DATA MANAGEMENT INFORMATION
on personal data processing on the https://flybuilt.hu/ website
Effective: from 22 November 2024 until revoked
DATA CONTROLLER'S DATA
Brand name: Flybuilt
Enterprise: Flybuilt Inc.
Headquarters: 6677 N. Washington Blvd. #57 SARASOTA, FL 34236 USA
Tax number: 372156099
Registration document identifier: P24000055223
Phone number: +36 30 424 5394
E-mail address: [email protected]
PURPOSE OF THE PRIVACY NOTICE
The controller acknowledges that it is bound by the contents of this legal notice.
The purpose of this privacy notice is to inform the controller's customers and partners about the processing of their personal data. The data controller shall process personal data only in accordance with the provisions of applicable law and in strict compliance with the provisions of data management and data protection regulations, taking into account the principles of lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy and limited storage.
The data controller shall take all technical and organisational measures to ensure that personal data that come to its knowledge are processed in a secure manner as required by Regulation (EU) 2016/679 of the European Parliament and of the Council (hereinafter: General Data Protection Regulation).
The controller reserves the right to change this information at any time. It will of course inform its audience of any changes in due time.
SCOPE OF THE PRIVACY NOTICE
The personal scope of this privacy statement covers the controller and the natural persons whose data are included in the processing covered by this privacy statement, as well as persons whose rights or legitimate interests are affected by the processing.
The scope of this notice covers all processing of data that occurs in the course of the controller's activities on its website. The controller shall provide information to data subjects on personal data processing in the course of its other activities in a separate privacy notice.
This notice shall enter into force on the date of approval and shall remain in force indefinitely until further notice.
DEFINITIONS OF TERMS
Personal data: any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the natural person.
Special data: all data in special categories of personal data, i.e. personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data for the purpose of uniquely identifying natural persons, health data and personal data concerning the sex life or sexual orientation of natural persons.
Data management: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure, transmission, dissemination or otherwise making available, alignment or combination, restriction or destruction.
Data Controller: a natural or legal person, public authority, agency or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Data Processor: the natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller.
Joint controllers: where the purposes and means of processing are jointly determined by two or more controllers, they are considered to be joint controllers.
Third party: a natural or legal person, public authority, agency or any other body other than the data subject, the controller, the processor or the persons who, under the direct authority of the controller or processor, are authorised to process personal data.
Addressee: the natural or legal person, public authority, agency or any other body with whom or to which the personal data are disclosed, whether or not a third party.
Contact: any natural person identified or otherwise identifiable, directly or indirectly, on the basis of specified personal data. In particular, a person is identifiable if he or she can be identified, directly or indirectly, by name, an identifier or one or more factors specific to his or her physical, physiological, mental, economic, cultural or social identity.
Consent of the data subject: a freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she signifies, by a statement or by an act expressing his or her unambiguous consent, that he or she gives his or her consent to the processing of personal data concerning him or her.
Data breach: a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
PROCESSING OF PERSONAL DATA
Personal data are processed by the controller only in the following cases:
- where the data subject has given his or her consent to the processing of his or her personal data for one or more specific purposes,
- processing is necessary for the performance of a contract to which the data subject is a party,
- processing is necessary for compliance with a legal obligation to which the controller is subject,
- processing is necessary for the protection of the vital interests of the data subject or of another natural person,
- processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party.
The controller examines the lawfulness of data processing at all stages of its activities, and only processes data for which it can justify the purpose and legal basis. In the event that the conditions of a legal basis cease to apply, the processing may only be resumed if the controller can demonstrate an adequate alternative legal basis.
The Data Controller shall keep a record of the processing described above. The register shall also include the time limits for the deletion of personal data.
By reading and acknowledging this privacy notice, data subjects accept that the controller transfers their personal data to the processors and joint controllers listed below.
DATA MANAGEMENT RECORDS
1. Name of the processing of personal data:
When filling in the appointment booking form on the website, in case of interest or questions, personal data (name, e-mail address, telephone number of self-employed persons, taxpayers, individuals; name, e-mail address, telephone number of contact persons acting on behalf of legal entities and unincorporated organisations) must be provided. Personal data that may be provided by telephone or via call centre, e-mail, Facebook, Instagram, TikTok or LinkedIn in case of enquiries or questions (in particular, names, e-mail addresses and telephone numbers of sole traders, taxable individuals; names, e-mail addresses and telephone numbers of contact persons acting on behalf of legal persons and entities without legal personality).
Purpose of data processing: Contacting the interested party and answering their questions.
Legal basis for processing: Consent of the data subject (Article 6(1)(a) of the General Data Protection Regulation).
Time limit for deletion of personal data: The data controller shall delete the personal data of the interested party upon withdrawal of consent or immediately after contact and response, but no later than 30 days after withdrawal of consent or contact and response.
2. Name of the processing of personal data:
Personal data provided for the purpose of ordering services, including the conclusion of contracts (name, address, telephone number, e-mail address, tax number of sole traders, taxable individuals; name, address, telephone number, e-mail address of contact persons acting on behalf of legal persons and unincorporated entities).
Purpose of the processing: Maintaining contacts, negotiating to fulfil contractual obligations and concluding contracts between the parties.
Legal basis for processing: Performance of a contract (Article 6(1)(b) of the General Data Protection Regulation) and then of a legal obligation (Article 6(1)(c) of the General Data Protection Regulation) pursuant to Article 169 of Act C of 2000.
Time limit for deletion of personal data: Within 30 days of the expiry of the legal obligation to keep the data (8 years).
3. Name of the processing of personal data:
Personal data obtained by the data controller from telephone and call centre conversations, through the Google Meet interface, through the software used and during face-to-face consultations and workshops (other personal data in addition to the data requested and provided in the appointment booking form).
Purpose of the processing: Reconciliation to fulfil the contractual obligation.
Legal basis for processing: performance of a contract (Article 6(1)(b) of the General Data Protection Regulation) or the data subject's consent (Article 6(1)(a) of the General Data Protection Regulation).
Time limit for deletion of personal data: Within 30 days after the contractual obligation has been fulfilled or immediately after the withdrawal of consent, but no later than 30 days.
4. Name of the processing of personal data:
The data subject may connect other applications to the software used: Facebook, Instagram, WhatsApp, Google my business, call center service. The data controller may obtain personal data about the data subject and his/her customers if the data subject requests its support or assistance.
Purpose of the processing: Reconciliation to fulfil the contractual obligation.
Legal basis for processing: Performance of a contract (Article 6(1)(b) of the General Data Protection Regulation) or the data subject's consent (Article 6(1)(a) of the General Data Protection Regulation).
Time limit for deletion of personal data: Within 30 days after the contractual obligation has been fulfilled or immediately after the withdrawal of consent, but no later than 30 days.
5. Name of the processing of personal data:
Personal data on the invoice issued (name, address, tax number of self-employed persons, taxable individuals)
Purpose of the processing: Issuing the invoice.
Legal basis for processing: Fulfillment of a legal obligation (Article 6 (1) (c) of the General Data Protection Regulation) pursuant to Article 169 of Act C of 2000.
Time limit for deletion of personal data: Within 30 days of the expiry of the legal obligation to keep the data (8 years).
6. Name of the processing of personal data:
Data that can be linked to an online payment transaction (names of cardholders/account holders - self-employed persons, taxable individuals).
Purpose of the processing: Tracking the payment transaction. During the payment process, the data is transmitted to the online payment card service provider via an automated system. The card details are entered in Stripe's secure system. The data controller does not process or store account and card data. You can track your data controller transaction with your account holding bank.
Legal basis for processing: Fulfillment of a legal obligation (Article 6 (1) (c) of the General Data Protection Regulation) pursuant to Article 169 of Act C of 2000.
Time limit for deletion of personal data: Within 30 days of the expiry of the legal obligation to keep the data (8 years).
7. Name of the processing of personal data:
Image and sound
Purpose of the processing: In order to fulfil the contract, a video and audio recording of the advice is or may be made. The data subject may be interviewed, and the interview may be used by the data controller for promotional and marketing purposes.
Legal basis for processing: Consent of the data subject (Article 6(1)(a) of the General Data Protection Regulation).
Time limit for deletion of personal data: The data controller shall send the image and audio recordings of the counselling session to the data subject immediately after the counselling session and delete them. The interview shall be deleted without delay after the withdrawal of consent, but no later than 30 days after the withdrawal of consent.
8. Name of the processing of personal data:
Personal data provided by subscribers to the newsletter (names and e-mail addresses of contact persons acting on behalf of natural persons, sole proprietors, taxable individuals, legal persons and unincorporated organisations)
Purpose of the processing: Sending newsletters, content marketing, promotional offers, coupons, event invitations.
Legal basis for processing: Consent of the data subject (Article 6(1)(a) of the General Data Protection Regulation).
Time limit for deletion of personal data: The data controller shall delete the personal data of the interested party without undue delay upon withdrawal of consent, but no later than 30 days after the withdrawal of consent.
9. Name of the processing of personal data:
Personal data provided by participants in the prize draw (typically the name, e-mail address of self-employed persons, taxable individuals; the name, e-mail address of contact persons acting on behalf of legal entities and unincorporated organisations, public profile on social media, in the case of a prize draw, the name, address, e-mail address and telephone number of contact persons of self-employed persons, taxable individuals, legal entities and unincorporated organisations) as set out in the rules.
Purpose of the processing: Promote service, website, social media platforms, give winner an advantage, deliver prize.
Legal basis for processing: Consent of the data subject (Article 6(1)(a) of the General Data Protection Regulation).
Time limit for deletion of personal data: Until the date set out in the prize rules, typically the end of the prize draw or, in the case of the winner, the delivery of the prize.
10. Name of the processing of personal data:
Personal data collected in the course of complaint handling.
Purpose of the processing: Identify and address the complaint.
Legal basis for processing: Compliance with a legal obligation (Article 6(1)(c) of the General Data Protection Regulation)
Time limit for deletion of personal data: Within 30 days of the expiry of the legal obligation to keep the data (3 years).
11. Name of the processing of personal data:
Personal data of service providers, suppliers, subcontractors (in the case of self-employed persons, taxable individuals).
Purpose of the processing: Performing contractual obligations, contacting and maintaining contacts, concluding the contract.
Legal basis for processing: Performance of a contract (Article 6(1)(b) of the General Data Protection Regulation) and then of a legal obligation (Article 6(1)(c) of the General Data Protection Regulation), pursuant to Article 169 of Act C of 2000.
Time limit for deletion of personal data: Within 30 days of the expiry of the legal obligation to keep the data (8 years).
12. Description of the processing of personal data:
Personal data of contact persons acting on behalf of service providers, suppliers, subcontractors.
Purpose of the processing: Performing contractual obligations, contacting and maintaining contacts.
Legal basis for processing: Consent of the data subject (Article 6(1)(a) of the General Data Protection Regulation).
Time limit for deletion of personal data: In case of withdrawal of consent, without delay and at the latest within 30 days. If the contact person's personal data are included in the contract, within 30 days after the expiry of the legal retention period (8 years).
13. Name of the processing of personal data:
Personal data recorded during the collection of data from cookies processed by the website.
Purpose of the processing: Improving the user experience, improving the website.
Legal basis for processing: Consent of the data subject (Article 6(1)(a) of the General Data Protection Regulation).
Time limit for deletion of personal data: Without undue delay after the withdrawal of consent, but within 30 days at the latest.
14. Name of the processing of personal data:
Personal data that the data controller becomes aware of through the use of social networking sites - Facebook, Instagram, LinkedIn, Youtube, TikTok: public profile data of the data subject.
Purpose of the processing: Promotion of services.
Legal basis for processing: Consent of the data subject (Article 6(1)(a) of the General Data Protection Regulation).
Time limit for deletion of personal data: Without undue delay after the withdrawal of consent, but within 30 days at the latest.
PROCESSORS, JOINT CONTROLLERS (RECIPIENTS) CONNECTED TO THE CONTROLLER
Where the processing is carried out on behalf of the controller, the controller may only use processors that offer adequate guarantees of compliance with the requirements of the General Data Protection Regulation or implement appropriate technical and organisational measures to ensure the protection of the rights of data subjects.
The Data Controller hereby declares that in the course of its work, it will only deal with data processors that have adequate guarantees of compliance with the General Data Protection Regulation and that they implement appropriate technical and organisational measures to ensure the protection of the rights of data subjects. The relevant declarations of the data processors are available to you.
By reading and acknowledging this privacy notice, data subjects accept that the controller transfers their personal data to the processors and joint controllers listed below.
BUSINESS SUPPORT SOFTWARE PROVIDER
Corporate HQ
400 North Saint Paul St. Suite 920 Dallas, Texas 75201
PROVIDERS OF COMMUNICATION CHANNELS THAT CAN BE CONNECTED TO THE BUSINESS SUPPORT SOFTWARE
Facebook, Instagram, Whatsapp:
Meta Platforms Ireland Ltd.
4 Grand Canal Square, Grand Canal Harbour, Dublin 2 Ireland
Google my business:
Google Inc.
1600 Amphitheatre Parkway, Mountain View, CA 94043, USA
THE SERVICE PROVIDER ISSUING THE INVOICES
K-BOSS Ltd.
1031 Budapest, Záhony utca 7.
PUBLISHER
Proactive Business Zrt.
8200 Veszprém, Óváros tér 24. I. floor 2. a.
ACCOUNT-HOLDING BANK, PAYMENT SERVICE PROVIDER
Wise
1133 Budapest, Promenade Gardens, Váci út,
ONLINE CREDIT CARD PAYMENT SERVICE PROVIDER
Stripe, Inc.
Headquarters, 185 Berry Street, Suite 550, San Francisco, CA 94107
SERVICE PROVIDER FOR RECEIVING AND SENDING EMAILS
Google Inc.
1600 Amphitheatre Parkway, Mountain View, CA 94043, USA
NEWSLETTER SERVICE PROVIDER
Mailgun Technologies Inc.
112E Pecan St #1135, San Antonio, TX 78205
CALL CENTRE SERVICE PROVIDER
Twilio Ireland Limited
25-28 North Wall Quay, Dublin 1, Ireland
PROVIDER OF ONLINE COMMUNICATION, ADVISORY PLATFORM
Google Inc.
1600 Amphitheatre Parkway, Mountain View, CA 94043, USA
SOCIAL MEDIA COMMUNICATION SERVICE PROVIDER
Facebook, Instagram:
Meta Platforms Ireland Ltd.
4 Grand Canal Square, Grand Canal Harbour, Dublin 2 Ireland
LinkedIn:
LinkedIn Corporation
1000 West Maude Avenue Sunnyvale, CA 94085 USA
TikTok:
TikTok Technology Ltd.
10 Earlsfort Terrace, Dublin, D02 T380, Ireland
Youtube:
Google Inc.
1600 Amphitheatre Parkway, Mountain View, CA 94043, USA
HOSTING SERVICE PROVIDER
HighLevel Inc. ATTN
400 North Saint Paul St. Suite 920 Dallas, Texas 75201
HOSTING SERVICE PROVIDER
DEVBOX Ltd.
7054 Tengelic, Rákóczi Ferenc u. 9.
CYBERSECURITY SERVICE PROVIDER
Cloudflare, Inc.
USA, San Francisco, 101 Townsend St. CA 94107
The controller also transfers personal data of its customers to the National Tax and Customs Administration.
The contracted data processing and data management partners will process the personal data of partners only on the basis of instructions given by the data controller (except where required by law) and under an obligation of confidentiality.
PROCESSING OF DATA RELATING TO ENQUIRERS AND QUESTIONERS:
The data controller may receive questions and enquiries via the appointment booking form, telephone, call centre, social media platforms or e-mail. The purpose of data processing is to contact you and answer your question. The legal basis for the processing is the consent of the data subject (Article 6(1)(a) of the General Data Protection Regulation). The controller shall delete the personal data of the interested party upon withdrawal of consent or immediately after the contact and response, but no later than 30 days after the withdrawal of consent or within 30 days after the contact and response.
PROCESSING OF DATA RELATING TO CUSTOMERS:
Order:
When ordering, the name, address, telephone number, e-mail address and tax number of the customer must be provided. The purpose of the data processing is to maintain contact, to agree on the fulfilment of contractual obligations and to conclude a contract between the parties. The legal basis for the processing of personal data is the performance of a contract (Article 6(1)(b) of the General Data Protection Regulation) and the performance of a legal obligation (Article 6(1)(c) of the General Data Protection Regulation) pursuant to Article 169 of Act C of 2000. The data will be deleted within 30 days of the expiry of the legal retention period (8 years).
Contact and coordination:
During the contact and consultation, the controller may also obtain other information that constitutes personal data. The purpose of the processing is reconciliation in order to fulfil a contractual obligation. The legal basis for the processing is the performance of the contract (Article 6(1)(b) of the General Data Protection Regulation) or the data subject's consent (Article 6(1)(a) of the General Data Protection Regulation). The data will be deleted within 30 days of the performance of the contractual obligation or immediately after the withdrawal of consent, but no later than 30 days after the withdrawal of consent.
Advice:
In the course of providing advice, the data controller may also obtain other information that constitutes personal data, and may make image and sound recordings in the course of its activities. The purpose of the processing is the performance of a contractual obligation. The legal basis for the processing is the performance of the contract (Article 6(1)(b) of the General Data Protection Regulation) or the consent of the data subject (Article 6(1)(a) of the General Data Protection Regulation). The data shall be erased within 30 days of the performance of the contractual obligation or immediately after the withdrawal of consent, but no later than 30 days after the withdrawal of consent.
Billing:
The invoice issued by the data controller shall indicate the name, address and, in the case of sole proprietorships or taxable individuals, their tax number. The legal basis for the processing is the fulfilment of a legal obligation (Article 6(1)(c) of the General Data Protection Regulation) pursuant to Article 169 of Act C of 2000. The data will be deleted within 30 days of the expiry of the legal retention period (8 years).
Payment method:
The service fee can be paid online by credit card. In the context of online payment by credit card, the data controller may know the name of the cardholder/account holder. The legal basis for the processing is the fulfilment of a legal obligation (Article 6(1)(c) of the General Data Protection Regulation) pursuant to Article 169 of Act C of 2000. The data will be deleted within 30 days of the expiry of the legal retention period (8 years).
Complaints handling:
The Data Controller obtains or may obtain personal data in the course of handling complaints. The purpose of the processing is to identify and handle the complaint. The legal basis for the processing is the fulfilment of a legal obligation (Article 6(1)(c) of the General Data Protection Regulation).
PROCESSING OF DATA IN THE COURSE OF MARKETING ACTIVITIES
For marketing purposes, the Data Controller may take and publish images and audio recordings (interviews), send newsletters and advertise prize draws. The legal basis for the processing is the consent of the data subject (Article 6(1)(a) of the General Data Protection Regulation). The interview will be deleted immediately after the withdrawal of consent, but no later than 30 days after the withdrawal of consent. The data controller shall delete the personal data of the interested party upon withdrawal of consent to the sending of the newsletter without undue delay and at the latest within 30 days of the withdrawal of consent. In the case of a prize draw, the data will be kept until the date set out in the prize rules, typically until the end of the prize draw, or in the case of the winner, until the prize is delivered.
PROCESSING OF DATA RELATING TO SERVICE PROVIDERS, SUPPLIERS, SUBCONTRACTORS:
The data controller is also in contact with service providers, suppliers and subcontractors. In order to contact and maintain contact with partners and to fulfil contractual obligations, personal data are also processed in these cases (personal data of contact persons and taxable individuals and sole traders). The legal basis for the processing of personal data is the performance of a contract (Article 6(1)(b) GDPR), the performance of a legal obligation (Article 6(1)(c) GDPR), and in the case of contact persons, their consent (Article 6(1)(a) GDPR).
The personal data contained in the contract and the invoice will be stored by the data controller for 8 years, in compliance with the retention obligation set out in Article 169 of the Accounting Act. In the case of contact persons, the data controller shall delete the data without delay in the event of withdrawal of consent, but within 30 days at the latest.
CONTROLLER'S WEBSITE
The data controller presents its services to interested parties on its website.
The data controller uses cookies in the operation of its website. The legal basis for the processing of personal data obtained from them is the consent of the visitor (Article 6(1)(a) of the General Data Protection Regulation).
The website uses the following cookies in its operation:
Facebook Pixel
THE MANAGEMENT OF COOKIES:
Cookies are files that store information in the web browser of the data subject. A cookie is a means of exchanging information between the web server and the user's browser. The information sent by cookies makes it easier for web browsers to recognise them, so that users receive relevant and personalised content. Cookies make browsing more convenient. Cookies also help website operators to compile anonymous statistics on the habits of visitors to their sites. Most cookies do not contain personal information and do not identify users. The data stored is necessary for a more convenient browsing experience. Websites may use the following types of cookies. Persistent cookies, which, depending on your web browser settings, may remain on your device for a longer period or until you delete them. Third-party cookies placed in the data subject's browser by a third party (e.g. Google Analytics). These are placed on your browser when the website you visit uses services provided by the third party.
Cookies can also be grouped as follows:
A) Essential session cookies: their use is essential for navigating the website and for the functionality of the website. Without their acceptance, the website or parts of it may not function or may be displayed incorrectly.
B) Analytical or performance cookies: these help the data controller to distinguish website visitors and collect data on how visitors behave on the website. They do not collect any personally identifiable information, as the data is aggregated and stored anonymously.
C) Functional cookies: these cookies are used to improve the user experience. They detect and store, for example, what device the data subject used to access the website, or the information they have previously provided and requested to be stored. These cookies do not track the data subject's activity on other websites. However, the information they collect may include personal identification data that you have shared.
D) Targeted or advertising cookies: these allow the website to provide information that is most relevant to the interests of the data subject. These cookies are used to provide the best information to the website. This website records the IP address, the time of the visit, the page visited, the country of the visitor, the browser version number and the type of operating system for analytical and security reasons. This is necessary for legitimate interests, to provide an adequate level of service and for analytical purposes.
The Data Controller uses cookies in accordance with the provisions of the Eker tv., the Info tv. and the General Data Protection Regulation.
For websites, including the website operated by the data controller, that operate within the European Union, the use of cookies and their storage on the user's computer or other device requires the consent of the user. Cookies can be deleted or disabled in the browser programs used. Browsers allow cookies by default. This can be disabled in the browser settings, and existing cookies can be deleted. You can also set the browser to notify the user when a cookie is sent to the device.
It is important to stress, however, that disabling or restricting these files may degrade the browsing experience and may also result in a malfunction of the website functionality. Options are usually found in the "Options" or "Preferences" menu of the browser. Each web browser is different, so in order to configure the appropriate settings, the data controller asks you to use the "Help" menu of your browser or click on the relevant link below:
Internet Explorer:
https://support.microsoft.com/hu-hu/help/17442/windows-internetexplorer-delete-manage-cookies
Firefox:
https://support.mozilla.org/en-US/kb/clear-cookies-and-site-data-firefox
Chrome:
https://support.google.com/chrome/answer/95647?hl=en
Safari:
https://support.apple.com/kb/PH5042?locale=en_US
Mozilla:
https://support.mozilla.org/hu/kb/weboldalak-altal-elhelyezett-sutik-torlese-szamito
DATA PROCESSING ON THE COMMUNITY SITE
The data controller also operates Facebook, Instagram, LinkedIn, TikTok and Youtube pages, where personal data is also processed. The controller uses social networking sites to present the services it provides and to promote its activities.
https://www.facebook.com/lvlupyourbusiness
https://www.youtube.com/@ZamboLevente
https://www.linkedin.com/in/zambolevente/
https://www.tiktok.com/@zambo.levente
https://www.instagram.com/zambo.levente/
The controller also provides comprehensive personal support through social media platforms. If the data subject asks a question via social media, the data controller will endeavour to answer it as soon as possible. The Data Controller will use the data obtained through social media only to answer your question and not for any other promotional purposes.
The purpose of using social media platforms is to advertise and provide information on social media. Social media platforms may also use the data for their own purposes, including profiling and targeting the data subject with advertising.
To be able to contact the controller via social networking sites, the data subject must be logged in. To do so, the social networking site may also request, store and process personal data. The controller has no control over the type, scope and processing of these data and does not receive personal data from the social networking site operator. For more information on this, please visit the social networking sites.
The personal data of the followers on the social networking site are processed by the data controller on the basis of their consent (Article 6 (1) (a) of the General Data Protection Regulation), which is deemed to be given by the fact that the person concerned likes, follows or comments on the site, its groups and posts.
COMPLAINT HANDLING
The purpose of data processing in the course of complaint handling in relation to the activities of the data controller is to enable the communication of the complaint, to identify the data subject and his/her complaint, to record the data required by law to be recorded, to investigate the complaint and to maintain contact in connection with its resolution.
In case of a complaint, the processing of the complaint and thus of personal data is mandatory under Act CLV of 1997 on Consumer Protection. The legal basis for processing personal data is therefore the fulfilment of a legal obligation (Article 6(1)(c) of the General Data Protection Regulation).
The data controller will keep the record of the complaint and a copy of the response for 3 years, and will also process the personal data on this basis for this period.
DATA SECURITY MEASURES:
The Data Controller shall design and implement the processing operations in such a way as to ensure the protection of the privacy of data subjects in the application of the General Data Protection Regulation and other legislation applicable to data processing. The Controller shall ensure the security of the data and shall take the technical and organisational measures and establish the rules of procedure necessary to enforce the General Data Protection Regulation and other data protection and privacy rules.
The data controller undertakes to ensure the security of the data, to take technical and organisational measures and to maintain procedural rules to ensure that the data recorded, stored or processed are protected and to prevent their destruction, unauthorised use or unauthorised alteration. It also undertakes to require any third party to whom it transfers or discloses the data to comply with the requirements of data security.
The controller shall ensure that the data processed cannot be accessed, disclosed, transmitted, modified or deleted by unauthorised persons. The data processed may only be accessed by the data controller and its data processor(s) and shall not be disclosed to third parties not entitled to access the data.
The data controller takes great care to ensure the security of its customers' personal data. It shall comply fully with the legal provisions and shall require all its partners to do the same. Personal data protection includes physical data protection as well as IT protection.
The controller stores the personal data provided by the data subject primarily on the servers of the data processor(s) specified in this privacy statement, equipped with the usual protection systems, and partly on its own IT equipment; paper data carriers are stored at its headquarters, appropriately locked away.
The data subjects acknowledge and accept that, if they provide their personal data, the data protection cannot be fully guaranteed on the Internet and in the computer system. In the event of unauthorised access or disclosure, despite the efforts of the controller, it is necessary to proceed as described in this notice.
THE RIGHTS OF DATA SUBJECTS
The data subject's data protection rights and remedies and their limitations are set out in detail in the General Data Protection Regulation (in particular Articles 15, 16, 17, 18, 19, 20, 21, 22, 77, 78, 79 and 82 of the General Data Protection Regulation). The data subject may at any time request information about his/her data, request the rectification, erasure or restriction of the processing of his/her data, or object to the processing based on legitimate interests.
Below is a summary of the most important provisions.
In particular, the controller draws the attention of the data subject to the following: the data subject has the right to object at any time, on grounds relating to his or her particular situation, to processing of his or her personal data based on the legitimate interests of the controller. In such a case, the controller may no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data relating to him or her for such purposes. Where a data subject objects to the processing of personal data for direct marketing purposes, the personal data may no longer be processed for those purposes.
RIGHT TO INFORMATION:
Where the controller is processing personal data relating to the data subject, the controller shall provide the data subject with information, even without a request from the data subject, on the main features of the processing, such as the purposes, legal basis and duration of the processing, the identity and contact details of the controller and of his or her representative, the contact details of the Data Protection Officer and the recipients of the personal data, in the case of processing based on legitimate interests, the legitimate interests of the controller and/or third parties and the data subject's rights and remedies with regard to the processing (including the right to lodge a complaint with a supervisory authority) and, where the data subject is not the source of the data, the source of the personal data and the categories of personal data concerned, if the data subject does not already have this information. The controller will provide this information by making this notice available to you.
RIGHT OF ACCESS:
The data subject has the right to receive feedback from the controller as to whether or not his or her personal data are being processed and, if such processing is taking place, the right to access the personal data and certain information relating to the processing, including the purposes of the processing, the categories of personal data concerned, the recipients of the personal data, the (envisaged) duration of the processing, the rights and remedies of the data subject (including the right to lodge a complaint with a supervisory authority) and, where the data are not collected from the data subject, information on their source. At the request of the data subject, the controller shall provide the data subject with a copy of the personal data which are the subject of the processing. For additional copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. If the data subject has made the request by electronic means, the information shall be provided in a commonly used electronic format, unless the data subject requests otherwise. The right to request a copy should not adversely affect the rights and freedoms of others.
THE RIGHT TO RECTIFICATION:
The data subject shall have the right to obtain from the controller, upon his or her request and without undue delay, the rectification of inaccurate personal data relating to him or her. Having regard to the purposes of the processing, the data subject shall have the right to obtain the rectification of incomplete personal data, including by means of a supplementary declaration.
THE RIGHT TO ERASURE:
The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall be obliged to erase personal data concerning him or her without undue delay where certain conditions are met. Among other things, the controller must erase personal data at the request of the data subject where the personal data are no longer necessary for the purposes for which they were collected or otherwise processed; where the data subject withdraws consent on the basis of which the processing was carried out and there is no other legal basis for the processing; or where the personal data have been unlawfully processed; or where the data subject objects to the processing and there is no overriding legitimate ground for the processing; or where the personal data must be erased in order to comply with a legal obligation of the controller under applicable Union or Member State law.
The above shall not apply where the processing is necessary: a) for the exercise of the right to freedom of expression and information; b) for compliance with an obligation under Union or Member State law to which the controller is subject and which requires the processing of personal data; c) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes where the right of erasure would be likely to render impossible or seriously impair such processing; d) for the establishment, exercise or defence of legal claims.
THE RIGHT TO RESTRICTION OF PROCESSING:
The data subject shall have the right to obtain, at his or her request, restriction of processing by the controller if one of the following conditions is met:
A) the data subject contests the accuracy of the personal data, in which case the restriction applies for the period of time necessary to allow the controller to verify the accuracy of the personal data;
B) the data processing is unlawful and the data subject opposes the erasure of the data and requests instead the restriction of their use;
C) the controller no longer needs the personal data for the purposes of processing, but the data subject requires them for the establishment, exercise or defence of legal claims; or
D) the data subject has objected to the processing; in this case, the restriction applies for the period until it is established whether the legitimate grounds of the controller override those of the data subject. Where processing is subject to a restriction on the basis of the above, such personal data may be processed, except for storage, only with the consent of the data subject or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for important public interests of the Union or of a Member State. Where the restriction on processing is lifted at the request of the data subject, the controller shall inform the data subject in advance.
THE RIGHT TO OBJECT:
The data subject has the right to object at any time, on grounds relating to his or her particular situation, to the processing of his or her personal data based on the legitimate interests of the controller. In such a case, the controller may no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such purposes. Where a data subject objects to the processing of personal data for direct marketing purposes, the personal data may no longer be processed for those purposes.
DATA BREACHES
A personal data breach is a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
For an event to count as a data breach, the breach of security must reach a serious risk level, i.e. it must be of a degree that involves personal data being subject to:
- destruction,
- loss,
- alteration,
- unauthorised disclosure, or
- unauthorised access.
An incident is considered to occur if any one of the above occurs, but this does not exclude that more than one of the above may occur at the same time. This includes not only intentional malicious conduct but also negligent conduct. An incident therefore occurs whether it is caused by an accidental or an unlawful act.
Examples of data breaches include:
- the unlawful transmission of personal data on a document, portable device, storage medium or computer system (e.g. by mail),
- unauthorised access to a computer system or application that processes personal data,
- damage to or loss of part or all of a database containing personal data,
- part or all of an IT system rendered unusable by a virus or other malicious software, etc.
A personal data breach may, if not addressed in an appropriate and timely manner, cause physical, material or non-material damage to natural persons, including loss of control over their personal data or restriction of their rights, discrimination, identity theft or misuse of identity, financial loss, unauthorised impersonation, damage to reputation, damage to the confidentiality of personal data protected by professional secrecy, or other significant economic or social disadvantages suffered by the natural persons concerned.
In the event of a potential data breach (unless the data breach is unlikely to pose a risk to the rights and freedoms of natural persons), the controller shall immediately notify the National Authority for Data Protection and Freedom of Information. The controller shall report the incident without undue delay and, if possible, no later than 72 hours after becoming aware of the personal data breach. If the notification cannot be made within 72 hours, the notification shall state the reason for the delay and provide the required information in detail without further undue delay.
The National Authority for Data Protection and Freedom of Information operates a dedicated system on its website for the notification of data breaches, through which notifications can be made electronically.
The data controller shall keep a record of the data breaches, indicating the facts relating to the data breach, its effects and the measures taken to remedy it. The controller shall keep records of the data relating to the incidents, including the causes, the events and the personal data involved. In addition, the record should also include the effects and consequences of the incidents and the measures taken to remedy them, and the conclusions of the controller (for example, why it thinks the incident is not reportable, or if the notification is delayed, the reason for the delay).
An incident that is unlikely to pose a risk to the rights and freedoms of natural persons does not need to be notified to the supervisory authority.
If the data protection incident is likely to pose a high risk to the rights and freedoms of the data controller's customers or partners, the data controller shall immediately inform the partner concerned. The information provided to the data subject shall clearly and plainly describe the nature of the personal data breach and shall include the most relevant information and measures.
The data subject need not be informed as described above if any of the following conditions are met:
- the controller has implemented appropriate technical and organisational protection measures and those measures have been applied in relation to the data affected by the personal data breach, in particular measures to render the data unintelligible to persons who are not authorised to access the personal data;
- the controller has taken additional measures following the personal data breach to ensure that the high risk to the rights and freedoms of the data subject is no longer likely to materialise;
- providing the information would require a disproportionate effort. In such cases, the data subjects should be informed by means of publicly disclosed information or a similar measure should be taken to ensure that the data subjects are informed in an equally effective manner.
KEY LEGISLATION ON DATA MANAGEMENT
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Regulation (EC) No 95/46/EC (General Data Protection Regulation);
Act V of 2013 - on the Civil Code (Civil Code);
Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information (Info. tv.);
Act CVIII of 2001 on Certain Issues of Electronic Commerce Services and Information Society Services (Act on Electronic Commerce);
Act C of 2000 on Accounting (Accounting Act);
Act CLV of 1997 - on Consumer Protection (Fgytv.).
RIGHT TO APPLY TO THE COURTS
The data subject may take the controller to court if his or her rights are infringed. The court shall rule on the case as a matter of priority.
DATA PROTECTION AUTHORITY PROCEDURE
You can lodge a complaint with the National Authority for Data Protection and Freedom of Information:
Name: National Authority for Data Protection and Freedom of Information
Seat: 1055 Budapest, Falk Miksa u. 9-11.
Mailing address: 1363 Budapest, Pf. 9.
Telephone: 0613911400
Fax: 0613911410
E-mail: [email protected]
Website: http://www.naih.hu
OTHER PROVISIONS
The data controller shall provide information on data processing not listed in this notice at the time of recording the data. In such cases, the provisions of the applicable legislation shall prevail.
The data controller hereby informs its customers and partners that the court, the prosecutor, the investigating authority, the administrative authority, the National Authority for Data Protection and Freedom of Information, the Hungarian National Bank, or other bodies authorized by law may contact the data controller to provide information, data, or documents. The controller shall disclose personal data to the authorities, provided the authority has indicated the precise purpose and scope of the data, only in the amount and to the extent strictly necessary for the purpose of the request.
The website of the Data Protection Authority contains further information on the data protection rights referred to in this privacy notice.
Szeged, 1 November 2024.