Barion Pixel

Privacy Policy

1. Introduction

Hentes Gábor András, sole proprietor (hereinafter: Data Controller), as data controller, acknowledges the content of this legal notice as binding on him. He undertakes that all data management related to his activities complies with the requirements set out in this policy and the applicable legislation. The privacy policies that apply to the Data Controller’s data processing are available at all times at https://www.blacklabfootball.com or can be accessed by the Data Subject on the following link: https://blacklabfootball.com/wp-content/uploads/2021/02/Privacy-Policy.pdf.

The Data Controller reserves the right to change this policy at any time. Of course, his audience will be notified of any change in a timely manner. If you have any questions about this communication, please e-mail us and our colleague will answer your question.

The Data Controller is committed to the protection of the personal data of its customers and partners and considers it very important to respect its customers’ right to informational self-determination. The Data Controller manages personal data confidentially and takes all security, technical and organizational measures that guarantee the security of the data. The Data Controller describes his data processing practices below:

2. Data controller information

Name:  ANdrás Gábor Hentes, sole proprietor
Registered office: 4002 Debrecen, Nefelejcs street 18.
Tax number: 56579055-1-29
Registration number: 55238999
Statistical number: 56579055-7490-231-09
E-mail: info@blacklabfootball.com
Website: https://www.blacklabfootball.com
Telephone: +36-30/911-6343

Hosting provider:
Company name: ININET Internet Korlátolt Felelősségű Társaság
Registered office: 1063 Budapest, Szinyei Merse street 10.
Tax number: 23537646-2-42
Company registration number: Cg. 01-09-970252
Telephone: +36/20-293-9058
E-mail: info@ininet.hu
Website: https://www.ininet.hu

3. Definition of key terms in the policy

  • “Data Subject”: any natural person identified or identifiable on the basis of any information, of whom the Data Controller manages personal data.
  • “Personal data”: any information relating to an identified or identifiable natural person (“data subject”); that natural person can be identified who – directly or indirectly – is identifiable in particular based on an identifier such as name, number, location, online identifier or one or more features relating to the physical, physiological, genetic, mental, economic, cultural or social identity.
  • “Data controller”: a natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; if the purposes and means of the processing are determined by  the law of the European Union or a Member State, the controller or the specific criteria for the designation of the controller may also be determined by the law of the European Union or the Member State;
  • “Data management”: any operation or set of operations on personal data or data files, whether automated or non-automated, such as the collection, recording, systematization, sorting, storage, transformation or alteration, retrieval, consultation, use, transmission, dissemination or other harmonization or interconnection, restriction, deletion or destruction;
  • “Data Processor”: any natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller;
  • “Data processing”: the set of data processing operations carried out by a data processor acting on behalf of or at the direction of the data controller;
  • “Data Protection Incident”: a security breach that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to personal data transmitted, stored, or managed differently;
  • “Recipient”: a natural or legal person, public authority, agency or any other body to whom or with which personal data are disclosed, whether a third party or not. Public authorities that may have access to personal data in the context of an individual investigation in accordance with the law of the European Union or the Member State shall not be considered as recipients; the processing of such data by those public authorities must comply with the applicable data protection rules in accordance with the purposes of the processing.

4. Principles during data processing

The Data Controller performs its data handling activities based on the following principles concerning personal data management. According to these, personal data shall be:

  1. processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
  2. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);
  3. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’)
  4. accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’)
  5. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);
  6. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’)
  7. The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’);
  8. Both in determining the method of data processing and in the process of data processing, the Data Controller shall implement appropriate technical and organizational measures, such as pseudonymisation, for the effective implementation of the above principles, fulfillment of obligations, incorporation of legal guarantees, etc. and does so in a regulated and detailed manner. In practice, this mindset is facilitated by employee education, data protection awareness and the impact assessment, risk analysis and legitimate interests assessment used during the introduction and / or regular review of each data processing („Privacy by design”).

The Data Controller only manages personal data based on the voluntary consent of the data subject, that is necessary for the fulfillment of the service to the data subject specified in the General Terms and Conditions.

Personal data preserves this quality during data processing if its connection with the data subject can be restored. The connection with the data subject can be restored if the Data Controller has the technical conditions necessary for the restoration.

The Data Controller pays special attention to the protection of the personal data of incapacitated minors under the age of 16 and children with limited legal capacity. Their statement requires the consent of their legal representative, except for those parts of the service where the statement is intended for mass data management in everyday life and does not require special consideration.

If the personal data was collected with the consent of the data subject, the Data Controller tmay handle he recorded data, unless otherwise provided by law
(a) for the purpose of fulfilling a legal obligation incumbent on it, or
(b) for the purpose of enforcing a legitimate interest of the controller or a third party, where the exercise of that interest is proportionate to the restriction of the right to the protection of personal data, without further specific consent and after withdrawal of the data subject’s consent.

The Data Controller handles personal data only for a specific purpose, in order to exercise a right and fulfill an obligation. The Data Controller declares that at all stages of its data management fits for purpose and that the data is recorded and handled fairly. The Data Controller declares that it only handles personal data that is essential for the realization of the purpose of data management, suitable for the achievement of the purpose, only to the extent and for the time necessary for the realization of the purpose.

The Data Controller declares that he / she handles personal data only with to consent based on adequate information. The Data Controller shall duly inform the data subject before starting the data management that the data management is based on consent or is mandatory. The data subject shall be informed in a clear, comprehensible, and detailed manner of all facts relating to the handling of his data, in particular the purpose and legal basis of the processing, the person authorized to handle and process the data, the duration of the processing, wheter the personal data of the data subject are processed by the data controller with the consent of the data subject and for the purpose of fulfilling a legal obligation to the data controller or in order to enforce a legitimate interest of a third party, and who may have access to the data. The information shall also cover the data subject’s rights and remedies.

During data management, the Data Controller ensures the accuracy, completeness and up-to-dateness of the data, as well as that the data subject can be identified only for the time necessary for the purpose of data processing.

The Data Controller shall process personal data lawfully and fairly and in a manner that is transparent to the data subject. Pursuant to 2 § (2) of the Act CXII of 2011 on the right to informational self-determination and on the freedom of information, the Decree shall be applied together with the following addition specified in Section 4 (5): ‘The processing of personal data shall be deemed fair and lawful if, for the purpose of ensuring the data subject’s right to the freedom of expression, the person wishing to find out the opinion of the data subject visits him at his domicile or place of residence, provided that the data subject’s personal data are processed in compliance with this Act and contacting him is not intended for business purposes. Personal visits are not permitted on public holidays under the Labour Code.’

The Data Controller does not verify the personal data provided to him. The person who provided it (the Data Subject) is solely responsible for the accuracy of the data provided. By providing the e-mail address, the Data Subject takes responsibility for ensuring that only he / she uses the service from the e-mail address provided. Based on this responsibility, all liability in connection with logins to a given e-mail address lies solely with the Data Subject who registered the e-mail address.

5. Types of data management, scope of personal data, purpose, title and duration of data management

The data management activity of the Data Controller is based on voluntary consent or the performance of the contract concluded with the data subject. In some cases, however, the handling, storage and transmission of a given set of data is required by law, of which we will notify our audience separately.

We would like to draw the attention of those who provide data to the Data Controller that if they do not provide their own personal data, they are obliged to obtain the consent of the data subject.

The Data Protection Principles of the Data Controller are in accordance with the applicable data protection legislation, in particular the following:

  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);
  • Act CXII of 2011 on the right to informational self-determination and on the freedom of information;
  • Act CVIII of 2001 on certain issues of electronic commerce services and information society services,
  • Act C of 2003 on Electronic Communications.
5.1. Managed during the use of the website

You may use https://www.blacklabfootball.com without providing your personal information, and accordingly, using this website is not covered by the general privacy policy.

The Data Controller does not store or handle the data generated during browsing the website in any way that can be linked to the specific data subject.

5.2. Managing the cookies of https://www.blacklabfootball.com website

The operator of the https://www.blacklabfootball.com website places and reads back a small data package on the user’s computer, the so-called cookies to provide customized service, however, however, the use of cookies does not involve the handling of personal data.

Legal basis for data processing: Paragraph (3), (4) Section 13./A of the Act CVIII of 2001 on certain issues of electronic commerce services and information society services, legal provisions contained in Article 5 (3) of Directive 2002/58/EC, and the consent of the data subject we request and record upon the first login to the website based on paragraph (4) Section 155 of the Act C of 2003 on Electronic Communications.

More information about cookies is available at: https://www.blacklabfootball.com/cookie

The user can delete the cookie from the computer or disable the use of cookies in the browser. Cookies can usually be managed in the Tools / Settings menu of browsers under Privacy Settings, under the name of cookie.

5.3. Data management related to registration and creation of account

Type of personal data processedfirst name, surname, e-mail address, password of the data subject.

Purpose of data processing: By storing the data provided during registration, the Data Controller can provide a more convenient service (for example the data of the data subject does not have to be entered again when purchasing again). Registration is a condition of concluding a contract.

Scope of data subjects: Every natural person who registers and creates an account on the Data Controller’s website.

Legal basis for data processing: consent of the data subject pursuant to Article 6 (1) (a) of the Regulation.

Duration of data processing: for the duration of storing user data in the database, until the user requests deletion.

Description of the activity and process involved in data processing: To place an order, the data subject can register on the website, during which they must provide the information required for registration.

Entitled to access data, recipients of personal data: The Data Controller handles personal data in order to complete the registration.

5.4. Data management related to log in

Type of personal data processede-mail address, password of the data subject.

Purpose of data processing: By storing the data provided during registration and then logging in to the personal account, the Data Controller can provide a more convenient service (for example the data of the data subject does not have to be entered again when purchasing again). Registration is a condition of concluding a contract.

Scope of data subjects: Every natural person who registers and logs in to its personal account on the Data Controller’s website.

Legal basis for data processing: consent of the data subject pursuant to Article 6 (1) (a) of the Regulation.

Duration of data processing: for the duration of storing user data in the database, until the user requests deletion.

Description of the activity and process involved in data processing: In order to place an order, the data subject can register on the website, during which they must provide the information required for registration. After this, the data subject can log in to its account.

Entitled to access data, recipients of personal data: The Data Controller handles personal data in order to complete the registration and log in.

5.5. Data management related to ordering

Type of personal data processedfirst name, surname, e-mail address of the data subject.

Purpose of data processing: Performance of the contract in case of purchasing from the website, fulfillment of orders, communication.

Scope of data subjects: Every natural person who orders from the Data Controller’s website.

Legal basis for data processing: consent of the data subject pursuant to Article 6 (1) (a) of the Regulation.

Duration of data processing: for the duration of storing user data in the database, until the user requests deletion.

Description of the activity and process involved in data processing: In order to place an order, the data subject shall provide the data required to fulfill the order.

Entitled to access data, recipients of personal data: The Data Controller processes personal data relating to orders to complete them.

5.6. Data management related to delivery

Type of personal data processedfirst name, surname, delivery address (postal code, city, street, house number, floor, door), telephone number.

Purpose of data processing: Fulfillment of the delivery of orders in case of purchasing from the website, communication.

Scope of data subjects: Every natural person who orders from the Data Controller’s website and requests delivery.

Legal basis for data processing: consent of the data subject pursuant to Article 6 (1) (b) of the Regulation.

Duration of data processing: 5 + 2 years after the performance of the contracts.

Description of the activity and process involved in data processing: To place an order and deliver the purchased item, the data subject shall provide the data required to fulfill the order and for the delivery.

Entitled to access data, recipients of personal data: The Data Controller handles the personal data related to the order and the delivery in order to fulfill the placed orders and to deliver the ordered products. Data is also transferred to third parties, to the GLS General Logistics Systems Hungary Kft.

5.7. Data management related to billing

Type of personal data processed: first name, surname, e-mail address, billing address (postal code, city, street, house number, floor, door), telephone number.

Purpose of data processing: Performance of the contract in case of purchasing from the website, issuing an invoice, documenting payment, fulfillment of an accounting obligation,  communication.

Scope of data subjects: Every natural person who makes a purchase on the Data Controller’s website.

Legal basis for data processing: legal obligation in accordance with Article 6 (1) (c) of the Regulation, Act CXXVII of 2007 on Value Added Tax. 159 (1) and Act C of 2000 on Accounting.

Duration of data processing: the issued invoices are issued in accordance with paragraph (2) Section 169 of the Accounting Act, it must be retained for 8 years from the date of issue of the invoice. In addition to the legal requirement, our company manages personal data for + 2 years due to the limitation period and the conduct of specific tax authority investigations.

Description of the activity and process involved in data processing: The data management process is carried out in order to issue an invoice in accordance with the law and to fulfill the obligation to keep accounting documents.

Entitled to access data, recipients of personal data: The Data Controller and the data processors involved in invoicing and accounting (explained in detail in Section 6 of this policy) process the personal data related to invoicing in order to issue the invoice and book it for the Data Controller.

5.8. Data management related to complaints

Type of personal data processedUnique identification number of the complaint, name, address, telephone number, bank account number (in case of monetary compensation), place and time of the complaint, method of complaint, related documents (e.g. record, report form), photo.

Purpose of data processing: Management, assessment and registration of quality complaints related to the services offered by the Data Controller.

Scope of data subjects: In connection with the complaint, we store the data of the customer submitting the complaint and the administrator employee of the Data Controller.

Legal basis of the data management: The administration starts on the basis of consent, the protocol is prepared on the basis of a legal obligation. [Article 6 (1) (a) and (c) of the GDPR]

Duration of data processing: Regarding the report of the complaint and the related documents, based on Section 17/A (7) of Act CLV of 1997 on consumer protection, 5 + 2 years.

Description of the activity and process involved in data processing: The data management process is carried out in order to issue an invoice in accordance with the law and to fulfill the obligation to keep accounting documents.

Entitled to access data, recipients of personal data: The Data Controller handles the personal data related to the complaint in order to fulfill the statutory obligation of the record of the complaint. The consumer protection authority may also be an addressee in a possible investigation.

5.9. Data management related to asking questions and providing feedback

Type of personal data processedname and e-mail address of data subject, rating.

Purpose of data processing: The purpose of data management is to provide the data subject with appropriate information and communication.

Scope of data subjects: Every natural person who contacts the Data Controller and requests information from the Data Controller in addition to providing his or her personal data.

Legal basis for data processing: consent of the data subject pursuant to Article 6 (1) (a) of the Regulation.

Duration of data processing: during the period of provision of the service (until the data is deleted).

Transmission of personal data: During data management, personal data is transmitted to data processors with a contractual relationship with the data controller for the purpose of performing the services included in the contract, based on the instructions of the Data Controller.

Description of the activity and process involved in data management:
a. The data subject may consult the Data Controller on the Data Controller’s services and / or other related issues in the manner or in the manner provided by the Data Controller, and may write feedback on the product already received.
b. In accordance with the purpose of the data processing, the data subject voluntarily consents to the Data Controller contacting him / her during the request for information in order to clarify or answer the question.

Entitled to access data, recipients of personal data: The Data Controller handles personal data related to messaging for the purpose of responding to and contacting, as well as Google Ireland Limited as a data processor.

5.10. Newsletter actitivy

Based on Section 6 of Act XLVIII of 2008 on Essential Conditions of and Certain Limitations to Business Advertising Activity, the User may consent expressly in advance to that the Data Controller can contact them with newsletters at the contact details provided when registering for the newsletter. Furthermore, keeping in mind the provisions of this policy, the User may consent to the Data Controller’s processing of the personal data necessary for sending advertising offers, and to that the Data Controller may contact the User with his advertising offers and other deliveries at the contact details provided during registration.

A cancellation request can be sent to the contact details indicated in the section “RIGHTS AND ENFORCEMENT POSSIBILITIES OF DATA SUBJECTS” of this policy, and can also be requested by clicking on the “Unsubscribe” button at the bottom of the marketing e-mail (newsletter). In case of unsubscribing, the Data Controller will not contact the Data Subject with further newsletters or offers. The Data Subject may at any time unsubscribe from the newsletter free of charge and withdraw his or her consent to data management.

In this case, the Data Controller deletes all personal data that is necessary for sending the newsletters from its register and does not contact the User with additional newsletters.

Type of personal data processede-mail address and the system stores analytical data related to subscribing and unsubscribing, sending, delivering, opening messages and online activity of the parties involved (eg date and time of events, content viewed, computer IP address, reason for non-delivery).

Purpose of data processing: sending electronic messages (e-mails) containing newsletters to the data subject, providing information on promotions, new functions, current events, programs, full, general or personalized information of the recipient about the latest discounts, events, news of the Data Controller, notification of changes and delays in services.

Scope of data subjects: Every natural person who wishes to be regularly informed about the news, promotions, and discounts of the Data Controller, therefore, by entering their personal data, they subscribe to the newsletter service by clicking on the [I have read and accept the privacy policy] checkbox on the website.

Legal basis for data processing: consent of the data subject (Article 6 (1) (a) of the GDPR Regulation and Section 6 (5) of Act XLVIII of 2008 on the essential conditions and certain limitations of business advertising activity)

Duration of data processing: the data processing lasts until the withdrawal of the consent statement, i.e. until unsubscription.

Identity of potential data controllers entitled to access the data, recipients of personal data: Personal data may be processed by the Data Controller’s customer service staff, respecting the above principles, and by Rocket Science Group (Mailchimp) as a data processor.

Possible consequences of non-provision of data: the data subject is not informed about the data controller’s current offers included in the newsletter.

5.11. Presence on social networks

The Data Controller is available on various social media platforms (Facebook, Instagram, Youtube). The Data Controller communicates with the data subjects via social network only – and thus the purpose of the range of data processed becomes relevant – if the data subject contacts the Data Controller via social network.

Type of personal data processed: public name, photo, e-mail address of the data subject, message sent by the data subject via a social networking site, rating by the data subject or result of another operation.

Purpose of data processing: sharing, publishing, marketing the content of the website on social network. The data subject can also be informed about the latest promotions through social network.

Scope of data subjects: Every natural person who voluntarily follows, shares, and likes the Data Controller’s pages and its content.

Legal basis for data processing: consent of the data subject (Article 6 (1) (a) of the GDPR Regulation and Grt. Section 6 (5)). Based on the terms of the social site, the data subject voluntarily consents to following and liking the contents of the Data Controller. For example, the data subject can subscribe to a feed on the home page on Facebook by clicking on the “like” link on the page, thereby contributing to the posting of the Data Controller’s news and offers on their own feed, and at the same place, can unsubscribe by clicking on the  “dislike” link, and can delete the unwanted messages from the feed.

Duration of data processing: until deletion based on the data subject’s request.

The data subject may read more on the privacy policy of the social networks on the given social site.

5.12. Data processing relating to the verification of consent

Type of personal data processed: IP address, e-mail address of the data subject, date of consent.

Purpose of data processing: During registration and ordering, the IT system stores the IT data related to the consent for later proof.

Scope of data subjects: Every natural person who registers at the Data Controller’s website, orders, and subscribes for newsletters.

Legal basis for data processing: based on a legal obligation (under Article 6 (1) (c) GDPR), this obligation is provided for in Article 7 (1) of the GDPR Regulation.

Duration of data processing: Due to legal requirements, the consent must be able to be verified later, therefore the period of data storage will be stored for the limitation period after the termination of data processing.

5.13. External links and hyperlinks

Our website may contain several connection points (links, hyperlinks) that lead to the pages of other service providers, so the visitor of the website can get to websites whose data processing is not performed by the Data Controller. The Data Controller is not responsible for the data and information protection practices of these service providers.

These links are:

Facebook button
The Website may use the social plugins of the facebook.com social network operated by Facebook Ireland Ltd. (4 Grand Canal Square, Grand Canal Harbor, Dublin 2, Ireland) (“Facebook”). Plugins are recognizable by their Facebook logos (white letter “f”, “Like”, “Like” or thumbs up on a blue background) and the term “Facebook Social Plugin”. A list and look of Facebook’s social plugins can be found at: https://developers.facebook.com/docs/plugins/.

If you use a feature of this website that includes any of the above plugins, your device will establish a direct connection with Facebook’s servers. The content of the plugin is sent directly to your device by Facebook and integrated into our online service from there. Usage profiles can be generated from the processed data. We cannot control what data Facebook obtains through the plugin, so we inform users based on our knowledge.

By installing the plugin, Facebook will be notified that you have opened the relevant website. If you are logged in to Facebook, Facebook can assign the visit to your Facebook account. If you interact with the plugin, such as clicking on the “Like” button or commenting, the relevant data from your device will be transmitted directly to Facebook and stored there. If you do not have a Facebook account, Facebook may still find out and store your IP address.

You can find out about the purpose and scope of Facebook’s data collecting, further processing and use of your data, as well as your rights and settings regarding the protection of your privacy in Facebook’s privacy policy: https://www.facebook.com/about/privacy/.

If you are a member of Facebook and do not want Facebook to collect information about you on this website and link it to your profile information stored on Facebook, you must log out of Facebook and delete cookies before using our online service. Additional settings and disabling the use of data for advertising purposes can be set in the Facebook
profile settings: https://www.facebook.com/settings?tab=ads,
from USA: http://www.aboutads.info/choices/,
from EU: http://www.youronlinechoices.com/.

The settings are platform-independent, meaning they apply to both desktops and mobile devices.

For more information about the privacy policy of Google and Facebok, please visit: http://www.google.com/privacy.html and https://www.facebook.com/about/privacy/

Instagram button
The features of the Instagram service are embedded to the website. These integrated features are provided by Instagram Inc. (1601 Willow Road, Menlo Park, CA, 94025, USA). If you are logged in to your Instagram account, you can click the Instagram button to link the content of our site to your Instagram profile. This allows Instagram to associate a visit to our site with your user account. Please be informed that as the hosting provider of the website, we do not know about the content of the transmitted data and its use by Instagram.

You can read more about the information collected by Instagram and its use in the privacy policy at: http://instagram.com/about/legal/privacy/.

YouTube button
We use the youtube.com YouTube Button Plugin, operated by YouTube LLC (901 Cherry Ave, San Bruno, CA 94066, USA), a subsidiary of Google Inc. (1600 Amphitheater Parkway, Mountain View, CA 94043, USA). The plugin is recognizable by the YouTube logo. When you visit a page on a website that has a YouTube plugin, it connects to YouTube’s servers. This will let the YouTube server know which website you have visited. If you have a YouTube account and are signed in, YouTube can directly associate your browsing behavior with your personal profile. If you sign out of your YouTube account, you can prevent this assignment. For more information about the collection and usage of information YouTube gathers, visit: https://www.youtube.com/static?template=privacy_guidelines.

Embedded YouTube videos
We embed YouTube videos. Embedded videos place cookies on a user’s computer when the website is opened. If you have deactivated the storage of cookies in the Google advertising program, you should not expect such cookies when you open YouTube clips. However, YouTube also stores user-independent usage data in other cookies. If you want to disable this, you need to make the appropriate settings in your browser.

5.14. Other data processes

We provide information on data processing not listed in this privacy policy at the time of data collection. We would like to inform our clients that the court, the prosecutor, the investigating authority, the infringement authority, the administrative authority, the National Data Protection and Freedom of Information Authority, or other bodies authorized by law may contact the data controller. The Data Controller shall issue personal data to the authorities, provided that the authority has indicated the exact purpose and scope of the data, only to the extent and to the extent strictly necessary to achieve the purpose of the request.

6. Use of data processor(s)

The Data Controller uses data processors in order to facilitate its own data management activities, as well as in order to perform the contract with the data subject and to fulfill the legal obligations, which means that we transfer the personal data recorded in this privacy policy to the data processor involved to the specific service.

The Data Controller places great emphasis on using only such data processors who provide adequate guarantees for the implementation of appropriate technical and organizational measures to ensure compliance with the requirements of data processing in the GDPR and to protect the rights of data subjects.

The data processor and any person acting under the control of the Data Controller who has access to the personal data shall handle the personal data contained in this policy only in accordance with the instructions of the Data Controller.

The Data Controller is legally responsible for the activities of the data processor. The data processor shall only be liable for damages caused by the data processing if it has not complied with the obligations specified in the GDPR, which are specifically imposed on the data processors, or if it has disregarded or acted contrary to the data controller’s lawful instructions.

The data processor does not have a meaningful decision regarding the handling of the data. The data is preserved by the data processors for the same period as the Data Controller, after which they are deleted. The Data Controller is entitled to monitor compliance with data protection and security requirements.

The data controller uses the following data processors.

  Data processor
Company name: ININET Internet Korlátolt Felelősségű Társaság
Registered office: 1063 Budapest, Szinyei Merse street 10.
Tax number: 23537646-2-42
Company registration number: Cg. 01-09-970252
Court of Registration Company Registry Court of Budapest – Capital Regional Court
Mailing address: 1063 Budapest, Szinyei Merse street 10.
Represents: Balázs Király, General Manager
E-mail: info@ininet.hu
Telephone: +36-20-293-9058
Website: https://www.ininet.hu
Name of the data processing activity: hosting service
  Data processor
Company name: Billingo Technologies Zártkörűen Működő Társaság
Registered office: 1133 Budapest, Árbóc street 6.
Tax number: 27926309-2-41
Company registration number: Cg. 01-10-140802
Court of Registration Company Registry Court of Budapest – Capital Regional Court
Mailing address: 1133 Budapest, Árbóc street 6.
Represents: Albert Sárospataki, Chief Executive Officer
E-mail: hello@billingo.hu
Telephone: +36-1-500-9491
Website: https://www.billingo.hu
Name of the data processing activity: billing program management
  Data processor
Name: Zsolt Roland Schvets
Registered office:  
Registration number:  
Tax number:  
Statistical number:  
Name of the data processing activity: design and maintenance of website (SVECC DESIGN)
  Data processor
Name: Krisztina Danku
Registered office:  
Registration number:  
Tax number:  
Statistical number:  
Name of the data processing activity: accounting
  Data processor
Company name: Google Ireland Limited
Registered office: Ireland, Dublin 4, Gordon House, Barrow Street
Registration number: 368047
Court of Registration operates under the laws of Ireland
Website: www.google.com
Name of the data processing activity: managing mailing system
  Data processor
Company name: The Rocket Science Group, LLC (Mailchimp)
Registered office: 675 Ponce de Leon Ave NE Suite 5000 Atlanta, GA 30308 USA
Website: https://mailchimp.com
Name of the data processing activity: managing newsletter database
  Third-party (independent) data processor
Company name: PayPal (Europe) S.à r.l. et Cie, S.C.A.
Registered office: Legal Department, 22-24 Boulevard Royal, 2449 Luxemburg, Luxemburg
Website: https://www.paypal.com
Name of activity: online payment (paypal)
  Third-party (independent) data processor
Company name: Barion Payment Zrt.
Registered office:  
Tax number:  
Company registration number:  
Court of Registration: Company Registry Court of Budapest – Capital Regional Court
Represents:  
E-mail:  
Telephone:  
Website:  
Name of activity: online payment (BARION)
  Third-party (independent) data processor
Company name: GLS General Logistics Systems Hungary Csomag-Logisztikai Korlátolt Felelősségű Társaság
Registered office: 2351 Alsónémedi, GLS Európa street 2.
Tax number: 12369410-2-44
Company registration number: Cg. 13-09-111755
Court of Registration: Company Registry Court of Budapest – Environs Regional Court
Represents: Krisztina Éva Tarnócz, Gergely Farkas, György Oreskó, Attila Csaba Balázs, executives with joint signature rights
E-mail: info@gls-hungary.com
Telephone: +36-20-890-0660
Website: https://www.gls-group.eu
Name of activity: delivery
  Third-party (independent) data processor
Company name: Magyar Posta Zártkörűen Működő Társaság
Registered office:  
Tax number:  
Company registration number:  
Court of Registration: Company Registry Court of Budapest – Capital Regional Court
Represents:  
E-mail:  
Telephone:  
Website:  
Name of activity: postal delivery
  Third-party (independent) data processor
Company name: Facebook Ireland Ltd. (Facebook and Instagram)
Registered office: 4 Grand Canal Square Grand Canal Harbour Dublin 2 Ireland
Name of activity: Delivery of specific, targeted electronic advertisements to the Data Subject based on personal data approved by the Data Subject for the purpose of advertising activities.
  Third-party (independent) data processor
Company name: YouTube LLC.
Registered office: 901 Cherry Ave., San Bruno, CA 94066, USA
Name of activity: video sharing

The Data Controller reserves the right to use an additional data processor, the identity of which shall be provided separately at the latest at the beginning of the data processing.

7. Transmission of data to third parties

“Third party”: any natural or legal person, public authority, agency or any other body which is not the same as the data subject, the controller, the processor or the persons who are authorized to process personal data under the direct control of the controller or processor.

Third-party data controllers handle the personal data we provide on their own behalf and in accordance with their own privacy policies.

  Third-party (independent) data processor
Company name: PayPal (Europe) S.à r.l. et Cie, S.C.A.
Registered office: Legal Department, 22-24 Boulevard Royal, 2449 Luxemburg, Luxemburg
Website: https://www.paypal.com  
Name of activity: online fizetés (paypal)
  Third-party (independent) data processor
Company name: GLS General Logistics Systems Hungary Csomag-Logisztikai Korlátolt Felelősségű Társaság
Registered office: 2351 Alsónémedi, GLS Európa utca 2.
Tax number: 12369410-2-44
Company registration number: Cg. 13-09-111755
Court of Registration: Budapest Környéki Törvényszék Cégbírósága
Represents: Tarnócz Krisztina Éva, Farkas Gergely, Oreskó György, Balázs Attila Csaba, együttes aláírási joggal rendelkező ügyvezetők
E-mail: info@gls-hungary.com
Telephone: +36-20-890-0660
Website: https://www.gls-group.eu
Name of activity: kézbesítés
  Third-party (independent) data processor
Company name: Facebook Ireland Ltd. (Facebook és Instagram)
Registered office: 4 Grand Canal Square Grand Canal Harbour Dublin 2 Írország
Name of activity: Az Érintett által a reklámozási tevékenység érdekében jóváhagyott személyes adatokon alapuló meghatározott, célzott elektronikus hirdetések eljuttatása az Érintett számára.
  Third-party (independent) data processor
Company name: YouTube LLC.
Registered office: 901 Cherry Ave., San Bruno, CA 94066, Egyesült Államok
Name of activity: videómegosztás

8. Data storage

The data controller stores the personal data of the data subject on the server operated by ININET Kft.

9. Data security measures

The Data Controller and its data processors shall take appropriate technical and organizational measures, taking into account the state of the art and the costs of implementation, as well as the nature, scope, circumstances and purposes of the data processing and the varying probability and severity of the risk to the rights and freedoms of natural persons in order to guarantee a level of data security commensurate with the level of risk.

The Data Controller selects and operates the IT tools used to manage personal data in such a way that the managed data:

  • accessible to those entitled to it (availability);
  • its authenticity and authentication are ensured (authenticity of data management);
  • its invariability can be verified (data integrity);
  • be protected against unauthorized access (data confidentiality).

The Data Controller shall protect the data by appropriate measures, in particular against unauthorized access, alteration, transmission, disclosure, deletion or destruction, as well as against accidental destruction, damage or inaccessibility due to changes in the technology used.

To protect the electronically managed data files in its various registers, the Data Controller shall ensure, with an appropriate technical solution, that the stored data, unless permitted by law, cannot be directly linked and assigned to the data subject.

Regarding the all-time state of technological development, the Data Controller shall ensure the protection of the security of data management with technical, organizational and organizational measures that provide an appropriate level of protection against the risks related to data management.

The Data Controller preserves the following during data management:

  • confidentiality: protects information so that only those who are entitled access it;
  • integrity: protects the accuracy and completeness of the information and the method of processing;
  • availability: ensures that, when the authorized user needs it, he/she can access the information and the tools needed.

The IT system and network of both the Data Controller and its data management partners are protected against computer-assisted fraud, espionage, sabotage, vandalism, fire and flood, as well as computer viruses, computer intrusions and denial-of-service attacks. The operator ensures security through server-level and application-level protection procedures. We inform users that electronic messages transmitted over the Internet, regardless of protocol (e-mail, web, ftp, etc.), are vulnerable to network threats that lead to unfair activity, contract disputes, or the disclosure or modification of information. To protect against such threats, the Data Controller will take all precautionary measures expected of him. The Data Controller monitors systems to record any security incidents and provide evidence of any security incidents. System monitoring also makes it possible to check the effectiveness of the precautions taken.

The Data Controller shall keep a record of any data protection incidents, indicating the facts related to the data protection incident, its effects and the measures taken to remedy it. The Data Controller shall notify the National Data Protection and Freedom of Information Authority (Nemzeti Adatvédelmi és Információszabadság Hatóság) of any data protection incident without delay and, if possible, no later than 72 hours after becoming aware of the data protection incident, unless the data protection incident is not likely to jeopardize the rights and freedoms of individuals. viewed. If the notification is not made within 72 hours, the reasons for the delay must be provided.

10. Rights and enforcement possibilities of data subjects

The data subject may request information on the management of his/her personal data, and may request the correction of his/her personal data, – with the exception of mandatory data management – deletion, revocation, may exercise the right to data portability and to objection in the manner indicated at the time of data collection or by contacting the Data Controller at the above contact details.

10.1. Right to information

The Data Controller shall take appropriate measures to provide the data subject with all information concerning the processing of personal data referred to in Articles 13 and 14 of the GDPR and Articles 15-22 and Article 34 shall be provided in a concise, transparent, comprehensible, and easily accessible form, in a clear and comprehensible manner.

10.2. The right to access

The data subject has the right to receive feedback from the Data Controller as to whether the processing of his / her personal data is in progress and, if such data processing is in progress, he / she has the right to access the personal data and the following information:

  • the purposes of data management;
  • the categories of personal data concerned;
  • the recipients or categories of recipients to whom or with whom the personal data have been or will be communicated, including in particular recipients in third countries or international organizations;
  • the intended duration of the storage of personal data;
  • the right to rectify, erase or restrict data processing and to protest;
  • the right to lodge a complaint with the supervisory authority;
  • information on data sources;
  • the fact of automated decision-making, including profiling, and comprehensible information on the logic used and the significance of such data management and the expected consequences for the data subject.

The Data Controller shall provide the information within a maximum of one month from the submission of the request.

10.3. Right to correction

The data subject may request the correction of inaccurate personal data processed by the Data Controller and the completion of incomplete data.

10.4. Right to delete

The data subject shall have the right, at the request of the Data Controller, to delete personal data concerning him or her without undue delay if one of the following reasons exists:

  • personal data are no longer required for the purpose for which they were collected or otherwise processed;
  • the data subject withdraws his or her consent on which the processing is based and there is no other legal basis for the processing;
  • the data subject objects to the processing and there is no overriding legitimate reason for the processing;
  • personal data have been processed unlawfully;
  • personal data must be deleted in order to fulfill a legal obligation under Union or Member State law applicable to the controller;
  • personal data were collected in connection with the provision of information society services.

Deletion of data cannot be initiated if data management is required:

  • for the purpose of exercising the right to freedom of expression and information;
  • for the purpose of fulfilling an obligation under Union or Member State law applicable to the controller to process personal data or performing a task carried out in the public interest or in the exercise of official authority vested in the controller;
  • in the field of public health, or for archival, scientific and historical research or statistical purposes, in the public interest;
  • or to bring, assert or defend legal claims.
10.5. Right to limit processing

At the request of the data subject, the Data Controller shall restrict the data processing if one of the following conditions is met:

  • the data subject disputes the accuracy of the personal data, in which case the restriction shall apply for a period which allows the accuracy of the personal data to be verified;
  • the processing is unlawful, and the data subject opposes the deletion of the data and instead requests that their use be restricted;
  • the controller no longer needs the personal data for the purpose of data processing, but the data subject requests them in order to make, enforce or protect legal claims; obsession
  • the data subject has objected to the processing; in that case, the restriction shall apply for as long as it is established whether the legitimate reasons of the controller take precedence over the legitimate reasons of the data subject.

Where processing is restricted, personal data may be processed, with the exception of storage, only with the consent of the data subject or for the purpose of bringing, enforcing or protecting legal claims or protecting the rights of another natural or legal person or in the important public interest of the Union or a Member State.

10.6. Right to data portability

The data subject has the right to receive the personal data concerning him / her made available to the Data Controller in a structured, widely used, machine – readable format and to transmit this data to another data controller.

10.7. Right to object

The data subject shall have the right to object at any time, for reasons related to his situation, to the processing of his personal data in the public interest or in the exercise of public authority or to the processing of data subjects or third parties, including profiling based on those provisions. is. In the event of a protest, the Data Controller may not further process the personal data, unless it is justified by compelling legitimate reasons which take precedence over the interests, rights and freedoms of the data subject or which are related to the submission, enforcement or protection of legal claims.

10.8. Automated decision making in individual cases, including profiling

The data subject has the right not to be covered by a decision based solely on automated data processing, including profiling, which would have legal or similar effect on him or her. The Data Controller does not perform automated decision making based on automated data management or profiling.

10.9. Right of withdrawal

The data subject has the right to withdraw his or her consent at any time. Withdrawal of consent shall not affect the lawfulness of the consent-based data processing prior to withdrawal. The data subject must be informed before consent is given. Withdrawal of consent should be as simple as giving it.

10.10. Right to apply to the courts

In case of violation of his/her rights, the data subject may apply to the court against the Data Controller, i.e. he/she may initiate a lawsuit in the court competent according to his/her place of residence (residence) (you can see the list of courts by clicking on the following link: http://birosag.hu/torvenyszekek). The court is acting out of turn in the case.

10.11. Data protection authority procedure

Complaints can be lodged with the National Data Protection and Freedom of Information Authority:

Name: National Data Protection and Freedom of Information Authority
Registered office: 1125 Budapest, Szilágyi Erzsébet avenue 22 / C.
Mailing address: 1530 Budapest, Pf .: 5.
Telephone: 0613911400
Fax: 0613911410
E-mail: ugyfelszolgalat@naih.hu
Website: http://www.naih.hu

10.12. Informing the data subject about the data protection incident

If the data protection incident is likely to pose a high risk to the rights and freedoms of natural persons, the Data Controller shall inform the data subject of the data protection incident without undue delay.

The information provided to the data subject shall clearly and intelligibly describe the nature of the data protection incident and the name and contact details of the data protection officer or other contact person who may provide further information; the possible consequences of the data protection incident must be described; the measures taken or planned by the Data Controller to remedy the data protection incident must be described, including, where appropriate, measures to mitigate any adverse consequences arising from the data protection incident.

The data subject does not need to be informed if any of the following conditions are met:

  • the Data Controller has implemented appropriate technical and organizational protection measures and these measures have been applied to the data affected by the data protection incident, in particular those measures, such as the use of encryption, which make it incomprehensible to persons not authorized to access personal data;
  • the Data Controller has taken further measures following the data protection incident to ensure that the high risk to the data subject’s rights and freedoms is unlikely to happen in the future;
  • the information would require a disproportionate effort. In such cases, the data subject shall be informed through publicly available information or a similar measure shall be taken to ensure that the data subject is informed in an equally effective manner.

If the Data Controller has not yet notified the data subject of the data protection incident, the supervisory authority may, after considering whether the data protection incident is likely to involve a high risk, order the data subject to be informed.

10.13. Compensation and damages

Any person who has suffered pecuniary or non-pecuniary damage as a result of a breach of the data protection regulation is entitled to compensation from the Data Controller or the data processor for the damage suffered. The data processor is liable for damages caused by data processing only if it has not complied with the obligations specified in the law, which are specifically imposed on the data processors, or if it has disregarded or acted contrary to the data controller’s lawful instructions.

If several controllers or processors or both controllers and processors are involved in the same processing and are liable for damages caused by the processing, each controller or processor shall be jointly and severally liable for the total damage.

The Data Controller or the data processor is released from liability if it proves that it is not liable in any way for the event that caused the damage.

10.14. Rules of procedure
  • The Data Controller shall provide information on action taken on a request under Articles 15 to 22 to the data subject without undue delay and in any event within one month of receipt of the request.
  • That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the data subject makes the request by electronic form means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.
  • If the Data Controller fails to take action on the data subject’s request, it shall inform the data subject without delay, but no later than one month after receipt of the request, of the reasons for non-action and of the data subject’s right to complaint to a supervisory authority and may exercise its right of remedy.
  • The Data Controller provides the requested information free of charge. If the data subject’s request is manifestly unfounded or – due to its particularly repetitive nature – excessive, the controller may charge a reasonable fee or refuse to act on the request, taking into account the administrative costs of providing the requested information or taking the requested action.
  • The Data Controller shall inform all recipients to whom he or she has communicated personal data of any rectification, erasure, or restriction on the processing of personal data, unless this proves impossible or requires a disproportionate effort. Upon request, the Data Controller shall inform the data subject of these recipients.
  • The Data Controller shall provide the data subject with a copy of the personal data subject to data processing. For additional copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. If the data subject has submitted the request electronically, the information shall be provided in electronic format, unless the data subject requests otherwise.

11. Review in the event of mandatory data processing

If the duration or necessity of mandatory data processing is not specified by law, local government decree or a mandatory legal act of the European Union, the data controller shall review at least every three years from the start of data management whether the management of personal data processed by him or by the data processor acting on his behalf is necessary for the purpose of data management.

The circumstances and results of this review shall be documented by the controller, retained for ten years after the review, and made available to the Authority upon request by the National Data Protection and Freedom of Information Authority (Nemzeti Adatvédelmi és Információszabadság Hatóság) (hereinafter: Authority).

12. Modification of privacy polic

The Data Controller reserves the right to modify this privacy policy in a manner that does not affect the purpose and legal basis of the data management. By using the website after the change takes effect, you accept the amended privacy policy.

If the Data Controller wishes to perform further data processing in connection with the collected data for a purpose other than the purpose of their collection, it shall inform you of the purpose of the data processing and the following information prior to the further data processing:

  • the duration of the storage of personal data or, if this is not possible, the criteria for determining the duration;
  • the right to request the Data Controller to access, rectify, delete, or restrict the processing of personal data concerning you, and to object to the handling of personal data in the case of data processing based on a legitimate interest, and to request guaranteeing the right to data portability in the case of data processing based on consent or contractual relationship
  • in the case of consent-based data management, that you can withdraw your consent at any time,
  • the right to lodge a complaint with the supervisory authority;
  • whether the provision of personal data is based on a legal or contractual obligation or a precondition for concluding a contract, and whether you are obliged to provide personal data, and the possible consequences of not providing the data;
  • the fact of automated decision-making (if such a procedure is used), including profiling, and at least in these cases, understandable information about the logic used and the significance of such data processing and the expected consequences for you.

The data processing can only start after that, if the legal basis of the data processing is consent, in addition to the information, you shall also consent to the data management.