.

Third party service provider: a third party used by the data controller in connection with the operation of the website, which may process personal data related to the content of the website in the scope of its own activities.

Disclosure: making the data available to anyone.

Registration: is the process whereby the user, by filling in the form on the website, with the intention of applying for a course, camp, tournament, accredited or other training, course or programme of Abacusan Studio, provides his/her personal data or data to the data controller.

Personal data: any data relating to a data subject which permits the direct or indirect identification of a natural person, in particular the name, the identification mark and one or more factors specific to the physical, physiological, mental, economic, cultural or social identity of that data subject, and the conclusions which can be drawn from the data relating to that data subject.

Service: any service available to users and customers that is provided by the data controller on the website and/or program site operated by the data controller.

Objection: a statement by the data subject objecting to the processing of his or her personal data and requesting the cessation of the processing or the deletion of the processed data.

Client: a natural or legal person who actively uses the educational, training or other services of Abacusan Studio.

Introduction

The Abacusan Studio Educational Nonprofit Ltd.
( székhely/levelezési cím: 1193 Budapest, XIX; Klapka utca 47.; cégjegyzékszáma: 01-09-175864; adószáma: 24658535-1-43. e-mail: info@abacusan.hu) továbbiakban: Szolgáltató, adatkezelő) aláveti magát a következő tájékoztatónak.

The 2011 Act on the right to information self-determination and freedom of information.
CXII.
Act No 20.
§ (1) states that the data subject (in this case the website user, hereinafter referred to as the “user”) must be informed before the processing begins whether the processing is based on consent or whether it is mandatory.

The User shall be informed clearly and in detail of all facts relating to the processing of his/her data, in particular the purpose and legal basis of the processing, the person who is entitled to process the data and the duration of the processing, before the processing starts.

The user must be informed about the Info tv.
6.
§ (1) that personal data may be processed even if obtaining the consent of the data subject would be impossible or would involve disproportionate costs, and the processing of personal data

• necessary for compliance with a legal obligation to which the controller is subject; or
• is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, and the pursuit of those interests is proportionate to the restriction of the right to the protection of personal data.

The information shall also cover the rights and remedies of the User in relation to data management.

Where it would be impossible or disproportionate to inform Users in person, the information may be provided by disclosing the following information:

1. a) the fact of data collection,
2. b) the persons concerned,
3. (c) the purpose of the data collection,
4. (d) the duration of the processing,
5. (e) the identity of the potential controllers who have access to the data,
6. (f) a description of the data subjects’ rights and remedies with regard to data processing; and
7. (g) where the processing is subject to registration, the registration number of the processing.

Our Privacy Notice governs the data management of the abacusan.hu website and is based on the above content.
The notice is available at abacusan.hu/data-leadership.

Amendments to the Prospectus will enter into force upon publication at the above address.
The legal reference is also shown after each heading of the prospectus.

Legal basis for data processing / according to § 5.-6.

1. Personal data may be processed if

• with the consent of the User, or
• it is ordered by law or local government decree for a purpose in the public interest – by virtue of a law, within the scope specified therein.

2. Personal data may also be processed in cases where obtaining the User’s consent would be impossible or would involve disproportionate costs and the processing of personal data would.

• necessary for compliance with a legal obligation to which the controller is subject; or
• is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, and the pursuit of those interests is proportionate to the restriction of the right to the protection of personal data.

3. If the User is unable to give his or her consent due to incapacity or for other reasons beyond his or her control, the personal data of the data subject may be processed to the extent necessary to protect his or her vital interests or those of another person, or to prevent or counter an imminent threat to the life, physical integrity or property of a person, while the impediment to consent persists.
4. A 16.
   The consent or subsequent approval of a legal representative is not required for the validity of a declaration of consent by a minor User over the age of 16.
5. If the processing based on consent is aimed at the performance of a contract concluded in writing with the controller, the contract must contain all the information that the User needs to know about the processing of personal data, in particular the definition of the data to be processed, the duration of the processing, the purposes for which the data are to be used, the fact of the transfer of the data, the recipients of the data, the fact of the use of a processor.
   The contract must unambiguously state that the User, by signing it, consents to the processing of his/her data in accordance with the terms of the contract.
6. If the personal data was collected with the consent of the User, the data controller shall, unless otherwise provided by law,.

• to comply with a legal obligation to which it is subject, or
• for the purposes of the legitimate interests pursued by the controller or by a third party, where such interests are proportionate to the restriction of the right to the protection of personal data, without further specific consent and even after the withdrawal of the data subject’s consent

Purpose limitation of data processing / according to § 4 [1]-[2]

1. Personal data may only be processed for specified purposes, for the exercise of rights and the performance of obligations.
   At all stages of the processing, the purpose of the processing must be fulfilled and the collection and processing of the data must be fair and lawful.
2. Only personal data that is necessary for the purpose of the processing and is suitable for achieving that purpose may be processed.
   Personal data may only be processed to the extent and for the duration necessary to achieve the purpose.

On the basis of the purpose limitation principle, the controller undertakes to use personal data only for the purposes specified in this notice and not to process data beyond what is necessary for the purposes for which they are collected.

The controller does not control the personal data provided, and the person providing the data is solely responsible for the content of the data and the lawfulness of the data.

A person under the age of 16 cannot give valid consent to the use of their personal data, but as the controller is not able or entitled to verify the age of the data subject, it is the responsibility of the person with parental responsibility to authorise the use of personal data in the case of a person under the age of 16.

In the course of the data management activities of the data controller, the e-mail address of the user provided at registration constitutes the unique identifier of the user on each evening.
It is the responsibility of the users and customers who use the services of the website and the language school to ensure that they only use the e-mail address provided.

The data controller shall ensure the security of personal data by taking the necessary technical and organisational measures.
The data controller shall take responsibility for the data processing activities of all its employees and ensure that only employees who are aware of the data processing and data protection rules are allowed to carry out data processing.

Purpose and legal basis for processing

The data controller will respond to requests sent to the e-mail addresses and telephone numbers published on the website with the aim of resolving the matter in question.
At the same time, the data controller shall assume that the user who has made the request consents to the processing of the data provided in the request for the purpose of resolving the matter raised.

On the basis of the principle of legal basis, the data controller undertakes to process the personal data of users and customers in accordance with the applicable legal requirements, in good faith, fairness, transparency and lawfulness.

The data controller operates a newsletter service in connection with the website it operates, the purpose of which is:

• Direct advertising, soliciting business, information about Abacusan Studio’s offer of courses, competitions, camps, accredited teacher training and other training, education programs, website updates.
• To provide information on educational and cultural events and activities organised by Abacusan Studio, either in-house or by third parties, related to its activities, mainly in the fields of mathematics, information technology – in particular robotics – engineering and science, and the arts, which help to understand them all.

The processing of data related to the newsletter service is based on the voluntary, prior and duly informed declaration of the users.

The data controller processes the personal data of its customers in connection with its workshops, camps and other educational, training and awareness-raising services for the purpose of:

• Providing training, education and information services.
• Identifying and contacting customers.
• To pursue the legitimate interests of the controller.
• Compliance with legal obligations, in particular adult learning and accounting rules.
• Direct advertising.

In the case of registration for the various courses and programmes of Abacusan Studio, the legal basis for data processing is the voluntary, prior and duly informed declaration of the users.
The processing of Abacusan Studio’s customers’ data is necessary for the implementation of the educational service and is lawful on the basis of the legitimate interests and legal obligations of Abacusan Studio.

Scope of personal data processed

The only information required to subscribe to the newsletter is the user’s e-mail address.

When registering for a service offered by the Data Controller, you will be asked to provide the following personal data:

• name (first and last name)
• telephone number(s)
• e-mail address(es)
• other relevant data voluntarily provided by you in connection with your application, training and billing

In the context of its operation, the Data Controller processes additional personal data of customers related to the implementation of the education, typically:

• billing name
• billing address
• other billing and financial data
• other relevant data voluntarily provided by you in relation to education, the programme concerned by the registration.
• Other technical data processed by the controller

The Data Controller does not process technical data directly in connection with the operation of the website in the course of its own activities.
In particular, it does not record the user’s IP address and does not place data packets (cookies) on the user’s computer.

However, the external service providers involved in the operation of the website process technical data in the course of their own activities, these services and service providers are:

• The hosting provider of the website, DotRoll (1148 Budapest, XIV; Fogarasi út 3-5.) logs the server traffic for the security of the operation.
• Facebook identifies its own registered users in connection with the social plug-in and the display of video content.
• Google identifies its own registered users in connection with the display of embedded video content.
• Google Analityics generates traffic statistics about the website.
• The online application forms are powered by the Google Drive form builder application for abacusan@gmail.com Google ID.
  The data is stored in this location.

Other principles of data management / according to § 4 [3]-[4]

The personal data will retain this quality during processing as long as the relationship with the data subject can be re-established.
The link with the data subject can be restored if the controller has the technical conditions necessary for restoration.

The processing must ensure that the data are accurate, complete and, where necessary for the purposes for which they are processed, kept up to date, and that the data subject can be identified only for the time necessary for the purposes for which they are processed.

Donation offer

1. The 2011 Act on the right to information self-determination and freedom of information.
   CXII.
   Act No 20.
   § (1), the following shall be specified in the operation of the donation function of the website:

• the fact of data collection,
• the range of stakeholders,
• the purpose of the data collection,
• the duration of the processing,
• the identity of the potential controllers who have access to the data,
• the rights of data subjects with regard to data processing.

2. The fact of data collection, the data processed: first name, surname, first name, e-mail address, telephone number, address, age, gender, tax identification number, other personal data, payment method, amount of donation, date of donation, IP address at the time of donation.
3. Users / data subjects: all data subjects who donate on the website.
4. Purpose of data collection: to process donations on the website.
5. Duration of data processing, deadline for deletion of data: accounting documents are processed in accordance with the provisions of the Act on Accounting 2000.
   C. of 2000 Act C of 2000, 169.
   § Accounting records must be kept for a period of 8 years in accordance with Article 169 (2) of the CPA.

The accounting documents (including general ledger accounts, analytical or detailed records) directly and indirectly supporting the accounting accounts must be kept for at least 8 years in a legible form, retrievable by reference to the accounting records.

6. Potential data controllers who may have access to the data: personal data may be processed by the controller’s staff, in compliance with the principles set out above.
7. Description of data subjects’ rights in relation to data processing: data subjects may request the erasure or modification of their personal data in the following ways:

• by post: to 1193 Budapest, XIX; Klapka utca 47.
  at the following address and postal address.
• by e-mail: info@abacusan.hu.

8. Legal basis for data processing: the User’s consent, the Infotv.
   5.
   § Paragraph (1) of Article 5.2 of the Act on electronic commerce services and certain aspects of information society services of 2001.
   CVIII.
   13/A.
   § 13(3) of the Act on the Electronic Commerce Act:

The service provider may process personal data that are technically necessary for the provision of the service.
The provider must, other conditions being equal, choose and in any case operate the means used in the provision of the information society service in such a way that personal data are processed only to the extent strictly necessary for the provision of the service and for the fulfilment of the other purposes laid down in this Act, but only to the extent and for the duration necessary.

Cookie management (cookies)

1. The 2011 Act on the right to information self-determination and freedom of information.
   CXII.
   Act No 20.
   § (1), the following must be specified in the cookie processing of the website:

• the fact of data collection,
• the range of stakeholders,
• the purpose of the data collection,
• the duration of the processing,
• the identity of the potential controllers who have access to the data,
• the rights of data subjects with regard to data processing.

2. In the case of “password-protected session cookies” and “security cookies”, no prior consent is required from the data subject.
3. Fact of processing, scope of data processed: unique identifier, dates, times
4. Users / Data Subjects: all data subjects visiting the website.
5. The purpose of data processing: to identify users and track visitors.
6. Duration of data processing, deadline for deletion of data: the data controller shall, in the case of requests received by e-mail or telephone, no later than 90 days after the end of the case to which the request relates.
   The data relating to the request shall be deleted within 90 days of the date of receipt of the request.

The processing of the data voluntarily provided by users and customers will continue until the user unsubscribes from the service or otherwise requests the deletion of their data or restriction of their use.

The duration of the data processing is until the end of the visit to the websites in the case of session cookies, otherwise up to 10 years.

7. Potential data controllers who may have access to the data: personal data may be processed by the controller’s staff, in compliance with the principles set out above.
8. Description of data subjects’ rights in relation to data processing: data subjects have the possibility to delete cookies in the Tools/Preferences menu of their browsers, usually under the Privacy settings.
9. Legal basis for processing: no consent is required from the data subject where the sole purpose of the use of cookies is to provide a communication over an electronic communications network or where the service provider strictly needs the cookies to provide an information society service explicitly requested by the subscriber or user.
   Any individual may request information from the controller as to whether the controller is processing his or her personal data and, if so, may request access to those data.

Users and customers may request that their personal data be amended or corrected or supplemented.
The modification or correction will result in the loss of previously stored data!

Users and customers may request the deletion of their personal data.
As a consequence of the deletion, the stored data will be lost!
In the case of customers, the data controller may or must refuse a request for erasure on the grounds of legitimate interests if it is legally obliged to retain the data.
In this case, the customer may request the restriction of the processing of his data.

Users and customers may request the restriction of the use of their personal data, not only in the cases mentioned above, but also for other reasons.

Users and customers have the right to object to automated processing or profiling by the data controller, but the data controller does not carry out such processing or profiling.

Users and customers may request that the controller provide them with their personal data in a machine-readable format or transfer it to a data controller designated by them.

1. The Service Provider measures the traffic data of the webshop by using the Google Analytics service.
   The system creates a cookie when you visit the site in order to record information about your visit (pages visited, time spent on pages, browsing data, exits, etc.).
   This tool helps to improve the ergonomics of the website design, to create a user-friendly website and to enhance the online experience of visitors.
   Data is transmitted when using this service.
   The data transmitted cannot be used to identify the data subject.
   For more information on Google’s privacy policy, please visit: http://www.google.hu/policies/privacy/ads/
2. The website uses Google remarketing tracking codes.
   Remarketing is a service that allows the website to display relevant ads to users who have previously visited the website while browsing other sites in the Google Display Network.
   Remarketing code uses cookies to tag visitors.
   Users visiting the website can disable these cookies and find out more about Google’s privacy practices at http://www.google.hu/policies/technologies/ads/.
   If you disable remarketing cookies, you will not receive personalised offers from the website,

Newsletter, DM activity

1. The 2008 Act on the Basic Conditions and Certain Restrictions on Commercial Advertising.
   XLVIII.
   Act XL.
   §-According to Article XL.
   Article 6.
   § (4) of the aforementioned Act, however, postal advertising may be sent without the prior and express consent of the Recipient, provided that the Service Provider ensures that the recipient of the advertising may at any time prohibit the sending of the advertising free of charge and without restriction.
   In the event of such a prohibition, no further advertising may be sent to the person concerned.
2. By giving his/her prior and express consent to the sending of advertising offers, the Recipient agrees to the processing of his/her personal data by the Service Provider.
3. The Service Provider will not send unsolicited commercial messages and the Recipient may unsubscribe from receiving offers at any time, without restriction, without giving reasons and free of charge.
   In this case, the Service Provider shall delete all personal data necessary for sending the advertising messages from its records and shall not contact the Recipient with further advertising offers.
   The Recipient may unsubscribe from the advertising by clicking on the link in the message.
4. The 2011 Act on the right to information self-determination and freedom of information.
   CXII.
   Act No 20.
   § (1), the following shall be determined in the context of the data processing of the newsletter:

• the fact of data collection,
• the range of stakeholders,
• the purpose of the data collection,
• the duration of the processing,
• the identity of the potential controllers who have access to the data,
• the rights of data subjects with regard to data processing.

5. The fact of data processing, the scope of the data processed: name, e-mail address, address, telephone, date, time, sex, date of birth, connection with the Abacusan Studio Kids Engineering Robotics courses, Abacusan Championships, Abacusan Studio Talent Camps.
6. Data subjects: all data subjects who subscribe to the newsletter.
7. The purpose of the processing: sending electronic messages containing advertising to the data subject, providing information on current information, products, promotions, new services introduced or planned to be introduced, other opportunities.
8. Duration of data processing, deadline for deletion of data: data processing lasts until the consent is withdrawn, i.e. until unsubscription.
9. Potential data controllers who may have access to the data: personal data may be processed by the controller’s staff, in compliance with the principles set out above.
10. Description of the data subjects’ rights in relation to data processing: the data subject may unsubscribe from the newsletter at any time, free of charge.
11. Legal basis for data processing: the data subject’s voluntary consent, the Infotv.
    Article 5 (1) of the Act on the Basic Conditions and Certain Restrictions of Commercial Advertising Activities of 2008.
    XLVIII.
    .
    Article 6(5) of the Act on the General Conditions and Restrictions on the Use of Personal Data:

The advertiser, the advertising service provider or the publisher of the advertisement shall keep a record of the personal data of the persons who have given their consent within the scope specified in the consent.
The data recorded in this register, relating to the recipient of the advertising, may be processed only in accordance with the consent given in the consent form, until it is withdrawn, and may be disclosed to third parties only with the prior consent of the person concerned.

Contact data management of the website

1. Letters sent to the e-mail addresses published on the website will also be sent by e-mail to the relevant colleague’s mailbox.
2. We will delete all correspondence received, together with the name and e-mail address of the sender and any other personal data voluntarily provided by the sender, after a maximum of six months from the date of the case.
3. If you have any questions or concerns about our activities, you can contact the data controller using the contact details provided in this notice.

Facebook

1. The 2011 Act on the right to information self-determination and freedom of information.
   CXII.
   Act No 20.
   § (1), the following shall be defined in the scope of the website’s data transfer activities:

• the fact of data collection,
• the range of stakeholders,
• the purpose of the data collection,
• the duration of the processing,
• the identity of the potential controllers who have access to the data,
• the rights of data subjects with regard to data processing.

2. The fact of data collection, the data processed: the name registered on the Facebook.com community site and the user’s public profile picture.
3. Data subjects: all data subjects who have registered on the Facebook.com community page and liked the website.
4. Purpose of processing: to share or “like” certain content, products, promotions or the website itself on Facebook.com.
5. The duration of the processing, the identity of the controllers who may access the data and the rights of the data subjects with regard to the processing of the data: the data subject can find out about the source of the data, the processing of the data and the method and legal basis of the transfer at http://www.facebook.com/about/privacy/.
6. The processing of data is carried out on the Facebook.com website, so the duration of data processing, the method of data processing and the possibility of deleting and modifying data are governed by the rules of the facebook.com community site (http://www.facebook.com/legal/terms?ref=pf), (http://www.facebook.com/about/privacy/)
7. Legal basis for processing: the data subject’s voluntary consent to the processing of his or her personal data on the Facebook.com website.

Data transmission

1. The 2011 Act on the right to information self-determination and freedom of information.
   CXII.
   Act No 20.
   § (1), the following shall be defined in the scope of the website’s data transfer activities:

• the fact of data collection,
• the range of stakeholders,
• the purpose of the data collection,
• the duration of the processing,
• the identity of the potential controllers who have access to the data,
• the rights of data subjects with regard to data processing.

2. The fact of processing, the scope of the data processed.
3. a) The scope of the data transmitted in order to process the online donation: billing name, billing address, amount to be paid.
4. Stakeholders: all stakeholders who request a donation online.
5. Purpose of the processing: to carry out online donations.
6. Duration of processing, deadline for deletion of data: until the online donation is completed.
7. Description of the data subjects’ rights in relation to data processing: the User / Data Subject may request the data controller of the online donation service provider to delete their personal data as soon as possible.
8. The legal basis for the transfer of data: the User’s consent, the Infotv.
   5.
   § Paragraph (1) of Article 5.1 of the Act on Electronic Commerce Services and Certain Aspects of Information Society Services of 2001.
   CVIII.
   13/A.
   § 13(3) of the Act on the Protection of Personal Data, as amended by § 13(3) of the Act on the Use of Personal Data.

Data security / according to § 7

1. The controller shall design and implement the processing operations in such a way as to ensure the protection of the privacy of the data subjects.
2. The data controller and the data processor in the scope of their activities shall ensure the security of the data, and shall take the technical and organisational measures and establish the procedural rules necessary to enforce the Info Act and other data protection and confidentiality rules.
3. In particular, appropriate measures must be taken to protect the data against unauthorised access, alteration, disclosure, disclosure, erasure or destruction, accidental destruction or accidental damage and against inaccessibility resulting from changes in the technology used.
4. In order to protect the data files managed electronically in the different registers, appropriate technical arrangements should be in place to ensure that data stored in the registers cannot be directly linked and attributed to the data subject, unless permitted by law.
5. When processing personal data by automated means, the controller and the processor shall take additional measures to ensure that.
6. prevent unauthorised data entry;
7. preventing the use of automated data processing systems by unauthorised persons using data transmission equipment;
8. the verifiability and ascertainability of the bodies to which personal data have been or may be transmitted using data transmission equipment;
9. the verifiability and ascertainability of which personal data have been entered into automated data processing systems, when and by whom;
10. the recoverability of the installed systems in the event of a failure, and
11. that errors in automated processing are reported.
12. The controller and the processor shall take into account the state of the art when defining and implementing measures to ensure the security of the data.
    The choice between several possible processing solutions should be made which ensure a higher level of protection of personal data, unless this would impose a disproportionate burden on the controller.

Rights of data subjects / according to § 14-19

1. The data subject may request the Service Provider to provide information about the processing of his/her personal data, request the rectification of his/her personal data and request the erasure or blocking of his/her personal data, except for mandatory processing.
2. At the request of the data subject, the controller shall provide information about the data processed by the controller or by a processor on its behalf, the source of the data, the purpose, legal basis and duration of the processing, the name and address of the processor and the activities related to the processing, and, in the case of transfer of personal data of the data subject, the legal basis and the recipient of the transfer.
3. For the purposes of monitoring the lawfulness of the transfer and informing the data subject, the controller shall keep a record of the transfer, including the date of the transfer of personal data processed by the controller, the legal basis and the recipient of the transfer, the scope of the personal data transferred and other data specified in the legislation providing for the processing.
4. The data controller shall provide the information in writing in an intelligible form and at the request of the data subject within the shortest possible time from the request, but not later than 30 days from the request.
   The information shall be provided free of charge.
5. Upon the User’s request, the Service Provider shall provide information about the data processed by it, their source, the purpose, legal basis and duration of the data processing, the name and address of any data processor and its activities related to data processing, and – in the case of the transfer of personal data of the data subject – the legal basis and recipient of the data transfer.
   The service provider shall provide the information in writing and in an intelligible form within the shortest possible time from the date of the request, but not later than 30 days.
   The information shall be provided free of charge.
6. If the personal data is not accurate and the accurate personal data is available to the data controller, the Service Provider shall correct the personal data.
7. Instead of deletion, the Service Provider shall block the personal data if the User requests this or if, based on the information available to it, it can be assumed that deletion would harm the legitimate interests of the User.
   The blocked personal data may be processed only for as long as the processing purpose that precluded the deletion of the personal data persists.
8. The Service Provider shall delete the personal data if the processing is unlawful, the User requests it, the processed data is incomplete or incorrect – and this situation cannot be remedied by law – provided that the deletion is not excluded by law, the purpose of the processing has ceased, or the statutory deadline for storing the data has expired, or the court or the National Authority for Data Protection and Freedom of Information has ordered it.
9. The controller shall mark the personal data that it processes if the data subject contests the accuracy or correctness of the personal data, but the inaccuracy or incorrectness of the contested personal data cannot be clearly established.
10. Rectification, blocking, flagging and erasure must be notified to the data subject and to all those to whom the data were previously disclosed for processing.
    Notification may be omitted if this does not undermine the legitimate interests of the data subject having regard to the purposes of the processing.
11. If the controller does not comply with the data subject’s request for rectification, blocking or erasure, it shall, within 30 days of receipt of the request, communicate in writing the factual and legal grounds for refusing the request for rectification, blocking or erasure.
    In the event of refusal of a request for rectification, erasure or blocking, the controller shall inform the data subject of the possibility of judicial remedy and of recourse to the Authority.

Remedies
1. You may object to the processing of your personal data if.

• the processing or transfer of personal data is necessary solely for the fulfilment of a legal obligation to which the Service Provider is subject or for the purposes of the legitimate interests pursued by the Service Provider, the data recipient or a third party, unless the processing is required by law;
• the personal data are used or disclosed for direct marketing, public opinion polling or scientific research purposes;
• in other cases specified by law.

2. The service provider shall examine the objection within the shortest possible time from the date of the request, but not later than 15 days, decide whether the objection is justified and inform the applicant in writing of its decision.
   If the Service Provider establishes that the objection of the data subject is justified, it shall terminate the processing, including further recording and transmission of the data, and block the data, and shall notify the objection and the measures taken on the basis of the objection to all those to whom it has previously transmitted the personal data concerned by the objection and who are obliged to take action to enforce the right to object.
3. If the User does not agree with the decision of the Service Provider, the User may appeal against it to the court within 30 days from the date of its notification.
   The court shall act out of turn.
4. Complaints against possible infringements by the data controller can be lodged with the National Authority for Data Protection and Freedom of Information:

National Authority for Data Protection and Freedom of Information

1125 Budapest, Szilágyi Erzsébet fasor 22/C.

Postal address: 1530 Budapest, P.O. Box 5.

Phone: +36 -1-391-1400

Fax: +36-1-391-1410

E-mail: ugyfelszolgalat@naih.hu

Judicial enforcement / according to § 22

1. The controller must prove that the processing is in compliance with the law.
   It is for the recipient to prove the lawfulness of the transfer.
2. The court has jurisdiction to hear the case.
   The action may also be brought, at the option of the person concerned, before the court of the place of residence or domicile of the person concerned.
3. A person who does not otherwise have legal capacity to sue can also be a party to the lawsuit.
   The Authority may intervene in the proceedings in order to ensure that the person concerned is successful.
4. If the court upholds the application, the data controller shall be obliged to provide the information, rectify, block or erase the data, annul the decision taken by automated processing, take into account the right of the data subject to object, or disclose the data requested by the data subject.
5. If the court rejects the data subject’s request, the controller is obliged to delete the data subject’s personal data within 3 days of the judgment.
   The controller shall also be obliged to delete the data if the data subject does not apply to the court within the time limit.
6. The court may order the publication of its judgment, with the publication of the controller’s identification data, if the interests of data protection and the protected rights of a large number of data subjects so require.

Compensation and damages / § 23

1. If the data controller causes damage to another person by unlawful processing of the data subject’s data or by breaching data security requirements, the data controller must compensate the damage.
2. If the controller infringes the data subject’s right to privacy by unlawfully processing his or her data or by breaching data security requirements, the data subject may claim damages from the controller.
3. The controller is liable to the data subject for any damage caused by the processor and the controller is also liable to pay the data subject the damages due in the event of a personal data breach caused by the processor.
   The controller shall be exempted from liability for the damage caused and from the obligation to pay the damage fee if it proves that the damage or the infringement of the data subject’s personality rights was caused by an unavoidable cause outside the scope of the processing.
4. No compensation shall be due and no damages shall be payable where the damage or injury to the person concerned has been caused by the intentional or grossly negligent conduct of the victim or by an infringement of a right relating to personality.

Amendments to the prospectus

The data controller reserves the right to amend this information at any time by unilateral decision and undertakes to notify any changes to the persons concerned.

Additional information

The following legislation has been taken into account in the preparation of this information:

• CXII.
  Act on the Right to Informational Self-Determination and Freedom of Information (hereinafter: Infotv.)
• CVIII.
  Act on certain aspects of electronic commerce services and information society services (in particular § 13/A)
• XLVII.
  Act on the Prohibition of Unfair Commercial Practices against Consumers;
• XLVIII.
  Act on the basic conditions and certain restrictions on commercial advertising (in particular § 6)
• XC.
  Act on Freedom of Electronic Information
• Act C of 2006 on Electronic Communications (specifically § 155)
• 16/2011.
  sz.
  vélemény a viselkedésalapú online reklám bevált gyakorlatára vonatkozó EASA/IAB-ajánlásról.