Privacy Policy
adriennherendi.com
Contents

1. INTRODUCTION
1.1. DATA CONTROLLER AND CONTACT DETAILS
2. DEFINITIONS
3. PRINCIPLES OF PROCESSING PERSONAL DATA
4. SPECIFIC PROCESSING ACTIVITIES
4.1. CONTACT FORM
4.2. CUSTOMER RELATIONSHIP
4.3. NEWSLETTER, DIRECT MARKETING ACTIVITIES
5. RECIPIENTS OF PERSONAL DATA DISCLOSURE
5.1. DATA PROCESSORS (THOSE WHO PROCESS DATA ON BEHALF OF THE DATA CONTROLLER)
5.2. SPECIFIC DATA PROCESSORS
6. MANAGEMENT OF COOKIES
7. USE OF GOOGLE ANALYTICS
8. USE OF SOCIAL SERVICES
8.1. SOCIAL MEDIA PLATFORMS
9. CUSTOMER RELATIONSHIPS AND OTHER PROCESSING ACTIVITIES
10. RIGHTS OF THE DATA SUBJECTS
11. ENFORCEMENT DEADLINE
12. SECURITY OF DATA PROCESSING
13. INFORMING DATA SUBJECTS ABOUT DATA PROTECTION INCIDENTS
14. REPORTING DATA PROTECTION INCIDENTS TO THE AUTHORITIES
15. REVIEW IN CASE OF MANDATORY DATA PROCESSING
16. COMPLAINT OPTIONS
17. CLOSING REMARKS
​
​
1. INTRODUCTION
​
Adrienn Herendi (Herendi Adrienn e.v., entrepreneur) (6723 Szeged, Molnár u. 10. 4th fl./10., tax number: 56981229-1-26), hereinafter referred to as the Service Provider and Data Controller, submits to the following regulations: In accordance with the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), we provide the following information. This privacy policy governs the processing of data on the following pages:
https://www.adriennherendi.com/
The privacy policy is available at the following link: https://www.adriennherendi.com/privacypolicy
Modifications to the policy will take effect upon publication at the above address.
​
​
1.1. DATA CONTROLLER AND CONTACT DETAILS:
​
Name: Herendi Adrienn e.v.
Registered Address: 6723 Szeged, Molnár u. 10, 4th fl./10.
Email: hello@adriennherendi.com
Phone: 00 36 30 280 54 95
​
2. DEFINITIONS
​
-
"personal data": any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person;
-
"data processing": any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction;
-
"data controller": a natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
-
"data processor": a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller;
-
"recipient": a natural or legal person, public authority, agency, or another body to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;
-
"consent of the data subject": any freely given, specific, informed, and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
-
"data protection incident": a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
​
3. PRINCIPLES OF PROCESSING PERSONAL DATA
​
Personal data must be:
a) processed lawfully, fairly, and in a transparent manner to the data subject ("lawfulness, fairness, and transparency");
b) collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes in accordance with Article 89(1) shall not be considered incompatible with the initial purposes ("purpose limitation");
c) adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed ("data minimization");
d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate for the purposes of processing are erased or rectified without delay ("accuracy");
e) kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes in accordance with Article 89(1), subject to the implementation of the appropriate technical and organizational measures required by this Regulation to safeguard the rights and freedoms of the data subject ("limited storage");
f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures ("integrity and confidentiality").
The data controller is responsible for compliance with the above and must be able to demonstrate such compliance ("accountability").
The data controller declares that data processing is carried out in accordance with the principles set forth in this section.
​
4. SPECIFIC PROCESSING ACTIVITIES
4.1. CONTACT FORM
-
The fact of data collection, the scope of processed data, and the purpose of data processing:
| Personal Data | Purpose of Data Processing | Legal Basis |
| Name | Identification | Article 6(1) paragraphs a), b), and c) |
| Email Address | Communication, sending response messages | Article 6(1) paragraphs a), b), and c) |
| Phone Number | Communication | Article 6(1) paragraphs a), b), and c) |
| Message Content | Required for response | Article 6(1) paragraphs a), b), and c) |
| Time of Contact | Execution of technical operation | Article 6(1) paragraphs a), b), and c) |
| IP Address at the Time of Contact | Execution of technical operation | Article 6(1) paragraphs a), b), and c) |
The email address does not need to contain personal data.
-
Scope of Data Subjects: All data subjects sending messages through the contact form.
-
Duration of data processing, deadline for data deletion: If any of the conditions in Article 17(1) of the GDPR exist, the processing lasts until the data subject's deletion request.
-
Identity of possible data processors authorized to access the data, recipients of personal data: Personal data may be processed by authorized employees of the data controller.
-
Explanation of data subjects' rights related to data processing:
• The data subject can request access to, correction, deletion, or restriction of processing of their personal data, and
• The data subject has the right to data portability and the right to withdraw consent at any time.
-
The data subject can initiate access to personal data, their deletion, modification, or processing restriction, and data portability in the following ways:
-
By mail at the address 6723 Szeged, Molnár u. 10, 4th fl./10.
-
By email at hello@adriennherendi.com,
-
By phone at +36 30 280 54 95.
-
Legal basis for data processing: the consent of the data subject, Article 6(1) paragraphs a), b), and c). By contacting us, you consent to the processing of your personal data (name, phone number, email address) obtained during the contact process in accordance with this policy.
-
We inform you that:
• This data processing is based on your consent or, in the case of providing an offer or contractual relationship, on a legal obligation (cooperation).
• You are required to provide personal data to contact us.
• Failure to provide the data will result in the inability to contact the Service Provider.
• Withdrawing consent does not affect the lawfulness of processing based on consent before its withdrawal.
​
4.2. CUSTOMER CONTACT
-
The fact of data collection, the scope of processed data, and the purpose of data processing:
| Personal Data | Purpose of Data Processing | Legal Basis |
| Name, Email Address, Phone Number | Communication, identification, performance of contracts, business purposes | Article 6(1) paragraphs b) and c), and in the case of enforcing claims arising from a contract, Section 6:21 of Act V of 2013 on the Civil Code |
2. Scope of Data Subjects: All individuals contacting the data controller via phone/email/in-person or having a contractual relationship.
3. Duration of data processing, deadline for data deletion: Letters containing inquiries are kept until the data subject's deletion request, but for a maximum of 2 years.
​
4. Identity of possible data processors authorized to access the data, recipients of personal data: Personal data may be processed by authorized employees of the data controller, respecting the principles mentioned above.
​
5. Explanation of data subjects' rights related to data processing:
• The data subject can request access to, correction, deletion, or restriction of processing of their personal data, and
• The data subject has the right to data portability and the right to withdraw consent at any time.
6. The data subject can initiate access to personal data, their deletion, modification, or processing restriction, and data portability in the following ways:
-
By mail at the address 10 Molnár Street, 6723 Szeged, Hungary
-
By email at hello@adriennherendi.com,
-
By phone at +36 30 280 54 95.
7. Legal basis for data processing:
8. We inform you that:
• Data processing is necessary for the performance of contracts and providing quotations.
• You are required to provide personal data for us to fulfill the contract/other requests.
• Failure to provide the data will result in our inability to fulfill the contract/process the request.
​
4.3. NEWSLETTER, DM ACTIVITIES
​
-
Pursuant to Section 6 of Act XLVIII of 2008 on the Basic Conditions and Certain Limitations of Business Advertising Activities, Users may provide prior and explicit consent for the Service Provider to contact them with advertising offers and other communications at the contact details provided during registration.
-
Furthermore, considering the provisions of this notice, the Customer may consent to the Service Provider processing their personal data necessary for sending advertising offers.
-
The Service Provider does not send unsolicited advertising messages, and the User can freely unsubscribe from receiving offers without restriction or justification. In this case, the Service Provider deletes all personal data necessary for sending advertising messages from its records and does not contact the User with further advertising offers. The User can unsubscribe from advertisements by clicking on the link provided in the message.
-
The fact of data collection, the scope of processed data, and the purpose of data processing:
​
| Personal Data | Purpose of Data Processing | Legal Basis |
| Name, Email Address | Identification, enabling subscription to newsletters/promotional coupons | User's consent, Article 6(1) paragraph a. Section 6(5) of Act XLVIII of 2008 on the Basic Conditions and Certain Limitations of Business Advertising Activities. |
| Subscription Date | Execution of a technical operation. | |
| IP Address at the time of subscription | Execution of a technical operation. | |
​
5. Range of Data Subjects: All individuals subscribing to the newsletter
​
5.1 Purpose of Data Processing: Sending electronic messages containing advertisements (email, SMS, push notifications) to the data subjects, providing information about current news, products, promotions, new features, etc.
5.2 Duration of Data Processing, Deadline for Data Deletion: The data processing continues until the withdrawal of consent, i.e., until unsubscribing.
5.3 Possible Data Controllers and Recipients of Personal Data: The personal data can be handled by the sales and marketing staff of the data controller, respecting the principles mentioned above.
​
5.4 Explanation of Data Subjects' Rights Related to Data Processing:
-
Data subjects can request access to, correction, deletion, or restriction of their personal data from the data controller.
-
They can object to the processing of their personal data.
-
Data subjects have the right to data portability and can withdraw their consent at any time.
5.5 Initiating Requests for Access, Deletion, Modification, or Restriction of Personal Data, Data Portability, or Objection:
-
By mail to the address 6723 Szeged, Molnár u. 10, 4th floor/10.
-
By email to hello@adriennherendi.com.
-
By phone at +36 30 280 54 95.
Data subjects can unsubscribe from the newsletter at any time for free.
​Information:
-
Data processing is based on your consent and the legitimate interest of the service provider.
-
Providing personal data is obligatory if you want to receive a newsletter from us.
-
Failure to provide data will result in the inability to send you newsletters.
-
You can withdraw your consent at any time by clicking on the unsubscribe link.
-
Withdrawal of consent does not affect the lawfulness of data processing based on consent before withdrawal.
​
5. RECIPIENTS WITH WHOM PERSONAL DATA IS SHARED
​
"Recipient": Any natural or legal person, public authority, agency, or any other body to whom or with which personal data is shared, regardless of whether they are a third party.
5.1. DATA PROCESSORS (THOSE WHO PROCESS DATA ON BEHALF OF THE DATA CONTROLLER)
For the purpose of facilitating its own data processing activities and fulfilling contractual obligations with data subjects or legal requirements, the data controller engages data processors.
The data controller places a strong emphasis on employing only those data processors who provide adequate guarantees for compliance with the requirements of data processing in the GDPR and ensure the protection of the rights of data subjects through appropriate technical and organizational measures.
The data processor and any person acting under the control of the data controller or the data processor, with access to personal data, shall process the personal data only in accordance with the instructions of the data controller as outlined in this policy.
The data controller holds legal responsibility for the activities of the data processor. The data processor is only liable for damages resulting from data processing if it fails to comply with the specific obligations imposed on data processors by the GDPR or if it disregards lawful instructions from the data controller or acts contrary to them.
The data processor does not have substantive decision-making power regarding the processing of data.
To ensure the IT infrastructure, the data controller may engage hosting service providers, and for the delivery of ordered products, courier services can be appointed as data processors.
​​
5.2. DATA PROCESSORS
​
DATA PROCESSING ACTIVITY - NAME, ADDRESS, CONTACT INFORMATION

Hosting Services:
Wix.Com Ltd.
40 Namal Tel Aviv St.
TEL AVIV-YAFO 6350671

Newsletter Sending:
Convertkit LLC
750 W Bannock St #761, Boise, Idaho, 83701, United States
Phone Number: (208) 571-3990
Website: www.convertkit.com
​
6. HANDLING OF COOKIES
​
-
The fact of data processing, the scope of processed data: Unique identifier, dates, timestamps
-
Scope of data subjects: All visitors to the website.
-
Purpose of data processing: User identification and tracking of visitors.
-
Duration of data processing, deadline for data deletion:
​
​
​
​
| Cookie name | Purpose | Duration | Cookie type |
| | Used for security reasons | Session | Essential |
| hs | Used for security reasons | Session | Essential |
| svSession | Used in connection with user login | 2 years | Essential |
| SSR-caching | Used to indicate the system from which the site was rendered | 1 minute | Essential |
| _wixCIDX | Used for system monitoring/debugging | 3 months | Essential |
| _wix_browser_sess | Used for system monitoring/debugging | Session | Essential |
| consent-policy | Used for cookie banner parameters | 12 months | Essential |
| smSession | Used to identify logged in site members | Session | Essential |
| TS* | Used for security and anti-fraud reasons | Session | Essential |
| bSession | Used for system effectiveness measurement | 30 minutes | Essential |
| fedops.logger.sessionId | Used for stability/effectiveness measurement | 12 months | Essential |
| wixLanguage | Used on multilingual websites to save user language preference | 12 months | Functional |
5. The possible data controllers authorized to access the data: The data controller does not handle personal data through the use of cookies.
6. Explanation of the data subject's rights related to data processing: Data subjects have the option to delete cookies in the browser's Tools/Settings menu, generally under the Privacy settings.
7. Legal basis for data processing: Consent from the data subject is not required if the sole purpose of using cookies is the transmission of communication via an electronic communications network or when the provider absolutely needs it to provide a service explicitly requested by the subscriber or user related to the information society.
8. Most browsers used by our users allow the customization of which cookies to save and enable the deletion of (specific) cookies. If you restrict the saving of cookies on specific websites or do not allow third-party cookies, under certain circumstances, this may result in our website not being fully usable. Here you can find information on how to customize cookie settings for common browsers:
​
Google Chrome (https://support.google.com/chrome/answer/95647?hl=hu)
Internet Explorer (https://support.microsoft.com/hu-hu/help/17442/windows-internet-explorer-delete-manage-cookies)
Firefox (https://support.mozilla.org/hu/kb/sutik-engedelyezese-es-tiltasa-amit-weboldak-haszn
Safari (https://support.apple.com/kb/PH21411?locale=hu_HU)
​
7. USE OF GOOGLE ANALYTICS
​
-
This website uses Google Analytics, a web analytics service provided by Google Inc. (“Google”). Google Analytics uses “cookies,” which are text files stored on your computer, to help analyze how users interact with the website.
-
Information generated by the cookies about your use of this website is typically transmitted to and stored on a Google server in the United States. With IP anonymization activated on this website, Google will truncate your IP address within member states of the European Union or other parties to the Agreement on the European Economic Area before transmission.
-
Only in exceptional cases will the full IP address be transmitted to a Google server in the United States and truncated there. On behalf of the operator of this website, Google will use this information to evaluate your use of the website, compile reports on website activity for the website operator, and provide additional services related to website and internet usage.
-
The IP address transmitted by your browser through Google Analytics will not be merged with other Google data. You can prevent the storage of cookies by configuring your browser settings accordingly; however, please note that this may limit your ability to use the full functionality of this website. You can also prevent Google from collecting and processing data related to your website use (including your IP address) through cookies by downloading and installing the plugin available at the following link: https://tools.google.com/dlpage/gaoptout?hl=en.
8. USE OF SOCIAL SERVICES
8.1. SOCIAL MEDIA
-
The fact of data collection, the scope of processed data: Names registered on Meta/Twitter/Pinterest/YouTube/Instagram, etc. social media platforms, as well as the user's public profile picture.
-
The scope of data subjects: All individuals who have registered on Meta/Twitter/Pinterest/YouTube/Instagram, etc. social media platforms and have 'liked' the Service Provider's social media page or have contacted the data controller through the social media platform.
-
The purpose of data collection: Sharing, 'liking,' following, and promoting certain content elements, products, promotions, or the website itself on social media platforms.
-
Duration of data processing, deadline for data deletion, identity of possible data controllers authorized to access the data, and explanation of data subjects' rights related to data processing: Information about the source of data, its processing, transfer methods, and legal basis can be found on the respective social media platform. Since data processing occurs on social media platforms, the regulations of the specific social media platform apply to the duration, method of processing, and options for deleting and modifying data.
-
Legal basis for data processing: The voluntary consent of the data subject to the processing of personal data on social media platforms.
​
9. CUSTOMER RELATIONS AND OTHER DATA PROCESSING
-
In case questions arise or issues occur during the utilization of the data controller's services, the data subject can contact the data controller through the provided methods on the website (phone, email, social media, etc.).
-
The data controller deletes data received by email, message, phone call, Facebook, etc., together with the inquirer's name and email address and any other voluntarily provided personal data, within a maximum of 2 years from the date of communication.
-
Information regarding data processing not listed in this notice will be provided at the time of data collection.
-
In exceptional cases of authority requests or inquiries from other entities based on legal authorization, the Service Provider is obligated to provide information, disclose data, transfer information, or make documents available.
-
In such cases, the Service Provider only discloses personal data to the inquirer to the extent necessary for the precise purpose and scope of the inquiry.
​
10. RIGHTS OF THE DATA SUBJECT
1. Right of access:
You have the right to receive feedback from the data controller regarding whether your personal data is being processed, and if such processing is in progress, you are entitled to access the personal data and information listed in the regulation.
2. Right to rectification:
You have the right to request the data controller to promptly rectify inaccurate personal data concerning you. Considering the purpose of data processing, you are entitled to request the completion of incomplete personal data, among other things, through a supplementary statement.
3. Right to erasure:
You have the right to request the data controller to erase your personal data without undue delay, and the data controller is obliged to delete your personal data without undue delay under specific conditions.
4. Right to be forgotten:
If the data controller has made your personal data public and is obligated to erase it, taking into account the available technology and implementation costs, reasonable steps, including technical measures, are taken to inform the data controllers processing the data that you have requested the deletion of the links to, or copies or reproductions of, the personal data in question.
​
5. Right to restriction of processing:
You have the right to request the data controller to restrict processing if one of the following conditions is met:
• You contest the accuracy of the personal data, in which case the restriction applies for a period allowing the data controller to verify the accuracy of the personal data;
• The processing is unlawful, and you oppose the erasure of the data, instead requesting the restriction of their use;
• The data controller no longer needs the personal data for the purposes of the processing, but you require them for the establishment, exercise, or defense of legal claims; or
• You have objected to processing; in this case, the restriction applies for the time it takes to determine whether the legitimate grounds of the data controller override your legitimate grounds.
​
6. Right to data portability:
You have the right to receive your personal data, which you have provided to a data controller, in a structured, commonly used, and machine-readable format, and have the right to transmit this data to another data controller without hindrance from the initial data controller (...)
7. Right to object:
In cases of data processing based on legitimate interests or the exercise of public authority, including profiling based on these provisions, you have the right to object to the processing of your personal data for reasons related to your particular situation, at any time.
​
8. Right to object to direct marketing:
If personal data processing is carried out for direct marketing purposes, you have the right to object at any time to the processing of your personal data for such marketing, including profiling related to such direct marketing. If you object to the processing of personal data for direct marketing, the personal data may no longer be processed for these purposes.
9. Automated individual decision-making, including profiling:
​
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. The preceding paragraph does not apply if the decision:
• Is necessary for entering into, or performance of, a contract between you and the data controller;
• Is authorized by Union or Member State law applicable to the data controller, which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests; or
• Is based on your explicit consent.
​
11. ENFORCEMENT DEADLINE
​
The data controller will inform you without undue delay, but in any case within 1 month from the receipt of the request, about the measures taken following the requests mentioned above. If necessary, this period can be extended by 2 months. The data controller will inform you of the extension, stating the reasons for the delay, within 1 month of receiving the request. If the data controller does not take measures following your request, you will be informed without undue delay, but no later than 1 month from the receipt of the request, about the reasons for the lack of action, and you have the right to lodge a complaint with a supervisory authority and seek judicial remedy.
​
12. SECURITY OF DATA PROCESSING
The data controller and the data processor shall implement appropriate technical and organizational measures, taking into account the state of the art, implementation costs, the nature, scope, context, and purposes of processing, as well as the varying likelihood and severity of risks to the rights and freedoms of natural persons, to ensure a level of data security appropriate to the risk, including, where applicable:
​
a) Pseudonymization and encryption of personal data;
b) Ensuring the ongoing confidentiality, integrity, availability, and resilience of processing systems and services used for personal data processing;
c) The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
d) A procedure for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of processing;
e) Storing processed data in a way that prevents unauthorized access. For paper-based records, this involves establishing the order of physical storage and filing, while electronic data should be managed through a central authorization control system.
f) Selecting a method of storing data electronically that allows for deletion, considering the specified deletion deadlines or other requirements. The deletion must be irreversible.
g) Physically destroying paper-based records using a document shredder or, if necessary, arranging for the secure and irreversible deletion of electronic data in accordance with the rules for the disposal of electronic records.
h) The data controller implements the following specific security measures:
a. For paper-based personal data security, the Service Provider applies the following measures (physical protection):
​
i. Place documents in a secure, well-lockable, dry area.
ii. The Service Provider's building and premises are equipped with fire and security equipment.
iii. Only authorized personnel may have access to personal data, and third parties may not access them.
iv. The Service Provider's employee performing data processing can only leave the room where data processing takes place by securing the entrusted data carriers or closing the room.
v. If paper-based personal data is digitized, the rules applicable to digitally stored documents must be followed.
b. Information security
i. Computers and mobile devices (other data carriers) used in data processing belong to the Service Provider.
ii. Data on computers can only be accessed with a username and password.
iii. The central server machine can only be accessed with the appropriate authorization and only by designated individuals.
iv. For the security of digitally stored data, the Service Provider uses data backups and archives.
v. The computer system used by the Service Provider containing personal data is equipped with antivirus protection.
​
13. INFORMING DATA SUBJECTS ABOUT DATA PROTECTION INCIDENTS
​
If a data breach is likely to result in a high risk to the rights and freedoms of natural persons, the data controller shall inform the data subject about the data breach without undue delay.
The information provided to the data subject should clearly and understandably describe the nature of the data breach. It should also provide the name and contact details of the Data Protection Officer or other contact person providing further information. The information must outline the probable consequences of the data breach and the measures taken or planned by the data controller to remedy the data breach, including, where applicable, measures to mitigate potential adverse effects arising from the data breach.
The data subject does not need to be informed if any of the following conditions are met:
• The data controller has implemented appropriate technical and organizational protection measures applied to the data affected by the data breach, making the data unintelligible to unauthorized persons, especially through encryption.
• The data controller has taken further measures after the data breach to ensure that the high risk to the rights and freedoms of the data subject is unlikely to materialize.
• Informing the data subject would require disproportionate effort. In such cases, data subjects should be informed through publicly available information or similar measures ensuring effective communication.
​
If the data controller has not notified the data subject of the data breach, the supervisory authority, after considering whether the data breach is likely to result in a high risk, may order the data subject to be informed.
14. REPORTING DATA PROTECTION INCIDENTS TO THE AUTHORITIES
The data controller shall notify the competent supervisory authority pursuant to Article 55 without undue delay and, where feasible, no later than 72 hours after becoming aware of the data breach unless the data breach is unlikely to result in a risk to the rights and freedoms of natural persons. If the notification is not made within 72 hours, the reasons for the delay must be included.
15. REVIEW IN CASE OF MANDATORY DATA PROCESSING
If the duration or periodic necessity of mandatory data processing is not determined by law, local government regulations, or mandatory legal acts of the European Union, the data controller shall review at least every three years, starting from the commencement of data processing, whether the processing of personal data managed by the data controller or by a data processor acting on its behalf or under its instructions is necessary to achieve the purpose of data processing.
​
The data controller shall document the circumstances and results of this review, keep this documentation for ten years following the review, and provide it to the National Authority for Data Protection and Freedom of Information (hereinafter: Authority) at the request of the Authority.
​
16. COMPLAINT OPTIONS​
In case of an alleged violation by the data controller, a complaint can be filed with the National Authority for Data Protection and Freedom of Information:
​
National Authority for Data Protection and Freedom of Information
1055 Budapest, Falk Miksa utca 9-11.
Mailing address: 1374 Budapest, Pf.: 603.
Phone: +36-1-391-1400
Fax: +36-1-391-1410
Email: ugyfelszolgalat@naih.hu
​
17. CLOSING REMARKS
This document has been prepared in compliance with the following legal provisions:
-
Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR) of April 27, 2016, on the protection of natural persons regarding the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
-
Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information (Infotv.)
-
Act CVIII of 2001 on Certain Issues of Electronic Commerce Services and Information Society Services (particularly Section 13/A)
-
Act XLVII of 2008 on the Prohibition of Unfair Commercial Practices Against Consumers
-
Act XLVIII of 2008 on the Basic Requirements and Certain Restrictions of Commercial Advertising Activities (particularly Section 6)
-
Act XC of 2005 on the Freedom of Electronic Information
-
Act C of 2003 on Electronic Communications (specifically Section 155)
-
Opinion 16/2011 on EASA/IAB Best Practice Recommendations on Online Behavioural Advertising
-
The recommendation of the Hungarian National Authority for Data Protection and Freedom of Information on the data protection requirements for prior information notices