Data Processing Policy





Introduction
Siluro Kft. (H-8600 Siófok, Mogyoró utca 1.; VAT number: 14891757-2-14; company registration number: 14-09-309557) (hereinafter referred to as: ‘Service Provider’, ‘Data Controller’) subjects itself to the following Policy.
In accordance with REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), we provide and make available the following Policy.
This Data Processing Policy applies to the data processing performed on the following website:
http://www.kajakpeca.hu
The Data Processing Policy is available on the following page:
http://www.kajakpeca.hu/hu/content/adatvedelem
This Data Processing Policy becomes effective when published on the above page.

Data controller and its contact details:

Name: Siluro Kft.
Registered office: H-8600 Siófok, Mogyoró utca 1.
E-mail: info@kajakpeca.hu
Phone: +36 (30) 515-9393

Definitions

‘personal data’: any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

‘processing’: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

‘controller’: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

‘processor’: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

‘recipient’: a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;

‘consent of the data subject’: any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

‘personal data breach’: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.


Principles relating to processing of personal data

Personal data shall be:

processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);

collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);

adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);

accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);

kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);

processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).

The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).

Data processing activity

Data processing related to the operation of the Webstore

The fact of data collection, the scope of processed data and the purpose of data processing:

 
Personal data    Purpose of data processing       
Password    Serves for the secure entry into the user account.       
Family and first name    Necessary for contacting, purchases and the issue of correct invoices.       
E-mail address    Communication.       
Phone number    Communication, more efficient consultation of issues relating to invoicing or delivery.       
Invoicing name and address    Issue of correct invoices, conclusion of the contract, specification of its content, related amendments, monitoring of its performance, as well as the invoicing of fees arising under the contract and the enforcement of related claims.       
Delivery name and address    Enable home delivery.       
Date of purchase/registration    Performance of technical operation.       
IP address upon purchase/registration    Performance of technical operation.    

The e-mail address does not necessarily contain any personal data.

Scope of data subjects: All data subjects who are registered/purchase on the website.

Period of the data processing, time limit for the erasure of data: Upon the deletion of registration, without delay. Data controller shall inform the data subject of the erasure of any personal data provided by the data subject as prescribed by Article 19 of the GDPR, by electronic means. If the data subject’s request for erasure also concerns his/her e-mail address, then the data controller shall also erase the e-mail address following the provision of information. An exception is made with regard to the accounting documents, since Section 169(2) of Act C of 2000 on Accounting prescribes the retention of such data for a period of 8 years.

The accounting documents underlying the accounting records directly or indirectly (including ledger accounts, analytical records and registers) shall be retained for minimum eight years, shall be legible and retrievable by means of the code of reference indicated in the accounting records.

Possible data controllers entitled to get to know the data, recipients of the personal data: The personal data may be processed by the sales and marketing employees of the data controller, by observing the above principles.

Description of the rights of data subjects regarding data processing:

The data subject may request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject, and
may object to processing of such personal data, and
the data subject shall have the right to data portability and to withdraw his/her consent at any time.

The data subject may request access to personal data, the rectification, modification or the restriction of processing thereof, as well as data portability or may object to data processing by using the following means:
by postal mail to the address H-8600 Siófok, Mogyoró utca 1.,
by e-mail sent to the e-mail address info@kajakpeca.hu,
by phone at the phone number +36 (30) 515-9393.

Legal basis of data processing:

Article 6(1)(b) of the GDPR,

Section 13/A(3) of Act CVIII of 2001 on Certain Issues of Electronic Commerce Services and Information Society Services (hereinafter referred to as: ’E-commerce Act’):

The service provider may – for the purpose of providing the service – process personal data indispensable for providing the service for technical reasons.  Should other conditions be identical, the service provider shall select and operate the means applied in the course of providing information society service at all times, so that personal data be processed only if it is absolutely indispensable for providing the service or achieving other objectives stipulated in this Act, and only to the required extent and duration.

In the case of issuing invoices in accordance with accounting laws, Article 6(1)(c) of the GDPR.

In the case of enforcing claims arising the contract, the limitation period of such claims is 5 years as specified by Section 6:21 of Act V of 2013 on the Civil Code.

Section 6:22 [Statute of limitations]
(1) Unless otherwise provided for in this Act, claims shall lapse after five years.
(2) The limitation period commences upon the due date of the claim.
(3) An agreement for modifying the limitation period shall be made in writing.
(4) Any agreement excluding prescription shall be null and void.

We hereby inform you that

data processing is required for the performance of the contract.
you must provide us with your personal data so we can execute your order.
the lack of data supply has a consequence that we are unable to process your order.

Data processors engaged

Delivery

Activity conducted by the data processor: Delivery of products, transport

Name and contact details of the data processor:

Fürgefutár.hu Kft.
Registered office: H-1077 Budapest, Wesselényi utca 28. 2. emelet
Phone: +36 (1) 900-9669
E-mail: ugyfelszolgalat@furgefutar.hu
Website: https://furgefutar.hu/

MPL Magyar Posta Logisztika Kft.
Registered office: H-1138 Budapest, Dunavirág utca 2-6.
Phone: +36 (1) 333-7777
E-mail: ugyfelszolgalat@posta.hu
GTCC: https://www.posta.hu/ugyfelszolgalat/aszf
Data Processing Policy: https://www.posta.hu/adatkezelesi_tajekoztato

The fact of data processing, the scope of processed data: Delivery name, delivery address, phone number, e-mail address.

Scope of data subjects: All data subjects who request home delivery.

Purpose of data processing: Home delivery of the products ordered.

Period of the data processing, time limit for the erasure of data: Lasts until the completion of home delivery.

Legal basis of data processing: Article 6(1)(b) of the GDPR.

Hosting provider

Activity conducted by the data processor: Hosting service

Name and contact details of the data processor:

bEcommerce.hu Kft.
Registered office: H-1204 Budapest, Alsó határút 109.
Site: H-8411 Veszprém Öregrét utca 4.
Mailing address: 8411 Veszprém Öregrét utca 4.
E-mail: hello@becommerce.hu

The fact of data processing, the scope of processed data: Any personal data provided by the data subject.

Scope of data subjects: All data subjects who use the website.

Purpose of data processing: Ensuring the availability and the proper operation of the website.

Period of the data processing, time limit for the erasure of data: Data processing lasts until the termination of the agreement entered between the data controller and the hosting provider, or until the request of the data subject for the erasure of his/her data is submitted to the hosting provider.

Legal basis of data processing: Article 6(1)(c)(f) of the GDPR and Section 13/A(3) of Act CVIII of 2001 on Certain Issues of Electronic Commerce Services and Information Society Services.














Recipients to whom personal data are disclosed (transfer of personal data):
Online payment

Activity conducted by the Recipient: Online payment

Name and contact details of the Recipient:

OTP Mobil Szolgáltató Kft.
Registered office: H-1093 Budapest, Közraktár u. 30-32.
E-mail: ugyfelszolgalat@simple.hu
Phone: +36 1/20/30/70 3-666-611

The fact of data processing, the scope of processed data: Invoicing data, name, e-mail address

Scope of data subjects: All data subjects who select the online payment option on the website.

Purpose of data processing: Execution of online payments, confirmation transactions and fraud-monitoring conducted for the protection of users

Period of the data processing, time limit for the erasure of data: Lasts until the online payment is executed.

Legal basis of data processing: Article 6(1)(b) of the GDPR. Data processing is necessary for the performance of online payments requested by the data subject.

Rights of the data subjects:

You shall have the right to learn about the circumstances of data processing.
You shall have the right to obtain from the controller confirmation as to whether or not personal data concerning you are being processed, and to access to any information relating to data processing.
You shall have the right to receive the personal data concerning you in a structured, commonly used, machine-readable format.
You shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning you.







Use of cookies

Typical cookies used in webstores are the so-called ’password-protected session cookies’, ’shopping cart cookies’ and ’security cookies’, which require no prior consent from the data subject.

The fact of data processing, the scope of processed data: Unique ID number, dates, times

Scope of data subjects: All data subjects who visit the website.

Purpose of data processing: Identification of users, keeping record of the ’shopping cart’, tracking of visitors to the website.

Period of the data processing, time limit for the erasure of data:

 
Cookie type    Legal basis of data processing    Period of data processing    Scope of processed data       
Session cookies
    Section 13/A(3) of Act CVIII of 2001 on Certain Issues of Electronic Commerce Services and Information Society Services (E-commerce Act)    Until the given visitor session is closed    connect.sid
       
Other cookies    Section 13/A(3) of Act CVIII of 2001 on Certain Issues of Electronic Commerce Services and Information Society Services (E-commerce Act)    480 hours        

Possible data controllers entitled to get to know the data: No personal data are processed by the controller with the use of cookies.

Description of the rights of data subjects regarding data processing: The data subjects may delete the cookies in the Tools/Settings menu of the browsers, typically in the ’Privacy settings’ section.

Legal basis of data processing: No consent is required from the data subject if the cookies are used solely for the transmission of communications via the electronic communication network, or in case the use of cookies is essential for the service provider to render a service relating to the information society expressly requested by the subscriber or user.

Use of Google Analytics

This website uses the Google Analytics application, which is the web analytics service of Google Inc. (’Google’). The Google Analytics operates with so-called ’cookies’ and text files that are saved to your computer, thus facilitating the analysis of the use of the website visited by the User.

The information generated by the cookies related to the website used by the User are usually sent to and stored on one of Google’s servers located in the U.S. By the website activation of IP anonymisation, Google precedingly shortens the User’s IP address within the EU Member States or other states that are parties to the Agreement on the European Economic Area.

The full IP addresses are sent to and shortened on Google’s US server only in exceptional cases. On commission by the operator of this website, Google will use the thus obtained information to assess how the User used the website, to prepare reports for the operator of the website regarding the activity on the website, as well as to perform further services related to the use of the website and the internet.

Within the framework of the Google Analytics, Google does not match the IP address transmitted by the User’s browser with any other data of Google. You may prevent the storing of cookies by using the applicable settings in your browser. However, we call your attention that in this case it may occur that not all functions of this website will be fully operational. Moreover, the User may prevent Google to collect and process the User’s data concerning his/her website use, collected by the cookies (including the IP address), if he/she downloads and installs the browser plugin available at: https://tools.google.com/dlpage/gaoptout?hl=hu



















Newsletter, direct marketing activity

Pursuant to Section 6 of Act XLVIII of 2008 on the Essential Conditions and Certain Limitations of Business Advertising Activity, the User may give his/her prior and explicit consent to be contacted by the Service Provider with its advertising offers and other consignments at the contact details provided upon registration.

Furthermore, by observing the provisions of this Policy, the Customer may give consent to the processing of his/her personal data necessary for the Service Provider to send such advertising offers.

The Service Provider shall not send any unsolicited advertising messages, and User may unsubscribe from the sending of advertising offers free of charge, without any restriction and justification. In this case the Service Provider shall erase all personal data of the User (necessary for the sending of advertising messages) from its records, and may not contact the User with any further offers. The User may unsubscribe from the advertisements by clicking on the link in the e-mail message.

The scope of data collection, the scope of processed data and the purpose of data processing:

 
Personal data    Purpose of data processing       
Name, e-mail address.    Identification, enabling subscription for the newsletter.        
Date of subscription    Performance of technical operation.       
IP address upon subscription    Performance of technical operation.    

Scope of data subjects: All data subjects who subscribe for the newsletter.

Purpose of data processing: sending of electronic messages (e-mail, SMS, push message) with advertising content to the data subject, provision of up-to-date information about products, promotions, new functions etc.

Period of the data processing, time limit for the erasure of data: data are processed until the statement of consent is withdrawn, i.e. the cancellation of subscription.

Possible data controllers entitled to get to know the data, recipients of the personal data: The personal data may be processed by the sales and marketing employees of the data controller, by observing the above principles.

Description of the rights of data subjects regarding data processing:

The data subject may request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject, and
may object to processing of such personal data, and
the data subject shall have the right to data portability and to withdraw his/her consent at any time.

The data subject may request access to personal data, the rectification, modification or the restriction of processing thereof, as well as data portability or may object to data processing by using the following means:
by postal mail to the address H-8600 Siófok, Mogyoró utca 1.,
by e-mail sent to the e-mail address info@kajakpeca.hu,
by phone at the phone number +36 (30) 515-9393.

The data subject may unsubscribe from the newsletter free of charge, at any time.

Legal basis of data processing: the data subject’s consent, Article 6(1)(a)(f) of the GDPR and Section 6(5) of Act XLVIII of 2008 on the Essential Conditions and Certain Limitations of Business Advertising Activity:
Advertisers, advertising service providers and publishers of advertisements shall maintain records on the personal data of persons who provided the statement of consent to the extent specified therein. The data kept in these records – relating to the person to whom the advertisement is addressed – may be processed only for the purpose provided in the statement of consent, until withdrawn, and may be disclosed to third persons only with the prior consent of the data subject.

We hereby inform you that

the data processing is based on your consent.
you must provide us with your personal data if you wish to receive our newsletters.
the lack of data supply has a consequence that we are unable to process your order.



Handling of complaints

The fact of data collection, the scope of processed data, and the purpose of data processing:

 
Personal data    Purpose of data processing       
Family and first name    Identification, communication.       
E-mail address.    Communication.       
Phone number    Communication.       
Invoicing name and address    Identification, handling of quality complaints, questions and problems arising in connection with the products.    

Scope of data subjects: All data subjects who purchase in the webstore on the website and make quality complaints.

Period of the data processing, time limit for the erasure of data: The copies of the protocol, transcript and the reply thereto shall be retained for 5 years in accordance with Section 17/A(7) of Act of CLV of 1997 on Customer Protection.

Possible data controllers entitled to get to know the data, recipients of the personal data: The personal data may be processed by the sales and marketing employees of the data controller, by observing the above principles.

Description of the rights of data subjects regarding data processing:

The data subject may request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject, and
may object to processing of such personal data, and
the data subject shall have the right to data portability and to withdraw his/her consent at any time.

The data subject may request access to personal data, the rectification, modification or the restriction of processing thereof, as well as data portability or may object to data processing by using the following means:
by postal mail to the address H-8600 Siófok, Mogyoró utca 1.,
by e-mail sent to the e-mail address info@kajakpeca.hu,
by phone at the phone number +36 (30) 515-9393.

Legal basis of data processing: Article 6(1)(c) of the GDPR and Section 17/A(7) of Act CLV of 1997 on Customer Protection.

We hereby inform you that

the supply of personal data is based on a contractual obligation.
the processing of personal data is a condition of the conclusion of the contract.
you must provide us with your personal data so we can manage your complaint.
the lack of data supply has a consequence that we are unable to manage the complaint we received from you.


Social networking sites

The fact of data processing, the scope of processed data: the name of the person who registered at social networking sites such as Facebook/Google+/Twitter/Pinterest/YouTube/Instagram etc., and his/her public profile picture.

Scope of data subjects: All data subjects who registered at social networking sites such as Facebook/Google+/Twitter/Pinterest/YouTube/Instagram etc., and also liked the given website.

Purpose of data collection: Sharing, liking and popularising of the website itself or the specific content elements, promotions or products thereof on the social networking sites.

Period of the data processing, time limit for the erasure of data, Possible data controllers entitled to get to know the data and the description of the rights of data subjects regarding data processing: The data subject may obtain information on the given social networking site about the sources, processing of the data, as well as about the way and legal basis of transfer thereof on the social networking site concerned. Data processing is conducted on the social networking sites, thus the period and manner of data processing and the possibilities to modify or erase data are governed by the policies of the specific social networking site.

Legal basis of data processing: the voluntary consent of the data subject to the processing of his/her personal data, provided on the social networking site.







Customer relationships and other data processing

If the data subject has any questions during the use of our data processing services or he/she has any problems in this regard, then he/she may contact the data controller by any means (phone, e-mail, social networking sites etc.) indicated on the website.

The e-mails, messages and the data given by phone, on Facebook etc. – along with the name, e-mail address and any other voluntarily provided personal data of the contacting person – will be erased by the data controller within no more than 2 years from the date when they were supplied.

We provide information about other data processing not listed herein upon the recording of data.

In the case of exceptional requests from authorities or those received from other bodies authorised by law, the Service Provider shall provide information, disclose or supply data, as well as shall make available documents as requested.

In such cases – if the contacting authority or body appointed the exact purpose and scope of data concerned – Service Provider shall disclose any personal data in an amount and to an extent which is essential to achieve the purpose of the given request.

Rights of the data subjects

Right of access

You shall have the right to obtain from the controller confirmation as to whether or not personal data concerning you are being processed, and, where that is the case, access to the personal data and the information specified in the Regulation.

Right to rectification

You shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning you. Taking into account the purposes of the processing, you shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

Right to erasure

You shall have the right to obtain from the controller the erasure of personal data concerning you without undue delay and the controller shall have the obligation to erase personal data without undue delay under certain conditions.






Right to be forgotten

Where the data controller has made the personal data public and is obliged to erase the personal data, the data controller – taking account of available technology and the costs of implementation – shall take all reasonable steps (including technical measures) to inform the controllers which are processing the personal data that you have requested the erasure by such controllers of any links to, copy or replication of, those personal data.

Right to restriction of processing

You shall have the right to obtain from the controller restriction of processing where one of the following applies:
You contest the accuracy of personal data, for a period enabling the controller to verify the accuracy of the personal data;
the processing is unlawful and you oppose the erasure of the personal data, and requests the restriction of their use instead;
the controller no longer needs the personal data for the purposes of processing, but you require them for the establishment, exercise or defence of legal claims;
you have objected to processing; in this case the restriction applies for a period until it is verified whether the legitimate grounds of the controller override your legitimate grounds.

Right to data portability

You shall have the right to receive the personal data concerning you which you have provided to a controller in a structured, commonly used and machine-readable format, and shall have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided (...)

Right to object

You shall have the right to object – on grounds relating to your particular situation, at any time – to processing of personal data concerning you based on (…), including profiling based on those provisions.

Objection to direct marketing

Where personal data are processed for the purposes of direct marketing, you should have the right to object to such processing – including profiling – to the extent that it is related to such direct marketing, at any time. If you object to processing personal data concerning you for purposes of direct marketing, then the personal data may be no longer processed for any such purposes.


Automated individual decision-making, including profiling

You shall have the right not to be subject to a decision based solely on automated processing – including profiling – which produces legal effects concerning you or similarly significantly affects you.
The last paragraph shall not apply if the decision:
is necessary for entering into, or performance of, a contract between you and a data controller;
is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or
is based on your explicit consent.

Time limits of the measures

The data controller shall inform you about the measures taken based on the above requests without undue delay, but no later than within 1 month from the receipt of such request.

If necessary, this time limit may be extended by 2 months. The data controller shall inform you of the extension of time limit – along with the reasons of the delay – within 1 month from the receipt of the request.

If the data controller fails to take any measures in response to your request, the data controller shall inform you of the reasons of failing to take any measures without delay, but no later than one month from the receipt of the request, and this information must include your eligibility to submit a claim to a supervisory authority and to exercise your right to judicial remedy.

Security of processing

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

the pseudonymisation and encryption of personal data;

the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;

a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

Communication of a personal data breach of the data subject

When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.

The communication to the data subject shall describe in clear and plain language the nature of the personal data breach, and shall describe: the name and contact details of the data protection officer or other contact point where more information can be obtained; the likely consequences of the personal data breach; the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

The communication to the data subject shall not be required if any of the following conditions is met:
the controller has implemented appropriate technical and organisational measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption;
the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialise;
it would involve disproportionate effort. In such case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.

If the controller has not already communicated the personal data breach to the data subject, the supervisory authority – having considered the likelihood of the personal data breach resulting in high risk – may require it to do so.

Notification of a personal data breach to the supervisory authority

In the case of a personal data breach, the controller shall without undue delay – and, where feasible – no later than 72 hours from having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55 of the GDPR, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.





Possibility to submit complaints

The complaints against any infringement by the controller may be submitted to the Hungarian National Authority for Data Protection and Freedom of Information:

Hungarian National Authority for Data Protection and Freedom of Information
H-1125 Budapest, Szilágyi Erzsébet fasor 22/C.
Mailing address: 1530 Budapest, P.O. Box 5
Phone: +36 (1) 391-1400
Fax: +36 (1) 391-1410
E-mail: ugyfelszolgalat@naih.hu

Final provisions

During the preparation of this Policy the following laws and regulations were observed:

REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
Act CXII of 2011 on Informational Self-Determination and Freedom of Information
Act CVIII of 2001 on Certain Issues of Electronic Commerce Services and Information Society Services (in particular Section 13/A)
Act XLVII of 2008 on the Prohibition of Unfair Commercial Practices against Consumers
Act XLVIII of 2008 on the Essential Conditions and Certain Limitations of Business Advertising Activity (in particular Section 6)
Act XC of 2005 on the Freedom of Information by Electronic Means
Act C of 2003 on Electronic Communications (in particular Section 155)
Opinion 16/2011 on EASA/IAB Best Practice Recommendation on Online Behavioural Advertising
Recommendation of the Hungarian National Authority for Data Protection and Freedom of Information on the Data Protection Requirements of Preliminary Information