Privacy policy

rivacy Policy

(Effective from: 1 August 2024)

GreenStone Consulting Kft. (hereinafter referred to as: "Service Provider" or "Data Controller") shall act in accordance with this Data Processing Policy (hereinafter: "Policy") in the course of its data processing activities in relation to the personal data processed in relation to the user (hereinafter referred to as the "Data Subject") who visits and uses the https://sentovivo.eu/ website (hereinafter referred to as the "Website") and purchases the product available on the Website (hereinafter referred to as: "Data Subject").

1. General provisions:

1.1 The Data Controller

  • name: GreenStone Consulting Ltd.

  • Registered office: 1025 Budapest, Zöldkő utca 26-64. H. ép. Door 4

  • Company registration number: 01-09-421671

  • Tax number: 32391789-2-41

  • Contact details:


1.2 The hosting provider

  • name: Rackforest Zrt.

  • registered office: 1132 Budapest, Victor Hugo utca 11. 5th floor, B05001. door

  • Contact: info@rackforest.hu

  • Website: https://rackforest.com/kapcsolat/

1.3 Purpose of the Policy

The purpose of the Policy is to ensure the protection of the personal data of the natural persons concerned, the respect of the privacy of the data subjects and their right to informational self-determination regarding their personal data, and to ensure the security of the data against accidental or intentional destruction, alteration, damage, disclosure or unauthorized persons by complying with the following rules on the processing of personal data access to the EU.

The purpose of the Policy is also to inform the data subjects about the facts, rights and obligations related to the method of data processing and data processing by the Service Provider before the start of data processing. To this end, the Service Provider shall make this Policy continuously available to the data subjects on the Website (see Section 1.1).

By acknowledging the provisions of this Policy and by giving the consent before the purchase, the data subject accepts the data processing of the Service Provider in accordance with these Rules and consents to the Service Provider processing the data subject's specified personal data in accordance with the terms of this Policy.

1.4 Scope of the Policy

The material scope of the Policy covers all personal data managed by the Service Provider / processed by the data processor, regardless of the place, time and form of processing.

The personal scope of the Policy extends to the data subject, the Service Provider, as well as any external data processor involved in data processing by the Service Provider in the course of the data processing activity of the Service Provider, as well as to all contractual partners and employees of the Service Provider.

1.5 Legal background of the Rules

  • General Data Protection Regulation (GDPR): Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 94/46/EC

  • Information Act: Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information

1.6 Table summarizing data processing

Purpose of data processing

Scope of processed data

Legal basis for data processing

Duration of data processing

Processing

data processing related to the purchase of the product on the Website and the provision of services

(placing and processing the order)

Email address

telephone number

surname

first name

the processing is necessary for the performance of a contract to which the data subject is a party or for taking steps at the request of the data subject prior to the conclusion of the contract

[Article 6(1)(b) of the GDPR]

5 years (up to the limitation period under civil law)

iLogistic Logistics Ltd.

data processing related to the purchase of the product on the Website and the provision of services

(online payment)

bank card details (card number, expiry date, security code, name on the card)

Until the online payment is made

Stripe Inc.

Stripe Payments Europe Limited

data processing related to the purchase of the product on the Website and the provision of services

(freight transport)

Delivery address (country/region; postal code; city; address; building, floor, door)

5 years (up to the limitation period under civil law)

iLogistic Logistics Ltd.

GLS General Logistics Systems Hungary Kft.

or

Magyar Posta Zrt.

or

FoxPost Zrt.

depending on the supplier selected by the buyer

Maintaining contact with the data subject in the course of service provision

surname

first name

telephone number

Email address

5 years (up to the limitation period under civil law)

iLogistic Logistics Ltd.

Stripe Inc.

Stripe Payments Europe Limited

Fulfilment of the obligation to provide documentation (issuing invoices)

surname

first name

Billing address

(country/region; postal code; city; address; building, floor, door)

the data processing is necessary for the fulfilment of a legal obligation to which the Service Provider is subject;

[Article 6(1)(c) of the GDPR]

for 8 (years) from the date of issue of the receipt (invoice)

[Section 169 of Act C of 2000 on Accounting]

KBOSS.hu Ltd. (számlázz.hu)

sending newsletters,

Direct Marketing

surname

first name

Email address

Consent of the data subject

[Article 6(1)(a) of the GDPR]

until the goal is achieved, but no more than until the withdrawal of consent

Adamic Digital Ltd.

Managing warranty claims

(Protocol, Receipt Issue)

surname

first name

address

a statement that the buyer consents to the processing of the data included in the report in accordance with the law

Date of performance of the contract

Time of reporting the error

the right that the buyer wishes to enforce

the manner in which the warranty claim is settled, or the reason for rejecting the claim or the right to be enforced on the basis of the claim

Data required to identify the product

Date of receipt of the product

the data processing is necessary for the fulfilment of a legal obligation to which the Service Provider is subject;

[Article 6(1)(c) of the GDPR;

Decree No. 19/2014 (IV.29.) Sections 4 (1) and 6 (1) of the Ministry of National Economy]

3 years

[Fgytv. 17/A.§ (7) bek.]

iLogistic Logistics Ltd.

Handling other consumer complaints

surname

first name

telephone number

Email address

Content of the complaint

Complaint:

consent of the data subject [Article 6(1)(a) of the GDPR]

Complaint handling:

the data processing is necessary for the fulfilment of a legal obligation to which the Service Provider is subject;

[Article 6(1)(c) of the GDPR; Act CLV of 1997 on Consumer Protection ("Consumer Protection Act")

3 years

[Fgytv. 17/A.§ (7) bek.]

iLogistic Logistics Ltd.

Justification of the data subject's consent

Date of consent

IP address of the data subject

the data processing is necessary for the fulfilment of a legal obligation to which the Service Provider is subject;

[Article 6(1)(c) of the GDPR; Article 7(1)]

5 years (up to the limitation period under civil law)

iLogistic Logistics Ltd.

to monitor the use of the Website by the data subject in order to improve the quality of the Website

Name of the data subject

Your email address

Telephone number

IP address

the processing is necessary for the performance of a contract to which the data subject is a party or for taking steps at the request of the data subject prior to the conclusion of the contract

[Article 6(1)(b) of the GDPR]

2 years

Shopify Ltd.

1.6 Principles of data processing

In the course of its data processing activities, the Service Provider ensures that the Hungarian and European Union legal requirements for the processing of personal data are enforced at all times, namely:

  • the processing of personal data is lawful and fair and transparent to the data subject (principles of lawfulness, fairness and transparency);

  • the collection and processing of personal data may only take place for a clear and legitimate purpose (principle of purpose limitation);

  • the data collected must be adequate, relevant and limited to what is necessary for the purposes of the processing (principle of data minimisation);

  • the personal data must be accurate, up-to-date if necessary, and inaccurate data must be erased or clarified without delay (principle of accuracy);

  • the storage of personal data may only take place for the period necessary to achieve the purpose of the processing (principle of limited storage);

  • the Service Provider ensures the appropriate level of security of personal data by applying appropriate technical and organizational measures, protection against unauthorized or unlawful processing, accidental loss, destruction or damage to data (principles of integrity and confidentiality);

  • the Service Provider shall maintain a data management system at all times with the help of which it is able to verify that its data processing activities comply with the above principles (principle of accountability).

1.7 Legal basis for data processing

In the course of its data processing activities, the Service Provider processes only such personal data for the lawful processing of which it has (i) the prior consent of the data subject or (ii) legal authorisation.

The data subject has the right to withdraw his or her consent at any time, however, this does not affect the lawfulness of the processing based on consent before its withdrawal. The Service Provider may continue data processing even after the withdrawal of the consent, if it is authorised to do so by law, in particular if it is necessary for the fulfilment of its contractual or other legal obligations or for the purpose of enforcing the Service Provider's legitimate interest.

Data processing is carried out on the basis of a statutory authorisation, in particular if:

  • the processing is necessary for the performance of a contract to which the data subject is a party or for the performance of steps taken at the request of the data subject prior to the conclusion of the contract [Article 6(1)(b) of the GDPR];

  • the processing is necessary for the fulfilment of a legal obligation to which the Service Provider is subject (e.g. obligation to provide documentation or to pay taxes) [Article 6(1)(c) of the GDPR];

  • the processing is necessary for the purposes of the legitimate interests pursued by the Service Provider – or by a third party, unless such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular if the data subject is a child [Article 6(1)(f) of the GDPR].

1.8 Sources of data collection

The Service Provider obtains the data managed by it directly from the data subject.

1.9 Purpose of data processing

The Service Provider processes the personal data of the data subject in order to provide the Service Provider's services, to improve the quality of the services, to fulfil the Service Provider's contractual obligations, and within the framework of its legal obligations, for the purposes specified in the table set out in Section 1.6.

2. Categories of data subjects and personal data:

2.1 Data processing related to data subjects purchasing products on the Website

The data processing activities of the Service Provider in relation to the data subjects are limited to the data specified in detail in the table set out in Section 1.6 and are subject to the purposes specified therein.

The Service Provider collects only such data of the data subject that are relevant for the provision of services to the data subject and for maintaining contact with the data subject in this context. If the data subject provides additional data about himself or herself, the data processing also covers these data, and the legal basis for the processing of such data is the explicit consent of the data subject in accordance with the law.

The Service Provider is not able to verify the veracity and accuracy of the data provided by the data subject on the Website, the person providing the data (the data subject) is solely responsible for these.

In the case of the data subject's separate consent in accordance with the law, the Service Provider may use the personal data specified (name, e-mail address) for subsequent marketing activities (direct marketing, newsletter) in addition to the specific provision of services. The data subject may withdraw the consent at any time without justification or restriction on the Website or by sending an e-mail to the Service Provider (Section 1.1).

The Service Provider is entitled to share the personal data of the data subject with the data processors specified in Section 3.2.

2.2 Data processing related to the users of the Website

The users of the Website, most often those interested in the services of the Service Provider, also provide data while browsing the Website. The data processing activity of the Service Provider in relation to the users of the Website is limited to the IP address of the data subject, and in the case of the use of cookies, to the data necessary for the tracking of internet user habits/behaviour. The purpose of such data processing is to monitor the internet habits/behaviour of visitors to the Website in order to expand the economic and business activities of the Service Provider, and to protect against cyber attacks from time to time. The legal basis of data processing is the legitimate interest of the Service Provider.

2.3 Use of Cookies/Cookies

The Service Provider's website also uses so-called cookies. Cookies are small data packets, text files that are placed in the visitor's browser or device during a visit to a particular website or application. Cookies allow the website to recognize the visitor on the next visit, and thus provide security and convenience functions and improve the user experience while browsing the site. It is almost impossible to link the data set recorded by the cookies to the person of the user, however, the Service Provider considers it important to provide information about the fact that cookies also provide certain data about the visitors of the Website, in order to ensure the functionality of the Website and to measure visitor data. There are several types of cookies.

Essential session (session-id) cookies

They are essential for navigating the Website, for the operation of key functions of the Website and for accessing protected content. These cookies do not collect information that could be used for marketing purposes or that remembers what other websites the visitor has visited. After closing the Website, these cookies are automatically deleted and the session is closed. If the visitor does not accept these cookies, the Website or parts of it may not be displayed or may be displayed incorrectly, making it impossible to use the Website or fill in forms. These cookies can be used lawfully even without the consent of the data subject based on the legitimate interest of the Service Provider.

Cookies for statistical purposes

These cookies are related to the performance, development and improvement of the user experience of the website, and allow the website operator to collect data on how users use the website. The information they collect relates to which part of the page the visitor clicked on, how many websites or pages they visited, how long each session was viewed, what error messages were received, etc. We also distinguished between persistent and session cookies among cookies for statistical purposes, depending on how long they are stored in the visitor's browser or device. Cookies for statistical purposes are placed on the user's devices while browsing a given website, and their use requires the consent of the data subject.

Advertising cookies

The purpose of these cookies is to display advertisements on websites that are relevant to the given visitor. These cookies collect information such as which page the visitor viewed, which part of the website they clicked on, how many websites they visited, in order to display content that is of interest to the visitor. The placement of advertising cookies also requires the consent of the data subject.

Social media sütik

The purpose of these cookies is to provide the visitor with the social media services used on the websites, for example, when the visitor shares content from a website on Facebook or other social media service interfaces, or when the content stored by the social media provider is displayed on the site through plug-ins (add-ons) provided by the social media provider. Social media service providers may collect data through cookies about how the visitor uses the services provided by the social media service provider, what content is shared, all in order to display content of interest to the visitor, so the consent of the data subject is also required for their operation.

Other third-party third-party cookies

In addition to the above, the operators of other services that do not have a contractual relationship with the operator of the website may also place cookies on the website, completely independent of the operator of the website, in order to ensure their own operation. Such cookies are cookies that belong to a domain other than the domain of the website visited by the user, regardless of whether this organization is an independent data controller or not.

Google Analytics is a so-called third-party cookie developed by Google, Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) and used worldwide, which registers the activity of users on the website anonymously, i.e. without identifying or identifying the individual user. With the help of Google Analytics, the Service Provider may receive visitor information and statements that may help to further develop the Service Provider's website and services. Such data may include the number of visitors to the website; information about where the visitor came from, from what other website, and in what way; which pages of the website were viewed, in what order, etc.

The user can block/disable cookies on their own computer, but in this case they must take into account that many functions of the visited website, or even the entire website, will not be available or usable until the use of cookies is re-enabled.

2.4 Data processing related to sending letters/e-mails

If the data subject sends a letter to the Service Provider on the Service Provider's Website or in any other way, this also means the data subject's voluntary consent to the Service Provider processing the personal data provided in the message/letter with regard to the subject of the request, for the time necessary for the fulfillment/management of the contents of the request, and to contact the Service Provider at the contact details provided.

3. Data transfer abroad, data processing, scope of those who get to know the data:

3.1 The Service Provider forwards the personal data specified in Table 1.6 to the data processors specified in Section 3.3 (i)-(iii) as a third party with a registered office abroad, for the purposes specified therein. The data processors process the personal data received in accordance with their own privacy policies, which can be accessed via the links referred to in Section 3.3.

3.2 In order to carry out certain tasks related to data processing operations, the Service Provider shall only involve data processors in the data processing activities – in accordance with the terms and conditions of a separate individual data processing agreement concluded with each partner – which provide adequate guarantees for their expertise, reliability and resources at their disposal to ensure the implementation of technical and organisational measures ensuring the fulfilment of the data security and other requirements of the GDPR properly implemented.

3.3 Data processors employed by the Service Provider:

(i) Stripe Inc.

székhely: 94080 California, South San Francisco, 354 Oyster Point Boulevard, USA
Website: https://stripe.com/en-hu/privacy

(ii) Stripe Payments Europe Limited

székhely: 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, D02 H210, Ireland
Website: https://stripe.com/en-hu/privacy

(iii) Shopify International Ltd.

címe: Attn: Data Protection Office c/o Intertrust Ireland 2nd Floor 1-2 Victoria Buildings Haddington Road Dublin 4, D04 XN32 Ireland
Website (Privacy Policy): https://www.shopify.com/legal/privacy

(iv) Logistic Logistics Ltd.

address (headquarters): 2051 Biatorbágy, Verebély László utca 2.
Company registration number: 13-09-185133
Tax number: 13737467-2-13
e-mail: sales@ilogistic.hu
Website: www.ilogistic.hu

(v) Adamic Digital Ltd.

address (headquarters): 2636 Tésa, Petőfi utca 16.
Company registration number: 13-09-144010
Tax number: 23127584213
e-mail: renata.pastyik@adamic.hu
Website: https://adamic.hu/

(vi) GLS General Logistics Systems Hungary Kft.

Registered office: 2351 Alsónémedi, GLS Európa utca 2.
Company registration number: 13-09-111755
Tax number: 12369410-2-44
Availability: https://gls-group.com/HU/hu/kontakt/elerhetoseg/
Website (Privacy Policy): https://gls-group.com/HU/hu/adatkezelesi-tajekoztato/

(vii) Magyar Posta Zrt.

Registered office: 1138 Budapest, Dunavirág utca 2-6.
Company registration number: 01-10-042463
Tax number: 10901232-4-44
Availability: https://www.posta.hu/ugyfelszolgalat
Website (Privacy Policy): https://www.posta.hu/adatkezelesi_tajekoztato

(viii) FoxPost Zrt.

registered office: 3300 Eger, Maklári út 119.
Company registration number: 10-10-020309
Tax number: 25034644-2-10
Availability: https://foxpost.hu/kapcsolat
Website (Privacy Policy): https://foxpost.hu/altalanos-szerzodesi-feltetelek

(ix) KBOSS.hu Ltd. (számlázz.hu)

Registered office: 1031 Budapest, Záhony utca 7.
Company registration number: 01-09-303201
Tax number: 13421739-2-41
Availability: https://foxpost.hu/kapcsolat
Website (Privacy Policy): https://www.szamlazz.hu/adatvedelem/

The data processors carry out the data processing activities entrusted to them on behalf of the Service Provider as data controller. After the completion of the data management service, the data processor deletes or returns all personal data to the data controller based on the decision of the data controller, unless otherwise provided by law.

4. Transfer of data to third countries, automated decision-making and profiling:

4.1 The Service Provider transfers personal data to Stripe Inc., a third-country data processor, in accordance with the table in section 1.6, in order to execute the online payment.

4.2 In the case of the data processing specified above, neither automated decision-making nor profiling takes place.

5. Technical and organizational measures to ensure the security of data processing:

5.1 Pursuant to Article 32 (1) of the GDPR, the Service Provider as data controller and the data processors used are obliged to implement appropriate technical and organisational measures in order to guarantee a level of data security appropriate to the extent of the risks of data processing. In doing so, the Data Controller shall pay special attention to the risks arising from the accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to the personal data processed, stored or transmitted.

5.2 The Data Controller declares that it has taken appropriate security measures to protect the personal data against unauthorized access, alteration, transmission, disclosure, deletion or destruction, as well as accidental destruction and damage, as well as inaccessibility due to changes in the technology used.

    1. The Data Controller shall take the following technical/organisational measures:

5.3.1 The data controller shall ensure the IT environment used for the processing of personal data during the provision of the service in such a way that:

  • connect the personal data provided by the data subject only and exclusively with the data and in the manner specified in this policy,

  • ensures that only those employees of the data controller have access to personal data who are absolutely necessary for the performance of their duties arising from their professional obligations.

5.3.2 Within the scope of its tasks related to IT protection, the Data Controller shall take care of, in particular:

  • measures to protect against unauthorised access, including the protection of software and hardware devices, as well as physical protection (access protection, network protection);

  • the protection of data files against viruses (virus protection);

  • the physical protection of data files and the devices carrying them, including protection against fire damage, water damage, lightning strikes and other elemental damage, as well as the restorability of damage caused by such events (archiving, fire protection).

5.3.3 In order to ensure the security of personal data stored on the computer or on the network, the Data Controller applies the following measures:

  • all computers used in the course of data processing are owned by the data controller or have the same rights as ownership;

  • access to the computer and the data available on it may only be done with a valid, identifiable right (the name of the person entitled to it and a unique password); passwords that provide access are changed regularly;

  • the data stored on the data controller's network server machine (server) may only be accessed with valid and appropriate permissions; all data can only be accessed by the persons designated for its processing, and at the same time, by using the available IT tools, it prevents any unauthorized persons from accessing the server or network;

  • the files containing the data will be irretrievably deleted after the fulfilment of the purposes of data processing, or if the deadline for data processing has expired or their legal basis has ceased to exist;

  • The data controller ensures the continuous and effective virus protection of the network.

6. Procedure in the event of a personal data breach:

If, despite the above data processing practices, a data protection incident should occur among the data processed by the Service Provider, and if the incident is likely to entail a high risk to the rights and freedoms of the data subjects, the Service Provider shall report the incident to the supervisory authority without undue delay after becoming aware of it, but no later than within 72 hours. At the same time, the Service Provider shall inform the affected parties about the incident, indicating the probable consequences of the incident and the measures taken or planned to remedy or mitigate the situation.

The Service Provider is not obliged to report a data protection incident that is likely not to involve a high risk to the supervisory authority. It is also not necessary to inform the data subject if (i) the Service Provider has applied a measure by which the data affected by the incident is incomprehensible to unauthorized persons; or (ii) as a result of which the high risk is likely to no longer materialise after the data breach, or (iii) where disclosure would be disproportionate. In the latter case, the Service Provider shall provide appropriate information to the data subjects in a public manner.

The Service Provider shall keep a record of the incidents in order to check the measures related to the incident and to inform the data subject.

7. Rights and enforcement options of the data subject:

7.1 Right to transparent information

The data subject is entitled to receive appropriate information from the Service Provider regarding the processing of his or her personal data. The Service Provider shall always provide such information in a concise, transparent, understandable and easily accessible form, in clear and comprehensible wording and in writing, including electronic communication.

7.2 Right of access

The data subject shall have the right to receive feedback from the Service Provider on whether the processing of his/her personal data is in progress and, if such data processing is in progress, he/she shall be entitled to access to such data and to receive information on the content of the data processing in accordance with Article 15 of the GDPR: in particular, the purpose of the data processing, the category of personal data concerned, the recipients to whom the data have been or will be disclosed, the planned duration of data storage, the rights of the data subject in relation to data processing, the right to file a complaint with the authorities, the source of data collection, the circumstances and effects of the occurrence of any data protection incident that may have arisen, and the measures taken to deal with them.

7.3 Right to rectification

The data subject shall have the right to have the Service Provider rectify any inaccurate personal data concerning him or her without undue delay, or to complete the incomplete data.

7.4 Right to erasure

The data subject shall have the right to have the Service Provider delete the personal data concerning him or her without undue delay, and the Service Provider shall comply with the request for deletion if:

  • the personal data is no longer necessary for the purposes for which it was collected or processed;

  • the data subject withdraws his/her consent constituting the basis of data processing and there is no other legal basis for data processing;

  • the data subject objects to the data processing and there is no overriding legitimate reason for the data processing;

  • the personal data have been unlawfully processed;

  • the personal data must be erased in order to comply with a legal obligation imposed on the controller by EU or Hungarian law;

  • Personal data was collected in connection with the provision of information society services to children.

The data subject may not request the deletion of the data, or the Service Provider is not obliged to delete the data, if the data processing is necessary for reasons set out in Article 17 (3) of the GDPR, in particular if (i) it is necessary for the fulfilment of an obligation under EU or Hungarian law requiring the processing of personal data applicable to the data controller, or (ii) for the establishment, exercise or defence of legal claims.

7.5 Right to restriction of processing

In the event of restriction, the data may only be processed with the consent of the data subject, with the exception of storage, or for the establishment, exercise or defence of legal claims, or for the protection of the rights of other natural persons, or for reasons of important public interest. The data subject may request the restriction of data processing in particular if:

  • the data subject disputes the accuracy of the personal data, in which case the restriction applies to the period during which the Service Provider can verify the accuracy of the data;

  • the processing is unlawful, but

    • the data subject does not request the deletion of the data, but instead requests the restriction of the use of the data, or

    • based on the available information, there are reasonable grounds to believe that the deletion of the data would harm the legitimate interests of the data subject; in this case, the restriction shall apply for the period for which there is a legitimate interest justifying the non-erasure;

  • the Service Provider no longer needs the personal data for the purpose of data processing, but the data subject requires them for the establishment, exercise or defence of legal claims;

  • the data subject has objected to the data processing, in which case the restriction applies to the period during which the Service Provider determines whether the legitimate reasons of the Service Provider take precedence over the legitimate reasons of the data subject.

7.6 Right to data portability

If the legal basis of the data processing is (i) the consent of the data subject or (ii) on the basis of a contract to which one of the parties is the data subject, the data subject may request to receive the processed data concerning him or her and is entitled to transmit them to another data controller. In such a case, the data controller is obliged to transfer the personal data in a structured, widely used, machine-readable format to the data subject or to the data controller designated by the data subject.

7.7 Right to object

The data subject has the right to object, on grounds relating to his or her particular situation, at any time to the processing of his or her personal data necessary for the purposes of the legitimate interests of the controller or a third party, including profiling. In the event of such an objection, the Service Provider may only continue to process the data if it proves that (i) the data processing is justified by compelling legitimate grounds that override the interests, rights and freedoms of the data subject, or (ii) that are related to the establishment, exercise or defence of legal claims.

If the data processing is carried out for the purpose of direct marketing, the personal data may no longer be processed for this purpose in the event of the data subject's objection.

7.8 Right to object to automated decision-making

The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which would produce legal effects concerning him or her or similarly significantly affect him/her. The data subject is not entitled to this right if (i) the decision is necessary for the conclusion or performance of the contract between the data subject and the Service Provider, (ii) it is permitted by a provision of EU or Hungarian law, or (iii) the decision is based on the express consent of the data subject. In cases (i) and (iii), the Service Provider is obliged to take appropriate measures to protect the rights, freedoms and legitimate interests of the data subject, including at least the right of the data subject to request human (manual) intervention from the data controller, to express his or her position and to object to the decision.

7.9 Right to withdraw consent

The data subject has the right to withdraw his/her previous voluntary consent at any time, however, the withdrawal of the consent does not affect the lawfulness of the data processing prior to the withdrawal.

7.10 Initiation of the Provider's actions

The Service Provider is obliged to facilitate the exercise of the rights of the data subject in relation to the enforcement of rights, within the framework of which it shall do everything in its power to terminate or remedy any infringements. If the Service Provider has reasonable doubts about the identity of the data subject, it may request the provision of additional information necessary to confirm the identity of the data subject.

The Service Provider shall inform the data subject without undue delay, but in any case within 25 days of the receipt of the request, about the assessment of the request and the measures taken in response to the request. If necessary, e.g. due to the complexity or large number of requests, this deadline may be extended by a further two months. Upon request submitted electronically, the Service Provider shall provide the information electronically, if possible, in the absence of any other request of the data subject.

If the Service Provider does not consider it justified to take action, it shall inform the data subject thereof without delay, but no later than within 25 days from the date of the data subject's request, stating the reasons for the failure to take action, as well as information that the data subject may file a complaint with the competent supervisory authority and exercise his or her right to judicial remedy.

In the course of enforcing rights, the Service Provider fulfils its obligation to provide information and measures free of charge. If the request of the data subject is clearly unfounded or excessive, especially due to its repetitive nature, the Service Provider may charge a reasonable fee or refuse to take action on the basis of the request.

7.11 Right to initiate investigation by the data protection authority and to take administrative action

In order to enforce his or her rights, the data subject may contact the data protection authority

a) may initiate an investigation in order to examine the lawfulness of the action of the Service Provider as data controller, if the Service Provider restricts the enforcement of the rights of the data subject or rejects the request for the enforcement of these rights, and

b) may request the conduct of its data protection authority procedure if, in the course of the processing of its personal data, the Service Provider or the data processor commissioned or acting on the basis of the Service Provider violates the provisions on the processing of personal data specified by law or in a binding legal act of the European Union.

Data of the data protection authority:

National Authority for Data Protection and Freedom of Information (NAIH)
address: 1055 Budapest, Falk Miksa u. 9-11.
postal address: 1363 Budapest, Pf.: 9.
tel.: +36 (30) 683-5969
+36 (30) 549-6838
+36 (1) 391 1400
E-mail: ugyfelszolgalat@naih.hu
Website: www.naih.hu


7.12 Right of recourse to the courts

In the event of a violation of the rights of the data subject, the data controller may turn to the court against the measure of the data controller, within the prevailing legal framework. The court of law has jurisdiction over the lawsuit. The court competent according to the seat of the Service Provider is the Metropolitan Court, but the data subject is also entitled to initiate the lawsuit before the court competent according to his or her place of residence or residence.

The Service Provider is obliged to prove in the lawsuit that the objected data processing complies with the provisions of the law.

If the Service Provider causes damage to the data subject by unlawfully processing the data of the data subject or by violating the requirements of data security, it is obliged to compensate for it and, in the case of a violation of personal rights, to pay compensation for grievances.

8. Definition of the Policy and the most important concepts of data management

  • data subject: any specific natural person identified or identifiable – directly or indirectly – on the basis of personal data;

  • personal data: data that can be linked to the data subject and the conclusions that can be drawn from the data concerning the data subject;

  • consent of the data subject: a freely given, specific, well-informed and unambiguous declaration of the data subject's will, by which the data subject indicates by a statement or an unambiguous affirmative act that he/she gives his/her consent to the processing of personal data concerning him/her;

  • objection: a statement by which the data subject objects to the processing of his or her personal data and requests the termination of data processing or the deletion of the processed data;

  • data controller: the person who or which, independently or jointly with others, determines the purpose of data processing, makes and implements decisions concerning data processing (including the means used) or has the data processor carry them out;

  • "processor" means the natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller;

  • data processing: any operation or set of operations performed on data, regardless of the procedure used, in particular collection, recording, organisation, storage, alteration, use, retrieval, transmission, disclosure, alignment or combination, blocking, erasure and destruction, as well as the prevention of further use of data, the taking of photographs, audio or video recordings, and the identification of a person recording physical characteristics;

  • data processing: the performance of technical tasks related to data processing operations, regardless of the method and means used to perform the operations and the place of application, provided that the technical task is performed on the data;

  • data transfer: making data available to a specific third party;

  • disclosure: making the data available to anyone;

  • data deletion: making the data unrecognizable in such a way that it can no longer be recovered;

  • data blocking: the provision of an identification mark to the further processing of data for the purpose of restricting its further processing permanently or for a specified period of time;

  • data destruction: the complete physical destruction of the data carrier containing the data;

  • personal data breach: unlawful processing or processing of personal data, in particular unauthorised access, alteration, transmission, disclosure, deletion or destruction, as well as accidental destruction and damage.


GreenStone Consulting Kft.