PRIVACY POLICY
Dr. Adrienn Fórizs
Introduction
Dr. Adrienn Fórizs (address: 116 Homoktövis Street, 2nd Floor, Door 12, 1048 Budapest,
Tax ID: 41950005-1-51, company registration number: 58188460) (hereinafter referred to as
the "Service Provider" or "Data Controller") adheres to Regulation (EU) 2016/679 of the
European Parliament and of the Council of 27 April 2016 on the protection of natural persons
with regard to the processing of personal data and on the free movement of such data, and
repealing Regulation (EC) No 95/46 (General Data Protection Regulation). The following
information is provided in accordance with this regulation.
This privacy policy governs the data processing on the following websites/mobile
applications: https://www.zsabo.com
The privacy policy can be accessed at the following address:
http://www.zsabo.com/adatvedelem
Changes to the policy will become effective upon publication at the above address.
Data Controller and Contact Information
Name: Dr. Adrienn Fórizs
Registered Address: 116 Homoktövis Street, 2nd Floor, Door 12, 1048 Budapest
E-mail: info@zsabo.com
Phone: +36 30 524 1083
Definitions
1. "Personal data": any information relating to an identified or identifiable natural person
("data subject"); an identifiable natural person is one who can be identified, directly or
indirectly, in particular by reference to an identifier such as a name, an identification number,
location data, an online identifier, or one or more factors specific to the physical,
physiological, genetic, mental, economic, cultural, or social identity of that natural person.
2. "Processing": any operation or set of operations which is performed on personal data or on
sets of personal data, whether or not by automated means, such as collection, recording,
organization, structuring, storage, adaptation, alteration, retrieval, consultation, use,
disclosure by transmission, dissemination, or otherwise making available, alignment, or
combination, restriction, erasure, or destruction.
3. "Controller": the natural or legal person, public authority, agency, or other body which,
alone or jointly with others, determines the purposes and means of the processing of
personal data; where the purposes and means of such processing are determined by Union
or Member State law, the controller or the specific criteria for its nomination may be provided
for by Union or Member State law.
4. "Processor": a natural or legal person, public authority, agency, or other body which
processes personal data on behalf of the controller.
5. "Recipient": a natural or legal person, public authority, agency, or another body, to which
the personal data are disclosed, whether a third party or not. However, public authorities
which may receive personal data in the framework of a particular inquiry in accordance with
Union or Member State law shall not be regarded as recipients; the processing of those data
by those public authorities shall be in compliance with the applicable data protection rules
according to the purposes of the processing.
6. "Consent of the data subject": any freely given, specific, informed, and unambiguous
indication of the data subject's wishes by which he or she, by a statement or by a clear
affirmative action, signifies agreement to the processing of personal data relating to him or
her.
7. "Personal data breach": a breach of security leading to the accidental or unlawful
destruction, loss, alteration, unauthorized disclosure of, or access to, personal data
transmitted, stored, or otherwise processed.
Principles of Personal Data Processing
Personal data processing must adhere to the following principles:
1. Lawfulness, Fairness, and Transparency:
- Personal data must be processed lawfully, fairly, and in a transparent manner to the data
subject.
2. Purpose Limitation:
- Data collection should only occur for specified, explicit, and legitimate purposes, and data
should not be further processed in a manner that is incompatible with these purposes.
However, additional processing for archiving purposes in the public interest, scientific or
historical research purposes, or statistical purposes in accordance with Article 89(1) shall not
be considered incompatible with the initial purposes ("purpose limitation").
3. Data Minimization:
- Data should be adequate, relevant, and limited to what is necessary for the purposes for
which they are processed ("data minimization").
4. Accuracy:
- Data should be accurate and, where necessary, kept up to date. Appropriate measures
should be taken to ensure that inaccurate personal data are erased or rectified without delay
("accuracy").
5. Storage Limitation:
- Data should be kept in a form that permits identification of data subjects only for as long
as is necessary for the purposes for which the data are processed. Personal data may be
stored for longer periods if it is processed solely for archiving purposes in the public interest,
scientific or historical research purposes, or statistical purposes, subject to the
implementation of the appropriate technical and organizational measures required by this
Regulation in order to safeguard the rights and freedoms of the data subject ("limited
storage").
6. Integrity and Confidentiality:
- Personal data should be processed in a manner that ensures appropriate security,
including protection against unauthorized or unlawful processing, accidental loss,
destruction, or damage, using appropriate technical or organizational measures ("integrity
and confidentiality").
The data controller is responsible for ensuring compliance with these principles and must be
able to demonstrate such compliance ("accountability").
The data controller declares that data processing is carried out in accordance with the
principles outlined in this section.
Data Processing Related to Operating an Online Store/Using Services
1. Data Collection, Scope of Processed Data, and Purpose of Processing:
- Personal Data
- User Name: Identification and enabling registration. Legal basis: GDPR Article 6(1)(b)
and Act CXII of 2011, Section 13/A(3).
- Password: Ensuring secure access to the user account.
- First and Last Name: Necessary for communication, purchases, issuing invoices,
exercising the right of withdrawal.
- Email Address: Communication.
- Phone Number: Communication, efficient coordination regarding billing or delivery.
- Billing Name and Address: Issuing proper invoices, establishing, determining, modifying,
monitoring contract performance, invoicing fees, and enforcing related claims. Legal basis:
GDPR Article 6(1)(c) and Act C of 2000 on Accounting, Section 169(2).
- Shipping Name and Address: Enabling home delivery. Legal basis: GDPR Article 6(1)(b)
and Act CXII of 2011, Section 13/A(3).
- Date and Time of Purchase/Registration: Carrying out technical operations.
- IP Address at the Time of Purchase/Registration: Carrying out technical operations.
2. Data Subjects:
- All registered/purchasing individuals on the webshop website. Neither the username nor
the email address needs to contain personal data.
3. Data Retention Period and Deadline for Data Deletion:
- If any of the conditions in GDPR Article 17(1) are met, data will be retained until the data
subject's deletion request. The data controller will inform the data subject electronically in
accordance with GDPR Article 19. If the data subject's deletion request also covers the
provided email address, the data controller will delete the email address as well. Accounting
documents are an exception: Act C of 2000 on Accounting, Section 169(2), requires
the preservation of such data for 8 years. The data subject's contractual data may be deleted
upon the data subject's deletion request after the expiration of the statutory limitation period.
4. Identity of Authorized Data Processors and Recipients of Personal Data:
- Personal data may be processed by the data controller and duly authorized employees,
while respecting the above principles.
5. Explanation of Data Subjects' Rights Concerning Data Processing:
- Data subjects have the right to request access to, rectification, erasure, or restriction of
processing of their personal data.
- Data subjects have the right to data portability and the right to withdraw their consent at
any time.
6. Initiating Access, Deletion, Modification, or Restriction of Data Processing:
- Data subjects can initiate these requests:
- By post to 116 Homoktövis Street, 2nd Floor, Door 12, 1048 Budapest.
- By email to info@zsabo.com.
- By phone at +36 30 524 1083.
7. Legal Basis for Data Processing:
1. GDPR Article 6(1)(b) and (c).
2. Act CXII of 2011, Section 13/A(3).
3. Act C of 2000 on Accounting, Section 169(2).
4. Act V of 2013 (Civil Code of Hungary) Section 6:22.
8. Notice:
- Data processing is necessary for contract performance and providing quotations.
- You are obligated to provide personal data to fulfill your order.
- Failure to provide data will result in the inability to process your order.
Handling of Cookies
1. It is not necessary to obtain prior consent from the data subjects for the use of so-called
"password-protected session cookies", "shopping cart necessary cookies", "security
cookies", "Essential cookies", "Functional cookies", and "cookies responsible for website
statistics".
2. The fact of data processing, the scope of processed data: Unique identification numbers,
dates, timestamps.
3. Data subjects: All individuals visiting the website.
4. Purpose of data processing: User identification, tracking of visitors, ensuring personalized
functionality.
5. Duration of data processing, deadline for data deletion:
Type of Cookie | Legal Basis for Data Processing | Duration of Data Processing
Session cookies or other cookies essential for website operation | GDPR Article 6(1)(f) | Until the end of the relevant visitor session.
Persistent or stored cookies | GDPR Article 6(1)(f) | Until deletion by the data subject or, in the case of cookies with a specific expiration date (persistent, stored), until their expiration date, whichever comes first.
Statistical and marketing cookies | GDPR Article 6(1)(a) | 1 month to 2 years.
6. Possible data controllers who are authorized to access the data: The personal data can be
accessed by the data controller.
7. Description of data subjects' rights related to data processing: Data subjects can
delete cookies in their browser, typically under the Privacy settings found in the
Tools/Settings menu.
8. Most browsers used by our users allow the customization of cookie settings, including
specifying which cookies to save and allowing the removal of (certain) cookies. If you restrict
the saving of cookies on specific websites or do not allow third-party cookies, it may, under
certain circumstances, result in our website not being fully functional. You can find
information on how to customize cookie settings for commonly used browsers here:
- Google Chrome (https://support.google.com/chrome/answer/95647?hl=en)
- Internet Explorer (https://support.microsoft.com/en-us/help/17442/windows-internet-explorer-delete-manage-cookies)
- Firefox (https://support.mozilla.org/en-US/kb/enable-and-disable-cookies-website-preferences)
- Safari (https://support.apple.com/guide/safari/manage-cookies-and-website-data-sfri11471/mac)
Application of Google Analytics
1. This website uses Google Analytics, a web analysis service provided by Google Inc.
("Google"). Google Analytics uses so-called "cookies", text files that are stored on your
computer and allow an analysis of your website usage.
2. Information created through cookies about your use of the website is usually transmitted to
and stored on a Google server in the United States. By activating IP anonymization on the
website, Google will shorten your IP address within the member states of the European
Union or other signatory states to the Agreement on the European Economic Area before
transmission.
3. Only in exceptional cases will the full IP address be transmitted to a Google server in the
United States and shortened there. On behalf of the operator of this website, Google will use
this information to evaluate your use of the website, compile reports on website activity, and
provide the website operator with other services related to website and internet usage.
4. The IP address transmitted by your browser as part of Google Analytics will not be merged
with other Google data. You can prevent the storage of cookies by adjusting your browser
software accordingly; however, please note that in this case, you may not be able to use all
functions of this website to their full extent. You can also prevent Google from collecting and
processing the data generated by cookies related to your website usage (including your IP
address) by downloading and installing the browser plugin available at the following link:
https://tools.google.com/dlpage/gaoptout?hl=en
Newsletter and Direct Marketing Activities
1. In accordance with Section 6 of Act XLVIII of 2008 on the basic conditions and certain
restrictions of economic advertising activities, the User may give prior and express consent
for the Service Provider to contact them with advertising offers and other materials via the
contact information provided during registration.
2. Furthermore, the Customer, while adhering to the provisions of this notice, may consent to
the processing of their personal data necessary for sending advertising offers by the Service
Provider.
3. The Service Provider does not send unsolicited advertising messages, and the User can
unsubscribe from the offers without restriction or justification, free of charge. In this case, the
Service Provider deletes all personal data necessary for sending advertising messages from
its records and does not contact the User with further advertising offers. The User can
unsubscribe from advertisements by clicking on the link in the message.
4. The fact of data collection, the scope of processed data, and the purpose of data
processing:
Personal Data | Purpose of Data Processing | Legal Basis
Name, email address | Identification, enabling subscription to newsletters/promotional coupons | Consent of the data subject, Article 6(1)(a) GDPR, Section 6(5) of Act XLVIII of 2008 on the basic conditions and certain restrictions of economic advertising activities.
Date of subscription | Execution of a technical operation.
IP address at the time of subscription | Execution of a technical operation.
5. Data subjects: All individuals subscribing to the newsletter.
6. Purpose of data processing: Sending electronic messages containing advertisements
(email, SMS, push messages) to the data subject, providing information about current news,
products, promotions, new features, etc.
7. Duration of data processing, deadline for data deletion: Until the withdrawal of consent,
i.e., unsubscribing from the newsletter.
8. Possible data controllers who are authorized to access the data, recipients of personal
data: The data controller and its sales and marketing employees may process personal data
while adhering to the above principles.
9. Description of data subjects' rights related to data processing:
- The data subject may request access to their personal data, its correction, deletion, or
restriction.
- The data subject has the right to object to the processing of their personal data.
- The data subject has the right to data portability.
- The data subject has the right to withdraw consent at any time.
10. The data subject can initiate access to their personal data, its deletion, modification, or
restriction, data portability, or objection in the following ways:
- By mail at 1048 Budapest, Homoktövis utca 116, 2nd floor, door 12, Hungary.
- By email at info@zsabo.com.
- By phone at +36 30 524 1083.
11. The data subject can unsubscribe from the newsletter at any time, free of charge.
12. Please note:
- Data processing is based on your consent and the legitimate interest of the service
provider.
- You are required to provide your personal data if you wish to receive newsletters from us.
- Failure to provide data will result in us being unable to send newsletters to you.
- You can withdraw your consent at any time by unsubscribing.
- The withdrawal of consent does not affect the legality of data processing prior to the
withdrawal.
Complaint Handling
1. The fact of data collection, the scope of processed data, and the purpose of data
processing:
Personal Data | Purpose of Data Processing | Legal Basis
First and last name | Identification, contact.
Email address | Contact.
Phone number | Contact.
Billing name and address | Identification, handling of quality complaints, questions, and issues related to ordered products/services.
2. Data subjects: All customers who make purchases on the website and raise quality
complaints or file complaints.
3. Duration of data processing, deadline for data deletion: According to Section 17/A(7) of
Act CLV of 1997 on consumer protection, records and transcripts of complaints and
responses must be kept for 3 years.
4. Possible data controllers who are authorized to access the data, recipients of personal
data: The data controller and its authorized employees may process personal data while
adhering to the above principles.
5. Description of data subjects' rights related to data processing:
- The data subject may request access to their personal data, its correction, deletion, or
restriction.
- The data subject has the right to data portability.
- The data subject has the right to withdraw consent at any time.
6. The data subject can initiate access to their personal data, its deletion, modification, or
restriction, data portability, or objection in the following ways:
- By mail at 1048 Budapest, Homoktövis utca 116, 2nd floor, door 12, Hungary.
- By e-mail at info@zsabo.com.
- By phone at +36 30 524 1083.
7. Please note:
- Providing personal data is based on a legal obligation.
- The processing of personal data is a prerequisite for entering into a contract.
- You are required to provide personal data for us to handle your complaint.
- Failure to provide data will result in us being unable to process your complaint.
Recipients of Personal Data
"Recipient": Any natural or legal person, public authority, agency, or other body to whom or
which the personal data is disclosed, whether a third party or not.
1. Data Processors (those who process data on behalf of the Data Controller)
The Data Controller engages Data Processors for the purpose of supporting its own data
processing activities and to fulfill obligations required by contracts or laws.
The Data Controller places great emphasis on engaging only those Data Processors who
provide adequate guarantees for compliance with the requirements of data processing as
defined in the GDPR and for ensuring the protection of data subjects' rights through
appropriate technical and organizational measures.
Data Processors and any persons with access to personal data, operating under the
direction of the Data Controller or Data Processor, process personal data exclusively in
accordance with the instructions of the Data Controller.
The Data Processor is legally responsible for its activities concerning data processing. The
Data Processor is only liable for damages arising from data processing if it fails to comply
with the specific obligations imposed on Data Processors by the GDPR or if it disregards
lawful instructions from the Data Controller or acts contrary to them.
The Data Processor does not make substantive decisions regarding the processing of
data.
For ensuring IT infrastructure, the Data Controller may engage a hosting service provider,
and for delivering ordered products, a courier service provider, as Data Processors.
2. Some Data Processors
Data Processing Activity | Name, Address, Contact
Hosting Service | Webnode AG, Address: Badenerstrasse 47, CH-8004 Zurich, Switzerland, E-mail: info@webnode.com
Other Data Processor (e.g., online invoicing, web development, marketing) | Billingo Technologies Ltd., Address: 1133 Budapest, Árbóc utca 6., 1st floor, E-mail: hello@billingo.hu
"Third Party": Any natural or legal person, public authority, agency, or any other body other
than the data subject, the Data Controller, Data Processor, and persons who, under the
direct authority of the Data Controller or Data Processor, are authorized to process personal
data.
3. Data Transfer to Third Parties
Third-party Data Controllers process the disclosed personal data under their own name
and in accordance with their own privacy policies.
Data Processing Activity | Name, Address, Contact
Transportation | GLS General Logistics Systems Hungary Ltd., Address: 2351 Alsónémedi, GLS Európa u. 2., Phone: +36 29 88 67 00, E-mail: info@gls-hungary.com
Transportation | MPL Hungarian Postal Logistics Ltd., Address: 1138 Budapest, Dunavirág utca 2-6., E-mail: ugyfelszolgalat@posta.hu, Phone: (06-1) 767-82-82, General Terms and Conditions: https://www.posta.hu/general_terms_and_conditions, Privacy Policy: https://www.posta.hu/static/internet/download/PRIVACY_NOTICE_MAGYAR_POSTA_ZRT.pdf
Online Payment | PayPal (Europe) S.à r.l. et Cie, S.C.A., Address: 22–24 Boulevard Royal, L-2449 Luxembourg, E-mail: enquiry@paypal.com
Online Payment | Stripe, Address: 354 Oyster Point Boulevard, San Francisco, California, 94103, E-mail: info@stripe.com
Social Media
1. Data Collection, Scope of Processed Data: Names and publicly available profile pictures of
individuals registered on social media platforms such as
Meta/Twitter/Pinterest/YouTube/Instagram, who have "liked" the Service Provider's social
media page or interacted with the Data Controller through these platforms.
2. Data Subjects: All individuals who have registered on social media platforms like
Meta/Twitter/Pinterest/YouTube/Instagram and have "liked" the Service Provider's social
media page or interacted with the Data Controller through these platforms.
3. Purpose of Data Collection: Sharing, "liking", following, and promoting certain content
elements, products, promotions, or the website itself on social media platforms.
4. Duration of Data Processing, Deadline for Data Deletion, Authorized Data Processors, and
Explanation of Data Subjects' Rights related to Data Processing: The source, handling,
mode, legal basis, duration, and the possibilities of deleting and modifying data are
determined by the respective social media platform's regulations, as data processing takes
place on these platforms.
5. Legal Basis for Data Processing: The data subject's voluntary consent to the processing of
their personal data on social media platforms.
Customer Relations and Other Data Processing
1. If questions arise or issues occur during the use of the Data Controller's services, the data
subject can contact the Data Controller through the methods provided on the website (phone,
email, social media, etc.).
2. The Data Controller deletes emails, messages, phone records, and other data provided by
the data subject within two years, along with the data subject's name, email address, and
other voluntarily provided personal data.
3. Information about data processing not listed in this notice will be provided when the data is
collected.
4. In case of exceptional authority requests or requests from other authorities based on legal
authorization, the Service Provider is obliged to provide information, disclose data, or make
documents available. In these cases, the Service Provider will only release personal data to
the extent necessary to achieve the purpose of the request, provided that the requester
specifies the exact purpose and scope of the data.
The Rights of Data Subjects
1. Right to access
You have the right to receive confirmation from the data controller as to whether or not
personal data concerning you is being processed, and if so, you have the right to access
your personal data and certain information listed in the regulation.
2. Right to rectification
You have the right to request the data controller to correct inaccurate personal data
concerning you without undue delay. Considering the purposes of the data processing, you
also have the right to request the completion of incomplete personal data, including by
means of providing a supplementary statement.
3. Right to erasure
You have the right to request the data controller to erase personal data concerning you
without undue delay, and the data controller is obliged to erase personal data under certain
conditions.
4. Right to be forgotten
If the data controller has made the personal data public and is obliged to erase it, they must
take reasonable steps, including technical measures, to inform other data controllers
processing the personal data that you have requested the erasure of any links to or copies or
replications of that personal data.
5. Right to restriction of processing
You have the right to request the data controller to restrict the processing of your personal
data under certain conditions:
- If you contest the accuracy of your personal data, the restriction will be for a period enabling
the data controller to verify the accuracy of the personal data.
- If the processing is unlawful, and you oppose the erasure of the personal data and request
the restriction of its use instead.
- If the data controller no longer needs the personal data for the purposes of the processing
but you require them for the establishment, exercise, or defense of legal claims.
- If you have objected to processing pending the verification of whether the legitimate
grounds of the data controller override your grounds.
6. Right to data portability
You have the right to receive your personal data, which you have provided to a data
controller, in a structured, commonly used, and machine-readable format and have the right
to transmit those data to another data controller without hindrance.
7. Right to object
In cases where personal data is processed for reasons of legitimate interests pursued by the
data controller or for public authority tasks, including profiling, you have the right to object to
the processing on grounds relating to your particular situation. The data controller must then
no longer process the personal data unless they demonstrate compelling legitimate grounds
for the processing which override your interests, rights, and freedoms or for the
establishment, exercise, or defense of legal claims.
8. Right to object to direct marketing
If personal data is processed for direct marketing purposes, you have the right to object at
any time to the processing of your personal data for such marketing, including profiling to the
extent that it is related to such direct marketing. If you object to processing for direct
marketing purposes, your personal data may no longer be processed for such purposes.
9. Automated individual decision-making, including profiling
You have the right not to be subject to a decision based solely on automated processing,
including profiling, which produces legal effects concerning you or similarly significantly
affects you. This does not apply if the decision:
- Is necessary for entering into, or the performance of, a contract between you and the data
controller.
- Is authorized by Union or Member State law to which the data controller is subject and
which also lays down suitable measures to safeguard your rights and freedoms and
legitimate interests.
- Is based on your explicit consent.
Data Security
The data controller and data processor shall implement appropriate technical and
organizational measures, taking into account the state of the art, the costs of implementation,
the nature, scope, context, and purposes of processing, as well as the varying likelihood and
severity of risks to the rights and freedoms of natural persons, to ensure a level of security
appropriate to the risk. This includes, among other things:
1. Pseudonymization and encryption of personal data.
2. Ensuring the ongoing confidentiality, integrity, availability, and resilience of systems and
services used for personal data processing.
3. The ability to restore the availability and access to personal data in the event of a physical
or technical incident.
4. A process for regularly testing, assessing, and evaluating the effectiveness of technical
and organizational measures for ensuring the security of data processing.
5. Personal data must be stored in a way that prevents unauthorized access. For
paper-based data, this involves secure storage and filing procedures, while electronically
processed data requires the use of a central authorization control system.
6. The method of storing data in electronic form should be chosen in such a way that data
can be deleted when required, including meeting any specific deletion deadlines. Deletion
should be irreversible.
7. Paper-based data should be disposed of using shredders or by engaging specialized
organizations in data destruction. For electronic data carriers, destruction should follow the
rules for electronic data carrier disposal, ensuring secure and irreversible deletion if
necessary.
8. The data controller shall implement the following specific data security measures:
For the security of paper-based personal data:
1. Documents should be stored in secure, lockable areas.
2. If personal data on paper is digitized, the rules applicable to digitally stored documents
must be followed.
3. Employees handling personal data must ensure that they lock away data carriers or lock
the room where data processing takes place before leaving.
4. Only authorized personnel can access personal data, and it should not be accessible by
third parties.
5. The facilities and premises of the data controller are equipped with fire protection and
security systems.
For Information Technology (IT) security:
1. Computers and mobile devices used in data processing are owned by the data controller.
2. The computer systems used for personal data processing are equipped with antivirus
protection.
3. Backups and archives are maintained for digitally stored data.
4. Access to the central server is restricted to authorized personnel with appropriate access
rights.
5. Access to computer data requires a username and password.
Notification of Data Subjects in the Event of a Data Breach
If a data breach is likely to result in a high risk to the rights and freedoms of natural persons,
the data controller shall inform the data subject without undue delay.
The notification to the data subject must be clear and easily understandable. It should
include the nature of the data breach, provide the name and contact details of the data
protection officer or other contact point, describe the likely consequences of the data breach,
and explain the measures taken or proposed by the data controller to address the breach
and mitigate any potential adverse effects.
The data subject does not need to be notified if any of the following conditions are met:
- The data controller has implemented appropriate technical and organizational protection
measures, such as encryption, to render the data unintelligible to unauthorized persons.
- Subsequent measures have been taken to ensure that the high risk to the data subject's
rights and freedoms is no longer likely to materialize.
- Notifying the data subject would involve a disproportionate effort. In such cases, alternative
communication methods, such as public announcements, should be used to inform data
subjects.
If the data controller has not already notified the data subject of the breach, the supervisory
authority, after considering whether the data breach is likely to result in a high risk, may order
the data controller to inform the data subject.
Reporting Data Breaches to the Authority
The data controller shall report a data breach to the competent supervisory authority without
undue delay and, where feasible, not later than 72 hours after becoming aware of it, unless
the data breach is unlikely to result in a risk to the rights and freedoms of natural persons. If
the notification is not made within 72 hours, it must be accompanied by the reasons for the
delay.
Mandatory Review for Compulsory Data Processing
In cases where the duration or periodic review of compulsory data processing is not defined
by law, local government regulations, or mandatory legal acts of the European Union, the
data controller shall conduct a review of data processing at least every three years from the
commencement of data processing or the last review, considering whether the processing of
personal data managed by the data controller or processed on behalf of or pursuant to a
mandate from the data controller is still necessary to achieve the purpose of data processing.
The results and circumstances of this review shall be documented by the data controller, and
this documentation shall be kept for ten years from the date of the review and submitted to
the National Authority for Data Protection and Freedom of Information (the Authority) at the
Authority's request.
Complaint Procedure
If the data subject believes that the data controller has violated their rights, they may file a
complaint with the National Authority for Data Protection and Freedom of Information:
National Authority for Data Protection and Freedom of Information
1055 Budapest, Falk Miksa utca 9-11.
Mailing address: 1363 Budapest, Pf. 9.
Phone: +36-1-391-1400
Fax: +36-1-391-1410
E-mail: ugyfelszolgalat@naih.hu
Closing Remarks
This information was prepared in compliance with the following regulations:
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016
on the protection of natural persons with regard to the processing of personal data and on
the free movement of such data, and repealing Directive 95/46/EC (General Data Protection
Regulation) (GDPR) (April 27, 2016).
- Act CXII of 2011 on Informational Self-Determination and Freedom of Information (Infotv.).
- Act C of 2003 on Electronic Communications (specifically Section 155).
- Other relevant laws and recommendations by the National Authority for Data Protection and
Freedom of Information.