PRIVACY POLICY

dr. Adrienn Fórizs

Introduction

Dr. Adrienn Fórizs (address: 116 Homoktövis Street, 2nd Floor, Door 12, 1048 Budapest, Tax ID: 41950005-1-51, company registration number: 58188460) (hereinafter referred to as the "Service Provider" or "Data Controller") adheres to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). The following information is provided in accordance with this regulation.

This privacy policy governs the data processing on the following websites/mobile

applications: https://www.zsabo.com

The privacy policy can be accessed at the following address:

http://www.zsabo.com/adatvedelem

Changes to the policy will become effective upon publication at the above address.

Data Controller and Contact Information

Name: Dr. Adrienn Fórizs

Registered Address: 116 Homoktövis Street, 2nd Floor, Door 12, 1048 Budapest

E-mail: info@zsabo.com

Phone: +36 30 524 1083

Definitions

1. "Personal data": any information relating to an identified or identifiable natural person

("data subject"); an identifiable natural person is one who can be identified, directly or

indirectly, in particular by reference to an identifier such as a name, an identification number,

location data, an online identifier, or one or more factors specific to the physical,

physiological, genetic, mental, economic, cultural, or social identity of that natural person.

2. "Processing": any operation or set of operations which is performed on personal data or on

sets of personal data, whether or not by automated means, such as collection, recording,

organization, structuring, storage, adaptation, alteration, retrieval, consultation, use,

disclosure by transmission, dissemination, or otherwise making available, alignment, or

combination, restriction, erasure, or destruction.

3. "Controller": the natural or legal person, public authority, agency, or other body which,

alone or jointly with others, determines the purposes and means of the processing of

personal data; where the purposes and means of such processing are determined by Union

or Member State law, the controller or the specific criteria for its nomination may be provided

for by Union or Member State law.

4. "Processor": a natural or legal person, public authority, agency, or other body which

processes personal data on behalf of the controller.

5. "Recipient": a natural or legal person, public authority, agency, or another body, to which

the personal data are disclosed, whether a third party or not. However, public authorities

which may receive personal data in the framework of a particular inquiry in accordance with

Union or Member State law shall not be regarded as recipients; the processing of those data

by those public authorities shall be in compliance with the applicable data protection rules

according to the purposes of the processing.

6. "Consent of the data subject": any freely given, specific, informed, and unambiguous

indication of the data subject's wishes by which he or she, by a statement or by a clear

affirmative action, signifies agreement to the processing of personal data relating to him or

her.

7. "Personal data breach": a breach of security leading to the accidental or unlawful

destruction, loss, alteration, unauthorized disclosure of, or access to, personal data

transmitted, stored, or otherwise processed.

Principles of Personal Data Processing

Personal data processing must adhere to the following principles:

1. Lawfulness, Fairness, and Transparency:

- Personal data must be processed lawfully, fairly, and in a transparent manner to the data

subject.

2. Purpose Limitation:

- Data collection should only occur for specified, explicit, and legitimate purposes, and data

should not be further processed in a manner that is incompatible with these purposes.

However, additional processing for archiving purposes in the public interest, scientific or

historical research purposes, or statistical purposes in accordance with Article 89(1) shall not

be considered incompatible with the initial purposes ("purpose limitation").

3. Data Minimization:

- Data should be adequate, relevant, and limited to what is necessary for the purposes for

which they are processed ("data minimization").

4. Accuracy:

- Data should be accurate and, where necessary, kept up to date. Appropriate measures

should be taken to ensure that inaccurate personal data are erased or rectified without delay

("accuracy").

5. Storage Limitation:

- Data should be kept in a form that permits identification of data subjects only for as long

as is necessary for the purposes for which the data are processed. Personal data may be

stored for longer periods if it is processed solely for archiving purposes in the public interest,

scientific or historical research purposes, or statistical purposes, subject to the

implementation of the appropriate technical and organizational measures required by this

Regulation in order to safeguard the rights and freedoms of the data subject ("limited

storage").

6. Integrity and Confidentiality:

- Personal data should be processed in a manner that ensures appropriate security,

including protection against unauthorized or unlawful processing, accidental loss,

destruction, or damage, using appropriate technical or organizational measures ("integrity

and confidentiality").

The data controller is responsible for ensuring compliance with these principles and must be

able to demonstrate such compliance ("accountability").

The data controller declares that data processing is carried out in accordance with the

principles outlined in this section.

Data Processing Related to Operating an Online Store/Using Services

1. Data Collection, Scope of Processed Data, and Purpose of Processing:

- Personal Data

- User Name: Identification and enabling registration. Legal basis: GDPR Article 6(1)(b)

and Act CXII of 2011, Section 13/A(3).

- Password: Ensuring secure access to the user account.

- First and Last Name: Necessary for communication, purchases, issuing invoices,

exercising the right of withdrawal.

- Email Address: Communication.

- Phone Number: Communication, efficient coordination regarding billing or delivery.

- Billing Name and Address: Issuing proper invoices, establishing, determining, modifying,

monitoring contract performance, invoicing fees, and enforcing related claims. Legal basis:

GDPR Article 6(1)(c) and Act C of 2000 on Accounting, Section 169(2).

- Shipping Name and Address: Enabling home delivery. Legal basis: GDPR Article 6(1)(b)

and Act CXII of 2011, Section 13/A(3).

- Date and Time of Purchase/Registration: Carrying out technical operations.

- IP Address at the Time of Purchase/Registration: Carrying out technical operations.

2. Data Subjects:

- All registered/purchasing individuals on the webshop website. Neither the username nor

the email address needs to contain personal data.

3. Data Retention Period and Deadline for Data Deletion:

- If any of the conditions in GDPR Article 17(1) are met, data will be retained until the data

subject's deletion request. The data controller will inform the data subject electronically in

accordance with GDPR Article 19. If the data subject's deletion request also covers the

provided email address, the data controller will delete the email address as well. Accounting

documents are an exception: Act C of 2000 on Accounting, Section 169(2), requires

the preservation of such data for 8 years. The data subject's contractual data may be deleted

upon the data subject's deletion request after the expiration of the statutory limitation period.

4. Identity of Authorized Data Processors and Recipients of Personal Data:

- Personal data may be processed by the data controller and duly authorized employees,

while respecting the above principles.

5. Explanation of Data Subjects' Rights Concerning Data Processing:

- Data subjects have the right to request access to, rectification, erasure, or restriction of

processing of their personal data.

- Data subjects have the right to data portability and the right to withdraw their consent at

any time.

6. Initiating Access, Deletion, Modification, or Restriction of Data Processing:

- Data subjects can initiate these requests:

- By post to 116 Homoktövis Street, 2nd Floor, Door 12, 1048 Budapest.

- By email to info@zsabo.com.

- By phone at +36 30 524 1083.

7. Legal Basis for Data Processing:

1. GDPR Article 6(1)(b) and (c).

2. Act CXII of 2011, Section 13/A(3).

3. Act C of 2000 on Accounting, Section 169(2).

4. Act V of 2013 (Civil Code of Hungary) Section 6:22.

8. Notice:

- Data processing is necessary for contract performance and providing quotations.

- You are obligated to provide personal data to fulfill your order.

- Failure to provide data will result in the inability to process your order.

Handling of Cookies

1. It is not necessary to obtain prior consent from the data subjects for the use of so-called

"password-protected session cookies", "shopping cart necessary cookies", "security

cookies", "Essential cookies", "Functional cookies", and "cookies responsible for website

statistics".

2. The fact of data processing, the scope of processed data: Unique identification numbers,

dates, timestamps.

3. Data subjects: All individuals visiting the website.

4. Purpose of data processing: User identification, tracking of visitors, ensuring personalized

functionality.

5. Duration of data processing, deadline for data deletion:

- Type of Cookie | Legal Basis for Data Processing | Duration of Data Processing

- Session cookies or other cookies essential for website operation | GDPR Article 6(1)(f) | Until the end of the relevant visitor session.

- Persistent or stored cookies | GDPR Article 6(1)(f) | Until deletion by the data subject or, in the case of cookies with a specific expiration date (persistent, stored), until their expiration date, whichever comes first.

- Statistical and marketing cookies | GDPR Article 6(1)(a) | 1 month to 2 years.

6. Possible data controllers who are authorized to access the data: The personal data can be

accessed by the data controller.

7. Description of data subjects' rights related to data processing: Data subjects have the

option to delete cookies in the browser's settings under the generally found Privacy settings

in the Tools/Settings menu.

8. Most browsers used by our users allow the customization of cookie settings, including

specifying which cookies to save and allowing the removal of (certain) cookies. If you restrict

the saving of cookies on specific websites or do not allow third-party cookies, it may, under

certain circumstances, result in our website not being fully functional. You can find

information on how to customize cookie settings for commonly used browsers here:

- Google Chrome (https://support.google.com/chrome/answer/95647?hl=en)

- Internet Explorer (https://support.microsoft.com/en-us/help/17442/windows-internet-explorer-delete-manage-cookies)

- Firefox (https://support.mozilla.org/en-US/kb/enable-and-disable-cookies-website-preferences)

- Safari (https://support.apple.com/guide/safari/manage-cookies-and-website-data-sfri11471/mac)

Application of Google Analytics

1. This website uses Google Analytics, a web analysis service provided by Google Inc.

("Google"). Google Analytics uses so-called "cookies", text files that are stored on your

computer and allow an analysis of your website usage.

2. Information created through cookies about your use of the website is usually transmitted to

and stored on a Google server in the United States. By activating IP anonymization on the

website, Google will shorten your IP address within the member states of the European

Union or other signatory states to the Agreement on the European Economic Area before

transmission.

3. Only in exceptional cases will the full IP address be transmitted to a Google server in the

United States and shortened there. On behalf of the operator of this website, Google will use

this information to evaluate your use of the website, compile reports on website activity, and

provide the website operator with other services related to website and internet usage.

4. The IP address transmitted by your browser as part of Google Analytics will not be merged

with other Google data. You can prevent the storage of cookies by adjusting your browser

software accordingly; however, please note that in this case, you may not be able to use all

functions of this website to their full extent. You can also prevent Google from collecting and

processing the data generated by cookies related to your website usage (including your IP

address) by downloading and installing the browser plugin available at the following link:

https://tools.google.com/dlpage/gaoptout?hl=en

Newsletter and Direct Marketing Activities

1. In accordance with Section 6 of Act XLVIII of 2008 on the basic conditions and certain

restrictions of economic advertising activities, the User may give prior and express consent

for the Service Provider to contact them with advertising offers and other materials via the

contact information provided during registration.

2. Furthermore, the Customer, while adhering to the provisions of this notice, may consent to

the processing of their personal data necessary for sending advertising offers by the Service

Provider.

3. The Service Provider does not send unsolicited advertising messages, and the User can

unsubscribe from the offers without restriction or justification, free of charge. In this case, the

Service Provider deletes all personal data necessary for sending advertising messages from

its records and does not contact the User with further advertising offers. The User can

unsubscribe from advertisements by clicking on the link in the message.

4. The fact of data collection, the scope of processed data, and the purpose of data

processing:

Personal Data | Purpose of Data Processing | Legal Basis

Name, email address | Identification, enabling subscription to newsletters/promotional coupons | Consent of the data subject, Article 6(1)(a) GDPR, Section 6(5) of Act XLVIII of 2008 on the basic conditions and certain restrictions of economic advertising activities.

Date of subscription | Execution of a technical operation.

IP address at the time of subscription | Execution of a technical operation.

5. Data subjects: All individuals subscribing to the newsletter.

6. Purpose of data processing: Sending electronic messages containing advertisements

(email, SMS, push messages) to the data subject, providing information about current news,

products, promotions, new features, etc.

7. Duration of data processing, deadline for data deletion: Until the withdrawal of consent,

i.e., unsubscribing from the newsletter.

8. Possible data controllers who are authorized to access the data, recipients of personal

data: The data controller and its sales and marketing employees may process personal data

while adhering to the above principles.

9. Description of data subjects' rights related to data processing:

- The data subject may request access to their personal data, its correction, deletion, or

restriction.

- The data subject has the right to object to the processing of their personal data.

- The data subject has the right to data portability.

- The data subject has the right to withdraw consent at any time.

10. The data subject can initiate access to their personal data, its deletion, modification, or

restriction, data portability, or objection in the following ways:

- By mail at 1048 Budapest, Homoktövis utca 116, 2nd floor, door 12, Hungary.

- By email at info@zsabo.com.

- By phone at +36 30 524 1083.

11. The data subject can unsubscribe from the newsletter at any time, free of charge.

12. Please note:

- Data processing is based on your consent and the legitimate interest of the service

provider.

- You are required to provide your personal data if you wish to receive newsletters from us.

- Failure to provide data will result in us being unable to send newsletters to you.

- You can withdraw your consent at any time by unsubscribing.

- The withdrawal of consent does not affect the legality of data processing prior to the

withdrawal.

Complaint Handling

1. The fact of data collection, the scope of processed data, and the purpose of data

processing:

Personal Data | Purpose of Data Processing | Legal Basis

First and last name | Identification, contact.

Email address | Contact.

Phone number | Contact.

Billing name and address | Identification, handling of quality complaints, questions, and issues related to ordered products/services.

2. Data subjects: All customers who make purchases on the website and raise quality

complaints or file complaints.

3. Duration of data processing, deadline for data deletion: According to Section 17/A(7) of

Act CLV of 1997 on consumer protection, records and transcripts of complaints and

responses must be kept for 3 years.

4. Possible data controllers who are authorized to access the data, recipients of personal

data: The data controller and its authorized employees may process personal data while

adhering to the above principles.

5. Description of data subjects' rights related to data processing:

- The data subject may request access to their personal data, its correction, deletion, or

restriction.

- The data subject has the right to data portability.

- The data subject has the right to withdraw consent at any time.

6. The data subject can initiate access to their personal data, its deletion, modification, or

restriction, data portability, or objection in the following ways:

- By mail at 1048 Budapest, Homoktövis utca 116, 2nd floor, door 12, Hungary.

- By e-mail at info@zsabo.com.

- By phone at +36 30 524 1083.

7. Please note:

- Providing personal data is based on a legal obligation.

- The processing of personal data is a prerequisite for entering into a contract.

- You are required to provide personal data for us to handle your complaint.

- Failure to provide data will result in us being unable to process your complaint.

Recipients of Personal Data

"Recipient": Any natural or legal person, public authority, agency, or other body to whom or

which the personal data is disclosed, whether a third party or not.

1. Data Processors (those who process data on behalf of the Data Controller)

The Data Controller engages Data Processors for the purpose of supporting its own data

processing activities and to fulfill obligations required by contracts or laws.

The Data Controller places great emphasis on engaging only those Data Processors who

provide adequate guarantees for compliance with the requirements of data processing as

defined in the GDPR and for ensuring the protection of data subjects' rights through

appropriate technical and organizational measures.

Data Processors and any persons with access to personal data, operating under the

direction of the Data Controller or Data Processor, process personal data exclusively in

accordance with the instructions of the Data Controller.

The Data Processor is legally responsible for its activities concerning data processing. The

Data Processor is only liable for damages arising from data processing if it fails to comply

with the specific obligations imposed on Data Processors by the GDPR or if it disregards

lawful instructions from the Data Controller or acts contrary to them.

The Data Processor does not make substantive decisions regarding the processing of

data.

For ensuring IT infrastructure, the Data Controller may engage a hosting service provider,

and for delivering ordered products, a courier service provider, as Data Processors.

2. Some Data Processors

Data Processing Activity | Name, Address, Contact

Hosting Service | Webnode AG, Address: Badenerstrasse 47, CH-8004 Zurich, Switzerland, E-mail: info@webnode.com

Other Data Processor (e.g., online invoicing, web development, marketing) | Billingo Technologies Ltd., Address: 1133 Budapest, Árbóc utca 6., 1st floor, E-mail: hello@billingo.hu

"Third Party": Any natural or legal person, public authority, agency, or any other body other

than the data subject, the Data Controller, Data Processor, and persons who, under the

direct authority of the Data Controller or Data Processor, are authorized to process personal

data.

3. Data Transfer to Third Parties

Third-party Data Controllers process the disclosed personal data under their own name

and in accordance with their own privacy policies.

Data Processing Activity | Name, Address, Contact

Transportation | GLS General Logistics Systems Hungary Ltd., Address: 2351 Alsónémedi, GLS Európa u. 2., Phone: +36 29 88 67 00, E-mail: info@gls-hungary.com; MPL Hungarian Postal Logistics Ltd., Address: 1138 Budapest, Dunavirág utca 2-6., E-mail: ugyfelszolgalat@posta.hu, Phone: (06-1) 767-82-82, General Terms and Conditions: https://www.posta.hu/general_terms_and_conditions, Privacy Policy: https://www.posta.hu/static/internet/download/PRIVACY_NOTICE_MAGYAR_POSTA_ZRT.pdf

Online Payment | PayPal (Europe) S.à r.l. et Cie, S.C.A., Address: 22–24 Boulevard Royal, L-2449 Luxembourg, E-mail: enquiry@paypal.com; Stripe, Address: 354 Oyster Point Boulevard, San Francisco, California, 94103, E-mail: info@stripe.com

Social Media

1. Data Collection, Scope of Processed Data: Names and publicly available profile pictures of

individuals registered on social media platforms such as

Meta/Twitter/Pinterest/YouTube/Instagram, who have "liked" the Service Provider's social

media page or interacted with the Data Controller through these platforms.

2. Data Subjects: All individuals who have registered on social media platforms like

Meta/Twitter/Pinterest/YouTube/Instagram and have "liked" the Service Provider's social

media page or interacted with the Data Controller through these platforms.

3. Purpose of Data Collection: Sharing, "liking", following, and promoting certain content

elements, products, promotions, or the website itself on social media platforms.

4. Duration of Data Processing, Deadline for Data Deletion, Authorized Data Processors, and

Explanation of Data Subjects' Rights related to Data Processing: The source, handling,

mode, legal basis, duration, and the possibilities of deleting and modifying data are

determined by the respective social media platform's regulations, as data processing takes

place on these platforms.

5. Legal Basis for Data Processing: The data subject's voluntary consent to the processing of

their personal data on social media platforms.

Customer Relations and Other Data Processing

1. If questions arise or issues occur during the use of the Data Controller's services, the data

subject can contact the Data Controller through the methods provided on the website (phone,

email, social media, etc.).

2. The Data Controller deletes emails, messages, phone records, and other data provided by

the data subject within two years, along with the data subject's name, email address, and

other voluntarily provided personal data.

3. Information about data processing not listed in this notice will be provided when the data is

collected.

4. In case of exceptional authority requests or requests from other authorities based on legal

authorization, the Service Provider is obliged to provide information, disclose data, or make

documents available. In these cases, the Service Provider will only release personal data to

the extent necessary to achieve the purpose of the request, provided that the requester

specifies the exact purpose and scope of the data.

The Rights of Data Subjects

1. Right to access

You have the right to receive confirmation from the data controller as to whether or not

personal data concerning you is being processed, and if so, you have the right to access

your personal data and certain information listed in the regulation.

2. Right to rectification

You have the right to request the data controller to correct inaccurate personal data

concerning you without undue delay. Considering the purposes of the data processing, you

also have the right to request the completion of incomplete personal data, including by

means of providing a supplementary statement.

3. Right to erasure

You have the right to request the data controller to erase personal data concerning you

without undue delay, and the data controller is obliged to erase personal data under certain

conditions.

4. Right to be forgotten

If the data controller has made the personal data public and is obliged to erase it, they must

take reasonable steps, including technical measures, to inform other data controllers

processing the personal data that you have requested the erasure of any links to or copies or

replications of that personal data.

5. Right to restriction of processing

You have the right to request the data controller to restrict the processing of your personal

data under certain conditions:

- If you contest the accuracy of your personal data, the restriction will be for a period enabling

the data controller to verify the accuracy of the personal data.

- If the processing is unlawful, and you oppose the erasure of the personal data and request

the restriction of its use instead.

- If the data controller no longer needs the personal data for the purposes of the processing

but you require them for the establishment, exercise, or defense of legal claims.

- If you have objected to processing pending the verification of whether the legitimate

grounds of the data controller override your grounds.

6. Right to data portability

You have the right to receive your personal data, which you have provided to a data

controller, in a structured, commonly used, and machine-readable format and have the right

to transmit those data to another data controller without hindrance.

7. Right to object

In cases where personal data is processed for reasons of legitimate interests pursued by the

data controller or for public authority tasks, including profiling, you have the right to object to

the processing on grounds relating to your particular situation. The data controller must then

no longer process the personal data unless they demonstrate compelling legitimate grounds

for the processing which override your interests, rights, and freedoms or for the

establishment, exercise, or defense of legal claims.

8. Right to object to direct marketing

If personal data is processed for direct marketing purposes, you have the right to object at

any time to the processing of your personal data for such marketing, including profiling to the

extent that it is related to such direct marketing. If you object to processing for direct

marketing purposes, your personal data may no longer be processed for such purposes.

9. Automated individual decision-making, including profiling

You have the right not to be subject to a decision based solely on automated processing,

including profiling, which produces legal effects concerning you or similarly significantly

affects you. This does not apply if the decision:

- Is necessary for entering into, or the performance of, a contract between you and the data

controller.

- Is authorized by Union or Member State law to which the data controller is subject and

which also lays down suitable measures to safeguard your rights and freedoms and

legitimate interests.

- Is based on your explicit consent.

Data Security

The data controller and data processor shall implement appropriate technical and

organizational measures, taking into account the state of the art, the costs of implementation,

the nature, scope, context, and purposes of processing, as well as the varying likelihood and

severity of risks to the rights and freedoms of natural persons, to ensure a level of security

appropriate to the risk. This includes, among other things:

1. Pseudonymization and encryption of personal data.

2. Ensuring the ongoing confidentiality, integrity, availability, and resilience of systems and

services used for personal data processing.

3. The ability to restore the availability and access to personal data in the event of a physical

or technical incident.

4. A process for regularly testing, assessing, and evaluating the effectiveness of technical

and organizational measures for ensuring the security of data processing.

5. Personal data must be stored in a way that prevents unauthorized access. For paper-based data, this involves secure storage and filing procedures, while electronically processed data requires the use of a central authorization control system.

6. The method of storing data in electronic form should be chosen in such a way that data

can be deleted when required, including meeting any specific deletion deadlines. Deletion

should be irreversible.

7. Paper-based data should be disposed of using shredders or by engaging specialized

organizations in data destruction. For electronic data carriers, destruction should follow the

rules for electronic data carrier disposal, ensuring secure and irreversible deletion if

necessary.

8. The data controller shall implement the following specific data security measures:

For the security of paper-based personal data:

1. Documents should be stored in secure, lockable areas.

2. If personal data on paper is digitized, the rules applicable to digitally stored documents

must be followed.

3. Employees handling personal data must ensure that they lock away data carriers or lock

the room where data processing takes place before leaving.

4. Only authorized personnel can access personal data, and it should not be accessible by

third parties.

5. The facilities and premises of the data controller are equipped with fire protection and

security systems.

For Information Technology (IT) security:

1. Computers and mobile devices used in data processing are owned by the data controller.

2. The computer systems used for personal data processing are equipped with antivirus

protection.

3. Backups and archives are maintained for digitally stored data.

4. Access to the central server is restricted to authorized personnel with appropriate access

rights.

5. Access to computer data requires a username and password.

Notification of Data Subjects in the Event of a Data Breach

If a data breach is likely to result in a high risk to the rights and freedoms of natural persons,

the data controller shall inform the data subject without undue delay.

The notification to the data subject must be clear and easily understandable. It should

include the nature of the data breach, provide the name and contact details of the data

protection officer or other contact point, describe the likely consequences of the data breach,

and explain the measures taken or proposed by the data controller to address the breach

and mitigate any potential adverse effects.

The data subject does not need to be notified if any of the following conditions are met:

- The data controller has implemented appropriate technical and organizational protection

measures, such as encryption, to render the data unintelligible to unauthorized persons.

- Subsequent measures have been taken to ensure that the high risk to the data subject's

rights and freedoms is no longer likely to materialize.

- Notifying the data subject would involve a disproportionate effort. In such cases, alternative

communication methods, such as public announcements, should be used to inform data

subjects.

If the data controller has not already notified the data subject of the breach, the supervisory

authority, after considering whether the data breach is likely to result in a high risk, may order

the data controller to inform the data subject.

Reporting Data Breaches to the Authority

The data controller shall report a data breach to the competent supervisory authority without

undue delay and, where feasible, not later than 72 hours after becoming aware of it, unless

the data breach is unlikely to result in a risk to the rights and freedoms of natural persons. If

the notification is not made within 72 hours, it must be accompanied by the reasons for the

delay.

Mandatory Review for Compulsory Data Processing

In cases where the duration or periodic review of compulsory data processing is not defined

by law, local government regulations, or mandatory legal acts of the European Union, the

data controller shall conduct a review of data processing at least every three years from the

commencement of data processing or the last review, considering whether the processing of

personal data managed by the data controller or processed on behalf of or pursuant to a

mandate from the data controller is still necessary to achieve the purpose of data processing.

The results and circumstances of this review shall be documented by the data controller, and

this documentation shall be kept for ten years from the date of the review and submitted to

the National Authority for Data Protection and Freedom of Information (the Authority) at the

Authority's request.

Complaint Procedure

If the data subject believes that the data controller has violated their rights, they may file a

complaint with the National Authority for Data Protection and Freedom of Information:

National Authority for Data Protection and Freedom of Information

1055 Budapest, Falk Miksa utca 9-11.

Mailing address: 1363 Budapest, Pf. 9.

Phone: +36-1-391-1400

Fax: +36-1-391-1410

E-mail: ugyfelszolgalat@naih.hu

Closing Remarks

This information was prepared in compliance with the following regulations:

- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016

on the protection of natural persons with regard to the processing of personal data and on

the free movement of such data, and repealing Directive 95/46/EC (General Data Protection

Regulation) (GDPR) (April 27, 2016).

- Act CXII of 2011 on Informational Self-Determination and Freedom of Information (Infotv.).

- Act C of 2003 on Electronic Communications (specifically Section 155).

- Other relevant laws and recommendations by the National Authority for Data Protection and

Freedom of Information.