The Art Bridge Ltd. Privacy Policy, 2018
Table of Contents
INTRODUCTION
CHAPTER I – IDENTIFICATION OF THE DATA CONTROLLER
CHAPTER II – IDENTIFICATION OF DATA PROCESSORS
- Our company's IT service provider
- Our company's accounting service provider
- Postal services, delivery, parcel shipping
CHAPTER III – DATA PROCESSING RELATED TO EMPLOYMENT RELATIONSHIPS
- Labor, personnel records
- Data processing related to health examinations
- Handling data of job applicants, applications, resumes
- Data processing related to monitoring email account usage
- Data processing related to checking computers, laptops, tablets
- Data processing related to monitoring workplace internet usage
- Data processing related to checking company mobile phone usage
- Data processing related to the use of GPS navigation system
- Data processing related to workplace entry and exit
- Data processing related to workplace surveillance cameras
CHAPTER IV – DATA PROCESSING RELATED TO CONTRACTS
- Handling data of contracting partners – customer and supplier registry
- Contact information of legal entity clients, customers, and representatives of suppliers
- Recording telephone conversations at customer service
- Visitor data processing on the Company's website
- Information about the use of cookies
- Registration on the Company's website
- Data processing related to newsletter service
- Community guidelines / Data processing on the Company's Facebook page
- Data processing in the Company's online store
- Data processing related to organizing gift lotteries
- Data processing for direct marketing purposes
CHAPTER V – DATA PROCESSING BASED ON LEGAL OBLIGATIONS
- Data processing for the purpose of fulfilling tax and accounting obligations
- Payer data processing
- Data processing for the purpose of fulfilling obligations against money laundering
CHAPTER VI – SUMMARY OF INFORMATION ABOUT THE RIGHTS OF THE DATA SUBJECT
CHAPTER VII – DETAILED INFORMATION ABOUT THE RIGHTS OF THE DATA SUBJECT
CHAPTER VIII – SUBMISSION OF DATA SUBJECT REQUEST, ACTIONS OF THE DATA CONTROLLER
INTRODUCTION
Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter "the Regulation"), requires that the Data Controller take appropriate measures to provide the data subject with all information concerning the processing of personal data in a concise, transparent, intelligible and easily accessible form, using clear and plain language, and that the Data Controller facilitate the exercise of the data subject's rights.
The obligation to inform the data subject in advance is also prescribed by Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information.
We comply with this legal obligation by publishing the information below.
The information shall be published on the company's website or sent to the person concerned upon request.
CHAPTER I. NAME OF DATA CONTROLLER
The publisher of this information, as well as the Data Controller:
- Company name: The Art Bridge Kft.
- Head office: 2089 Telki Nyúl u. 8.
- Company registration number: 13-09-230273
- Tax number: 26198020-1-13
- Representative: Eszter Zborai, managing director
- Phone number: +36 20 253 8945
- E-mail address: info@artbridge.hu
- Website: www.artbridge.hu
(hereinafter: the Company)
CHAPTER II. NAME OF DATA PROCESSORS
Data processor: any natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller (Article 4(8) of the Regulation). The use of a data processor does not require the prior consent of the data subject, but the data subject must be informed of it. Accordingly, we provide the following information:
Our company's IT service provider
Our company uses a data processor to maintain and manage its website. This processor provides IT services (hosting services) and, within the framework of our contract with it, handles the personal data provided on the website; in the course of these operations, the personal data is stored on its server.
Data Processor Identification: Mészáros Lajos, 55035916
- Company Name: Mészáros Lajos, 55035916
- Company Registration Number:
- Tax ID: 56397349-1-43
- Representative: Mészáros Lajos
- Phone Number: +36202649100
- Fax:
- Email: meszaros.lajos.gyorgy@gmail.com
- Website: www.artbridge.hu; www.artbridge.shop
- Maintainer: Mészáros Lajos, 55035916
- Company Name:
- Headquarters:
- Registration Number:
- Tax ID: 56397349-1-43
- Representative: Mészáros Lajos
- Tel: +36202649100
Our company's accounting service provider
Data Processor: T+T Adó Kft.
- Company Name: T+T Adó Kft.
- Headquarters: 1142 Budapest, Erzsébet királyné útja 62.
- Company Registration Number:
- Tax ID: 12779091-2-42
- Representative: Bagó Terézia
- Phone Number: +36 30 383 9439
Postal Services, Delivery, Parcel Shipping
Data Processors: Packeta Hungary Kft.
- Company Name: Packeta Hungary Kft.
- Headquarters: 1044 Budapest, Ezred utca 2B2/11 building
- Company Registration Number: 01 09 202186
- Tax ID: 25140550241
- Representative:
- Phone Number: +36-1-400-880
- Email: invoice@packeta.hu
- Website: www.packeta.hu
CHAPTER III
DATA PROCESSING RELATED TO EMPLOYMENT RELATIONSHIPS
- Labor, Personnel Records:
- Only data necessary for establishing, maintaining, and terminating employment, as well as providing social welfare benefits and not violating the employee's rights, can be requested and recorded.
- The Company processes the following data based on the legitimate interests of the employer: name, birth name, date of birth, mother's name, address, citizenship, tax identification number, social security number, phone number, email address, ID card number, residence permit number, bank account number, online identifier (if applicable), start and end dates of employment, job position, educational and professional qualifications, CV, photo, etc.
- Handling Data of Job Applicants, Applications, Resumes:
- Personal data: name, date of birth, place of birth, mother's name, address, qualification details, photo, phone number, email address, employer's notes on the applicant.
- Purpose: Evaluation of applications and conclusion of a contract with the selected candidate. The applicant must be informed if not selected.
- Legal basis: Consent of the applicant.
- Data storage duration: Until the evaluation of the application. Personal data of unsuccessful applicants must be deleted, including those who withdrew their application.
- The employer can retain the applications only with the explicit, voluntary, and informed consent of the applicants, obtained after the recruitment process is completed.
CHAPTER IV
DATA PROCESSING RELATED TO CONTRACTS
Handling Data of Contracting Parties – Customers, Suppliers Register
- The Company processes the personal data of individuals who have contracted with it as customers or suppliers, based on the legal basis of contract performance, for the purposes of contract conclusion, execution, termination, and offering contractual benefits. The processed data includes the natural person's name, birth name, date of birth, mother's name, address, tax identification number, tax ID, entrepreneur and agricultural entrepreneur certificate numbers, ID card number, residence address, headquarters, contact address, phone number, email address, website address, bank account number, customer number (client number, order number), online identifier (customer and supplier lists, loyalty program lists). This data processing is considered lawful even if carried out before the contract is concluded, as part of steps taken at the request of the data subject. The recipients of personal data include employees responsible for customer service, accounting, tax-related tasks, and data processors. The duration of personal data processing is 5 years after the termination of the contract.
- The data subject must be informed before the start of data processing that it is based on the legal basis of contract performance, and this information can also be provided in the contract.
- The data subject must be informed about the transfer of their personal data to data processors.
Contact Information for Legal Entity Clients, Customers, and Natural Person Representatives of Suppliers
- The processed personal data includes the natural person's name, address, phone number, email address, and online identifier.
- The purpose of processing is to fulfill contracts with the Company's legal entity partners and to maintain business relationships; the legal basis is the consent of the data subject.
- The recipients of personal data are employees responsible for customer service tasks.
- The duration of personal data storage is up to 5 years after the end of the business relationship or of the data subject's role as representative.
Visitor Data Processing on the Company's Website
- Cookies:
- Cookies are short data files placed on the user's computer by the visited website to facilitate and enhance the user's experience. Two main types exist: temporary cookies (used for a single session, e.g., during secure online banking) and persistent cookies (e.g., language settings, remain until deleted). According to the European Commission's guidelines, cookies (except those essential for the service) can only be placed with the user's consent.
- For non-consent-required cookies, information should be provided during the first visit, either briefly summarizing the essence of the information or linking to the complete disclosure.
- Information on Cookie Usage:
- The Company uses cookies on its website, adhering to general internet practices. Cookies store user settings, enhance website usability, and collect information about users and their devices. Users can manage cookie settings in their browsers, and the most popular browsers' settings links are provided.
- Types of Cookies:
- Essential Session Cookies: Necessary for browsing the website and using its functions during a session. Automatically deleted after the session ends.
- Data Processed: IP address, browser type, device operating system characteristics, visit timestamp, visited page, function, or service.
- Legal Basis: Act CVIII of 2001 on Electronic Commerce and Information Services, Section 13/A(3).
- Purpose: Ensure proper website operation.
- Consent-Required Cookies:
- Usage-Facilitating Cookies:
- Legal Basis: User's consent.
- Purpose: Enhance service efficiency, improve user experience, and make website usage more comfortable.
- Storage Duration: 6 months.
- Performance-Ensuring Cookies (e.g., Google Analytics, Google AdWords):
- References: Google Analytics Cookie Usage, Google AdWords Cookie Usage
- Legal Basis: User's consent.
- Purpose: Increase service efficiency, improve user experience, make website usage more comfortable.
- Storage Duration: 6 months.
- General Information:
- Cookies are not inherently capable of identifying the user.
- Company's website uses:
- Essential session cookies.
- Consent-required cookies:
- Usage-facilitating cookies (with user consent): Purpose – increase service efficiency, enhance user experience; Storage duration – 6 months.
- Performance-ensuring cookies (with user consent): Google Analytics, Google AdWords; Storage duration – 6 months.
Disclaimer:
- The Company operates a Facebook page for promoting its products and services.
- No questions on the Facebook page are considered officially submitted complaints.
- The Company does not process personal data posted by visitors on the Facebook page.
- Visitors are subject to Facebook's Privacy and Service Terms.
- In case of illegal or offensive content, the Company may exclude the individual without prior notice or delete their comments.
- The Company is not responsible for content violating regulations or disruptions in Facebook's operation.
CHAPTER V
DATA PROCESSING BASED ON LEGAL OBLIGATIONS
Data Processing for Fulfillment of Tax and Accounting Obligations
(1) The Company processes the data of natural persons who enter into a business relationship with it as customers or suppliers based on the legal obligation of fulfilling tax and accounting obligations (bookkeeping, taxation). The processed data include, especially based on Act CXXVII of 2017 on Value Added Tax: tax number, name, address, tax status; based on Act C of 2000 on Accounting: name, address, identification of the person or organization ordering the economic transaction, signature of the authorizer, and the signature of the auditor, depending on the organization; based on Act CXVII of 1995 on Personal Income Tax: entrepreneur identification number, self-employed identification number, tax identification number.
(2) The storage period for personal data is 8 years after the termination of the legal relationship that justifies the data processing.
(3) Recipients of personal data: Company's employees and data processors responsible for tax, accounting, payroll, and social security tasks.
Payer Data Processing
(1) The Company processes the personal data of individuals (employees, family members, other benefit recipients) with whom it has a payer relationship for the purpose of fulfilling legal tax and contribution obligations (determination of taxes, payroll, social security administration) based on legal obligation.
(2) The storage period for personal data is 8 years after the termination of the legal relationship that justifies the data processing.
(3) Recipients of personal data: Company's employees and data processors responsible for tax, payroll, and social security (payer) tasks.
Data Processing for Compliance with Anti-Money Laundering Obligations
(1) The Company processes the data of its clients, their representatives, and ultimate beneficial owners for the purpose of preventing and combating money laundering and terrorism financing, as defined in Act LIII of 2017 (Pmt.). In the case of a natural person: a) surname and forename, b) birth surname and forename, c) nationality, d) place and date of birth, e) mother's maiden name, f) address or, if different, place of residence, g) type and number of identity document, number of the official ID certifying residence, and a copy of the documents presented.
(2) Recipients of personal data: Company's employees responsible for customer service tasks, Company's manager, and the person designated by the Company according to Pmt.
(3) The storage period for personal data: 8 years from the termination of the business relationship or the completion of the transaction. (Pmt. 56.§(2))
CHAPTER VI
SUMMARY INFORMATION ABOUT THE RIGHTS OF THE DATA SUBJECT
In this chapter, we briefly summarize the rights of the data subject for clarity and transparency. Detailed information on exercising these rights is provided in the following chapter.
- Right to Pre-Information:
- The data subject has the right to receive information about the facts and details related to data processing before it begins.
- Right of Access:
- The data subject has the right to know if their personal data is being processed and, if so, to access the data and related information.
- Right to Rectification:
- The data subject can request the correction of inaccurate personal data without undue delay.
- Right to Erasure ("Right to be Forgotten"):
- The data subject has the right to request the deletion of their personal data under certain conditions.
- Right to Restriction of Processing:
- The data subject can request the limitation of data processing under certain conditions.
- Notification Obligation regarding Rectification or Erasure of Personal Data:
- The data controller must inform recipients of any rectification, erasure, or processing restriction of personal data, upon the data subject's request.
- Right to Data Portability:
- Under certain conditions, the data subject can receive their personal data in a structured, commonly used, machine-readable format and transmit it to another data controller.
- Right to Object:
- The data subject can object to the processing of personal data based on specific legal grounds.
- Automated Individual Decision-Making, including Profiling:
- The data subject has the right not to be subject to decisions based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects them.
- Limitations:
- Legislative measures may restrict the rights and obligations established in Articles 12–22 and Article 34 of the Regulation.
- Right to be Informed of a Personal Data Breach:
- The data controller must promptly inform the data subject if a personal data breach is likely to result in a high risk to the rights and freedoms of individuals.
- Right to Lodge a Complaint with a Supervisory Authority:
- The data subject has the right to lodge a complaint with a supervisory authority if they believe that the processing of their personal data violates the Regulation.
- Right to an Effective Judicial Remedy against a Supervisory Authority:
- Every natural or legal person has the right to an effective judicial remedy against a legally binding decision of a supervisory authority.
- Right to an Effective Judicial Remedy against the Data Controller or Processor:
- Every data subject has the right to an effective judicial remedy if they consider that their rights under the Regulation have been infringed as a result of non-compliance with its provisions by the data controller or processor.
CHAPTER VII
DETAILED INFORMATION ON THE RIGHTS OF THE DATA SUBJECT
Right to Prior Information
The data subject is entitled to receive information about the facts and details related to data processing before the commencement of data processing.
A) Information to be Provided if Personal Data is Collected from the Data Subject
If personal data is collected from the data subject, the data controller shall provide the following information at the time of obtaining personal data:
a) The identity and contact details of the data controller and, if applicable, the data controller's representative;
b) Contact details of the data protection officer, if applicable;
c) The purpose of the intended processing of personal data and the legal basis for the processing;
d) In the case of processing based on Article 6(1)(f) (legitimate interests), the legitimate interests pursued by the data controller or a third party;
e) Where applicable, the recipients or categories of recipients of the personal data;
f) Where applicable, whether the data controller intends to transfer personal data to a third country or international organization, including the existence or absence of a Commission adequacy decision, or in the case of a data transfer mentioned in Article 46, 47, or the second subparagraph of Article 49(1) of the Regulation, the indication of the appropriate and suitable safeguards, as well as the means to obtain a copy of them or where they are available.
In addition to the information mentioned in point 1, the data controller shall, at the time of obtaining personal data, provide the data subject with the following additional information to ensure fair and transparent data processing:
a) The duration of the storage of personal data or, if not possible, the criteria used to determine that period;
b) The right of the data subject to request access to, correction, deletion, or restriction of processing of their personal data, and the right to object to such processing, as well as the right to data portability;
c) The right to withdraw consent at any time, where the processing is based on Article 6(1)(a) (consent) or Article 9(2)(a) (consent), without affecting the lawfulness of processing based on consent before its withdrawal;
d) The right to lodge a complaint with a supervisory authority;
e) Whether the provision of personal data is a statutory or contractual requirement or a requirement necessary to enter into a contract, whether the data subject is obliged to provide the personal data, and the possible consequences of failure to provide such data;
f) The fact of automated decision-making, including profiling, referred to in Article 22(1) and (4), and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
If the data controller intends to carry out further processing of personal data for a purpose other than the one for which the personal data were collected, the data controller shall inform the data subject of that different purpose and any relevant additional information referred to in point 2 before further processing.
Points 1 to 3 shall not apply where and insofar as the data subject already has the information.
(Article 13 of the Regulation)
B) Information to be Provided if Personal Data are not Obtained from the Data Subject
If personal data are not obtained from the data subject, the data controller shall provide the following information to the data subject:
a) The identity and contact details of the data controller and, if applicable, the data controller's representative;
b) Contact details of the data protection officer, if applicable;
c) The purpose of the intended processing of personal data and the legal basis for the processing;
d) The categories of personal data concerned;
e) The recipients or categories of recipients of the personal data, if any;
f) Where applicable, whether the data controller intends to transfer personal data to a third country or international organization, including the existence or absence of a Commission adequacy decision, or in the case of a data transfer mentioned in Article 46, 47, or the second subparagraph of Article 49(1) of the Regulation, the indication of the appropriate and suitable safeguards, as well as the means to obtain a copy of them or where they are available.
In addition to the information mentioned in point 1, the data controller shall provide the data subject with the following additional information necessary to ensure fair and transparent data processing:
a) The duration of the storage of personal data or, if not possible, the criteria used to determine that period;
b) If the processing is based on Article 6(1)(f) (legitimate interest), the legitimate interests pursued by the data controller or a third party;
c) The right of the data subject to request access to, correction, deletion, or restriction of processing of their personal data, and the right to object to such processing, as well as the right to data portability;
d) The right to withdraw consent at any time, where the processing is based on Article 6(1)(a) (consent) or Article 9(2)(a) (consent), without affecting the lawfulness of processing based on consent before its withdrawal;
e) The right to lodge a complaint with a supervisory authority;
f) The source of the personal data and, if applicable, whether the data comes from publicly accessible sources;
g) The fact of automated decision-making, including profiling, referred to in Article 22(1) and (4), and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
The data controller shall provide the information referred to in points 1 and 2:
a) Taking into account the specific circumstances of the processing of personal data, within a reasonable period from the time of obtaining personal data, but no later than one month;
b) If personal data are used for communication with the data subject, at the latest at the time of the first contact with the data subject; or
c) If disclosure to another recipient is expected, at the latest when the personal data are first disclosed.
If the data controller intends to carry out further processing of personal data for a purpose other than the one for which the personal data were collected, the data controller shall inform the data subject of that different purpose and any relevant additional information referred to in point 2 before further processing.
Points 1 to 5 shall not apply where and insofar as:
a) The data subject already has the information;
b) The provision of such information proves impossible or would involve a disproportionate effort, especially for processing for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes, taking into account the conditions and guarantees set forth in Article 89 of the Regulation, or if the obligation referred to in point 1 would likely render impossible or seriously impair the achievement of the objectives of such processing. In such cases, the data controller shall take appropriate measures, including the public disclosure of information, to protect the rights, freedoms, and legitimate interests of the data subject;
c) The processing is required by Union or Member State law to which the data controller is subject, and which provides for suitable measures to safeguard the data subject's legitimate interests; or
d) The personal data must remain confidential subject to an obligation of professional secrecy regulated by Union or Member State law, including a statutory duty of secrecy.
Right to erasure ("right to be forgotten"):
The data subject is entitled to request the Controller to erase without undue delay personal data concerning him or her, and the Controller is obliged to erase without undue delay the personal data concerning the data subject if one of the following reasons applies:
a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
b) the data subject withdraws consent on which the processing is based according to Article 6(1)(a) or Article 9(2)(a) and there is no other legal ground for the processing;
c) the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);
d) the personal data have been unlawfully processed;
e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
f) the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).
If the controller has made the personal data public and is obliged to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
Paragraphs 1 and 2 shall not apply to the extent that processing is necessary:
a) for exercising the right of freedom of expression and information;
b) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
c) for reasons of public interest in the area of public health in accordance with Article 9(2)(h) and (i) as well as Article 9(3);
d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
e) for the establishment, exercise or defense of legal claims.
(Article 17 of the Regulation)
Right to restriction of processing:
The data subject has the right to obtain from the Controller restriction of processing where one of the following applies:
a) the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
b) the processing is unlawful, and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
c) the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defense of legal claims; or
d) the data subject has objected to processing pursuant to Article 21(1) pending the verification whether the legitimate grounds of the controller override those of the data subject.
Where processing has been restricted under paragraph 1, such personal data shall, with the exception of storage, only be processed with the data subject's consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
A data subject who has obtained restriction of processing pursuant to paragraph 1 shall be informed by the controller before the restriction of processing is lifted.
(Article 18 of the Regulation)
Right to data portability:
The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:
a) the processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) or on a contract pursuant to point (b) of Article 6(1); and
b) the processing is carried out by automated means.
In exercising his or her right to data portability pursuant to paragraph 1, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible. The exercise of the right referred to in paragraph 1 of this Article shall be without prejudice to Article 17. That right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
The right referred to in paragraph 1 shall not adversely affect the rights and freedoms of others.
(Article 20 of the Regulation)
Right to object
The data subject has the right to object at any time to the processing of personal data based on Article 6(1)(e) (the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority) or (f) (the processing is necessary for the purposes of the legitimate interests pursued by the data controller or a third party) of the Regulation, including profiling based on those provisions. In this case, the data controller shall not process the personal data unless it demonstrates compelling legitimate grounds for the processing that override the interests, rights, and freedoms of the data subject, or for the establishment, exercise, or defense of legal claims.
If the processing of personal data is carried out for direct marketing purposes, the data subject has the right to object at any time to the processing of personal data concerning them for such marketing, including profiling related to such direct marketing. If the data subject objects to the processing of personal data for direct marketing purposes, the personal data shall no longer be processed for such purposes.
The right referred to in points 1 and 2 shall be explicitly brought to the attention of the data subject at the latest at the time of the first communication with the data subject and shall be presented clearly and separately from any other information.
In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the data subject may exercise their right to object by automated means using technical specifications.
Where personal data is processed for scientific or historical research purposes or statistical purposes pursuant to Article 89(1) of the Regulation, the data subject shall have the right to object to the processing of personal data concerning them on grounds relating to their particular situation, except where the processing is necessary for the performance of a task carried out for reasons of public interest.
(Article 21 of the Regulation)
Automated individual decision-making, including profiling
The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them. Point 1 shall not apply if the decision:
a) is necessary for the entering into or performance of a contract between the data subject and the data controller;
b) is authorized by Union or Member State law to which the data controller is subject and which also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests; or
c) is based on the data subject's explicit consent.
In the cases referred to in points a) and c), the data controller shall implement suitable measures to safeguard the data subject's rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express their point of view, and to contest the decision. Decisions referred to in point 2 shall not be based on special categories of personal data referred to in Article 9(1) unless point a) or g) of Article 9(2) applies and suitable measures to safeguard the data subject's rights and freedoms and legitimate interests are in place.
(Article 22 of the Regulation)
Limitations
Union or Member State law to which the data controller or processor is subject may restrict, by legislative measures, the scope of the obligations and rights provided for in Articles 12 to 22, as well as Article 34, where such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard:
a) national security;
b) defense;
c) public security;
d) the prevention, investigation, detection, or prosecution of criminal offenses or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security;
e) other important objectives of general public interest of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, including monetary, budgetary, and taxation matters, public health and social security;
f) the protection of the independence of the judiciary and judicial proceedings;
g) the prevention, investigation, detection, and prosecution of breaches of ethics for regulated professions;
h) a monitoring, inspection, or regulatory activity connected, even occasionally, to the exercise of official authority in the cases referred to in points a) to e) and g);
i) the protection of the data subject or the rights and freedoms of others;
j) the enforcement of civil claims.
k) Where the measures referred to in point 1 relate to processing for the purposes referred to in Article 89(1) for scientific or historical research purposes or statistical purposes, the controller shall, at the time of the request, provide information on the envisaged period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
l) the purposes of the processing or categories of processing;
m) the categories of personal data;
n) the scope of the restrictions introduced;
o) the safeguards to prevent abuse or unlawful access or transfer;
p) the specification of the controller or categories of controllers;
q) the storage period and the applicable safeguards, taking into account the nature, scope, and purposes of the processing or categories of processing;
r) the risks to the rights and freedoms of data subjects; and
s) the right of data subjects to be informed about the restriction, unless this may be detrimental to the purpose of the restriction.
(Article 23 of the Regulation)
Information to the data subject about the data breach
Where a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the data controller shall, without undue delay, notify the data subject of the personal data breach. The notification referred to in point 1 shall at least:
a) describe the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
b) communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
c) describe the likely consequences of the personal data breach;
d) describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
The data subject shall not be informed if:
a) the data controller has implemented appropriate technical and organizational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorized to access it, such as encryption;
b) the data controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects referred to in point 1 is no longer likely to materialize;
c) it would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.
If the data controller has not notified the data subject of the personal data breach, the supervisory authority, after considering the likelihood that the personal data breach will result in a high risk, may require the data controller to inform the data subject or may decide that one or more conditions referred to in point 3 are met.
Article 34
Right to lodge a complaint with the supervisory authority
Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of their habitual residence, place of work, or the place of the alleged infringement, if the data subject considers that the processing of personal data relating to them infringes this Regulation. The supervisory authority with which the complaint has been lodged shall inform the complainant of the progress and the outcome of the complaint, including the possibility of a judicial remedy pursuant to Article 78.
Article 77
Right to an effective judicial remedy against a supervisory authority
Without prejudice to any other administrative or non-judicial remedy, every natural or legal person shall have the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning them. Without prejudice to any other administrative or non-judicial remedy, every data subject shall have the right to an effective judicial remedy where the supervisory authority does not handle a complaint or does not inform the data subject within three months on the progress or outcome of the complaint under Article 77.
Proceedings against a supervisory authority shall be brought before the courts of the Member State where the supervisory authority is established. Where proceedings are brought against a decision of the supervisory authority which was preceded by an opinion or a decision of the Board in the consistency mechanism, the supervisory authority shall forward that opinion or decision to the court.
Article 78
Right to an effective judicial remedy against a controller or processor
Without prejudice to any other administrative or non-judicial remedy, every data subject shall have the right to an effective judicial remedy where they consider that their rights under this Regulation have been infringed as a result of the processing of their personal data in non-compliance with this Regulation.
Proceedings against the controller or processor shall be brought before the courts of the Member State where the controller or processor has an establishment. Alternatively, such proceedings may be brought before the courts of the Member State where the data subject has his or her habitual residence, unless the controller or processor is a public authority acting in the exercise of its public powers.
Article 79
Presentation of the request of the data subject, actions by the controller
The controller shall inform the data subject of the actions taken in response to their request without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. If the data subject has submitted the request by electronic means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.
If the controller does not take action on the request of the data subject, the controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.
The information and any action taken under Articles 13 and 14 and Articles 15 to 22 and 34 shall be provided free of charge. Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either:
a) charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or
b) refuse to act on the request.
The controller shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request. Where the controller has reasonable doubts concerning the identity of the natural person making the request, the controller may request the provision of additional information necessary to confirm the identity of the data subject.
Chapter VIII
PRESENTATION OF THE DATA SUBJECT'S REQUEST, ACTIONS BY THE DATA CONTROLLER
The Data Controller shall promptly, and in any case within one month from the receipt of the request, inform the data subject about the measures taken in response to their request for the exercise of their rights. If necessary, taking into account the complexity of the request and the number of requests, this period may be extended by an additional two months. The Data Controller shall inform the data subject of the extension within one month of receiving the request, indicating the reasons for the delay. If the data subject has submitted the request electronically, the information shall, if possible, be provided electronically unless the data subject requests otherwise.
If the Data Controller does not take measures in response to the data subject's request, the data subject shall be informed without delay and no later than one month from the receipt of the request about the reasons for the lack of action and the possibility for the data subject to lodge a complaint with a supervisory authority and to exercise their right to judicial remedy.
The Data Controller shall provide information and actions free of charge in accordance with Articles 13 and 14 and Articles 15 to 22 and 34. If the data subject's request is clearly unfounded or, especially due to its repetitive nature, excessive, the Data Controller, taking into account the costs of providing the information or communication or taking the action requested:
a) may charge a fee of HUF 6,350, or
b) may refuse to take action on the request.
The burden of proving the clearly unfounded or excessive nature of the request lies with the Data Controller. If the Data Controller has reasonable doubts about the identity of the natural person submitting the request, additional information necessary to confirm the identity of the data subject may be requested.