Effective from: 25 May 2018

I. Introduction

The aim of the websites of BioTech USA Kft. (hereinafter referred to as “Service Provider” or “Data Controller”) at the domains https://biotechusa.hu and https://shop.biotechusa.hu (hereinafter jointly referred to as the “Website”) is to serve its target audience consisting of health-conscious people pursuing or wishing to pursue sports, to facilitate communication between people interested in sports and health and to provide an online platform for sharing experiences and for the sale of related products.

The Service Provider’s Privacy Notice relating to its websites https://biotechusa.hu and https://shop.biotechusa.hu is available at all times on the homepage.

As far as data processing is concerned, the Service Provider as data controller hereby informs the users of the Website about the personal data it processes on the Website, the principles and practices followed regarding the processing of personal data, the organisational and technical measures taken to protect personal data, as well as the means and options available for users to exercise their rights.

Data processing rules applicable to the following platform and services available on the Website are found in specific separate notices on the relevant platform: Career, Newsletter, Loyalty Program, Athlete Registration. Detailed rules on data processing concerning cookies are also set out in a separate notice.

The Service Provider will not verify the personal data received or their accuracy. The person, user or contracting party providing such data shall be solely liable for the adequacy of the data provided. The person providing a user’s email address also agrees to be liable for ensuring that only the relevant user and no one else will use the services from the email address in question. In view of that, the user who provided the given email address will be held liable for the consequences of logins with the given email address.

The Service Provider as data controller processes the recorded personal data confidentially, in line with data protection regulations, international recommendations and the provisions of this Notice. The Service Provider is committed to protecting the personal data of its partners and users, and considers it particularly important to respect the rights of Website users to informational self-determination. The Service Provider processes the personal data confidentially and takes all security, technical and organisational measures required to guarantee the security of such data.

In drafting and applying this Notice, the Service Provider acts in the spirit of Act CXII of 2011 on Informational Self-Determination and Freedom of Information, Act CVIII of 2001 on Certain Issues of Electronic Commerce Services and Information Society Services, and Regulation (EU) 2016/679 of the European Parliament and of the Council, by applying and fully complying with the above in all regards.

The personal data processed on the Website may primarily be accessed by the Service Provider and its staff members.

The Service Provider may at any time amend this Privacy Notice at its own discretion. The Service Provider will notify users about any amendment through the Website. When the Website loads, visitors are notified about the amendment, if any, in a pop-up window, and they can access the notice by clicking on the link in the pop-up message. Visitors can accept the notice by ticking the checkbox in the pop-up window. The Service Provider may apply the provisions of the amended Privacy Notice to those who have accepted it.

Should you have any questions about anything that is not clearly answered in this Privacy Notice, please feel free to send your inquiry to adatvedelem@biotechusa.com and one of our staff will answer it.

II. Details of the Data Controller

Name: BioTech USA Korlátolt Felelősségű Társaság

Registered seat: H-1033 Budapest, Huszti út 60, Hungary

Company registration number: 01-09-352550

Tax number: 25114681-2-44

Registered by: Tribunal of Budapest Region

Postal address: H-1033 Budapest, Kiscsikós köz 11, Hungary

Electronic mailing address: info@biotechusa.com

Phone number: +36 1 453 2716

III. Details of the Data Controller’s data protection officer

Name: Béla Nádas

Postal address: H-1277 Budapest, Pf. 83, Hungary

Electronic mailing address: dpo.btu@dnui.hu

Phone number: +36 1 788 3035

IV. The Data Controller’s processing activities performed on the website https://shop.biotechusa.hu

Please note that in the event of data processing based on your consent, you have the right to withdraw your consent at any time. The withdrawal will not affect the lawfulness of processing performed before the withdrawal of such consent.

Please note that you have the right to object at any time to processing of personal data concerning you which is based on the Data Controller’s or a third party’s legitimate interests.

A) Registration for the Loyalty Program and/or in the online shop

Personal data processed: name, email, statement on being at least 18 years old, purchase information (date of purchase, type of products purchased, data on the collection and redemption of points, login data), and, if the profile diversification questionnaire is completed as part of the Loyalty Program, date of birth and sex.

Purpose of processing: to keep records of and distinguish the people registered in the online shop, to verify the prerequisite of contracting (legal age), to ensure the functions available with registration in the online shop: to shorten the ordering process, to re-order previously ordered products, to view previous orders, to give the discounts available in the Loyalty Program, to analyse customer habits to better meet customer demands, to provide information to Customers more efficiently on purchase opportunities, to manage prize games.

Legal basis of processing: the consent of the data subject as per Article 6(1)(a) of the GDPR, which is a prerequisite of entering the Loyalty Program and using the functions available upon registration in the online shop.

Duration of processing: The Data Controller will retain the list of participants during their participation in the Loyalty Program or until their online shop registration is cancelled, but no longer than for 3 years from the date of last use or, in lack of use, from the date of registration (inactivity period). Upon expiry of the inactivity period, the Data Controller will erase the personal data obtained through registration without delay. Personal data shall be erased upon the registered user’s erasure request, by the end of the time period available for managing such request at the latest.

Recipients: as data processor, Shopify International Ltd. (address: 2nd Floor, 1-2 Victoria Buildings, Haddington Road, Dublin 4, D04 Xn32), and as part of its services personal data may be transferred to Canada or the USA, which countries have an adequacy decision with the European Union. [When adequacy has been established, personal data can be freely transferred to countries outside the European Union without the EU resident data exporter having to apply additional safeguards or having to meet further conditions.] Other data processor: EMARSYS eMarketing Systems AG (registered seat: 1150 Vienna, Märzstrasse 1., company registration number: FN 197024t, tax number: ATU50359801, phone number: 01/4782080-0, www.emarsys.com, email: vienna@emarsys.com, website: https://www.emarsys.com/en/).

The Data Controller has engaged the following company to participate as a data processor in designing the Loyalty Program and ensuring the background for the platform: Antavo Ltd. (registered seat: 9th floor, 107 Cheapside, London EC2V 6DN, United Kingdom; company registration number: 8046168; tax number: GB137725793; website: https://www.antavo.com/). The Data Controller processes the following data: date of subscription, price and amount of purchase, login, date of purchase (activities related to the collection and redemption of points), type of products purchased, sex, date of birth.

After purchase, customers can give reviews of the Data Controller’s products by using the Judge.me application. Details of the data processor company: Judge.me LLC (Box 7403, Jackson, Wyoming 83002, USA). The European Union has an adequacy decision with the USA.

Furthermore, the Data Controller’s current franchise partners as Data Processors have access to your personal data for the purpose of operating the Loyalty Program and giving discounts.

B) Registration for the Lifestyle Program

Personal data processed: name, email, statement on being at least 18 years old, purchase information (date of purchase, type of products purchased, data on the collection and redemption of points, login data), and if the questionnaire prior to registering in the Lifestyle Program is completed, age, sex and the lifestyle-related answers given.

Purpose of processing: to manage the Lifestyle Program, to assess lifestyle-related habits to better meet participants’ demands, to inform participants more efficiently on how to purchase the products best meeting their needs, as well as on the workout plans and diets developed by the Data Controller.

Legal basis of processing: the consent of the data subject as per Article 6(1)(a) of the GDPR, which is a prerequisite of registering for the Lifestyle Program. Where, after completing the Lifestyle Program questionnaire and receiving its results, you decide to purchase the product package recommended by the Data Controller and also register for the Loyalty Program, the further legal basis of processing is that processing is necessary prior to entering into a contract as per Article 6(1)(b) of the GDPR. The conclusion of the contract is subject to the provision of personal data. No purchase in the online shop may be initiated without providing the personal data.

Duration of processing: The Data Controller will retain the list of participants during their participation in the Lifestyle Program or until their registration is cancelled, but no longer than for 3 years from the date of last use or, in lack of use, from the date of registration (inactivity period). Upon expiry of the inactivity period, the Data Controller will erase the personal data obtained through registration without delay. Personal data shall be erased upon the registered user’s erasure request, by the end of the time period available for managing such request at the latest.

Recipients: as data processor, Shopify International Ltd. (address: 2nd Floor, 1-2 Victoria Buildings, Haddington Road, Dublin 4, D04 Xn32), as part of whose services personal data may be transferred to Canada or the USA, which countries have an adequacy decision with the European Union. [When adequacy has been established, personal data can be freely transferred outside the European Union without the data exporter within the EU having to apply additional safeguards or having to meet further conditions.]

Other data processor: EMARSYS eMarketing Systems AG (registered seat: 1150 Vienna, Märzstrasse 1., company registration number: FN 197024t, tax number: ATU50359801, phone number: 01/4782080-0, www.emarsys.com, email: vienna@emarsys.com, website: https://www.emarsys.com/en/).

The Data Controller has engaged the following company to participate as a data processor in designing the Loyalty Program and ensuring the background for the platform: Antavo Ltd. (registered seat: 9th floor, 107 Cheapside, London EC2V 6DN, United Kingdom; company registration number: 8046168; tax number: GB137725793; website: https://www.antavo.com/). The Data Controller processes the following data: date of subscription, price and amount of purchase, login, date of purchase (activities related to the collection and redemption of points), type of products purchased, sex, date of birth.

C) Purchasing in the online shop as a guest

Personal data processed: name, email, statement on being at least 18 years old.

Purpose of processing: to keep records of customers and distinguish them regarding their purchases in the online shop.

Legal basis of processing: the consent of the data subject as per Article 6(1)(a) of the GDPR which, in the case of online shop purchases, is a prerequisite of concluding the contract. No purchase in the online shop may be initiated if personal data are not available.

Duration of processing: data other than those necessary for making out the invoice (name, delivery address) will be retained by the Data Controller for 14 days.

Recipients: as data processor, Shopify International Ltd. (address: 2nd Floor, 1-2 Victoria Buildings, Haddington Road, Dublin 4, D04 Xn32), and as part of its services personal data may be transferred to Canada or the USA, which countries have an adequacy decision with the European Union.

As other data processor: Antavo Ltd. (registered seat: 9th floor, 107 Cheapside, London EC2V 6DN, United Kingdom; company registration number: 8046168; tax number: GB137725793; website: https://www.antavo.com/)

D) Conclusion of contract (placing and processing orders)

Personal data processed: name, email, country, postcode, city, street, number, phone number.

Purpose of processing: to learn about the terms and conditions of the offer aimed at concluding a contract (order) and to send a statement of acceptance thereof in a confirmation email.

Legal basis of processing: it is necessary to enter into a contract as specified in Article 6(1)(b) of the GDPR. The conclusion of the contract is subject to the provision of personal data. No purchase in the online shop may be initiated without providing the personal data.

Duration of processing: data are erased upon expiry of the general statute of limitations period as per the Civil Code of Hungary.

E) Performing a contract

i) Delivery

Personal data processed: name, email, country, postcode, city, street, number, phone number, order number. Furthermore, if cash on delivery is selected as the payment method, the price of the order.

Purpose of processing: delivery of the ordered products.

Legal basis of processing: the performance of a contract under Article 6(1)(b) of the GDPR.

Duration of processing: data are erased upon expiry of the general statute of limitations period as per the Civil Code of Hungary.

Recipients: as recipient, GLS General Logistics Systems Hungary Csomag-Logisztikai Kft. (address: H-2351 Alsónémedi, GLS Európa utca 2; the Privacy Notice is available at https://gls-group.eu/HU/hu/altalanos-uzleti-feltetelek ) and Foxpost Zrt. (address: H-3200 Gyöngyös, Batsányi János u. 9; the Privacy Notice is available at http://www.foxpost.hu/altalanos-szerzodesi-feltetelek/ ).

ii) Payment

Personal data processed: name, delivery address, billing address, phone number, email, transaction amount, IP address, date and time of the transaction.

Purpose of processing: payment of the price of the ordered products.

Legal basis of processing: the performance of a contract under Article 6(1)(b) of the GDPR.

Duration of processing: data are erased upon expiry of the general statute of limitations period as per the Civil Code of Hungary.

Recipients: as data processor and the provider of the SimplePay service, OTP Mobil Kft. (address: H-1093 Budapest, Közraktár u. 30-32; its privacy notice is available at: http://simplepay.hu/old/docs/201804/simplepay_b2b_aszf_20180416.pdf ).

iii) Invoicing

Personal data processed: name, country, postcode, city, street, number, order number.

Purpose of data processing: accounting documentation (issuing invoices), retention of invoices.

Legal basis of processing: the Service Provider’s legal obligation under Article 6(1)(c) of the GDPR [Section 166(3) and 169(2) of Act C of 2000 on Accounting]

Duration of processing: 8 years.

Recipients: as data processor, IFS Hungary Kft. (address: H-1132 Budapest, Váci út 22-24).

iv) Returning the product when the right of withdrawal is exercised

Personal data processed: name, country, postcode, city, street, number, order number.

Purpose of processing: fulfilling the customer’s request (reimbursement of money).

Legal basis of processing: the Service Provider’s legal obligation under Article 6(1)(c) of the GDPR [Section 23(1) of Government Decree No. 45/2014. (II. 26.) on the detailed rules of contracts concluded between consumers and businesses].

Duration of processing: data are erased upon expiry of the general statute of limitations period as per the Civil Code of Hungary.

F) Product reviews

Personal data processed: name provided for the review, other personal data provided in the text of the review.

Purpose of processing: reviewing products in words and with scores, publication of the reviews on the website.

Legal basis of processing: the consent of the data subject as per Article 6(1)(a) of the GDPR.

Duration of processing: until the withdrawal of consent. In order to ensure that the data are not kept longer than necessary, the Data Controller will erase the personal data after 3 years from the date of such consent even if consent is not withdrawn.

Recipients: Antavo Ltd. (registered seat: 9th floor, 107 Cheapside, London EC2V 6DN, United Kingdom; company registration number: 8046168; tax number: GB137725793; website: https://www.antavo.com/) as data processor.

G) Communication through the chat window

Personal data processed: name, email, other personal data provided in the message.

Purpose of processing: responding to the messages received.

Legal basis of processing: the consent of the data subject as per Article 6(1)(a) of the GDPR.

Duration of processing: a) in lack of a reply by the user, 15 days from sending the Service Provider’s response. b) 1 day from the data subject’s response closing the discussion.

Recipients: Zendesk Inc. (address: 1019 Market St., San Francisco, California, USA 94103-1612) as data processor and the provider of the communication platform. The European Union has an adequacy decision with the USA.

V. The Data Controller’s processing activities performed on the website https://biotechusa.hu  

A) Communication

Personal data processed: name, email, phone number, other personal data provided in the text of the mail.

Purpose of processing: responding to the messages received.

Legal basis of processing: the consent of the data subject as per Article 6(1)(a) of the GDPR.

Duration of processing: a) in lack of a reply by the user, 15 days from sending the Service Provider’s response. b) 1 day from the data subject’s response closing the discussion.

B) Use of the ‘Ask the Expert’ menu

Personal data processed: name, email, sex, age, weight, height, other personal data provided in the text of the mail.

Purpose of processing: to respond to messages received; with the data subject’s consent, to display the data subject’s question and the Service Provider’s response on the website (without the data subject’s full name and email).

Legal basis of processing: the consent of the data subject as per Article 6(1)(a) of the GDPR.

Duration of processing: until the withdrawal of the data subject’s consent. In order to ensure that the data are not kept longer than necessary, the Data Controller will erase the personal data after 2 years from the date of such consent even if consent is not withdrawn.

Recipients: the current experts of ‘Ask the Expert’ menu.

VI. The Data Controller’s processing activities performed on both the websites https://shop.biotechusa.hu and https://biotechusa.hu  

A) Cookies

Anonymous visitor identifiers (cookies) are files or pieces of information stored on your computer (or other internet-compatible devices such as smartphones or tablets) when you visit one of our websites. A cookie generally contains the name of the website where it came from, its own “lifetime” (i.e. how long it will remain on your device) and its value that is usually a randomly generated unique number.

We use cookies so that we can better customise our websites and offer you products matching your interests and needs, thereby making it easier for you to use our websites. Cookies help accelerate your future activities and improve your user experience on our websites. Cookies are also suitable for preparing anonymous aggregated statistics, helping us understand how people use our websites so that we can improve their structure and content.

As for their duration, there are so-called session cookies and persistent cookies. Session cookies are temporary, that is, they remain on your device only while you are browsing our website. Persistent cookies remain on your device for much longer; they may stay up to the point when you delete them manually.

Pixel tags are used by other sites to collect information that can be disclosed to third parties. This directly supports our promotional activities and website development. For example, the information on website usage by our visitors can be shared with marketing agencies so that we can use online advertisements on our website more efficiently.

Most internet browsers accept cookies by default. You can change the settings to disable cookies and/or request a notification on cookies being stored on your device. There are several ways to manage cookies. Please check your browser information or the help menu if you want to learn more about browser settings and how to change them.

If you disable the cookies we use, this may affect your experience while browsing our websites. For example, you may not be able to visit certain parts of the BioTechUSA website or you may not receive personalised information while browsing a BioTechUSA site.

If you use different devices (e.g. computer, smartphone, tablet etc.) for visiting and using BioTechUSA websites, make sure that all browsers on such devices are set to meet your cookie preferences.

Cookies used on our website can be categorised as follows:

Essential

These cookies help make the website suitable for use by providing fundamental functions such as site navigation. The website cannot properly operate without these cookies, and so it is mandatory to accept them.

Preferences

These cookies allow the website to remember information (such as the language used or the region) that changes the website’s behaviour or appearance. Accepting these cookies is optional.

Marketing

These cookies are used to monitor website visitors. The aim is to display advertisements that are relevant and interesting for the given visitor, and therefore are more valuable for the displaying party and third-party advertisers. Accepting these cookies is optional.

Other

The categorisation of these cookies with the help of their individual providers is underway. Accepting these cookies is optional.

See the Cookie Policy for detailed information on the cookies used on the websites.

Upon your first visit to the website, a window pops up at the bottom of the screen with the Cookie Policy. It contains a description of the individual cookies used on the website, their function and duration.

You can allow cookies by clicking the “Accept all cookies” button. By clicking the “Cookie settings” button, the cookies stored by the individual groups (categories) can be allowed or disabled.

Cookies can be enabled or disabled by groups (categories), and the operation of the relevant cookies can be confirmed by clicking the “Accept” button.

If new cookies are used on the website, they need to be accepted and allowed. In such a case, the window at the bottom of the screen pops up again and highlights the groups of cookies where there has been a change. New cookie(s) can be accepted in the manner described above.

Previously accepted cookies can, of course, be checked and changed at any time. Click here to review cookies: Cookie settings.

Where a cookie also stores personal data, its description contains a notice to that effect.

The company Emarsys eMarketing Systems AG (address: Märzstrasse 1, 1150 Vienna, Austria) participates in the processing of the data collected by the cookies in its capacity as data processor.

B) Profiling

Profiling means any form of automated processing of personal data evaluating the personal aspects relating to a natural person, in particular to analyse or predict aspects concerning the data subject's personal preferences or interests, location or movements.

With the help of profiling, the Service Provider can send you targeted, customised offers and messages based on your previous orders and online behaviour.

The Service Provider can obtain data necessary for profiling through the following activities:

- completion of the profile diversification questionnaire: name, email, date of birth, sex, purpose (what is your goal with using food supplement products? e.g. getting ripped, diet, bulking up).

- online shop purchase: purchase data (what, when, for how much, from where, payment method).

- browsing the website, behaviour: website use (the page visited is a product page, category page, cart content, search).

On the basis of purchase and behaviour information and by using artificial intelligence, Emarsys eMarketing Systems AG identifies data concerning the user based on which the Service Provider can create segments suitable for running personalised campaigns.

Personal data processed: a) collected from the data subject: name, email, city, postcode, date of birth, phone number, sex, purchase data, IP address (used for registration); b) derived data collected other than from the data subject: (based on prediction or machine learning algorithm): favourite products, favourite categories, date and duration of last website visit; c) in addition, there are other data which the Service Provider can filter and use for creating segments: email interactions (opening/clicking/affinity for email categories, device and city of clicking/opening), user’s purchase life cycle, customer status (based on spending), average spending.

Purpose of processing: sending targeted, personalised offers and messages.

Legal basis of processing: the consent of the data subject as per Article 6(1)(a) of the GDPR. The data processor uses marketing cookies for profiling; therefore, when accepting the Cookie Policy, the consent to or disagreement with profiling can be expressed by granting or refusing to grant the consent to the use of marketing cookies.

Duration of processing: until the withdrawal of the data subject’s consent. In order to ensure that the data are not kept longer than necessary, the data controller will erase the personal data after 3 years from the date of such consent even if consent is not withdrawn.

Recipients: as data processors, Emarsys eMarketing Systems AG (address: Märzstrasse 1, 1150 Vienna, Austria) and Antavo Ltd. (registered seat: 9th floor, 107 Cheapside, London EC2V 6DN, United Kingdom; company registration number: 8046168; tax number: GB137725793; website: https://www.antavo.com/).

C) Remarketing

Remarketing allows the Service Provider to display advertisements for persons who have visited its website earlier or have provided their email address.

Personal data processed: email address, purchase data.

Purpose of processing: displaying advertisements for Website users on Facebook and Google.

Legal basis of processing: the Service Provider’s legitimate interest as per Article 6(1)(f) of the GDPR (direct marketing). The Service Provider obtains the user’s email address when the user subscribes to the newsletter, based on the subscriber’s consent. This means that the Data Controller is processing the provided email address also for a purpose (remarketing) other than the purpose of data collection (delivery of newsletters).

Duration of processing: the data subject shall have the right to object at any time to processing of personal data concerning him or her for such remarketing purposes. Should the user withdraw his or her consent given to the delivery of newsletters (which he or she may do at any time), the user’s data will not be processed for remarketing purposes either. In order to ensure that the data are not kept longer than necessary, the data controller will erase the personal data after 3 years from the date of last opening a newsletter even if no objection or withdrawal of consent is submitted.

Recipients: Emarsys eMarketing Systems AG as data processor (address: Märzstrasse 1, 1150 Vienna, Austria), which, based on the Service Provider’s instructions, transfers the advertisement to be displayed, along with the email addresses, to Facebook Ireland Ltd. (address: 4 Grand Canal Square, Grand Canal Harbour, D2 Dublin, Ireland; Facebook Ads) and to Google Inc. (address: 1600 Amphitheatre Pkwy, Mountain View, California 94043, USA) (Google AdWords), which are also data processors and display the advertisement for their registered users whose email address kept on record with them is included in the list received from Emarsys. The European Union has an adequacy decision with the USA.

D) Other

The Data Controller’s online marketing activity is also coordinated by a contracted service provider who, in the context of its activity, has access to the personal data stored and processed by the Data Controller, but who only processes such data for the purpose they were collected and in compliance with data processing and privacy regulations: CoffeeBreak Consulting Kft. (registered seat: H-2030 Érd, Technikus utca 78; company registration number: 13 09 189915, tax number: 26166124-2-13, email: hello@thecoffeebreak.hu).

Information on processing not listed herein will be provided when the relevant data is recorded.

Please note that the courts, prosecution services, investigating authorities, the authorities dealing with administrative offences, administrative authorities, the Hungarian National Authority for Data Protection and Freedom of Information or other bodies authorised by law may contact the Data Controller for information, disclosure or transfer of data, or the provision of documents.

Provided that the requesting authority has specified the exact purpose of use and the scope of the data, the Data Controller will only disclose those personal data to the requesting authority and only to such extent that is indispensable for the implementation of the purpose of the request.

VII. Rights of Website visitors and users related to data processing

You may request information free of charge on the details of processing of your personal data, you may request the rectification, erasure, restriction of processing of your data, and may object to the processing of such personal data. Such requests can be submitted using the Data Controller’s contact details specified in Section II above.

The Data Controller shall communicate any rectification or erasure of personal data or restriction of processing to each recipient (data processor) to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. We will provide you with information on such recipients upon your request.

The Data Controller shall provide information on actions taken on a request as per sub-sections (a)-(f) below without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The Data Controller shall provide information on any such extension within one month of receipt of the request, together with the reasons for the delay.

Where you make the request by electronic means, the information shall be provided by the Data Controller by electronic means where possible, unless you request otherwise.

If the Data Controller does not take action on your request, it shall inform you without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

a) Right of access: you shall have the right to obtain from the Data Controller confirmation as to whether or not personal data concerning you are being processed, and, where that is the case, access the personal data and the following information: the purpose of processing, the categories of personal data concerned, data processors, duration of processing and, where the personal data are not collected from you, any available information as to their source.

b) Right to rectification: you shall have the right to obtain from the Data Controller without undue delay the rectification of inaccurate personal data concerning you. Taking into account the purposes of the processing, you shall have the right to have incomplete personal data completed.

c) Right to erasure (“right to be forgotten”): you shall have the right to obtain from the Data Controller the erasure of personal data concerning you without undue delay and the Data Controller shall have the obligation to erase personal data without undue delay where the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; you withdraw your consent on which the processing is based and there is no other legal ground for the processing; you object to processing; the personal data have been unlawfully processed; the personal data have to be erased for compliance with a legal obligation in EU or Member State law to which the Data Controller is subject.

Where the Data Controller has made the personal data public and is obliged to erase the personal data, the Data Controller shall take reasonable steps to inform data controllers which are processing the personal data that you have requested the erasure by such data controllers of any links to, or copy or replication of, the personal data.

d) Right to object: you shall have the right to object at any time to processing of personal data concerning you which is based on the Data Controller’s legitimate interests. In such a case, the Data Controller shall no longer process the personal data unless it demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims. Where personal data are processed for direct marketing purposes, you shall have the right to object at any time to processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing.

e) Right to restriction of processing: you shall have the right to obtain from the Data Controller restriction of processing where you contest the accuracy of the personal data; the processing is unlawful; the Data Controller no longer needs the personal data for the purposes of the processing, but you require them for the establishment, exercise or defence of legal claims; you have objected to processing. Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the EU or of a Member State.

f) Right to data portability: where the processing is based on consent or contract or serves the performance of a contract, and is carried out by automated means, you shall have the right to receive the personal data concerning you, which you have provided, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the Data Controller.

VIII. The method of storing personal data, the security of processing

The Data Controller’s servers are operated, and serviced if any problems arise, by companies employed for this purpose.

Details of the data processor company: Mongouse Kft. (address: H-1117 Budapest, Budafoki út 183)

Details of the data processor company: Servergarden Kft. (address: H-1023 Budapest, Lajos utca 28-32)

The Data Controller uses a server service which is operated, and serviced if any problems arise, by another company employed for this purpose: JLM PowerLine Kft. (address: H-2111 Szada, Ipari park út 12-14).

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Data Controller shall implement appropriate technical and organisational measures to ensure a level of data security appropriate to the risk.

The Data Controller implements appropriate measures to protect the data in particular from unauthorised access, alteration, transfer, disclosure to the public, erasure or destruction, accidental destruction and compromise, as well as from becoming inaccessible due to changes in the technology applied.

The Data Controller’s IT system and network are protected against computer-assisted fraud, spying, sabotage, vandalism, fire and flood, computer viruses, hacking and denial-of-service attacks. The Data Controller has server-level and application-level protection mechanisms in place to provide for security.

Electronic messages forwarded through the internet, irrespective of protocol (email, web, ftp, etc.), are vulnerable to network threats which may lead to unfair activities, challenging the contract, or the disclosure or alteration of information. The Data Controller will take all reasonable precautions to provide protection against such threats. It monitors its systems so that any security discrepancies are logged and evidence is available in case of security incidents. In addition, system monitoring allows the efficiency of the precautions applied to be verified.

The Data Controller documents any personal data breaches, including the facts relating to the personal data breach, its effects and the remedial action taken.

IX. Lodging complaints

If you believe that the processing of personal data concerning you infringes on the legal provisions regarding data protection, you have the right to turn to court or lodge a complaint with the supervisory authority against the Data Controller.

Supervisory authority: Hungarian National Authority for Data Protection and Freedom of Information (Nemzeti Adatvédelmi és Információszabadság Hatóság)

registered seat: H-1125 Budapest, Szilágyi Erzsébet fasor 22/C

postal address: H-1530 Budapest, Pf. 5

phone: (+36 1) 391-1400

fax: (+36 1) 391-1410

email: ugyfelszolgalat@naih.hu

website: https://naih.hu/