Privacy policy
1. Purpose and scope of the Privacy Notice
The purpose of this Privacy Policy is to set out the data protection and data management principles applied by Infinite AD Limited Liability Company (registered office: 1157 Budapest, Zsókavár u. 2, 7th floor 26, company registration number: 01-09-412791, tax number: 32222632-2-42) (hereinafter referred to as the "Data Controller" or the "Company") and the data protection and data management policy established by the Data Controller, which the Data Controller acknowledges as binding.
The purpose of this Privacy Notice is also to provide all natural persons concerned with the processing of their personal data with information enabling them to ascertain how their data is processed by the Data Controller and to ensure that their fundamental freedoms and their rights to the processing, protection and privacy of their personal data are respected by the Data Controller at all times when processing their personal data, regardless of their nationality or place of residence.
This Notice applies to all processing of data, regardless of the form in which it is presented, carried out by the Data Controller on the website available at the URL https://infinite.ad/ (hereinafter referred to as the Website).
2. Information about the data controller
For the processing activities listed in this notice, the Data Controller is the controller of personal data. The Data Controller informs data subjects that no Data Protection Officer has been appointed by the Data Controller.
If the data subject has any questions or comments about the processing of his or her data, he or she can contact the Data Controller using the following contact details.
Name: Infinite AD Limited Liability Corporation
Registered office and mailing address: 1157 Budapest, Zsókavár u. 2., 7. floor 26.
Phone number: +36-30/552-0870
E-mail address: hello@infinite.ad
3. Definitions used in the Privacy Notice
Below is a brief explanation of the terms used in this Notice:
Personal Data: any information relating to a natural person who is identified, directly or indirectly, or who can be identified on the basis of one or more factors or attributes that identify that natural person.
Data processing: any operation performed on personal data, regardless of the means by which it is carried out; accordingly, data processing includes, but is not limited to, collection, recording, organisation, structuring, storage, adaptation, alteration, consultation, retrieval, use, disclosure, transmission, dissemination, making available by other means, alignment, combination, restriction, erasure, destruction.
Controller: Infinite AD Ltd., which determines the purposes and means of the processing of personal data.
Processing: the performance of technical tasks on personal data related to processing operations, regardless of the method and means used and the place of application.
Processor: a natural or legal person who processes personal data on behalf of the controller.
Consent: a voluntary, specific, informed indication of the data subject's wishes by which he or she unambiguously signifies his or her agreement to the processing of his or her personal data.
GDPR: General Data Protection Regulation 2016/679 of the European Parliament and of the Council, which contains binding rules on the processing of personal data and on the exercise of data subjects' rights in relation to the processing of their personal data.
Restriction of processing: marking of personal data stored in order to restrict their processing in the future.
Recipient: a natural or legal person, public authority or other body with whom or to which personal data are disclosed.
Anonymisation: operations which, once carried out, no longer make it possible to identify the specific individual to whom the personal data relate, i.e. the data lose their personal character and no longer allow the identification of any natural person, and the link between the data subject and the data can no longer be established.
Pseudonymisation: operations after which it is no longer possible to determine to which specific person the personal data relate in the absence of additional information, if the additional information is kept separately and it is technically ensured that the personal data cannot be linked to identifiable natural persons.
Supervisory Authority: an independent authority established to protect the rights and freedoms of natural persons with regard to the processing of personal data and to facilitate the free flow of personal data within the EU; in Hungary, the National Authority for Data Protection and Freedom of Information.
Data breach: a breach of data security that results in the accidental or unlawful destruction, loss, alteration, disclosure to unauthorised persons or access by unauthorised persons of personal data transmitted, stored or otherwise processed.
Cookie: a so-called anonymous visitor identifier, which is placed and read by the Data Controller on the computer, smart device or browser of the data subject when the user is visiting the website available at the URL https://infinite.ad/. A cookie is a unique piece of data that can be used to save the settings used on the website and to track how the visitor has accessed the website and what actions he or she has performed there.
Website: the online platform available at the URL https://infinite.ad/, which data subjects visit in order to view or register for the services offered by the Data Controller.
Consumer: a natural person acting outside the scope of his or her profession, self-employment or business activity.
4. Method and principles of data processing
In order to achieve the data management purposes set out in this notice, the Data Controller processes personal data which are provided directly by the data subjects or to which the data subjects give access or authorise access.
The Data Controller shall pay particular attention to ensuring that the personal data it processes are not accessible to unauthorised persons and that those who are authorised by the Data Controller to process personal data may process personal data only to the extent and for the duration strictly necessary for the performance of their tasks or activities.
The data subject's data are also processed by data processors, as described in point 10 of this notice, in accordance with the binding provisions of the relevant contracts, for a limited scope. In point 11 of this notice, the Data Controller also provides detailed information on when personal data may be accessed by third parties, beyond the scope of the processing, including in particular when the Data Controller is approached by official bodies fulfilling their legal obligation to provide personal data.
Personal data shall be processed by the Controller only in accordance with the applicable legal requirements, in order to achieve the specific processing purposes defined prior to the start of the processing and in accordance with those purposes.
The Data Controller shall process all personal data coming to its knowledge lawfully and fairly and in such a way that the processing is transparent to the data subjects throughout the period of processing. The Data Controller shall collect and process personal data only for the lawful purposes clearly set out in this Notice and shall take particular care not to process any personal data in a way incompatible with the purposes set out in this Notice.
The Data Controller considers it important to stress that the processing it carries out is not aimed at tracking data subjects, nor at monitoring and/or profiling their activities and behaviour.
When determining the method of data processing and throughout the entire data processing process, the Data Controller shall implement technical and organisational measures to ensure both the application of data protection principles and the protection of the rights of data subjects. The measures implemented by the Controller have been determined after taking into account and evaluating the state of the art, the costs of implementation and the risks to the rights of natural persons.
The Data Controller informs the data subjects that the Company processes personal data that are adequate, relevant and strictly necessary for the purposes for which they are processed. The Data Controller endeavours to ensure that the data it processes are always accurate and up-to-date and takes reasonable steps to supplement or correct inaccurate or incorrect data as soon as possible. The Data Controller asks the data subjects to assist the Data Controller in fulfilling its obligations by informing it in writing (by e-mail) if their data have changed in the meantime or need to be corrected for other reasons.
The processing of personal data lasts as long as strictly necessary for the specific purpose of the processing. During the processing of the data, the Controller shall take all technical and organisational measures necessary to ensure the security of the personal data, including, but not limited to, the protection against unlawful processing, accidental loss, destruction or damage.
In all cases where the Data Controller intends to use the data for a purpose other than the original purpose specified in this Notice, the Data Controller shall inform the data subjects in writing in advance, indicating the new purpose of the processing and additional information on the processing, and shall ensure that in such cases it has a legal basis for the processing.
It is of particular importance for the Data Controller to build technical and organisational measures into the data management processes to ensure that processing is only carried out to the extent and for the duration necessary to achieve the specific purpose of the processing and that access to the data is granted accordingly. In order to fulfil this obligation, the Data Controller has built in controls in the data processing processes to ensure that the processing operations remain within the above limits at all times.
The Data Controller shall pay particular attention to the immediate erasure of data for which the purpose of processing has been fulfilled, the period of processing has expired or the data subject has made a reasoned request to that effect, or, if erasure is not feasible, to the anonymisation of the data so that the link between the data and the data subjects can no longer be established.
5. Data processing related to the creation and maintenance of a User account
The Data Controller operates the website at the URL https://infinite.ad/, where the Data Controller provides its service to registered users, against payment of a monthly fee set by the Data Controller, which allows users to launch and manage ads on Meta without human intervention through the system provided by the Data Controller as part of the service, and to review and evaluate their Facebook and Instagram posts and generate new post text using AI.
When registering on the Website, the data subject is required to provide the following personal data: name, e-mail address, company name (if relevant), password.
The processing of the data provided during registration is necessary to enable the Data Controller to provide the data subject with access to the account created on the Website and to use the service via the Website, and to enable the Data Controller to fulfil its administrative obligations in connection with the provision of the service (sending notifications, providing the possibility of online payment by credit card).
The legal basis for the processing of personal data provided during registration is the contract between the Data Controller and the data subject for the use of the service.
If the service is used by a company, the legal basis for processing the personal data provided by the data subject during registration is the legitimate interest of the Data Controller and the company using the service. In order to process the data on the basis of legitimate interest, the Data Controller has carried out an interest balancing test, which has led to the conclusion that the legitimate interest of the Data Controller and the company on whose behalf the data subject registers on the Website, on which the processing is based, is genuine and overrides the interest of the data subject not to have their data processed. The knowledge and processing of the data is indispensable to enable the Data Controller to provide the company with the access necessary to use the service and to contact the company - through the data subject - in the course of providing the service, during the contract period, and to provide the necessary information. If the data subject so requests in writing, the Data Controller shall provide him or her with the possibility to consult the detailed balancing of interests test. Since the data provided by the data subject during registration are processed by the Data Controller on the basis of his or her own legitimate interests or those of his or her business partner, the data subject may object to this processing on grounds relating to his or her particular situation. For detailed information on the right of the data subject to object, see point 12.E.
The Data Controller draws your attention to the fact that if you do not provide your data or provide incomplete data during registration, the Data Controller will not accept your registration and will not be able to provide the service in the absence of the basic information necessary for the provision of the service.
In addition to the above, the Data Controller also processes the data of natural person users who use the service, which are necessary for the invoicing of service fees (billing name, billing address, tax number (in the case of sole proprietors), data on the date, duration and location of the use of the service, data technically necessary for the provision of the service). The purpose of the processing in this case is to enable the Data Controller to invoice the data subject for the service fee paid by the data subject, the legal basis being the fulfilment of the legal obligation on the Data Controller pursuant to Article 169 of Act CXXVII of 2007 on Value Added Tax and the legal authorisation contained in Article 13/A of Act CVIII of 2001 on certain aspects of information society services.
The Data Controller draws the attention of the data subjects to the fact that the processing of the data required for invoicing is required by the provisions of the VAT Act, so in the event that their billing data are not or not fully provided to the Data Controller, the Data Controller is entitled to terminate the service contract with the data subject by giving notice.
In the case of natural person users who use the service and pay the service fees by bank transfer, the bank account number of the user is also processed by the Data Controller. The purpose of the processing is the registration and monitoring of the payment of the service fee by the Data Controller, while the legal basis is the fulfilment of the obligation imposed on the Data Controller by Article 169 (2) of Act C of 2000 on Accounting.
The Data Controller will process the data of the user concerned until the data subject deletes his or her own account via the Website interface.
As the Data Controller is subject to Article 169 (2) of Act C of 2000 on Accounting, the Data Controller is obliged to keep invoices and records of customers forming part of the accounting in a legible form for 8 (eight) years from the date of issue of the invoice or the date of preparation of the records. The Data Controller will therefore process the service user's data (billing name, billing address, tax number (in the case of sole proprietors)) contained in the invoices issued to natural person users for 8 years from the date of issue of the invoice, and the bank account number for 8 years from the date of crediting the service fee, regardless of whether the account of the person concerned is otherwise deleted before the expiry of this period.
Other data necessary for the billing of service fees (data relating to the time, duration and location of the use of the service and data technically necessary for the provision of the service) will be processed by the Data Controller until the termination of the service contract between the data subject and the Data Controller.
The Data Controller informs the data subjects that the e-mail address provided during registration is also processed for the purpose of providing the data subjects with information of public interest relating to the use of the service, in particular to notify data subjects that their registration has been successfully completed or to send them a link to confirm the deletion of their profile. The Data Controller points out that the information e-mails do not constitute a newsletter or any other marketing or advertising communication, and therefore do not require the consent of the data subjects.
6. Processing for contact purposes
Data subjects can contact the Data Controller through the online interface of the Website in order to use the services offered by the Data Controller that are most suitable for them.
In such a case, the Data Controller processes the following personal data provided by the data subject in the online contact form: name, e-mail address.
The purpose of the processing of the above data is to enable the Data Controller to contact the data subject directly and to inform him/her of the services offered to him/her.
The legal basis for the processing of the data is the legitimate interest of the Data Controller, for the application of which the balancing of interests test has been carried out. In carrying out this test, the Data Controller weighed its own legitimate interest in processing the data against the legitimate interests of the data subjects in not having their data processed. The balancing of interests test established that the legitimate interest of the Data Controller in processing the data of the persons who have come into contact with the Data Controller is real and that it prevails over the legitimate interest of the data subjects in not being subject to processing by the Data Controller. If the data subject so requests in writing, the Controller shall provide him or her with the opportunity to be informed of the detailed balancing test.
Since the data provided during the contact are processed by the Data Controller on the basis of its own legitimate interests, the data subject may object to this processing on grounds relating to his or her particular situation. Detailed information on the data subject's right to object can be found in point 12.E.
The personal data described in this point will be processed until the data subject objects to the processing.
7. Processing of data provided when booking online
The Data Controller provides the possibility for those interested in its services to book an appointment with the Data Controller through the Website for an online consultation to present the service.
If the data subject uses the above option to make an appointment for an online consultation via the Website, the Data Controller shall process the name and e-mail address of the data subject and the time of the consultation booked by the data subject.
The purpose of the processing of personal data provided by the data subject is to register the reservation of the data subject, to notify the data subject of the booking and to ensure the data subject's participation in the online consultation. The processing of the data is based on Article 6(1)(b) of the GDPR, as the processing of the data subject's data is necessary for the Controller to be able to provide the data subject with the possibility to participate in the online consultation, based on the data subject's request. The Data Controller draws the attention of the data subject to the fact that if the personal data are not provided or are incomplete when making the appointment, the Data Controller will not be able to provide the online consultation.
The processing of data subjects' data for the purposes of this point lasts for 180 days from the date/time of the online consultation for which the data subject has registered via the Website.
8. Use of cookies on the website
The Data Controller uses anonymous visitor identifiers, also known as cookies, on the Website to simplify the browsing process of the Website and for system administration, statistical and, in some cases, marketing purposes. A cookie is a unique piece of data whose basic function is to facilitate browsing of the Website by allowing you to save the settings used on the Website and to keep track of which users have visited and what actions they have performed on the Website.
The legal basis for the processing of data collected by cookies installed on the device used by the data subject when visiting the Website or on the data subject's browser to ensure the proper functioning of the Website is the legitimate interest of the Data Controller. In order to apply this legal basis, a balancing of interests test was carried out, in which the Data Controller compared the legitimate interests of the Data Controller on its own side and the interest of the data subjects visiting the Website not to have their data processed. On the basis of the balancing of interests test, it was established that the legitimate interest of the Data Controller in processing the data collected by the cookies is real and prevails over the legitimate interest of the data subjects not to be subject to the processing. If the data subject so requests in writing, the Data Controller will provide him or her with the opportunity to be informed of the detailed balancing of interests test.
Since the data provided during the contact are processed by the Data Controller on the basis of its own legitimate interests, the data subject may object to this processing on grounds relating to his or her particular situation. Detailed information on the data subject's right to object can be found in point 12.E.
If the data subject consents to the use of cookies that are not strictly necessary for the operation of the Website by using the buttons on the so-called cookie panel on the home page of the Website, the Data Controller will place and read back such cookies on the data subject's device or browser in order to provide a personalised service. The legal basis for the processing of the data collected by cookies in this case is the consent of the data subject. Data subjects may withdraw their consent at any time, but the Data Controller informs them that this does not affect the lawfulness of the processing carried out by the Company prior to the withdrawal of the data subject's consent.
The cookies used on the Website may be of different types; the types of cookie are briefly described by the Data Controller below:
Essential cookies: these cookies help make the Website usable by enabling basic functions such as navigating the Website, filling in and submitting online forms through the Website. The Website cannot function properly without such cookies.
Website configuration cookie: used to remember information that can be used to change the way the Website works or looks, such as the language preferred by the data subject or the region in which the data subject is located.
Cookies for statistical purposes: they help the Data Controller to understand how many people visit the Website, how they visit the Website and how they use the Website. This data is collected by the Data Controller in order to compile statistics and to improve the Website. The data collected by this type of cookie is anonymised, meaning that users cannot be identified.
Marketing cookies: these cookies are used to track visitors' activity on the Website. They help the Controller to serve relevant advertisements to data subjects when they visit the Website and to encourage them to be active when using the Website. As the data collected by marketing cookies are not only used by the Data Controller but also transferred to the Data Controller's media, advertising and analytics partners, the cookies used by such partners must also be placed on the data subject's browser and device, which means that the data subject's consent to the placing of such cookies and the processing of data in relation thereto is also required.
The Data Controller informs the data subjects that the cookies used on the Website can be distinguished in terms of expiry as follows:
session cookie: session cookies are automatically deleted after the data subject's visit. These cookies are mainly used to enable the Website to function efficiently and securely, but also to enable certain functions of the Website or applications running on the Website to function properly;
persistent cookies: these cookies are typically used by the Data Controller to improve the user experience (e.g. to provide optimised navigation, to ensure access to secure areas of the Website, to analyse activity on the Website). These cookies are stored for a longer period of time in the cookie file of the data subject's browser. The lifetime of this type of cookie depends on the cookie settings used by the data subject's own internet browser.
Detailed information about the cookies used by the Data Controller (name of the cookie, purpose of the cookie, name of the cookie service provider, expiry date and type of cookie) can be accessed and read by the data subject at any time through the cookie panel on the Website.
When data subjects visit the Website, the Data Controller explicitly draws their attention to the fact that it will use cookies on the Website. The Data Controller also draws the attention of the data subjects to the fact that cookies will only be placed on their devices and browsers, excluding cookies that are strictly necessary for the functioning of the Website, if the data subject expressly consents to their use and to the processing of the data collected and stored by the cookies by means of the appropriate settings in the cookie panel that pops up on the Website.
The Data Controller draws your attention to the fact that you can delete cookies from your computer or from the smart devices used to view the Website at any time, and you can also disable the use of cookies in your browser, but in this case you may not be able to use certain functions of the Website at all or only to a limited extent for technical reasons. You can usually manage cookies by going to the Tools/Preferences menu of your browser and selecting Privacy, cookie or tracking.
By clicking on the links below, depending on the type of browser used by the data subject, they can get further help on how to make the above settings:
- Google Chrome
- Mozilla Firefox
- Microsoft Internet Explorer
- Microsoft Edge
- Safari (on Apple Mac)
- Safari (on other Apple smart devices)
9. Data processing related to complaint handling and warranty claims
The Data Controller provides the possibility of making and submitting a complaint about the service provided through the Website or its use.
When investigating and responding to a complaint submitted in writing by a data subject who is a consumer, the Data Controller will in principle process the name and address of the data subject, but if the data subject also provides the Data Controller with additional personal data of his or her own choice, the processing will also cover these personal data.
If the data subject who uses the service exercises his or her warranty rights against the Data Controller arising from the defective performance of the service, the Data Controller shall process the following personal data of the data subject: name, address, name of the service used, date and description of the defect, the right to be enforced and data relating to the settlement of the claim.
When processing complaints against the Data Controller, the Data Controller processes the personal data provided in order to comply with its legal obligations under paragraphs (3)-(6) of Article 17/A of Act CLV of 1997 on Consumer Protection, as the processing of personal data is necessary to investigate and respond to the complaint.
The Data Controller shall process the data of data subjects who assert a warranty claim against the Data Controller due to a defect in the service provided by the Data Controller in order to fulfil its obligations under Chapter XXIV of Act V of 2013 on the Civil Code. The Data Controller can only act on the basis of the personal data in order to assess the claim and, if the claim is justified, to fulfil it.
The processing of personal data of data subjects who lodge a complaint with the Data Controller is solely for the purpose of the Data Controller investigating and responding to the written complaint within the time limit provided for by law. The processing of personal data relating to persons who have lodged a claim against the Controller is carried out in order to enable the Controller to take action to deal with such claims, to contact the persons concerned and to inform them of the outcome of the claim and of the action taken (if the claim is justified).
The Data Controller shall process the personal data indicated in the written complaint and the response to the complaint for a period of 3 (three) years from the date of the response to the complaint. The Data Controller shall process the data of the data subjects asserting their warranty rights for a period of 5 (five) years from the date of the assessment of the claim.
10. Use of data processors
The Data Controller informs the data subjects that there are data processing operations for which - on the basis of a separate written contract - it uses the assistance of data processors. In this context, the Data Controller shall ensure that the processors provide the necessary guarantees to ensure compliance with the applicable data protection rules and to take the necessary measures to protect the rights of the data subjects. The Data Controller draws the attention of the data subjects to the fact that the processors may not take any substantive decisions regarding the processing of the data, as they may only process them in accordance with the instructions and provisions of the Data Controller.
The Data Controller cooperates with the following data processors in the course of its data processing activities detailed in this Notice:
A. Billingo Technologies Private Limited Company (address: 1133 Budapest, Árbóc utca 6., e-mail: hello@billingo.hu)
- personal data processed: billing name and address of an individual user, tax number in the case of a self-employed data subject
- Activity concerned: provision of online invoicing software for invoicing
B. Stripe (address: 354 Oyster Point Blvd South San Francisco, CA 94080 United States, e-mail: support@stripe.com)
- personal data processed: billing name and address of the individual user, bank account number (only if bank transfer payment method is chosen), tax number (only for self-employed persons)
- Activity concerned: provision of accounting services to the Data Controller
C. Digital Summit Ltd. (address: 1157 Budapest, Zsókavár u. 2., 7th floor 26., e-mail: hello@digital-summit.hu)
- personal data processed: data provided by data subjects who register on the Website during registration; data provided by data subjects who contact the Data Controller via the Website; data provided by persons who book an appointment with the Data Controller online via the Website
- Activity concerned: provision of hosting services related to the website
11. Access to personal data, transfer of data
In the event that the Data Controller receives a formal request, stating the reason for the transfer, from an authority or court empowered by law to transfer some or all of the data processed concerning the data subjects, the Data Controller shall be obliged and entitled to transfer the personal data requested by the authority or court to these bodies in order to fulfil this obligation.
The Controller informs data subjects that the data processed about them will not be transferred to other controllers, international organisations or other recipients, either within the EU or to third countries, beyond the scope of this notice.
12. Rights of data subjects, procedure for exercising rights
The Data Controller shall ensure that data subjects can exercise their rights to the personal data processed by the Company in full, without any unjustified restriction or hindrance.
The Data Controller shall also ensure that data subjects have the right of access to data, the right to erasure, rectification and restriction of processing, the right to object in case of processing based on legitimate interest, the right to withdraw consent and the right to data portability, and the possibility to lodge a complaint against processing, as set out below.
A. Right of access to data
Data subjects may at any time request information on what data the Data Controller processes about them and how this processing is carried out.
If the data subject makes such a request in writing, the Controller shall provide him or her with a copy of the data processed concerning him or her, inform him or her of the purposes of the processing and the recipients to whom the data are disclosed, the envisaged duration of the processing, the rights of the data subject and the rules for exercising those rights.
The Data Controller informs the data subjects that it can only grant their request for a copy of the data free of charge for the first copy of the document containing the data. If the data subject requests further copies of the data processed concerning him or her following a previous request on the same subject and/or makes a new request with the same content within a short period of time, the Data Controller shall be entitled to charge an additional fee for the execution of the request; the amount of the fee shall be notified to the data subjects in the Data Controller's reply to the request.
The Data Controller draws the attention of the data subjects to the fact that it can only comply with a request for a copy of the data if and to the extent that it does not infringe the rights and freedoms of other natural persons.
A. Right to rectification of data
If the data subject becomes aware that his or her personal data is being processed inaccurately by the Data Controller, he or she may at any time request in writing that the data be corrected or that the data he or she considers incomplete be completed by sending the correct or missing data to the e-mail address hello@infinite.ad.
B. Right to erasure
The data subject may request the Controller to erase personal data processed concerning him or her without undue delay if:
- the purpose of the processing has ceased, or
- the data subject has withdrawn his or her consent and no other legal basis for further processing can be established, or
- in the case of processing based on legitimate interests, the data subject has objected to the processing and there are no overriding reasons justifying further processing; or
- unlawful processing has taken place, or
- the Controller is required by law to erase the data.
The Data Controller draws the attention of the data subjects to the fact that they also have the right to be forgotten, which ensures the inaccessibility of data on a wider scale. If the data subject also wishes to exercise this right, the Data Controller will use all possible IT solutions to ensure that the data are not available to the Company in any form in the future. In such cases, the Data Controller shall ensure that the electronic files containing the data are deleted from the backups and shall carry out the operations necessary to anonymise the data if the deletion of the data is not possible for any reason. The Data Controller shall also require its own processors, upon request of the data subject, to erase or destroy data relating to the data subject which they are processing.
The Data Controller asks the data subjects to note that it cannot comply with their request for data erasure if the further processing of the data is necessary for the purposes of the protection and exercise of a legal interest, the right of reply and information, the fulfilment of a legal obligation or statutory task, statistical purposes, research, or in the public interest of public health.
The Data Controller also draws the attention of the data subjects to the fact that, in the event that their request for erasure has been fulfilled by the Data Controller, the data processed about the data subject can no longer be restored.
C. Right to restrict processing
Data subjects may request restriction of processing in the following cases and for the following periods:
- if the data subject becomes aware that his or her data are being processed inaccurately by the Controller; in this case, the restriction may be requested until the accuracy of the personal data is verified;
- where the data subject considers that unlawful processing has taken place and therefore explicitly requests that the Controller not delete his or her data;
- where the Controller no longer needs the personal data for the purposes for which it was collected, but the data subject requests the data for the establishment, exercise or defence of legal claims;
- where the data subject has objected to processing based on legitimate interests but his or her request has been rejected by the Controller; in such a case, the restriction shall apply for the period until it is established whether the legitimate interests of the Controller or of a third party prevail over the legitimate interests of the data subject.
If the data subject's request is justified, the Controller shall inform all recipients to whom the data have been disclosed of the restriction of processing. The Data Controller draws the attention of the data subjects to the fact that, in the event of such a request, the data subject to the restriction will not be processed but will continue to be stored.
However, where the data subject has consented to the further processing of the data, or where the processing is necessary for the establishment, exercise or defence of legal claims or is justified on grounds of the protection of the rights of another natural or legal person or an important public interest of the Union or of a Member State, the Controller will continue to process the personal data, notwithstanding the restriction.
If the ground for the restriction of processing indicated by the data subject no longer applies, the Data Controller shall inform the data subject in writing of the lifting of the restriction and the date of the lifting of the restriction no later than 15 days before the lifting of the restriction.
D. Right to withdraw consent to data processing
If the processing is based on the data subject's consent, the data subject may decide to withdraw it at any time. The Data Controller reminds data subjects that the withdrawal of consent is only valid in writing and must be sent to the e-mail address hello@infinite.ad. The requirement of written consent does not apply to the processing of personal data collected by cookies on the basis of the data subject's consent; in such cases, the data subject may withdraw consent by indicating his or her decision to do so using the appropriate buttons on the cookie panel.
The Data Controller informs the data subjects that the withdrawal of their consent does not affect the lawfulness of the processing activities of the Data Controller carried out on the basis of their consent prior to the receipt of the withdrawal notice.
E. Objection to data processing
In the event that the data subject's data are processed by the Data Controller on the basis of his or her own or a third party's legitimate interests, the data subject may object to the processing at any time on grounds relating to his or her particular situation. The Controller draws the attention of the data subject to the fact that, in such a case, the data will no longer be processed by the Controller, unless there is another legal ground for the processing which permits the processing of the data or the processing is justified by compelling legitimate grounds which override the interests, rights and freedoms of the data subject or are related to the establishment, exercise or defence of legal claims.
F. Examination of applications from interested parties
The Data Controller shall, irrespective of the content of the request submitted by the data subject in connection with the processing for the purpose of exercising the rights listed in points A to E above, start the processing of the request immediately upon receipt and shall provide a reasoned written reply on the outcome of the processing without undue delay, but no later than 1 month from the date of receipt.
The Data Controller may extend the above time limit for response by up to 2 additional months on the grounds of the complexity of the data subject's request or the number of requests from other data subjects received by the Data Controller.
If the time limit for responding to the request is extended, the Data Controller shall inform the data subject in writing within 1 month of receipt of the request at the latest, stating the reason for the delay. No extension shall be granted if, on the basis of the data subject's request, the Controller considers that no data protection measure is necessary. In such a case, the request shall be answered without undue delay, but at the latest within 1 month of receipt, and the Controller shall inform the data subject of the reasons why no further action has been taken in his or her case and of the remedies available to the data subject against the decision of the Controller.
The Data Controller shall not charge a fee for the measures taken to respond to or comply with the request, unless the request is manifestly unfounded or is repeated by the data subject with the same content after the previous request has been dealt with; in such cases, the Data Controller may charge the data subject a reasonable fee in proportion to the administrative costs incurred in complying with the request, the exact amount of which shall be specified in the Data Controller's response to the request.
The Data Controller draws the attention of the data subjects to the fact that, in order to avoid unauthorised access to the data, it can only comply with requests to exercise the rights to the processing of personal data if it can clearly establish the identity of the data subjects. The Data Controller therefore requests data subjects to always include in their request at least their name and e-mail address, which will allow the Data Controller to verify that the request has been made by the data subject by comparing it with the data at its disposal.
G. Remedies
The Data Controller shall endeavour to ensure that the processing of data complies in all respects with the requirements of lawfulness, fairness and data security; therefore, if for any reason the data subjects are not satisfied with the processing of their data, the Data Controller requests the data subjects to contact the Company directly at one of the contact details listed in section 2 of this notice.
If the data subject considers that the processing of his or her personal data was unlawful, he or she may also lodge a complaint with the National Authority for Data Protection and Freedom of Information (registered office: 1055 Budapest, Falk Miksa utca 9-11., postal address: 1363 Budapest, Pf. 9., e-mail address: ugyfelszolgalat@naih.hu). The rules on the receipt and handling of complaints and on the conduct of official proceedings can be found at www.naih.hu. The Data Controller further informs the data subjects that if they disagree with the decision of the Authority or if the Authority does not investigate their complaint within the time limit or does not inform them within 3 months of the procedural developments concerning their complaint or of the outcome of the complaint, they may appeal to the competent court of the seat of the Authority (Fővárosi Tribunal, address: 1055 Budapest, Markó u. 27., postal address: 1363 Budapest, Pf. 16.).
If the data subject considers that the Data Controller has infringed his/her rights by improper processing of his/her data, he/she may also apply directly to the Metropolitan Court of Budapest (address: 1055 Budapest, Markó u. 27., postal address: 1363 Budapest, Pf. 16.) for legal remedies, or may also initiate proceedings before the competent court of his/her place of residence or domicile.
The contact details of the competent courts can be found at the following link: https://birosag.hu/birosag-kereso. The Data Controller draws the attention of data subjects to the fact that legal representation before the courts is mandatory, therefore they can only assert their claims in court if they have access to an appropriate legal representative.
In the event that the Data Controller or its processor processes the data in breach of the applicable data protection provisions and the data subject suffers damage as a result, the data subject shall be entitled to compensation before a competent court, and, in the case of non-pecuniary damage, to claim damages against the Controller or its processor, on the understanding that the processor is liable for the damage only if it has failed to comply with the legal provisions specifically applicable to processors or has disregarded or acted contrary to the instructions of the Controller.
The data subject may also, at his or her option, pursue his or her claim for damages before the courts having jurisdiction for the place where the Controller or the infringing processor is established or where he or she resides or is domiciled. The contact details of the competent courts can be found by clicking on the following link: https://birosag.hu/birosag-kereso.
13. Data security measures
The Data Controller shall make every effort to ensure that the personal data it processes are kept at an adequate level of security. The choice of the most appropriate data security measure is made by the Data Controller on a case-by-case basis, taking into account and assessing the existing and likely risks to the data processed.
In order to ensure data security, the Data Controller shall ensure that the electronic records and programs enabling the processing of personal data are kept confidential at all times during the period of data processing, that the electronic records and files containing the data have the necessary protection and are resistant to any unauthorized interference, attack, accidental destruction or loss of data. The Data Controller guarantees that the records and programs used for data management are available to the extent necessary both for carrying out data management operations and for exercising and enforcing the rights of data subjects.
The Data Controller shall continuously monitor and evaluate the current and likely risks to the personal data, in particular the risks of accidental or unlawful destruction, alteration, loss or access by unauthorised persons of the data processed by the Data Controller, before the processing starts and throughout the processing.
14. Handling data breaches
The Data Controller draws the attention of the data subjects to the fact that, despite the data security measures implemented by the Data Controller and enforced throughout the entire process of processing personal data, unfortunate and undesirable events may occur which may compromise the protection and security of the processed data (data breaches).
In the event of an incident involving personal data processed by the Data Controller, the Data Controller shall, in accordance with the provisions of the GDPR, ensure that the incident is reported to the National Authority for Data Protection and Freedom of Information without undue delay, but no later than 72 hours from the time of its discovery.
The Data Controller asks data subjects not to be surprised if they receive a notification of a personal data breach from the Data Controller; in such cases, the Data Controller is also fulfilling its legal obligation to inform data subjects of incidents that are likely to present a high risk to their rights and freedoms.
Such a high risk exists in particular where the incident involves data that is considered sensitive (e.g. sensitive data, information on the financial situation of the data subject, data that could be used for identity theft or to make a public statement about your interests). This letter will describe the nature and consequences of the incident and the measures already taken or envisaged by the Data Controller to remedy the consequences and to eliminate any adverse effects.
The Data Controller will follow an action plan to detect and resolve any data breaches as soon as possible. In order to minimise the occurrence of possible incidents in the course of data processing, the Data Controller shall continuously monitor the processing of data.
In addition to the notification of incidents involving personal data, the Data Controller shall always keep a record of such incidents and keep separate records, which shall include a description of the incidents, their classification and their impact on the data subjects, as well as the measures taken by the Data Controller to eliminate them as soon as possible and to eliminate their undesirable consequences.
The Data Controller shall ensure that all processors who are also entitled to process personal data comply with their obligations to report and document incidents in accordance with the provisions of applicable law, as is the case with the Data Controller.
15. Amendments to the Privacy Policy
The Data Controller reserves the right to amend this Privacy Notice unilaterally, without time limitation.
If the Data Controller makes such a change, it shall inform the data subjects whose personal data it processes. The Data Controller shall publish the information about the modification on the Website, with a specific notice, and shall continue to make the privacy policy containing the modifications in a consolidated form available on the Website to data subjects.
16. Applicable laws
In preparing this notice, the Data Controller has taken as a basis all the mandatory provisions applicable to the performance of its data management activities, in particular, but not limited to, the following legal provisions:
Regulation (EU) No 2016/679 of the European Parliament and the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC ("General Data Protection Regulation" or "GDPR"),
Act CXII. of 2011 on the Right of Informational Self-Determination and Freedom of Information ("Infotv."),
Act V. of 2013 on the Civil Code ("Civil Code"),
Act CLV. of 1997 on Consumer Protection (the "Consumer Protection Act"),
Act CVIII. of 2001 on certain aspects of electronic commerce services and information society services ("Act on electronic commerce services"),
Act CXXVII. of 2007 on Value Added Tax ("VAT Act"),
Act C of 2000 on Accounting ("Accounting Act").