Privacy Policy

      Privacy Statement

      REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on
      the protection of natural persons with regard to the processing of personal data and on the free
      movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as ‘GDPR’)
      provides that the controller shall take appropriate measures to provide any information and any
      communication relating to processing of personal data to the data subject in a concise, transparent,
      intelligible and easily accessible form, using clear and plain language, and that the controller shall
      facilitate the exercise of data subject rights.
      The right of the data subject to prior information is also provided for by Act CXII of 2011 on the right to
      informational self-determination and on the freedom of information (hereinafter referred to as
      ‘Infotv.’).
      By providing the information below we fulfil these legal obligations.
      This statement shall be published on the company's website or shall be sent to the data subject at their
      request. Personal data shall only be collected and processed in accordance with the law.
      Data storage shall be as secure as possible.
      Personal data shall be transmitted to third parties only upon consent.
      Should you need information on your personal data stored by us, you may send us a written request to
      hello@teodoraphotography.com
      You may request your personal data to be deleted at hello@teodoraphotography.com.
      Name of the Data Controller
      Name: Teodóra Simon, self-employed (hereinafter referred to as: Service Provider or Data Controller)
      Contact person: Teodóra Simon
      Registered address: Madách street 17. Vonyarcvashegy, Hungary, 8314
      Tax number: 66615811-1-40
      Community tax number: HU66615811
      Registration number: 36679888
      Email: hello@teodoraphotography.com
      Website: www.teodoraphotography.com
      ‘Processor’ means a natural or legal person, public authority, agency or other body which processes
      personal data on behalf of the controller (GDPR, Article 4(8)). No prior consent is needed from the
      data subject for the use of a processor, however the data subject shall be informed. Accordingly, the
      following information is hereby provided:

      The IT provider of the Data Controller
      The Data Controller relies on an external service provider to maintain and manage her website. This
      external service provider provides IT services (hosting, operation of the web-store interface), in the
      framework of which it processes personal data entered on the website, for the duration of our contract
      with them. Operation carried out by the IT provider: storing personal data on the server.
      Name of the Processor:
      Company name: Net-tech Consulting Liability Company
      Tax number: 13414300-2-43
      Community tax number: HU13414300
      Email: ufsz@domainadminisztracio.hu
      Seat/Head office: Kisfaludy street 16. 6/18., Budapest, Hungary, 1191
      Privacy statement (in Hungarian): https://www.domainadminisztracio.hu/Adatvedelmi-Szabalyzat
      Names of other potential processors when using the website www.katamorocz.com
      – WordPress.com Automattic Inc. 60 29th Street #343 San Francisco, CA 94110 USA,
      telephone: 1-877-273-3049 www.wordpress.com GDPR: https://automattic.com/privacy/
      – Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.
      www.googleanalytics.com GDPR:
      https://analytics.google.com/analytics/web/provision/#/provision
      – Facebook Inc., 1 Hacker Way, Menlo Park, California 94025, USA, telephone: +1 650-543-4800.
      www.facebook.com GDPR: http://www.facebook.com/legal/terms?ref=pf,
      http://www.facebook.com/about/privacy/
      – Instagram: www.instagram.com GDPR: https://help.instagram.com/519522125107875
      The Service Provider as Data Controller hereby informs visitors of her
      website www.teodoraphotography.com about personal data processed in connection with the operation
      of the website and its services, the identity of data controller(s) and their details, guiding principles
      and practices for the processing of personal data, transmission of data, organizational and technical
      measures taken to protect personal data, as well as the way and possibilities for data subjects to
      exercise their rights.
      Section 20(1) of Act CXII of 2011 on the right to informational self-determination and on the freedom
      of information provides that the data subject (hereinafter: user) shall be informed prior to the start of
      the processing of data that this processing is either consent-based or mandatory.
      The data subject shall receive information, prior to the start of processing, on all relevant facts
      connected to the processing, in particular the purpose and legal basis of data processing, the person
      entitled to data processing and data control, as well as the duration of data processing.
      Under Section 6(1) of Infotv. the data subject shall be informed that personal data may be processed
      even if it is impossible to obtain the consent of the data subject or if it would cause disproportionate costs,
      and the processing of personal data is necessary to
      – fulfil a legal obligation applicable to the data controller, or
      – enforce a legitimate interest of the data controller or a third party, and the enforcement of this
      interest is proportionate to the restriction of the right to the protection of personal data.
      The information shall include the rights of the data subject related to data processing and legal
      remedies available.
      If it is impossible to directly inform the data subject or if it would entail disproportionate costs (such as on
      the website, in this case), information may be provided also by publishing the following information:
      a) the fact of data collection,
      b) the group of data subjects,
      c) the purpose of data collection,
      d) the duration of data processing,
      e) the identity of potential data controllers entitled to have access to these data,
      f) description of the rights of data subjects related to data processing and legal remedies
      available, and
      g) if the data protection registration of data processing has a location, the registration number
      of data processing.
      This privacy statement regulates the data processing of the following
      website: www.teodoraphotography.com
      The amendments to this statement will enter into force by being published at the above address.
      Interpretative provisions
      1. data subject/user: any specified natural person identified or identifiable directly or indirectly
      by personal data;
      2. personal data: any information relating to a data subject, in particular the name and
      identification number of the data subject, as well as one or more factors specific to their
      physical, physiological, mental, economic, cultural or social identity, and conclusions relating
      to that data subject that can be drawn from the data in question;
      3. sensitive data:
      a) personal data revealing racial or ethnic origin, political opinion or party affiliation, religion
      or belief, trade union membership, sexual life,
      b) personal data revealing health status or addictions, as well as criminal personal data;
      4. consent: any freely given, specific, informed and unambiguous indication of the data subject's
      wishes, by which they, by a statement or a clear affirmative action, signify agreement to the
      processing of personal data relating to them;
      5. objection: a statement made by the data subject objecting to the processing of their personal data
      and requesting the termination of data processing, or the deletion of data processed;
      6. data controller: a natural or legal person, or an organisation having no legal personality which,
      alone or jointly with others, determines the purposes of the processing of personal data; makes
      and implements decisions relating to the processing of data (including the tools used), or
      entrusts a data processor to implement such decisions for them;
      7. processing: any operation or set of operations that is performed on data, regardless of the
      procedure applied; in particular collecting, recording, registering, organising, storing,
      modifying, using, retrieving, transferring, disclosing, synchronising or connecting, blocking,
      erasing and destroying the data, as well as preventing their further use; taking photos and
      making audio or visual recordings, as well as registering physical characteristics suitable for
      personal identification (such as fingerprints or palm prints, DNA samples and iris scans);
      8. data transfer: providing access to the data for a designated third party;
      9. disclosure: making the data accessible to anyone;
      10. data erasure: making the data unrecognisable in such a way that its restoration is no longer
      possible;
      11. data identification: assigning identifiers to data with the purpose of distinguishing them;
      12. data blocking: assigning an identifier to the data with the purpose of limiting their further
      processing permanently or for a fixed term;
      13. data destruction: the complete physical destruction of the data medium that contains the data;
      14. data control: performing technical tasks in connection with data processing activities,
      regardless of the methods and tools used for executing the operations, or the location where
      they are performed, provided that such technical tasks are performed on data;
      15. processor: a natural or legal person, or an organisation having no legal personality which
      processes personal data under an agreement concluded with the controller, including contracts
      as provided by the relevant legislation;
      16. data source: the organ performing public duties, which generated the data of public interest
      that is to be published through electronic means, or during the operations of which such data
      was generated;
      17. data publisher: the organ performing public duties which, if the data source itself does not
      publish the data, uploads the data sent to it by the data source to a website;
      18. dataset: all data processed in a single registry;
      19. third party: a natural or legal person, or an organisation having no legal personality, other than
      the data subject, controller, processor and the persons who, under the direct authority of the
      controller or processor, carry out operations aimed at processing personal data.
      I. Legal basis of data processing
      1. Personal data may be processed if
      – the data subject has given their consent, or
      – it is prescribed in an Act or, based on the authorisation of an Act, within the limits set forth
      therein, in a local government decree for purposes in the public interest.
      2. Personal data may be processed also if it is impossible to obtain the consent of the data subject
      or it would cause disproportionate costs, and processing of personal data is necessary to
      a) fulfil a legal obligation applicable to the data controller, or
      b) enforce a legitimate interest of the data controller or a third party, and the enforcement of
      this interest is proportionate to the restriction of the right to the protection of personal data.
      3. If the data subject is unable to give consent due to incapacity or any other unavertable reason,
      then the personal data of the data subject may be processed during the existence of
      circumstances beyond their control that prevent them from giving consent, to the extent that is
      necessary to protect an interest which is essential for the data subject's or another person's vital
      interests, including physical integrity or life.
      4. The legal statement of a minor over 16 years of age containing their consent shall be valid
      without the consent or subsequent approval of their legal representative.
      5. If the purpose of data processing based on consent is the performance of a contract concluded
      with the data controller in writing, such contract shall contain all the information that the data
      subject should be aware of during the processing of personal data, such as, in particular, the
      personal data to be processed, the duration of processing, the purpose of use, the fact and the
      recipients of data transmission, and the fact of using a data processor. The contract shall
      contain in an unambiguous manner that by signing the contract, the data subject gives their
      consent to the processing of their personal data pursuant to the terms and conditions of the
      contract.
      6. If the recording of personal data takes place upon consent by the data subject, unless otherwise
      provided for by the law, the data controller shall process the recorded data to
      – fulfil a legal obligation applicable to the data controller, or
      – enforce a legitimate interest of the data controller or a third party, if the enforcement of this
      interest is proportionate to the restriction of the right to the protection of personal data.
      Article 13/A (1) of Act CVIII of 2001 on certain aspects of electronic commerce and
      information society services:
      ‘The service provider may – for the purpose of providing the service – process personal data
      indispensable for providing the service for technical reasons. Should other conditions be
      identical, the service provider shall select and operate the means applied in the course of
      providing information society service at all times, so that personal data be processed only if it
      is absolutely indispensable for providing the service or achieving other objectives stipulated in
      this Act, and only to the required extent and duration.’
      II. Purpose limitation of data processing
      1. Personal data shall be processed only for clearly specified purposes, in order to exercise
      certain rights and fulfil obligations. The purpose of processing shall be met in all stages of
      processing; data shall be collected and processed fairly and lawfully.
      2. Only personal data that is essential and suitable for achieving the purpose of processing may
      be processed. Personal data may be processed only to the extent and for the period of time
      necessary to achieve its purpose.
      3. The visitor of the website is entitled to be informed of personal data breaches if they are likely
      to present a high risk to their rights and freedoms. A personal data breach occurs when
      personal data is lost, destroyed or accessed by unauthorised persons. Personal data breaches
      shall be reported to the data protection authority within 72 hours. If the data processor is
      informed of such a data protection breach, they are obliged to report this to the owners of the
      webstore (data controllers).
      III. Other principles of data processing
      In the course of processing, data shall retain their personal character as long as their connection with
      the data subject can be restored. The connection with the data subject shall, in particular, be considered
      restorable if the controller is in possession of the technical means necessary for the restoration.
      The accuracy and completeness, and, if deemed necessary with respect to the purpose of the
      processing, the up-to-date status of the data shall be ensured throughout the processing; the
      identification of the data subject shall be possible for no longer than necessary for the purpose of the
      processing.

      IV. Functional data processing
      Pursuant to Section 20(1) of Act CXII of 2011 on the right to informational self-determination and on
      the freedom of information the following shall be determined within the operation of the functionality
      of the website:
      a) the fact of data collection,
      b) the group of data subjects,
      c) the purpose of data collection,
      d) the duration of data processing,
      e) the identity of potential data controllers entitled to have access to these data,
      f) description of the rights of data subjects related to data processing.
      1. The fact of data collection, set of data processed: last name and first name, email address,
      phone number, secondary phone number
      2. Group of data subjects: All users sending a message via the website shall be considered as
      data subjects.
      3. The purpose of data collection: The Service Provider shall process the personal data of Users
      in order to ensure fully fledged use of the website and to contact Users.
      4. Duration of data processing, deadline for the erasure of personal data: Immediately after the
      execution of the order, except in the case of accounting documents, as Section 169(2) of Act C
      of 2000 on accounting provides that these data shall be retained for 8 years.
      The accounting documents underlying the accounting records directly or indirectly (including ledger
      accounts, analytical records and registers) shall be retained for a minimum of eight years, and shall be legible
      and retrievable by means of the code of reference indicated in the accounting records.
      5. The identity of potential data controllers entitled to have access to these data: Personal data
      can be processed by the data controller, in compliance with the above principles.
      6. Description of the rights of data subjects related to data processing: Erasure or modification of
      personal data may be requested by the data subject in the following ways:
      – by ordinary mail sent to Madách street 17. Vonyarcvashegy, Hungary, 8314
      – by email sent to hello@teodoraphotography.com
      Legal basis of data processing: the User's consent, Section 5(1) of Infotv., as well as Article 13/A(3) of
      Act CVIII of 2001 on certain aspects of electronic commerce and information society services
      (hereinafter referred to as ‘Elker tv.’):
      The service provider may – for the purpose of providing the service – process personal data
      indispensable for providing the service for technical reasons. Should other conditions be identical, the
      service provider shall select and operate the means applied in the course of providing information
      society service at all times, so that personal data be processed only if it is absolutely indispensable for
      providing the service or achieving other objectives stipulated in this Act, and only to the required
      extent and duration.

      V. Principles relating to functional data processing (Elker tv. Article 13/A)
      1. For the purpose of billing the charges arising under the contract for the information society
      service, the service provider may process data related to the use of such service, such as
      identification data of a natural person, address, as well as the data regarding the time, duration
      and place of using the service.
      2. The service provider may – for the purpose of providing the service – process personal data
      indispensable for providing the service for technical reasons. Should other conditions be
      identical, the service provider shall select and operate the means applied in the course of
      providing information society service at all times, so that personal data be processed only if it
      is absolutely indispensable for providing the service or achieving other objectives stipulated in
      Elker tv., and only to the required extent and duration.
      3. The service provider may process data related to the use of the service for any other purposes
      – thus, in particular, for the purposes of enhancing the efficiency of the service, forwarding of
      electronic advertisements or other direct communications addressed to the recipient of the
      service, or market surveys – only with the prior specification of the purpose of data processing
      and subject to the consent of the recipient of the service.
      4. Recipient of the services shall be allowed, at all times, prior to and during the course of using
      the information society service to prohibit the data processing.
      5. Data processed shall be deleted if the contract is not concluded, is terminated and after the
      billing. Data processed shall be deleted if the purpose of data processing has ceased or upon
      the instruction of the recipient of the service to this effect. Unless provided otherwise by the
      law, deletion of the data shall take place without delay.
      6. The service provider shall ensure that the recipient of the service of the information society
      service may, at any time prior to and in the course of using the service, get acquainted with the
      types of data processed by the service provider and the objective of processing such data,
      including the processing of data directly not associated with the recipient of the service.
      VI. Managing cookies
      The current cookie policy contains the terms applicable to the use of the website operated by
      www.teodoraphotography.com as service provider (‘Service Provider’). When designing this website
      the rules applicable to the further use of cookies were observed. As regards this use, we observed the
      following rules and use cookies accordingly:
      Act C of 2003 on Electronic Communications
      Act CVIII of 2001 on certain issues of electronic commerce services and information society services
      Act CXII of 2011 on the right of informational self-determination and the freedom of information
      Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the
      processing of personal data and the protection of privacy in the electronic communications sector
      (Directive on privacy and electronic communications)
      Please read the document carefully and use my services only if you agree with all the terms herein and
      accept them as binding to you as a User. Please note that this cookie policy applies only to cookie
      management on this specific Website. If you click on a link on this website that directs you to another
      website, please find and read the cookie policy of that particular website too.
      What is a cookie?
      Cookies are little text files or pieces of information which are saved by your browser from our website
      and stored on your computer. Next time you visit our website these cookies help the server computer
      that stores the materials of our website to recognize that you have already visited our website.
      The default setting of the majority of browsers is to accept cookies. If you prefer, you can change your
      settings so that your browser refuses cookies or alerts you that cookies have been sent to your
      computer. Our website uses such cookies in order to ensure certain functions or for reasons of
      convenience. The cookies we use won’t load, slow down or cause harm to your computer.
      The website also uses third-party cookies. Cookies can be deleted or disabled in your browser.
      You will find information about such settings on the official website of
      your browser.
      What is the purpose of cookies?
      These technologies can be used for a variety of purposes, such as to display the most relevant content
      or advertisement for the User; for the development of our products and services; as well as to
      preserve the security of our services. The precise names of cookies, pixels and other similar
      technologies may change from time to time with the development and upgrading of services.
      How are cookies generated?
      First, the client computer sends a request towards the server. The server then creates a unique ID and
      stores it in its own database, then sends back the cookie, together with all the information, to the client.
      The information cookie is then stored on the client computer.
      How are cookies used?
      When the client computer once again contacts the server, the previously generated and stored cookie
      will be attached to it. The server will compare the contents of the received and of the stored cookie.
      Thus it can easily identify e.g. a registered user.
      What type of cookies do we use?
      A variety of cookies are used, but each website uses different types of cookies. Our website usually
      uses only the following types, but new types may be added during upgrades.
      Session/Temporary cookies:
      These cookies are stored in the temporary memory as long as the user navigates the website. When the
      user closes the browser, the cookie will be deleted. These cookies do not contain any personal data,
      and are not suitable to identify the visitor.

      Stored/Persistent cookies:
      These are the cookies that will be used every time the user visits the website. Based on the type of
      cookies, they can be used for the following purposes:
      Analytics:
      It tracks your movements around the site, what products you've looked at, what you’ve been doing.
      This cookie will remain on the client computer depending on its lifetime. It can be used by functions
      such as Google Analytics or YouTube. These cookies do not contain any personal data, and are not
      suitable to identify the visitor.
      Social networks:
      Allows easy access to social media networks and sharing your views and information on our products
      with others. It can be used by third-party functions such as Facebook, Twitter, Google+, Pinterest or
      YouTube. These cookies may contain personal data, and are suitable to identify the visitor.
      Media:
      These cookies are used to view videos on the website. They can be used by third-party functions such
      as YouTube. These cookies do not contain any personal data, and are not suitable to identify the visitor.
      Functional:
      It shows whether the user has already visited this site and if so, on what device. It notes the user name,
      password, language selection, location information. These cookies may contain personal data, and are
      suitable to identify the visitor.
      Advertising:
      With the help of these cookies I can send targeted information and newsletters to the users. These
      cookies may contain personal data, and are suitable to identify the visitor.
      For further information on cookies, their types and full functionalities visit www.allaboutcookies.org.
      How are cookies managed?
      In a variety of ways, but the client has the option to adapt the settings of their browser in order to
      manage cookies. Generally speaking, browser settings can be as follows:
      Accept all cookies
      Reject all cookies
      Request notification on each cookie use

      As for cookie settings, it’s worth looking into the Options or Settings menu of your browser, or checking
      the Help menu. The following websites provide assistance in relation to the settings of the most
      commonly used browsers.
      Internet Explorer
      Firefox
      Chrome
      Please note that this website has been generated with cookie management. If the client partially or
      completely blocks the use of cookies, that may hinder the operation of the website. In that case, there
      may be functions and services that the user won’t be able to use, either partially or in their entirety.
      We use cookies even if the User has no registered account with us or if they’ve signed out of their
      account. For example, if the User has logged out of their account, we use cookies to facilitate the
      following:
      – identify and disable the accounts of spammers
      – restore account, in case of lost access
      – provide additional security features such as log-in notifications and log-in approvals
      – prevent the registration of minors with fake dates of birth
      – display, select, evaluate, measure and interpret advertisements displayed on the website and elsewhere
      (including advertisements displayed by or on behalf of partner enterprises and other partners)
      – compile analytical information about persons who come into contact with our services, and the
      websites of our advertisers and partners.
      In order to protect our services and our users against malicious activities we place cookies even if the
      User has no registered account but visited our website. For example, these cookies help us detect and
      prevent attacks aimed at interrupting our services, and the mass creation of fake accounts.
      If cookies are stored in the browser or on the device, we can read the actual cookie when you visit a
      website that includes a social module. The operators of social networking websites (Facebook,
      Twitter, LinkedIn, Google Plus) are responsible for cookies created by these websites, about which you
      can find information on the respective social networking website.

      VII. Customer correspondence (contact, sending opinions, help)
      1. If you have queries or experience problems while using our services, wish to advertise on our
      website or collaborate with us in any other way, share your opinion with us or ask for help,
      you may contact the editors of this service in the way specified on our website or through the
      contact form.
      2. Right after the settlement of a case, the Service Provider immediately deletes incoming letters,
      together with the name and email address, phone number and any other personal data provided
      voluntarily by the sender.
      VIII. Facebook
      Pursuant to Section 20(1) of Act CXII of 2011 on the right to informational self-determination and on
      the freedom of information the following shall be determined within the data transmission activities of
      the website:
      a) the fact of data collection,
      b) the group of data subjects,
      c) the purpose of data collection,
      d) the duration of data processing,
      e) the identity of potential data controllers entitled to have access to these data,
      f) description of the rights of data subjects related to data processing.
      1. The fact of data collection, the range of data processed: the registered name and public profile
      picture of the user on Facebook.com.
      2. Group of data subjects: All data subjects who have registered on Facebook.com and liked
      www.teodoraphotography.com website.
      3. Purpose of data processing: Sharing and liking the website on Facebook.com.
      4. Duration of data processing, the identity of potential data controllers entitled to have access to
      these data and description of the rights of data subjects related to data processing: Data
      subjects can find further information on data sources, data processing, as well as the mode and
      the legal basis of data transmission at http://www.facebook.com/about/privacy/.
      5. Data processing takes place on Facebook.com, therefore the duration and mode of data
      processing, as well as the potential erasure and rectification of data is governed by the rules
      and regulations of facebook.com.
      (http://www.facebook.com/legal/terms?ref=pf), (http://www.facebook.com/about/privacy/)
      6. Legal basis of data processing: the voluntary consent of the data subject to the processing of
      their data on facebook.com.
      IX. Data security
      1. The data controller is obliged to design and implement data processing operations in such a
      way as to ensure protection of the privacy of data subjects.
      2. The controller, or the processor acting on behalf of or instructed by the controller, shall ensure
      the security of personal data, and implement appropriate technical and organisational
      measures and develop rules of procedure required to enforce Infotv. and other data and
      privacy protection rules.
      3. Data shall be protected by appropriate measures, in particular against unauthorized access,
      alteration, transmission, disclosure, erasure or destruction, unavailability due to accidental
      destruction and damage resulting from a change in the technology used.
      4. For the purpose of protecting datasets processed electronically in various registers it shall be
      ensured with an appropriate technical solution that data stored in these registers cannot be
      directly interconnected or assigned to the data subjects, unless an Act allows it.
      5. During the automated processing of personal data the data controller and the data processor
      shall take further measures to
      – prevent unauthorised recording of personal data;
      – prevent the use of the automated processing system by unauthorised persons by means
      of data transmission equipment;
      – verify and determine the identity of the recipients to whom the personal data have
      been or can be transferred or provided by means of data transmission equipment;
      – verify and determine the scope of the personal data entered into the processing
      system, as well as the time of entering such data and the identity of the person who
      entered them;
      – ensure recoverability of the processing system in the event of a breakdown; and
      – ensure reporting of malfunctions that occurred during automated processing.

      When determining and applying data security measures, the data controller and the data processor
      shall take into consideration the level of technological development. When several possible data
      processing solutions are available, they shall choose the one that ensures a higher level of protection of
      personal data, unless that would entail disproportionate difficulties for the data controller.
      X. Entitlements of the data subject
      1. The data subject may request the Service Provider to provide information on the processing of
      their personal data, to rectify their personal data, as well as to have their personal data erased
      or blocked, except in the case of mandatory processing.
      2. Upon request by the user the data controller shall provide information about data processed by
      them or by the data processor acting on their behalf, the source of such data, the purpose, legal
      basis and duration of data processing, name, address of the data processor and their activities
      related to data processing, and, in case of transmission of the personal data of the data subject,
      the legal basis and the recipient of data transmission.
      3. For the purpose of verifying the lawfulness of data transmission, as well as to inform data
      subjects, the data controller shall keep a data transmission register containing the date of the
      transmission of personal data processed by them, the legal basis and the recipient of such data
      transmission, definition of the set of transmitted personal data, as well as other data specified
      in the legislation that provides for the data processing.
      4. Upon the data subject’s request, the Data Controller shall provide information as soon as
      possible after the submission of the request, or at the latest within 30 days in writing, in a
      clearly understandable form. Information shall be provided free of charge.
      5. Upon request by the user, the Service Provider provides information about data processed by
      them, the source of these data, the purpose, legal basis and duration of data processing, the name
      and address of any processor and their activities related to data processing, and, in case of
      transmission of the personal data of the data subject, the legal basis and the recipient of data
      processing. The Service Provider shall provide information as soon as possible after the
      submission of the request, or at the latest within 30 days in writing, in a clearly understandable
      form. The provision of information is free of charge.
      6. If the personal data are incorrect, and the correct personal data are available to the Data
      Controller, the personal data shall be rectified by the Service Provider.
      7. Instead of erasure, the Service Provider will block the personal data at the User’s request, or if
      available information suggests that the deletion of the data would harm the legitimate interests
      of the User. Personal data blocked in this way may only be processed as long as the purpose of
      processing that precluded erasure exists.
      8. The Service Provider shall erase personal data if processing is unlawful; at the User’s request;
      if processed data is incomplete or inaccurate – and such condition cannot be remedied in a
      lawful way – provided that such erasure is not excluded by law; if the purpose of data
      processing no longer exists, or if the period for data storage specified by legislation has expired; or
      if ordered by the Court or the National Authority for Data Protection and Freedom of
      Information.
      9. The data controller shall mark the processed data if the data subject disputes their correctness
      or accuracy, but such incorrectness or inaccuracy cannot be clearly ascertained.
      10. The data subject and all other parties to whom the data had been transmitted for the purposes
      of processing shall be notified of the rectification, blocking and erasure of data.
      Notification may be omitted if this does not violate the legitimate interest of the data subject
      with respect to the purpose of the data management.
      11. If the data controller fails to fulfil the data subject’s request for rectification, blocking or
      erasure, the controller shall be obliged to advise the data subject in writing within 30 days
      of receipt of the request of the factual and legal reasons for rejecting the
      rectification, blocking or erasure request. If the data controller refuses the
      rectification, erasure or blocking request submitted by the data subject, the
      data controller shall also be obliged to advise the data subject of the
      available appeal procedures and legal remedies offered by the courts or the administrative
      authority.
      XI. Legal remedies
      1. The User may object to the processing of their personal data, if
      a) processing or transmission of personal data is required only to fulfil a legal obligation
      applicable to the Service Provider, or to pursue the legitimate interests of the Service Provider,
      data recipient or a third party, except when data processing is required by the law;
      b) the purpose of use or transfer of personal data is direct marketing, opinion polling or
      scientific research;
      c) in another case set out by the law.
      2. The Service Provider shall examine the objection as soon as possible but no later than 15 days
      after its submission, decide whether it is well founded, and inform the data subject
      about its decision. If based on the findings of the data controller the data subject’s objection is
      justified, the data controller shall terminate all processing operations (including further data
      collection and transmission), block the data involved and notify all recipients to whom any of
      these data had previously been transferred concerning the objection and the ensuing measures,
      upon which these recipients shall also take measures regarding the enforcement of the
      objection.
      3. If the User disagrees with the decision made by the Service Provider, they can challenge it in
      court within 30 days of its notification. The court shall deal with such proceedings as a matter
      of priority.
      4. A potential infringement by the data controller may be reported to the National Authority for
      Data Protection and Freedom of Information:
      National Authority for Data Protection and Freedom of Information, 1125 Budapest, Szilágyi Erzsébet
      fasor 22/C.
      Mailing address: 1530 Budapest, PO Box: 5.
      Telephone: +36-1-391-1400
      Fax: +36-1-391-1410
      Email: ugyfelszolgalat@naih.hu
      XII. Judicial enforcement
      1. The controller shall be obliged to prove that the processing complies with the provisions laid
      down in legislation. The data recipient shall be obliged to prove the legality of data
      transmission.
      2. The lawsuit shall be conducted by the tribunal. At the data subject’s own discretion, the
      lawsuit may be brought to the court of the domicile or place of residence of the data subject.
      3. Any person who otherwise does not have the capacity to be a party may be a party to the court
      action. The Authority may intervene in the action in order to facilitate the success of the data
      subject.
      4. If the court upholds the claim, it shall oblige the controller to provide information; rectify,
      block or erase the personal data; annul the decision made through automated processing; take
      into account the right of the data subject to objection; and to issue the data requested by the
      data recipient.
      5. If the court rejects the claim by the data recipient, the data controller shall be obliged to erase
      the personal data of the data subject within 3 days of the notification of the judgement. The
      data controller shall be obliged to delete personal data even if the data recipient does not go to
      court within the specified time limit.
      6. The court may order the publication of its judgement so as to disclose the identification data of
      the data controller, if required in the interests of data protection and by the protected rights of
      a large number of data subjects.
      XIII. Damages and grievance award
      The data controller shall be liable for compensating any damage which another person may suffer as a
      result of unlawful processing of the personal data of the data subject or of breaching data security
      requirements.
      1. The controller shall be liable for paying a grievance award for the violation of personality
      rights of the data subject as a result of unlawful processing of the personal data of the data
      subject or of breaching data security requirements.
      2. The data controller shall bear liability towards the data subject for the damage caused by the
      data processor, and the data controller shall pay to the data subject a grievance award in the
      event of a violation of personality rights caused by the data processor. The controller shall be
      exempted from liability for damage and from the obligation to pay the grievance award if they
      prove that the damage or the violation of the data subject’s personality rights occurred as a
      consequence of an unavertable reason falling outside the scope of processing.
      3. Damages shall not be paid and a grievance award shall not be claimed if the damage was due
      to the intentional or grossly negligent conduct of the person suffering the damage, or if the
      infringement of the personality rights arose from the intentional or grossly negligent conduct
      of the data subject.
      XIV. Afterword
      While drawing up this privacy statement the following legislation was taken into consideration:
      – Act CXII of 2011 on the right of informational self-determination and the freedom of information
      (hereinafter referred to as ‘Infotv.’)
      – Act CVIII of 2001 on certain aspects of electronic commerce and information society services –
      Elkertv. – (in particular Article 13/A)
      – Act XLVII of 2008 on the prohibition of unfair commercial practices against consumers;
      – Act XLVIII of 2008 on essential conditions of and certain limitations to business advertising activity
      (in particular Article 6)
      – Act XC of 2005 on the freedom of information by electronic means
      – Act C of 2003 on electronic communications (Article 155, in particular)
      – REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL