ÖREG-TÓ HOTEL Ltd.
Name: ÖREG-TÓ HOTEL Limited Liability Company
Headquarters: 2890 Tata, Fáklya utca 4.
Company registration number: 11-09-011942
Tax number: 13817291-2-11
Address of the actual data management: 2890 Tata, Fáklya utca 4.
Internet availability: https://www.oregtohotel.hu/
Phone number: +36 34 487 960, +36 30 756 6116
Independently represented by: Júlia Kiss
The Data Controller attaches great importance to the protection of personal data and continuously ensures the security of personal data. The Data Controller complies in all respects with the data protection provisions of the applicable legislation and with the General Data Protection Regulation 2016/679 of the European Parliament and of the Council. This data management information can be found on the Data Controller's website. The Data Controller may change the content of this information at any time, informing the data subjects in due time.
1. Data subject: any natural person identified or identifiable, directly or indirectly, on the basis of personal data, e.g. employee, a natural person applying for a job offer, a natural person using the services of the Data Controller.
2. Personal data: any information relating to an identified or identifiable natural person (ie the data subject); identifies a natural person who, directly or indirectly, in particular by reference to an identifier such as name, number, location, online identifier or one or more factors relating to the physical, physiological, genetic, mental, economic, cultural or social identity of the natural person identifiable.
3. Specific data: all data belonging to special categories of personal data, ie personal data referring to racial or ethnic origin, political opinion, religious or philosophical beliefs or trade union membership, as well as genetic data, biometric data for the unique identification of natural persons, health data and personal data concerning the sexual life or sexual orientation of natural persons.
4. Data set: the totality of the data managed in one register.
5. Consent: the voluntary and firm expression of the data subject's will, based on appropriate information, giving his or her unambiguous consent to the processing of personal data concerning him or her, in whole or in part.
6. Data controller: a natural or legal person or an organization without legal personality who, alone or together with others, determines the purpose of data processing, makes and implements decisions on data processing (including the means used) or entrusts it with with a data processor. Pursuant to these Regulations, the Data Controller shall person specified in Chapter.
7. Data management: any operation or set of operations on data, regardless of the procedure used, in particular their collection, recording, recording, systematisation, storage, alteration, use, interrogation, transmission, disclosure, coordination or linking, blocking, deletion and destruction , and to prevent further use of the data, the taking of photographs, sound or images and the recording of physical characteristics capable of identifying the person.
8. Restriction of data management: marking of stored personal data in order to limit their future processing.
9. Profiling: any form of automated processing of personal data in which personal data are evaluated for the purpose of assessing certain personal characteristics of a natural person, in particular his performance, economic situation, state of health, personal preferences, interests, reliability, behavior, location or movement. used to analyze or predict related characteristics.
10. Alias: the processing of personal data in such a way that it is no longer possible to determine to which specific natural person the personal data relate without the use of additional information, provided that such additional information is stored separately and that technical and organizational measures are taken. that this personal data cannot be linked to identified or identifiable natural persons.
11. Data transfer: making the data available to a specific third party.
12. Data processing: the performance of technical tasks related to data management operations, regardless of the method and means used to perform the operations and the place of application, provided that the technical task is performed on the data. Eg performing legal advisory tasks.
13. Data erasure: making data unrecognizable in such a way that it is no longer possible to recover it.
14. Data blocking: the identification of data in order to limit their further processing permanently or for a specified period of time.
15. Data Destruction: The complete physical destruction of a data carrier. Eg shredding a document, destroying a hard drive.
16. Registration system: a file of personal data, subdivided in any way, centralized, decentralized or functional or geographical, which is accessible according to defined criteria.
17. Third party: a natural or legal person or an entity without legal personality who is not the same as the data subject, the controller or the processor, or the persons who are authorized to process personal data under the direct control of the controller or processor they got.
18. Data Protection Incident: A security breach that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or unauthorized access to personal data that is transmitted, stored, or otherwise handled.
19. Partner: legal entities using the services of the Data Controller on the basis of a contract and / or facilitating the performance of the Data Controller's services (performance assistant), unincorporated companies to which the Data Controller transfers or may transfer personal data, or which perform or may perform activities for the Data Controller that facilitate data storage, processing, related IT and other secure data management;
20. Employee: a natural person in a mandate, employment or other legal relationship with the Data Controller, who is entrusted with the task of providing and performing the services of the Data Controller and comes into contact with or may come into contact with personal data during his / her data management or data processing tasks. towards the personnel and third parties involved.
21. Data controller: the Employee to whom the data was generated and / or who has the right to access the data and / or to whom the data was transmitted by another data controller or a third party and / or to whom the data came into their possession in any other way .
22. Website: the portal and all its sub-pages operated by the Data Controller.
23. Social site: the online platform maintained by the Data Controller.
1. "Purpose limitation principle": Personal data may only be processed for specified purposes, in order to exercise a right and fulfill an obligation. At all stages of data processing, it must be appropriate to the purpose of the data processing, and the recording and processing of data must be fair and lawful.
2. Principle of "lawfulness, fairness and transparency": Personal data must be processed lawfully and fairly and in a way that is transparent to the data subject.
3. Principle of "proportionality, necessity" or "economy of data": Only personal data which are essential for the purpose of the processing and suitable for that purpose may be processed. Personal data may only be processed to the extent and for the time necessary to achieve the purpose. Accordingly, the Data Controller handles only and exclusively data that is absolutely necessary.
4. Principle of "accuracy": The processing must ensure the accuracy, completeness and, where necessary, the up-to-dateness of the data, and that the data subject can only be identified for the time necessary for the purpose of the processing.
5. Principle of "limited storage": Personal data must be stored in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for a longer period only if the personal data will be processed for archiving in the public interest, for scientific and historical research purposes or for statistical purposes in accordance with Article 89 (1) of EU Regulation 2016/679, subject to the implementation of appropriate technical and organizational measures to protect the rights and freedoms of data subjects.
6. Principle of "Integrity and Confidentiality": The Data Controller shall ensure the prevention of accidental or unlawful destruction or loss, as well as unauthorized access, alteration or dissemination, by applying appropriate security measures to protect personal data stored in automated data files.
7. Principle of “Accountability”: The Data Controller is responsible for compliance with the provisions of the above paragraphs and the Regulations, and must be able to demonstrate such compliance.
8. “Privacy by design” principle: a very conscious data protection mindset, which means, in very brief terms, that the Data Controller implements appropriate technical and organizational measures, such as pseudonymisation, in the effective implementation of the above principles when defining the way of data management and during data management. , fulfillment of obligations, incorporation of legal guarantees, etc. and does so in a regulated and detailed manner. In practice, the way of thinking is facilitated by the training of employees, their data protection awareness, as well as the impact assessment, risk analysis and interest balance test used during the introduction and / or regular review of each data management.
9. Personal data shall retain their quality during data processing as long as their connection with the data subject can be re-established. The connection with the data subject can be restored if the data controller has the technical conditions necessary for the restoration.
5. The purpose, legal basis and scope of the processing of personal data
1. General provisions related to each data management activity, use of the services provided by the Data Controller and data management based on the contractual relationship between the Parties
1. As a general rule, the processing of all data related to the data subject in the scope of data management activities and services provided by the Data Controller is based on voluntary consent, and the general purpose is to ensure the provision of the service and to keep in touch.
2. The above general rule is supplemented by the data processing required by law, of which the Data Controller informs the data subjects during the definition of each data processing.
3. As a general rule, it shall:
• for some services it is possible to provide additional data that will help to fully understand the needs of the data subject, however, these are not conditions for the use of the services provided by the Data Controller.
• personal data provided during any data management activity is stored by the Data Controller in separate data files, separately from other provided data. These data files may only be accessed by the Authorized Employee (s) of the Data Controller.
• the modification, erasure and / or blocking of data recorded or stored in the course of any data management activity and the request for detailed information on data management are covered by Annex IV / 1. by sending a request to the e-mail address indicated in point 1, if no other contact details are specified in the definition of the given data management activity
• the provision of the data to be provided during each data management activity by the data subject is a condition for the use of the services provided by the Data Controller.
4. For the purpose of concluding a contract or legal transaction between the parties, and for the purpose of fulfilling or terminating an order, the Company may manage the following: name, date of birth, date of birth, mother's name, address, tax identification number, tax number, entrepreneurial, primary producer ID number, identity card number, personal identification number, home address, registered office address, telephone number, e-mail address, website address, bank account number, customer number. Such data processing is also considered lawful if the data processing is necessary to take steps at the request of the data subject (eg request for quotation) before concluding the contract. The controllers of personal data are the front-office and back-office employees of the Company performing customer service-related tasks, the employees performing accounting and tax tasks, and the data processors. Duration of storage of personal data: 5 years after the termination of the contract.
5. The data subject shall be informed before the start of the data processing that the data processing is based on the title of the performance of the contract, that information may also take place in the contract. The data processing consent related to the contract concluded with a natural person is included in the annex to these regulations.
6. Contact details of natural person representatives of legal entity customers, buyers, suppliers:
7. The scope of personal data that can be managed: the name, address, telephone number, e-mail address and online ID of the natural person.
8. Purpose of the processing of personal data: fulfillment of the contract concluded with the Company's legal entity partner, business relations, legal basis: consent of the data subject.
9. Duration of storage of personal data: up to 5 years after the existence of the business relationship or the status of the representative concerned.
2. Marketing related data management
1. Send a newsletter
1. The data subject may subscribe to the newsletter before or during the use of the services or in any other way with the data specified below.
2. Subscription to the newsletter is based on voluntary consent.
3. Stakeholders: Any natural person who wishes to be regularly informed about the Data Controller's news and therefore subscribes to the newsletter service by providing his or her personal data.
4. Scope and purpose of the data processed: name identification send e-mail newsletter
6. The purpose of data management related to the sending of the newsletter is to provide the recipient with full general or personalized information about the latest events, news and special products of the Data Controller.
7. The newsletter is sent by the Employee entrusted with this task.
8. Newsletters may be sent only with the prior consent of the data subject.
9. The Data Controller will only process the personal data collected for this purpose until the data subject has unsubscribed from the newsletter list or provided confirmation.
10. The data subject may unsubscribe from the newsletter at any time, at the bottom of the e-mails and in accordance with Annex IV / 1. by sending a cancellation request to the e-mail address specified in You can unsubscribe by mail to the registered office of the Company.
11. The Data Controller reviews the list of the newsletter every three years and requests confirmatory consent to send the newsletter after three years. The Data Controller deletes the data of the data subject who does not give confirmatory consent from the data file.
12. Duration of data processing: at the request of the data subject until cancellation or if the data subject does not give further consent.
13. The data controller keeps statistics on the readings of the sent newsletters.
14. The subscriber may subscribe to the feed published on social media, in particular on the Facebook page, by clicking on the "like" link on the page and by clicking on the "dislike" link on the page, or by clicking on the "dislike" link. message wall settings, you can delete unwanted feeds that appear on the message wall. You can find information about the feeds of social media sites, subscriptions and subscriptions, and the data management of the given social networking site on the social networking site.
2. Presence and marketing on social media:
1. Data manager is available on the Facebook social portal as well as other social networking sites.
2. The use of social networking sites, in particular the Facebook page, and the contact, contact and other operations permitted by the Data Controller through the Data Controller are based on voluntary consent.
3. Stakeholders: Natural persons who voluntarily follow, share and like the data pages of the Data Controller, in particular the page on the facebook.com social page or the content appearing on it.
4. Scope and purpose of data processed: identification of the public concerned affected public photo identification concerned public email address contact keep in touch with the message sent on the affected social site involved in the evaluation of quality improvement
6. The Data Controller communicates with the data subjects via the social network only if the purpose of the scope of the processed data becomes relevant if the data subject contacts the Data Controller via the social network.
7. The purpose of presence on social portals, especially Facebook, and the related data management is to share, publish and market the content on the website on the social network. With the help of the social site, the person concerned can be informed about the latest promotions.
8. Based on the terms and conditions of the social site, the data subject voluntarily consents to following and liking the contents of the Data Controller.
9. The data subject may evaluate the Data Controller in text and number if the social network allows it.
10. You will also publish pictures / videos of the various events, the services of the Data Controller, etc. on the social operator's social media page, especially on the Facebook page. The Data Controller may link the Facebook page to other social networking sites in accordance with the rules of the facebook.com social portal, so publication on the Facebook page shall also mean publication on such linked social networking sites.
11. If it is not a mass recording or a recording of a public performance (Section 2:48 of the Civil Code), the Data Controller will always ask for the written consent of the data subject before publishing the images.
12. The data subject may receive information on the data management of the given social site.
13. Duration of data processing: until canceled at the request of the data subject.
3. Website traffic data:
1. A IV / 1. When you visit the website indicated in point 1, the web server does not record user data.
3. The data controller uses the following cookies:
1. Essential cookies: Such cookies are essential for the proper functioning of the website. Without accepting these cookies, the Data Controller cannot guarantee that the website will function as expected or that the user will have access to all the information sought by the user. These cookies do not collect personal data from the data subject or data that can be used for marketing purposes.
2. Functional cookies: These cookies ensure a consistent appearance of the website tailored to the needs of the person concerned and remember the settings chosen by the person concerned.
3. Targeted cookies: Targeted cookies ensure that the advertisements displayed on the website are tailored to the interests of the person concerned.
4. The Data Controller places a set of codes on the website, or on any of its sub-pages, the purpose of which is to make the Data Controller's advertisement available to the user visiting that website while browsing Google's websites and / or the Data Controller or the Data Controller. search Google for terms related to your services. The code set does not collect, store or transmit personal data. For more information on how to use and operate the code set, visit http://support.google.com.
5. Based on the above, the Data Controller does not use analytical systems to collect personal data.
6. Data controller draws users' attention to the fact that most Internet browsers automatically accept cookies, but visitors have the option to delete them or reject them automatically
4. Customer database:
1. On the website, the natural person registering may consent to the processing of his or her personal data by ticking the appropriate box. It is forbidden to check the box in advance.
2. The scope of personal data that can be managed: the name (surname, first name), address, telephone number, e-mail address, online ID of the natural person.
3. The purpose of the processing of personal data: • Performance of services provided on the Website. • Contact, electronic, telephone, SMS, and mail inquiries. • Information about the Company's services, contractual terms and actions.
4. The legal basis for data processing is the consent of the data subject.
5. Recipients of personal data and categories of recipients: the Company employees performing tasks related to customer service and marketing activities, employees of the Company's IT service provider providing hosting services as data processors.
6. Duration of storage of personal data: until the registration / service exists or the data subject's consent is revoked (request for cancellation).
3. Operational data management Information request
1. Data controller allows data subjects to be detailed as follows request information from the Data Controller by entering their details.
2. The request for information is based on voluntary consent.
3. Stakeholders: Any natural person who contacts the Data Controller and requests information from the Data Controller in addition to providing his or her personal data.
4. Scope and purpose of data processed: address identification name identification address contact phone number contact email address contact message text is required to reply
6. The purpose of data processing is to provide the data subject with appropriate information and to keep in touch.
7. The activity and process involved in data management is as follows: The data subject may consult with the Data Controller about the services, products and / or other related issues of the Data Controller in a manner provided to him / her by the Data Controller. The data provided to the data controller via the website will be sent by e-mail. The Data Controller will answer the data subject's question through the Employee entrusted with this task and will forward it to him / her in the same way as the information request was received, unless the data subject has otherwise provided otherwise. The data subject, in accordance with the purpose of the data processing, voluntarily consents to the Data Controller contacting him / her during the request for information in order to clarify or answer the question.
8. Duration of data management: until the goal is achieved.
4. Management of data of job applicants
1. The Data Controller allows interested parties to apply for a job application announced by him / her in the manner or in the manner specified in the job application (eg on an electronic or paper basis). Unsolicited applicants will also be selected.
2. In the case of CVs containing personal data received for the purpose of applying for a job, the Data Controller does not differentiate between the manner of their arrival: CVs received on paper and electronically are treated in the same way.
3. The Company also stores the data of the applicants for admission electronically and / or in a lockable archive on paper.
4. The personal data of job applicants can be accessed by the Management of the Data Controller and the HR staff.
5. Applying for a job is based on voluntary consent.
6. Stakeholders: Any natural person who applies for a job application announced by the Data Controller or submits his / her CV to the Data Controller.
7. Scope and purpose of the data processed: name identification place of birth, time identification email address contact address contact name of the position applied for identification of the application a list of previous work experience is required to assess the position, to select a staff member with the appropriate competence education is required to assess the position, to select a staff member with the appropriate competence knowledge of a foreign language is required to assess the position and to select a staff member with the appropriate competence special data: PL: health data, medical data of a person with altered working capacity required for the assessment of the position, selection of a staff member with appropriate competence other data indicated in the submitted CV are necessary for the assessment of the position and the selection of a staff member with the appropriate competence a letter of motivation sent is required to assess the position and to select an employee with the appropriate competence an indication of consent to the processing of the data for a period of 2 years after the application, if the data subject does not obtain admission is necessary for the legal basis of further data processing in case of non-selection
8. The purpose of data management is to apply for a job application, to participate in the selection procedure, to fill the advertised position and to keep in touch.
9. Activity and process involved in data management:
• The head of the relevant organizational unit is responsible for the selection of the appropriate employee, so he / she is obliged to ensure the rights of the data subjects during the performance of his / her tasks related to this data management.
• The data subject submits his / her data to the Data Controller in accordance with the job application or for the purpose of inquiry.
• Applications are typically, but not exclusively, sent electronically via e-mail.
• The data controller examines the applications during the selection process and, on the basis of the comparison, invites the most suitable persons for a personal interview.
• The selection process continues with a personal interview and, where appropriate, a professional test.
• The selection ends with a contract with the most appropriate stakeholder.
• The Data Controller will indicate the result of the selection to the applicant stakeholders and ask the non-selected candidates for their consent (Annex) to fill the same or similar or equivalent job according to the competencies of the data subject for the further processing of the data for 2 years after the application.
• The Data Controller may also process the data of non-selected data subjects only if those data subjects have specifically agreed to it and requested it in a separate, verifiable manner. The data controller shall link and store such consents to the data.
• The data subject acknowledges that if you have provided a reference person when applying for a job, this data controller may be contacted by the Data Controller in order to verify the data subject's professional experience.
• The data subject acknowledges that the Data Controller may view his or her public information created on the data subject's social site. If the data on the Internet becomes part of the evaluation, the Data Controller must provide an opportunity for the data subject to get to know and discuss them.
10. Duration of data management: until the goal is achieved, ie until the advertised position is filled, until the conclusion of the employment contract, or until 2 years after the application with the consent of the data subject, or until the data subject requests cancellation in the meantime.
5. Customer Service
1. The Company may record the telephone communication with its customer service and employees by voice recording for the purpose of performing the services and informing about it. The legal basis for this data processing is the consent of the data subject.
2. The recording of the sound must be notified at the beginning of the call and your consent must be sought.
3. When recording telephone conversations, we store the following data: telephone number, time of the call, voice recording of the recorded conversation, personal data provided during the conversation.
4. Recipients of personal data and categories of recipients: employees of the Company performing customer service-related tasks.
5. Telephone conversations are kept for 5 years. Recorded audio can be retrieved by phone number and date of the conversation.
6. Complaint handling:
1. The Data Controller provides an opportunity for the data subject to communicate his / her complaint about the ordered product and / or the Data Controller's conduct, activity or omission orally (in person, by telephone) or in writing (by e-mail, post).
2. Stakeholders: Any natural person who wishes to complain about the activities of the Data Controller.
3. Scope and purpose of the data processed: Identification of the data subject and the complaint and recording of data resulting from the legal obligation.
4. The purpose of data processing is:
5. The purpose of data management is to ensure that a complaint is made and to keep in touch.
7. Activity and process involved in data management:
• The data subject communicates his or her complaint orally or in writing to the Data Controller.
• If the data subject makes his or her complaint orally, the Data Controller will record it.
• The Data Controller will investigate and respond to the complaint received within a reasonable time.
8. Duration of data management:
The Data Controller is a CLV of 1997 on consumer protection. Pursuant to Section 17 / A (7) of Act no. shall keep a record of the complaint and a copy of the reply for a period of five years.
6. Rights of data subjects
1. The Data Controller shall inform the data subjects that they may exercise their rights in person or by sending a request to the Company's e-mail address or postal address, or request information at these contact details.
2. The Data Controller shall examine and respond to the statement as soon as possible after receipt, but not later than within 25 days, and shall take the necessary steps in accordance with the provisions of the statement, the Regulations and the law.
3. Right of information, also known as the "right of access" of the data subject: at the request of the data subject, the Data Controller shall provide information:
0. the data it manages and the categories of personal data it handles,
1. the purpose of the data processing,
2. the legal basis of the data processing,
3. the duration of the data processing,
4. the period for which the data will be stored or, if that is not possible, the criteria for determining that period,
5. if the data were not collected from the data subject, information on their source,
6. where appropriate, automated decision-making, including profiling, and logical and comprehensible information on the significance of such data processing and the expected consequences for the data subject,
7. the data of the data processor, if you have used a data processor,
8. the circumstances, effects and remediation of the data protection incident the measures taken, and
9. in the case of a transfer of personal data of the data subject, the legal basis, purpose and recipient of the transfer.
4. The information shall be free of charge if the person requesting the information has not yet submitted a request for information to the Data Controller for the same data set in the current year. In other cases, reimbursement may be established. Reimbursement of costs already paid shall be reimbursed if the data have been processed unlawfully or if a request for information has led to a correction.
5. The controller shall refuse the information if, pursuant to a law, an international treaty or a binding act of the European Union, the controller receives personal data in such a way that the controller notifies the data subject of the rights under that law at the same time. or other restrictions on its management, in the interests of the external and internal security of the State, such as national defense, national security, the prevention or prosecution of criminal offenses, the security of law enforcement or the economic or financial interest of the State or local government. , and to prevent and detect breaches of labor law and occupational safety and health, including in all cases control and supervision, and to protect the rights of the person concerned or others.
6. The data controller shall notify the National Data Protection and Freedom of Information Authority of rejected requests for information by 31 January of the year following the year in question.
7. Right of rectification: The data subject has the right to have inaccurate personal data concerning him / her rectified by the Data Controller without undue delay upon request. Taking into account the purpose of the data processing, the data subject has the right to request that the incomplete personal data be supplemented, inter alia, by means of a supplementary declaration. If the personal data does not correspond to reality and the personal data corresponding to reality is available to the Data Controller, the Data Controller must rectify the personal data without the request of the data subject.
8. Right of cancellation, also known as “right of forgetting”: The data subject has the right to have his / her personal data deleted without undue delay at his / her request, and the data controller is obliged to delete the personal data of the data subject without undue delay. delete it unless it is precluded by mandatory data management. In addition to the above, the Data Controller is obliged to delete the data if:
0. the processing of the data is unlawful;
1. the data is incomplete or incorrect and this condition cannot be legally remedied, provided that deletion is not precluded by law;
2. the purpose of data processing has ceased or the term for the storage of data specified by law has expired;
3. it has been ordered by a court or the Authority;
4. personal data are no longer required for the purpose for which they were collected or otherwise processed;
5. the data subject objects to the processing and there is no overriding legitimate reason for the processing;
6. personal data must be deleted in order to fulfill a legal obligation under the law applicable to the Data Controller;
7. personal data have been collected in connection with the provision of information society services directly to children as referred to in Article 8 (1) of EU Regulation 2016/679.
9. In the event that the Data Controller has disclosed personal data for any reason and is obliged to delete it in accordance with the above, it shall take reasonable steps, including technical measures, to inform the data, taking into account the available technology and the cost of implementation. other data controllers that the data subject has requested the deletion of the links to the personal data in question or of a copy or duplicate of that personal data.
10. The controller draws the attention of data subjects to the limitations of the right to erase or the "right to forget" arising from the EU Regulation, which are as follows: 0. the exercise of the right to freedom of expression and information; 1. in compliance with an obligation under Union or Member State law applicable to the controller to process personal data or in the public interest or in the exercise of a public authority conferred on the controller Execution of task 2; 3. the public interest in the field of public health; 4. in the public interest in accordance with Article 89 (1) of EU Regulation 2016/679 5. for archiving, scientific and historical research purposes or for statistical purposes, where the right of erasure would be likely to make it impossible or seriously jeopardize such processing; obsession 6. filing, enforcing or defending legal claims.
11. Right to restrict or block data management: The data subject is entitled to have the data controller restrict the data management at his / her request. If, on the basis of the information available to it, it can be assumed that the deletion would harm the legitimate interests of the data subject, the data shall be blocked. Personal data blocked in this way may only be processed for as long as the purpose of the data processing, which precluded the deletion of personal data, exists. If the data subject disputes the accuracy and correctness of the personal data, but the inaccuracy or inaccuracy of the disputed personal data cannot be clearly established, the data shall be blocked. In this case, the restriction applies to the period of time that allows the Data Controller to verify the accuracy of the personal data. The data must be blocked if the data processing is illegal and the data subject opposes the deletion of the data and instead requests a restriction on their use, or the Data Controller no longer needs the personal data for data processing, but the data subject requests it to submit, enforce or protect legal claims, or the data subject has objected to the processing; in this case, the restriction shall apply for the period until it is determined whether the legitimate reasons of the Data Controller take precedence over the legitimate reasons of the data subject. Where the processing is subject to a restriction (blocking), such personal data, with the exception of storage, shall be subject to the consent of the data subject or to the exercise, enforcement or protection of legal claims or the protection of the rights of another natural or legal person or the Union or a Member State. can be treated.
12. The Data Controller draws the attention of the data subjects to the fact that the data subject's right to rectification, erasure or blocking may be restricted by law for the external and internal security of the state, such as national defense, national security, crime prevention or prosecution, security of execution and economic or financial interest of the municipality, the significant economic or financial interest of the European Union and disciplinary and ethical misconduct in the pursuit of occupations, and the prevention and detection of breaches of labor and health and safety obligations, including in all cases control and supervision, and or to protect the rights of others.
13. The controller shall, without undue delay and within a maximum of 25 days of receipt of the request, inform the data subject of the details of his / her request and / or correct the data and / or delete and / or restrict (block) the data or take other action on the request. accordingly, if there is no reason to rule it out.
14. The Data Controller shall notify the data subject in writing of the rectification, deletion or restriction of data management, as well as to all those to whom the data was previously transmitted for the purpose of data management. Upon request, the Data Controller shall inform the data subject of these recipients. Notification may be omitted if it does not harm the legitimate interests of the data subject with regard to the purpose of the processing, or if the information proves impossible or requires a disproportionate effort. The data controller is also obliged to notify the data subject in writing if the data subject's exercise of rights cannot take place for any reason, and is obliged to indicate precisely the factual and legal reason and the legal remedies open to the data subject: the court and the National Data Protection and Freedom of Information.
15. "Right to data portability": The data subject has the right to receive personal data concerning him / her made available to the Data Controller in a structured, widely used, machine-readable format and to transfer such data to another data controller without that this would be prevented by the controller to whom the personal data have been made available if the processing is based on consent; and data management is automated. In exercising the right to data portability, the data subject shall have the right, if technically feasible, to request the direct transfer of personal data between data controllers. The exercise of this right shall not prejudice the right of cancellation. That law shall not apply where the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. The exercise of the right must not adversely affect the rights and freedoms of others.
16. Right to protest: The data subject may object to the processing of his or her personal data, including profiling, if:
0. the processing (transfer) of personal data exclusively by the Data Controller or the
1. necessary for the exercise of the data subject's right or legitimate interest, except
2. in case of mandatory data management;
3. the use or transfer of personal data is a direct business acquisition,
4. for the purpose of opinion polls or scientific research;
5. the exercise of the right to protest is otherwise permitted by law.
6. The person concerned may object to the application of Article 21 (3) of EU Regulation 2016/679. against the processing of personal data for the purpose of direct business acquisition, in which case the personal data may no longer be processed for this purpose. Where personal data are processed for scientific and historical research or statistical purposes, the data subject shall have the right to object to the processing of personal data concerning him or her on grounds relating to his or her situation, unless such processing is necessary for the performance of a task carried out in the public interest.
17. With the simultaneous suspension of data processing, the Data Controller shall examine the protest as soon as possible, but not later than within 25 days from the submission of the request, and shall inform the applicant in writing of the result. If the applicant's objection is justified, the Data Controller shall terminate the data processing, including further data collection and data transfer, and block the data, as well as notify all persons to whom the personal data affected by the objection have previously been transmitted, and shall notify the who are obliged to take action to enforce the right to protest.
18. If the data subject does not agree with the decision of the Data Controller, or the Data Controller fails to comply with the referred deadline, he / she is entitled to apply to a court within 30 days of its notification.
19. Rights of the data subject with regard to automated decision-making, including profiling: A decision based solely on the assessment of the data subject's personal characteristics can only be taken by automated data processing if the decision was taken or initiated by the data subject. law, which also lays down measures to ensure the legitimate interests of the data subject. In the case of a decision taken by automated data processing, the data subject shall, upon request, be informed of the method used and its substance, and shall be given an opportunity to state his or her views.
20. Judicial enforcement: The person concerned can go to court if his or her rights are violated. The court is acting out of turn in the case. The Data Controller is obliged to prove that the data management complies with the provisions of the law.
21. In case of violation of the right to information self-determination, you can file a complaint or complaint with the National Data Protection and Freedom of Information Authority Address: 1125 Budapest, Szilágyi Erzsébet fasor 22 / c Phone: +36 (1) 391-1400 Fax: +36 (1) 391-1410 www: http://www.naih.hu e-mail: email@example.com
22. In case of violation of the rights of minors, incitement to hatred, exclusion, reparation, the rights of the deceased, violation of his / her reputation, he / she may file a complaint or complaint: National Media and Communications Authority 1015 Budapest, Ostrom u. 23-25. Mail address: 1525. Pf. 75 Tel: (06 1) 457 7100 Fax: (06 1) 356 5520 E-mail: firstname.lastname@example.org
23. Statutory rules on compensation and damages: In the event that the Data Controller violates the data subject's right to privacy by illegally processing the data subject's data or violating data security requirements, the Data Subject may claim damages from the Data Controller. In the event that the Data Controller has used a data processor, the Data Controller shall be liable to the data subject for the damage caused by the Data Processor and the Data Controller shall also pay the data subject in the event of personal injury caused by the Data Processor. The Data Controller shall be released from liability for the damage caused and the obligation to pay damages if it proves that the damage or the violation of the personal rights of the data subject was caused by an unavoidable cause outside the scope of data processing. There is no need to compensate for the damage and no claim for damages to the extent that the damage was caused by the intentional or grossly negligent conduct of the injured party or the breach of the right to privacy.
7. Data transmission
The data subject agrees that his / her personal data may be transferred by the Data Controller to his / her affiliates and data processors. In order to perform the administrative tasks of the Data Controller, in order to perform certain data management operations, the Data Controller may transfer a certain part or all of the personal data to a data processor, subcontractor or performance assistant entrusted by him as a data processor. If the Data Controller entrusts accounting, legal tasks, hosting / server services, system administration or other tasks that are data processing tasks to a third party, the data of this partner as data processor are defined in the appendix to this prospectus together with the members of the affiliated companies.
8. Data Security
1. The data controller shall ensure the security of the data. To this end, it shall take the necessary technical and organizational measures in respect of the files stored by means of IT.
2. The controller shall ensure that the data security rules provided for in the relevant legislation are complied with.
3. It shall ensure the security of the data, take the technical and organizational measures and establish the procedural rules necessary to enforce the applicable laws, data and confidentiality rules.
4. The controller shall take appropriate measures to protect the data against unauthorized access, alteration, transmission, disclosure, deletion or destruction, as well as against accidental destruction and damage and from inaccessibility due to changes in the technology used.
5. When defining and applying data security measures, the controller shall take into account the state of the art and shall choose from several possible data management solutions which ensure a higher level of protection of personal data, unless this would be a disproportionate burden.
9. Website Information