Privacy Statement
REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on
the protection of natural persons with regard to the processing of personal data and on the free
movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as ‘GDPR’)
provides that the controller shall take appropriate measures to provide any information and any
communication relating to processing of personal data to the data subject in a concise, transparent,
intelligible and easily accessible form, using clear and plain language, and that the controller shall
facilitate the exercise of data subject rights.
The right of the data subject to prior information is also provided for by Act CXII of 2011 on the right to
informational self-determination and on the freedom of information (hereinafter referred to as
‘Infotv.’).
By providing the information below we fulfil these legal obligations.
This statement shall be published on the company's website or shall be sent to the data subject at their
request. Personal data shall only be collected and processed in accordance with the law.
Data storage shall be as secure as possible.
Personal data shall be transmitted to third parties only upon consent.
Should you need information on your personal data stored by us, you may send us a written request to
hello@teodoraphotography.com.
You may request your personal data to be deleted at hello@teodoraphotography.com.
Name of the Data Controller
Name: Teodóra Simon, self-employed (hereinafter referred to as: Service Provider or Data Controller)
Contact person: Teodóra Simon
Registered address: Madách street 17. Vonyarcvashegy, Hungary, 8314
Tax number: 66615811-1-40
Community tax number: HU66615811
Registration number: 36679888
Email: hello@teodoraphotography.com
Website: www.teodoraphotography.com
‘Processor’ means a natural or legal person, public authority, agency or other body which processes
personal data on behalf of the controller (GDPR, Article 4(8)). No prior consent is needed from the
data subject for the use of a processor, however the data subject shall be informed. Accordingly, the
following information is hereby provided:
The IT provider of the Data Controller
The Data Controller relies on an external service provider to maintain and manage her website. This
external service provider provides IT services (hosting, operation of the web-store interface), in the
framework of which it processes personal data entered on the website, for the duration of our contract
with them. Operation carried out by the IT provider: storing personal data on the server.
Name of the Processor:
Company name: Net-tech Consulting Liability Company
Tax number: 13414300-2-43
Community tax number: HU13414300
Email: ufsz@domainadminisztracio.hu
Seat/Head office: Kisfaludy street 16. 6/18., Budapest, Hungary, 1191
Privacy statement (in Hungarian): https://www.domainadminisztracio.hu/Adatvedelmi-Szabalyzat
Names of other potential processors when using the website www.katamorocz.com
– WordPress.com: Automattic Inc., 60 29th Street #343, San Francisco, CA 94110, USA, telephone: 1-877-273-3049, www.wordpress.com, GDPR: https://automattic.com/privacy/
– Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, www.googleanalytics.com, GDPR: https://analytics.google.com/analytics/web/provision/#/provision
– Facebook Inc., 1 Hacker Way, Menlo Park, California 94025, USA, telephone: +1 650-543-4800, www.facebook.com, GDPR: http://www.facebook.com/legal/terms?ref=pf, http://www.facebook.com/about/privacy/
– Instagram: www.instagram.com, GDPR: https://help.instagram.com/519522125107875
The Service Provider as Data Controller hereby informs visitors of her
website www.teodoraphotography.com about personal data processed in connection with the operation
of the website and its services, the identity of data controller(s) and their details, guiding principles
and practices for the processing of personal data, transmission of data, organizational and technical
measures taken to protect personal data, as well as the way and possibilities for data subjects to
exercise their rights.
Section 20(1) of Act CXII of 2011 on the right to informational self-determination and on the freedom
of information provides that the data subject (hereinafter: user) shall be informed prior to the start of
the processing of data that this processing is either consent-based or mandatory.
The data subject shall receive information, prior to the start of processing, on all relevant facts
connected to the processing, in particular the purpose and legal basis of data processing, the person
entitled to data processing and data control, as well as the duration of data processing.
Under Section 6(1) of Infotv. the data subject shall be informed that personal data may be processed
even if it is impossible to obtain the consent of the data subject or if it would cause disproportionate costs,
and the processing of personal data is necessary to
– fulfil a legal obligation applicable to the data controller, or
– enforce a legitimate interest of the data controller or a third party, and the enforcement of this
interest is proportionate to the restriction of the right to the protection of personal data.
The information shall include the rights of the data subject related to data processing and legal
remedies available.
If it is impossible to directly inform the data subject or if it would entail disproportionate costs (such as on
the website, in this case), information may be provided also by publishing the following information:
a) the fact of data collection,
b) the group of data subjects,
c) the purpose of data collection,
d) the duration of data processing,
e) the identity of potential data controllers entitled to have access to these data,
f) description of the rights of data subjects related to data processing and legal remedies
available, and
g) if the data protection registration of data processing has a location, the registration number
of data processing.
This privacy statement regulates the data processing of the following
website: www.teodoraphotography.com
The amendments to this statement will enter into force by being published at the above address.
Interpretative provisions
1. data subject/user: any specified natural person identified or identifiable directly or indirectly
by personal data;
2. personal data: any information relating to a data subject, in particular the name and
identification number of the data subject, as well as one or more factors specific to their
physical, physiological, mental, economic, cultural or social identity, and conclusions relating
to that data subject that can be drawn from the data in question;
3. sensitive data:
a) personal data revealing racial or ethnic origin, political opinion or party affiliation, religion
or belief, trade union membership, sexual life,
b) personal data revealing health status or addictions, as well as criminal personal data;
4. consent: any freely given, specific, informed and unambiguous indication of the data subject's
wishes, by which they, by a statement or a clear affirmative action, signify agreement to the
processing of personal data relating to them;
5. objection: statement made by the data subject objecting to the processing of their personal data
and requesting the termination of data processing, or the deletion of data processed;
6. data controller: a natural or legal person, or an organisation having no legal personality which,
alone or jointly with others, determines the purposes of the processing of personal data; makes
and implements decisions relating to the processing of data (including the tools used), or
entrusts a data processor to implement such decisions for them;
7. processing: any operation or set of operations that is performed on data, regardless of the
procedure applied; in particular collecting, recording, registering, organising, storing,
modifying, using, retrieving, transferring, disclosing, synchronising or connecting, blocking,
erasing and destroying the data, as well as preventing their further use; taking photos and
making audio or visual recordings, as well as registering physical characteristics suitable for
personal identification (such as fingerprints or palm prints, DNA samples and iris scans);
8. data transfer: providing access to the data for a designated third party;
9. disclosure: making the data accessible to anyone;
10. data erasure: making the data unrecognisable in such a way that its restoration is no longer
possible;
11. data identification: assigning identifiers to data with the purpose of distinguishing them;
12. data blocking: assigning an identifier to the data with the purpose of limiting their further
processing permanently or for a fixed term;
13. data destruction: the complete physical destruction of the data medium that contains the data;
14. data control: performing technical tasks in connection with data processing activities,
regardless of the methods and tools used for executing the operations, or the location where
they are performed, provided that such technical tasks are performed on data;
15. processor: a natural or legal person, or an organisation having no legal personality which
processes personal data under an agreement concluded with the controller, including contracts
as provided by the relevant legislation;
16. data source: the organ performing public duties, which generated the data of public interest
that is to be published through electronic means, or during the operations of which such data
was generated;
17. data publisher: the organ performing public duties which, if the data source itself does not
publish the data, uploads the data sent to it by the data source to a website;
18. dataset: all data processed in a single registry;
19. third party: a natural or legal person, or an organisation having no legal personality, other than
the data subject, controller, processor and the persons who, under the direct authority of the
controller or processor, carry out operations aimed at processing personal data.
I. Legal basis of data processing
1. Personal data may be processed if
– the data subject has given their consent, or
– it is prescribed in an Act or, based on the authorisation of an Act, within the limits set forth
therein, in a local government decree for purposes in the public interest.
2. Personal data may be processed also if it is impossible to obtain the consent of the data subject
or it would cause disproportionate costs, and processing of personal data is necessary to
a) fulfil a legal obligation applicable to the data controller, or
b) enforce a legitimate interest of the data controller or a third party, and the enforcement of
this interest is proportionate to the restriction of the right to the protection of personal data.
3. If the data subject is unable to give consent due to incapacity or any other unavertable reason,
then the personal data of the data subject may be processed during the existence of
circumstances beyond their control that prevent them from giving consent, to the extent that is
necessary to protect an interest which is essential for the data subject's or another person's vital
interests, including physical integrity or life.
4. The legal statement of a minor over 16 years of age containing their consent shall be valid
without the consent or subsequent approval of their legal representative.
5. If the purpose of data processing based on consent is the performance of a contract concluded
with the data controller in writing, such contract shall contain all the information that the data
subject should be aware of during the processing of personal data, such as, in particular, the
personal data to be processed, the duration of processing, the purpose of use, the fact and the
recipients of data transmission, and the fact of using a data processor. The contract shall
contain in an unambiguous manner that by signing the contract, the data subject gives their
consent to the processing of their personal data pursuant to the terms and conditions of the
contract.
6. If the recording of personal data takes place upon consent by the data subject, unless otherwise
provided for by the law, the data controller shall process the recorded data to
– fulfil a legal obligation applicable to the data controller, or
– enforce a legitimate interest of the data controller or a third party, if the enforcement of this
interest is proportionate to the restriction of the right to the protection of personal data.
Article 13/A (1) of Act CVIII of 2001 on certain aspects of electronic commerce and
information society services:
‘The service provider may – for the purpose of providing the service – process personal data
indispensable for providing the service for technical reasons. Should other conditions be
identical, the service provider shall select and operate the means applied in the course of
providing information society service at all times, so that personal data be processed only if it
is absolutely indispensable for providing the service or achieving other objectives stipulated in
this Act, and only to the required extent and duration.’
II. Purpose limitation of data processing
1. Personal data shall be processed only for clearly specified purposes, in order to exercise
certain rights and fulfil obligations. The purpose of processing shall be met in all stages of
processing; data shall be collected and processed fairly and lawfully.
2. Only personal data that is essential and suitable for achieving the purpose of processing may
be processed. Personal data may be processed only to the extent and for the period of time
necessary to achieve its purpose.
3. The visitor of the website is entitled to be informed of personal data breaches if they are likely
to present a high risk to their rights and freedoms. A personal data breach occurs when
personal data is lost, destroyed or accessed by unauthorised persons. Personal data breaches
shall be reported to the data protection authority within 72 hours. If the data processor is
informed of such data protection breach, they are obliged to report this to the owners of the
webstore (data controllers).
III. Other principles of data processing
In the course of processing, data shall retain their personal character as long as their connection with
the data subject can be restored. The connection with the data subject shall, in particular, be considered
restorable if the controller is in possession of the technical means necessary for the restoration.
The accuracy and completeness, and, if deemed necessary with respect to the purpose of the
processing, the up-to-date status of the data shall be ensured throughout the processing; the
identification of the data subject shall be possible for no longer than necessary for the purpose of the
processing.
IV. Functional data processing
Pursuant to Section 20(1) of Act CXII of 2011 on the right to informational self-determination and on
the freedom of information the following shall be determined within the operation of the functionality
of the website:
a) the fact of data collection,
b) the group of data subjects,
c) the purpose of data collection,
d) the duration of data processing,
e) the identity of potential data controllers entitled to have access to these data,
f) description of the rights of data subjects related to data processing.
1. The fact of data collection, set of data processed: last name and first name, email address,
phone number, secondary phone number
2. Group of data subjects: All users sending a message via the website shall be considered as
data subjects.
3. The purpose of data collection: The Service Provider shall process the personal data of Users
in order to ensure fully fledged use of the website and to contact Users.
4. Duration of data processing, deadline for the erasure of personal data: Immediately after the
execution of the order, except in the case of accounting documents, as Section 169(2) of Act C
of 2000 on accounting provides that these data shall be retained for 8 years.
The accounting documents underlying the accounting records directly or indirectly (including ledger
accounts, analytical records and registers) shall be retained for minimum eight years, shall be legible
and retrievable by means of the code of reference indicated in the accounting records.
5. The identity of potential data controllers entitled to have access to these data: Personal data
can be processed by the data controller, in compliance with the above principles.
6. Description of the rights of data subjects related to data processing: Erasure or modification of
personal data may be requested by the data subject in the following ways:
– by ordinary mail sent to Madách street 17. Vonyarcvashegy, Hungary, 8314
– by email sent to hello@teodoraphotography.com
Legal basis of data processing: the User's consent, Section 5(1) of Infotv., as well as Article 13/A(3) of
Act CVIII of 2001 on certain aspects of electronic commerce and information society services
(hereinafter referred to as ‘Elker tv.’):
The service provider may – for the purpose of providing the service – process personal data
indispensable for providing the service for technical reasons. Should other conditions be identical, the
service provider shall select and operate the means applied in the course of providing information
society service at all times, so that personal data be processed only if it is absolutely indispensable for
providing the service or achieving other objectives stipulated in this Act, and only to the required
extent and duration.
V. Principles relating to functional data processing (Elker tv. Article 13/A)
1. For the purpose of billing the charges arising under the contract for the information society
service, the service provider may process data related to the use of such service, such as
identification data of a natural person, address, as well as the data regarding the time, duration
and place of using the service.
2. The service provider may – for the purpose of providing the service – process personal data
indispensable for providing the service for technical reasons. Should other conditions be
identical, the service provider shall select and operate the means applied in the course of
providing information society service at all times, so that personal data be processed only if it
is absolutely indispensable for providing the service or achieving other objectives stipulated in
Elker tv., and only to the required extent and duration.
3. The service provider may process data related to the use of the service for any other purposes
– thus, in particular, for the purposes of enhancing the efficiency of the service, forwarding of
electronic advertisements or other direct communications addressed to the recipient of the
service, or market surveys – only with the prior specification of the purpose of data processing
and subject to the consent of the recipient of the service.
4. The recipient of the service shall be allowed, at all times, prior to and during the course of using
the information society service, to prohibit the data processing.
5. Data processed shall be deleted if the contract is not concluded or is terminated, and after the
billing. Data processed shall be deleted if the purpose of data processing has ceased or upon
the instruction of the recipient of the service to this effect. Unless provided otherwise by the
law, deletion of the data shall take place without delay.
6. The service provider shall ensure that the recipient of the service of the information society
service may, at any time prior to and in the course of using the service, get acquainted with the
types of data processed by the service provider and the objective of processing such data,
including the processing of data directly not associated with the recipient of the service.
VI. Managing cookies
The current cookie policy contains the terms applicable to the use of the website operated by
www.teodoraphotography.com as service provider (‘Service Provider’). When designing this website
the rules applicable to the further use of cookies were observed. As regards this use, we observed the
following rules and use cookies accordingly:
– Act C of 2003 on Electronic Communications
– Act CVIII of 2001 on certain issues of electronic commerce services and information society services
– Act CXII of 2011 on the right of informational self-determination and the freedom of information
– Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the
processing of personal data and the protection of privacy in the electronic communications sector
(Directive on privacy and electronic communications)
Please read the document carefully and use my services only if you agree with all the terms herein and
accept them as binding to you as a User. Please note that this cookie policy applies only to cookie
management on this specific Website. If you click on a link on this website that directs you to another
website, please find and read the cookie policy of that particular website too.
What is a cookie?
Cookies are little text files or pieces of information which are saved by your browser from our website
and stored on your computer. Next time you visit our website these cookies help the server computer
that stores the materials of our website to recognize that you have already visited our website.
The default setting of the majority of browsers is to accept cookies. If you prefer, you can change your
settings so that your browser refuses cookies or alerts you that cookies have been sent to your
computer. Our website uses such cookies in order to ensure certain functions or for reasons of
convenience. The cookies we use won’t load, slow down or cause harm to your computer.
The website also uses third-party cookies. Cookies can be deleted or disabled in your browser.
You will find information about such settings on the official website of
your browser.
What is the purpose of cookies?
These technologies can be used for a variety of purposes, such as to display the most relevant content
or advertisement for the User; for the development of our products and services; as well as to
preserve the security of our services. The precise names of cookies, pixels and other similar
technologies may change from time to time with the development and upgrading of services.
How are cookies generated?
First, the client computer sends a request to the server. The server then creates a unique ID and
stores it in its own database, then sends back the cookie, together with all the information, to the client.
The cookie is then stored on the client computer.
How are cookies used?
When the client computer once again contacts the server, the previously generated and stored cookie
will be attached to the request. The server will compare the contents of the received and of the stored cookie.
Thus it can easily identify e.g. a registered user.
What type of cookies do we use?
A variety of cookies are used, but each website uses different types of cookies. Our website usually
uses only the following types, but new types may be added during upgrades.
Session/Temporary cookies:
These cookies are stored in the temporary memory as long as the user navigates the website. When the
user closes the browser, the cookie will be deleted. These cookies do not contain any personal data,
and are not suitable to identify the visitor.
Stored/Persistent cookies:
These are the cookies that will be used every time the user visits the website. Based on the type of
cookies, they can be used for the following purposes:
Analytics:
These cookies track your movements around the site, what products you've looked at, what you’ve been doing.
Such a cookie will remain on the client computer depending on its lifetime. It can be used by functions
such as Google Analytics or YouTube. These cookies do not contain any personal data, and are not
suitable to identify the visitor.
Social networks:
Allows easy access to social media networks and sharing your views and information on our products
with others. It can be used by third-party functions such as Facebook, Twitter, Google+, Pinterest or
YouTube. These cookies may contain personal data, and are suitable to identify the visitor.
Media:
These cookies are used to view videos on the website. They can be used by third-party functions such
as YouTube. These cookies do not contain any personal data, and are not suitable to identify the visitor.
Functional:
It shows whether the user has already visited this site and if so, on what device. It notes the user name,
password, language selection, location information. These cookies may contain personal data, and are
suitable to identify the visitor.
Advertising:
With the help of these cookies I can send targeted information and newsletters to the users. These
cookies may contain personal data, and are suitable to identify the visitor.
For further information on cookies, their types and full functionalities visit www.allaboutcookies.org.
How are cookies managed?
In a variety of ways, but the client has the option to adapt the settings of their browser in order to
manage cookies. Generally speaking, browser settings can be as follows:
– Accept all cookies
– Reject all cookies
– Request notification on each cookie use
As for cookie settings, it’s worth looking into the Options or Settings menu of your browser, or checking
the Help menu. The following websites provide assistance in relation to the settings of the most
commonly used browsers.
Internet Explorer
Firefox
Chrome
Please note that this website has been generated with cookie management. If the client partially or
completely blocks the use of cookies, that may hinder the operation of the website. In that case, there
may be functions and services that the user won’t be able to use, either partially or in their entirety.
We use cookies even if the User has no registered account with us or if they’ve signed out of their
account. For example, if the User has logged out of their account, we use cookies to facilitate the
following:
– identify and disable the accounts of spammers
– restore account, in case of lost access
– provide additional security features such as log-in notifications and log-in approvals
– prevent the registration of minors with fake dates of birth
– display, select, evaluate, measure and interpret advertisements displayed on the website and elsewhere
(including advertisements displayed by or on behalf of partner enterprises and other partners)
– compile analytical information about persons who come into contact with our services, and the
websites of our advertisers and partners.
In order to protect our services and our users against malicious activities we place cookies even if the
User has no registered account but visited our website. For example, these cookies help us detect and
prevent attacks aimed at interrupting our services, and the mass creation of fake accounts.
If cookies are stored in the browser or on the device, we can read the actual cookie when you visit a
website that includes a social module. The operators of social networking websites (Facebook,
Twitter, LinkedIn, Google Plus) are responsible for the cookies created by these websites; you
can find information about them on the respective social networking website.
VII. Customer correspondence (contact, sending opinions, help)
1. If you have queries or experience problems while using our services, wish to advertise on our
website or collaborate with us in any other way, share your opinion with us or ask for help,
you may contact the editors of this service in the way specified on our website or through the
contact form.
2. Right after the settlement of a case, the Service Provider immediately deletes incoming letters,
together with the name and email address, phone number and any other personal data provided
voluntarily by the sender.
VIII. Facebook
Pursuant to Section 20(1) of Act CXII of 2011 on the right to informational self-determination and on
the freedom of information the following shall be determined within the data transmission activities of
the website:
a) the fact of data collection,
b) the group of data subjects,
c) the purpose of data collection,
d) the duration of data processing,
e) the identity of potential data controllers entitled to have access to these data,
f) description of the rights of data subjects related to data processing.
1. The fact of data collection, the range of data processed: the registered name and public profile
picture of the user on Facebook.com.
2. Group of data subjects: All data subjects who have registered on Facebook.com and liked
www.teodoraphotography.com website.
3. Purpose of data processing: Sharing and liking the website on Facebook.com.
4. Duration of data processing, the identity of potential data controllers entitled to have access to
these data and description of the rights of data subjects related to data processing: Data
subjects can find further information on data sources, data processing, as well as the mode and
the legal basis of data transmission at http://www.facebook.com/about/privacy/.
5. Data processing takes place on Facebook.com, therefore the duration and mode of data
processing, as well as the potential erasure and rectification of data is governed by the rules
and regulations of facebook.com.
(http://www.facebook.com/legal/terms?ref=pf), (http://www.facebook.com/about/privacy/)
6. Legal basis of data processing: the voluntary consent of the data subject to the processing of
their data on facebook.com.
IX. Data security
1. The data controller is obliged to design and implement data processing operations in a way so
as to ensure protection of the privacy of data subjects.
2. The controller, or the processor acting on behalf of or instructed by the controller, shall ensure
the security of personal data, and implement appropriate technical and organisational
measures and develop rules of procedure required to enforce Infotv. and other data and
privacy protection rules.
3. Data shall be protected by appropriate measures, in particular against unauthorized access,
alteration, transmission, disclosure, erasure or destruction, unavailability due to accidental
destruction and damage resulting from a change in the technology used.
4. For the purpose of protecting datasets processed electronically in various registers it shall be
ensured with an appropriate technical solution that data stored in these registers cannot be
directly interconnected or assigned to the data subjects, unless an Act allows it.
5. During the automated processing of personal data the data controller and the data processor
shall ensure through further measures
– the prevention of unauthorised recording of personal data;
– the prevention of the use of the automated processing system by unauthorised persons by means
of data transmission equipment;
– the ability to verify and determine the identity of the recipients to whom the personal data have
been or can be transferred or provided by means of data transmission equipment;
– the ability to verify and determine the scope of the personal data entered into the processing
system, as well as the time of entering such data and the identity of the person who
entered them;
– the recoverability of the processing system in the event of a breakdown; and
– the reporting of malfunctions that occurred during automated processing.
When determining and applying data security measures, the data controller and the data processor
shall take into consideration the level of technological development. When several possible data
processing solutions are available, they shall choose the one that ensures a higher level of protection of
personal data, unless that would entail disproportionate difficulties for the data controller.
X. Entitlements of the data subject
1. The data subject may request the Service Provider to provide information on the processing of
their personal data, to rectify their personal data, as well as to have their personal data erased
or blocked, except in the case of mandatory processing.
2. Upon request by the user the data controller shall provide information about data processed by
them or by the data processor acting on their behalf, the source of such data, the purpose, legal
basis and duration of data processing, name, address of the data processor and their activities
related to data processing, and, in case of transmission of the personal data of the data subject,
the legal basis and the recipient of data transmission.
3. For the purpose of verifying the lawfulness of data transmission, as well as to inform data
subjects, the data controller shall keep a data transmission register containing the date of the
transmission of personal data processed by them, the legal basis and the recipient of such data
transmission, definition of the set of transmitted personal data, as well as other data specified
in the legislation that provides for the data processing.
4. Upon the data subject’s request, the Data Controller shall provide information as soon as
possible after the submission of the request, or at the latest within 30 days in writing, in a
clearly understandable form. Information shall be provided free of charge.
5. Upon request by the user, Service Provider provides information about data processed by
them, the source of these data, the purpose, legal basis and duration of data processing, name,
address of the eventual processor and their activities related to data processing, and, in case of
transmission of the personal data of the data subject, the legal basis and the recipient of data
processing. The Service Provider shall provide information as soon as possible after the
submission of the request, or at the latest within 30 days in writing, in a clearly understandable
form. The provision of information is free of charge.
6. If the personal data are incorrect, and the correct personal data are available to the Data
Controller, the personal data shall be rectified by the Service Provider.
7. Instead of erasure, the Service Provider will block the personal data at the User’s request, or if
available information suggests that the deletion of the data would harm the legitimate interests
of the User. Personal data blocked in this way may only be processed as long as the purpose of
the data processing excluding erasure exists.
8. The Service Provider shall erase personal data if processing is unlawful; at the User’s request;
if processed data is incomplete or inaccurate – and such condition cannot be remedied in a
lawful way – provided that such erasure is not excluded by law; if the purpose of data
processing no longer exists, or if the period for data storage specified by legislation expired; or
if ordered by the Court or the National Authority for Data Protection and Freedom of
Information.
9. The data controller shall mark the processed data if the data subject disputes their correctness
or accuracy, while such incorrectness or inaccuracy may not be clearly ascertained.
10. The data subject and all other parties to whom such data had been transmitted for the
purposes of processing shall be notified of the rectification, blocking and erasure of data.
Notification may be omitted if this does not violate the legitimate interest of the data subject
with respect to the purpose of the data management.
11. If the data controller fails to fulfil the data subject’s request for rectification, blocking or
erasure, the controller shall advise the data subject in writing, within 30 days of receipt of
the request, of the factual and legal grounds for rejecting the request. If the data controller
refuses to comply with the request for rectification, erasure or blocking, it shall advise the
data subject of the available appeal procedures and legal remedies offered by the courts or
the administrative authority.
XI. Legal remedies
1. The User may object to the processing of their personal data if:
a) processing or transmission of personal data is required only to fulfil a legal obligation
applicable to the Service Provider, or to pursue the legitimate interests of the Service Provider,
data recipient or a third party, except when data processing is required by the law;
b) the purpose of use or transfer of personal data is direct marketing, opinion polling or
scientific research;
c) in another case set out by the law.
5. The Service Provider shall examine the objection as soon as possible but no later than 15 days
after its submission, then it shall make a decision on its soundness, and inform the data subject
about its decision. If based on the findings of the data controller the data subject’s objection is
justified, the data controller shall terminate all processing operations (including further data
collection and transmission), block the data involved and notify all recipients to whom any of
these data had previously been transferred concerning the objection and the ensuing measures,
upon which these recipients shall also take measures regarding the enforcement of the
objection.
6. If the User disagrees with the decision made by the Service Provider, they can challenge it in
court within 30 days of its notification. Such court proceedings shall be conducted as a matter of
priority.
7. A potential infringement by the data controller may be reported to the National Authority for
Data Protection and Freedom of Information:
National Authority for Data Protection and Freedom of Information, 1125 Budapest, Szilágyi Erzsébet
fasor 22/C.
Mailing address: 1530 Budapest, PO Box 5.
Telephone: +36-1-391-1400
Fax: +36-1-391-1410
Email: ugyfelszolgalat@naih.hu
XII. Judicial enforcement
1. The controller shall be obliged to prove that the processing complies with the provisions laid
down in legislation. The data recipient shall be obliged to prove the legality of data
transmission.
2. The lawsuit shall be conducted by the tribunal. At the data subject’s own discretion, the
lawsuit may be brought to the court of the domicile or place of residence of the data subject.
3. Any person who otherwise does not have the capacity to be a party may be a party to the court
action. The Authority may intervene in the action in order to facilitate the success of the data
subject.
4. If the court upholds the claim, it shall oblige the controller to provide information; rectify,
block or erase the personal data; annul the decision made through automated processing; take
into account the right of the data subject to objection; and to issue the data requested by the
data recipient.
5. If the court rejects the claim by the data recipient, the data controller shall be obliged to erase
the personal data of the data subject within 3 days of the notification of the judgement. The
data controller shall be obliged to delete personal data even if the data recipient does not go to
court within the specified time limit.
6. The court may order the publication of its judgement so as to disclose the identification data of
the data controller, if required in the interests of data protection and by the protected rights of
a large number of data subjects.
XIII. Damages and grievance award
The data controller shall be liable for compensating any damage which another person may suffer as a
result of unlawful processing of the personal data of the data subject or of breaching data security
requirements.
1. The controller shall be liable for paying a grievance award for the violation of personality
rights of the data subject as a result of unlawful processing of the personal data of the data
subject or of breaching data security requirements.
2. The data controller shall bear liability towards the data subject for the damage caused by the
data processor, and the data controller shall pay to the data subject a grievance award in the
event of a violation of personality rights caused by the data processor. The controller shall be
exempted from liability for damage and from the obligation to pay the grievance award if they
prove that the damage or the violation of the data subject’s personality rights occurred as a
consequence of an unavertable reason falling outside the scope of processing.
3. Damages shall not be paid and a grievance award shall not be claimed if the damage was due
to the intentional or grossly negligent conduct of the person suffering the damage, or if the
infringement of the personality rights arose from the intentional or grossly negligent conduct
of the data subject.
XIV. Afterword
While drawing up this privacy statement the following legislation was taken into consideration:
– Act CXII of 2011 on the right of informational self-determination and the freedom of information
(hereinafter referred to as ‘Infotv.’)
– Act CVIII of 2001 on certain aspects of electronic commerce and information society services –
Elkertv. – (in particular Article 13/A)
– Act XLVII of 2008 on the prohibition of unfair commercial practices against consumers;
– Act XLVIII of 2008 on essential conditions of and certain limitations to business advertising activity
(in particular Article 6)
– Act XC of 2005 on the freedom of information by electronic means
– Act C of 2003 on electronic communications (Article 155, in particular)
– REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL