Privacy Notice


This privacy notice is effective from January 1, 2024.

1. Purpose and scope of the Privacy Notice

The purpose of this notice is to record the data protection and data management principles applied by Infinite AD Limited Liability Company (seat: 1026 Budapest, Pasaréti út 122-124., commercial registry number: 01-09-412791, tax number: 32222632-2-42) (hereinafter: Data Controller or Company), as well as the data protection and data management policy established by the Data Controller, which the Data Controller recognizes as binding on itself.

This privacy notice also aims to provide all natural persons affected by data management with information on how the Data Controller handles their data and to ensure that their fundamental freedoms and rights related to the management, protection, and respect for their personal data and privacy are maintained by the Data Controller in the course of personal data processing — regardless of nationality or residence.

This notice applies to all data management activities carried out by the Data Controller on the website accessible at the URL https://infinite.ad/ (hereinafter: Website), regardless of the form in which it occurs.

2. Information about the Data Controller

The Data Controller is considered the processor of personal data in connection with the data management activities listed in this notice. The Data Controller informs the affected individuals that it has not appointed a data protection officer.

If the concerned person has any questions or comments regarding the processing of their data, they can contact the Data Controller at the following contact details.

Name: Infinite AD Limited Liability Company
Seat and mailing address: 1026 Budapest, Pasaréti út 122-124.
Email address: hello@infinite.ad

3. Terms used in the Privacy Notice

Below are brief explanations of the terms used in this notice:

Personal data: any information relating to an identified or identifiable natural person, either directly or indirectly, based on one or more identifiers, factors, or characteristics.

Data processing: any operation performed on personal data, regardless of the way it is carried out; this includes collection, recording, organization, structuring, storage, transformation, alteration, retrieval, querying, use, communication, transmission, dissemination, making it accessible by any other means, coordination, linking, restriction, deletion, and destruction.

Data Controller: the Infinite AD Ltd., which determines the purpose and means of personal data processing.

Data processing: execution of technical tasks related to data processing operations on personal data, regardless of the method and tools used, and the place of application.

Data Processor: a natural or legal person who processes personal data on behalf of and under the assignment of the Data Controller.

Consent: a voluntary, specific, informed declaration of intent by the person concerned by the data processing, indicating unmistakably their consent to processing their personal data.

GDPR: the General Data Protection Regulation of the European Parliament and Council No. 2016/679, which contains mandatory provisions on the processing of personal data and the rights exercisable by the person concerned in relation to personal data processing.

Restriction of data processing: marking of stored personal data to restrict future processing.

Recipient: a natural or legal person, public authority, agency, or any other body, to which the personal data is communicated.

Anonymization: actions after which it can no longer be determined which specific person the personal data relates to, i.e., the data loses its personal nature and no inference can be drawn to any identifiable natural person, the connection between the data and the data subject can no longer be restored.

Pseudonymization: activities after which it can no longer be determined which specific person the personal data relates to without additional information, if the supplementary information is stored separately and it is technically ensured that the personal data cannot be linked to identifiable natural persons.

Supervisory authority: an independent authority established to protect the rights and freedoms of natural persons and to facilitate the free flow of personal data within the Union during the personal data processing; in Hungary, the National Authority for Data Protection and Freedom of Information.

Data protection incident: a breach of data security requirements resulting in accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to transmitted, stored, or otherwise processed personal data by unauthorized persons.

Cookie: an anonymous visit identifier placed and read back by the Data Controller on the computer, smart device, or browser of those performing activities on the website accessible at the URL https://infinite.ad/. It is a unique data string that allows saving settings applied on the website and tracking how the visitor reached the site and what actions they performed there.

Website: the online platform accessible at URL https://infinite.ad/, which affected individuals visit for viewing and registering for the services offered by the Data Controller.

Consumer: a natural person acting outside their profession, independent occupation, or business activity.

4. Method and principles of data processing

To achieve the data processing goals determined in this notice, the Data Controller processes personal data that is either provided directly by the data subjects or whose access is enabled or permitted by the data subjects.

The Data Controller pays particular attention to ensuring that unauthorized persons cannot access the personal data processed, and that those authorized to handle it on behalf of the Data Controller can access it only to the extent and for the duration strictly necessary for the performance of their duties or activities.

According to point 10 of this notice, data processors also process the data of those affected within a limited scope. Furthermore, in point 11, the Data Controller provides detailed information on when third parties can have access to personal data, including but not limited to cases when official bodies reach out to them, and the Data Controller complies with its legal obligation by transferring personal data.

The Data Controller processes personal data solely in accordance with applicable legal provisions, for achieving concrete data processing goals determined prior to the commencement of data processing, and consistently with them.

The Data Controller manages all personal data they learn about legally and fairly, ensuring that data processing remains transparent for the data subjects throughout. The Data Controller only collects and processes personal data for the clearly defined, lawful purposes outlined in this notice, and pays special attention to ensure that no personal data is processed in ways incompatible with the detailed purposes of this notice.

The Data Controller emphasizes that its data processing activities do not aim to track the behavior or profile the activities of the data subjects.

In determining the method of data processing and throughout the entire data processing process, the Data Controller implements all technical and organizational measures required to ensure the enforcement of data protection principles and the protection of the rights entitled to data subjects. The measures implemented at the Data Controller were determined after evaluating the current state of science and technology, the costs necessary for implementation, and the risks to the rights of natural persons.

The Data Controller informs the subjects that at the Company, only the appropriate and relevant personal data necessary to achieve the data processing objectives in context are handled. The Data Controller strives to ensure that the data it processes are always accurate and up-to-date and takes all possible measures to supplement or correct inaccurate or incorrect data as soon as possible. The Data Controller requests that the subjects assist in fulfilling the Controller’s obligations by indicating in writing (via email) if their data has changed or needs clarification for other reasons.

Data processing continues for as long as it is strictly necessary to achieve the specific data processing goal. During data processing, the Data Controller takes all technical and organizational measures necessary to guarantee the security of personal data, including, but not limited to, protection against the unlawful processing, accidental loss, destruction, or damage of data.

In all cases where the Data Controller intends to use data for any purpose other than those specified in this notice, it will fully inform the data subjects in advance, in writing – indicating the new purpose of data processing and additional information concerning the data processing – and will ensure that a legal basis allows the processing.

The Data Controller considers it crucial to build technical and organizational measures into its data processing operations, ensuring that data processing only occurs to the extent and for the duration necessary to achieve the specific data processing goal and that access to the data is appropriately granted. To fulfill this obligation, the Data Controller has incorporated controls into its data processing operations that are suitable for ensuring that they remain within the above limits.

The Data Controller pays special attention to ensuring that data for which the data processing purpose has been achieved, data processing duration has expired, or the data subject has submitted a legitimate request for deletion, is deleted immediately. If deletion is not feasible, the Data Controller will anonymize the data in order to ensure that the relationship between the data and the data subject can no longer be restored.

5. Data processing related to creating and maintaining a user account

The Data Controller operates the website at the URL https://infinite.ad/, providing services to registered users of the Data Controller – for a monthly fee determined by the Data Controller – which enables users to launch ads without human intervention in the Meta system and manage them through the system provided by the Data Controller as part of the service, as well as to review, evaluate, and generate new post texts for Facebook and Instagram using AI.

If the subject registers on the Website, they must provide the following personal data: name, email address, company name (if relevant), password.

The processing of the data provided during registration is necessary for the Data Controller to ensure the subject’s access to their account created on the Website and to enable the use of the service through the Website, as well as the Data Controller’s ability to fulfill its administrative obligations related to the provision of the service (sending notifications, providing the possibility of online credit card payments).

The legal basis for processing the personal data provided during registration is the contract for the use of the service concluded between the Data Controller and the subject.

If a company uses the service, the legal basis for processing the personal data provided by the subject during registration is the legitimate interest of the Data Controller and the company using the service. The Data Controller has conducted the compatibility test for the legitimate interest, determining that the legitimate interest of the Data Controller and the company using the service, in whose name the subject registers on the Website, prevails and is stronger than the affected parties’ interest in not having their data processed. The knowledge and processing of the data are essential for the Data Controller to ensure the necessary access to use the service for the company and, in the course of providing services, to contact the company – through the subject – during the contract term and provide the necessary information. If the subject requests it in writing, the Data Controller will provide access to the detailed compatibility test. Given that the personal data provided during registration is processed based on the legitimate interest of the Data Controller and its corporate partner, the subject can object to such data processing for reasons related to their particular situation. Detailed information on the right to object to the data processing is available in section 12.E.

The Data Controller would like to point out that if the subject fails to provide their data during registration, or provides it incompletely, the Data Controller will not accept the registration due to missing essential information for providing the service, and will not be able to provide the service.

The Data Controller also processes the data of those using the service, who are natural person users, necessary for invoicing the service fees (billing name, billing address, tax number (in the case of a sole proprietor), the date, duration, and location of service use, technically indispensable data for providing the service). The purpose of this data processing in this case is to issue an invoice for the service fee paid by the subject, with the legal basis being the fulfillment of the legal obligation applying to the Data Controller pursuant to Section 169 of Act CXXVII of 2007 on General Sales Tax, and the statutory authorization contained in Section 13/A of Act CVIII of 2001 on the questions related to electronic commerce services.

The Data Controller informs the subjects that since the handling of data necessary for issuing invoices is required for the Data Controller by the provisions of the VAT Act, the Data Controller is entitled to terminate the service contract with the subject by way of termination if they do not provide their billing data or do not supply it fully.

If the service is used by a natural person user who pays the service fees by bank transfer, the Data Controller also handles the bank account number of the subject. The purpose of data processing is to register and track the payment of service fees by the Data Controller, while the legal basis is the fulfillment of the obligation imposed on the Data Controller by Section 169 (2) of Act C of 2000 on accounting.

The Data Controller handles the subject user’s data until the subject deletes their own account through the Website interface.

As per the accounting obligation imposed on the Data Controller by Section 169 (2) of Act C of 2000 on accounting, the Data Controller is obligated to retain the invoices and the records forming part of the books prepared about customers for 8 (eight) years in a readable format from the point of issuing the invoice or preparing the records, and therefore handles personal data in invoices issued to service users who are natural persons (billing name, billing address, tax number in case of sole proprietors) for 8 years from the issuance of the invoice and the bank account number for 8 years from the crediting of the service fee, regardless if the subject deletes their account before the expiration of this timeframe.

The Data Controller handles other data essential for invoicing service fees (data related to date, duration, and location of service use, and technically indispensable data for providing the service) until the service contract concluded between the subject and the Data Controller is terminated.

The Data Controller informs the subjects that the email address provided during registration is also processed for delivering general information related to service usage to the subjects. This includes informing subjects of successful registration or sending them the link required to confirm the deletion of their profile. The Data Controller points out that informational emails do not constitute a newsletter, marketing, or advertising outreach, and thus do not require the subjects’ consent for the transmission.

6. Data processing for contact purposes

Subjects may contact the Data Controller through the Website’s online interface to avail themselves of the most suitable services offered by the Data Controller.

In such cases, the Data Controller processes the following personal data provided by the subject through the online contact form: name, email address.

The purpose of processing the above data is for the Data Controller to communicate directly with the subject and provide them with information on which service is recommended for them.

The legal basis for processing the data is the legitimate interest of the Data Controller, for which a compatibility test has been conducted. During this test, the Data Controller weighed its own legitimate interest in processing the data against the subject’s interest in not having their data processed. The compatibility test concluded that the legitimate interest in processing contact data provided by individuals reaching out to the Data Controller genuinely prevails over the legitimate interest of the subject in not extending the scope of data processing to them. If the subject requests in writing, the Data Controller provides access to the detailed compatibility test.

As the data provided during contact is processed based on the Data Controller’s legitimate interest, the subject may object to such data processing for reasons related to their particular situation. Detailed information on the subject’s right to object is found in section 12.E.

Personal data specified in this section will be processed until the subjects object to the data processing.

7. Data processing during online appointment booking

The Data Controller enables individuals interested in its service to book an appointment through the Website for an online consultation to showcase the service.

If the subject utilizes the above opportunity to book an appointment for an online consultation through the Website, the Data Controller processes the subject’s name and email address, and the time of the appointment booked by the subject.

The goal of processing the personal data provided by the subject is to register the subject’s appointment, notify the subject of the appointment, and enable the subject to participate in the online consultation. Data processing is carried out based on Article 6(1)(b) of the GDPR, as processing the subject’s data is necessary for the Data Controller to provide the online consultation at the subject’s request. The Data Controller informs subjects that if they do not provide or provide personal data incompletely during the appointment booking, the Data Controller will not be able to ensure participation in the online consultation for them.

Data processing for the purpose specified in this section continues until 180 days from the date/time of the online consultation for which the subject registered through the Website interface.

8. Use of cookies on the website

The Data Controller uses anonymous visit identifiers, or so-called cookies, on the Website, which simplify navigation on the Website and serve system administration, statistical, and certain marketing purposes. A cookie is a unique data string whose basic function is to ease browsing on the Website by saving the settings applied on the website and tracking how users visit the website and what actions they perform there.

The legal basis for processing data collected by cookies ensuring the proper functioning of the website accessed, installed on the device used by the subject, and the browser, during the visit to the Website is the Data Controller’s legitimate interest. For this legal basis, a compatibility test was conducted, in which the Data Controller compared its own legitimate interests with the interest of the website visitors in not having their data processed. The compatibility test concluded that the legitimate interest in processing data collected by cookies genuinely prevails over the legitimate interest of the subjects in not extending the scope of the processing to them. If the subject requests it in writing, the Data Controller provides access to the detailed compatibility test.

As data provided during the contact is processed based on the Data Controller’s legitimate interest, the subject can object to such data processing for reasons related to their particular situation. Detailed information on the subject’s right to object is in section 12.E.

If the subject consents to the use of cookies that are not essential for running the Website by using the buttons on the so-called cookie panel appearing on the Website’s homepage, the Data Controller places such cookies on the subject’s device and browser and reads them back for personalized service. The legal basis for the processing of data collected by cookies in this case is the subject’s consent. Subjects can withdraw their consent at any time, but the Data Controller informs them that this does not affect the lawfulness of processing conducted by the Company before the withdrawal based on the subject’s consent.

Cookies used on the website can be of different types, briefly introduced by the Data Controller as follows:

  • Essential cookies: these cookies help make the Website usable by enabling basic functions such as navigation on the website, filling out and submitting online forms through the Website. Without these cookies, the Website cannot function properly.
  • Cookies necessary for the website settings: they allow memorizing information that can change how the Website works, looks, such as the preferred language or region of the subject.
  • Cookies for statistical purposes: they help the Data Controller understand how many people and in what manner visit the Website and how they use it. These data are collected by the Data Controller for the purpose of producing statistics and improving their website based on them. Data collected by such cookies is anonymized, meaning users cannot be identified based on them.
  • Marketing cookies: these cookies are designed to track visitors’ activities on the Website. They help the Data Controller to display relevant ads to the subjects when visiting the Website and encourage them to engage with the Website. Since the data collected by marketing cookies are utilized not only by the Data Controller but also shared with the Data Controller’s media, advertising, and analytics partners, it requires placing cookies by such partners on the subject’s browser and device, meaning the subject’s consent also extends to the placement of such cookies and the related data processing.

The Data Controller informs the subjects that cookies used on the Website can be distinguished based on expiration as follows:

  • temporary (session) cookie: session cookies are automatically deleted after the subject leaves the website. These cookies primarily serve to ensure effective and secure operation of the Website, and some are indispensable for certain functions or applications running on the site to function properly;
  • persistent cookie: these cookies are typically used by the Data Controller to improve the user experience (e.g., providing optimized navigation, ensuring access to secure areas of the Website, analyzing activities on the Website). These cookies are stored longer in the cookie file of the subject’s browser. The lifespan of such cookies depends on the cookie settings used in the subject’s own internet browser.

Details about the cookies used by the Data Controller (cookie name, purpose of the cookie, name of the provider depositing the cookie, expiration, and type of cookie) can be accessed and read by the subjects any time via the cookie panel available on the Website.

When subjects visit the Website, the Data Controller specifically draws their attention to the use of cookies on the homepage. Additionally, the Data Controller points out that cookies are only placed on the subject’s device and browser – except for cookies strictly necessary for the operation of the Website – if the subject explicitly consents to the use of cookies, as well as to the processing of data collected and stored by cookies, using the appropriate settings on the cookie panel appearing on the Website.

The Data Controller informs the subjects that they can delete cookies from their own computer or the smart devices used to view the website at any time, and they can also disable the use of cookies in their browser. However, in this case, certain functions of the Website may, for technical reasons, be unusable or usable only with limitations. Cookie management is usually possible in the browsers’ Tools/Settings menu, under the Privacy menu item, in the entry named cookie or tracking.

By clicking the links below – depending on the type of browser used by the subject – affected users can receive further assistance to perform the above settings:

9. Data processing related to handling complaints and managing warranty claims

The Data Controller provides the possibility to submit complaints related to the service provided through the Website and its use.

In the course of handling complaints submitted in writing by subjects qualified as consumers, the Data Controller primarily processes the name and address of the subject, but if the subject voluntarily provides additional personal data, the data processing also extends to those personal data.

If the subject using the service exercises their warranty rights arising from the Data Controller’s faulty performance, the Data Controller processes the following personal data of the subject: name, address, the name of the service used, the time and description of reporting the error, the right to be exercised and data related to the settlement of the claim.

During the handling of complaints submitted against the Data Controller, the personal data provided is processed by the Data Controller in order to fulfill the legal obligations described in paragraphs 17/A (3) – (6) of Act CLV of 1997 on Consumer Protection, as processing these data is necessary for investigating and responding to complaints.

The Data Controller processes the data of subjects asserting warranty claims against the Data Controller for defects in services provided by the Data Controller in order to comply with its obligations under Chapter XXIV of Act V of 2013 on the Civil Code. The Data Controller can assess the claim and, if the claim is justified, fulfill it only with knowledge of the personal data.

The management of personal data of subjects complaining to the Data Controller is exclusively for the purpose of the Data Controller investigating and responding to written complaints within the legally required time frame. The processing of personal data relating to persons asserting warranty claims against the Data Controller occurs to assess these claims, establish contact with the affected individuals, or inform them of the decision on their request and the measures taken (if the claim is justified).

The Data Controller processes the personal data specified in the written complaint submission and in the response to it for 5 (five) years from the date of the complaint’s response. The data of the subjects asserting their warranty rights are processed by the Data Controller for 5 (five) years from the date of assessing the claim.

10. Use of data processors

The Data Controller informs subjects that there are certain data processing operations for which it uses the assistance of data processors – based on separate written contracts. In this context, the Data Controller ensures that the data processors provide guarantees necessary to ensure compliance with applicable data protection regulations and measures to protect the rights of subjects. The Data Controller informs the subjects that data processors cannot make any substantive decisions regarding data processing, as they can only process data according to the instructions and provisions of the Data Controller.

In the course of its data processing detailed in this notice, the Data Controller collaborates with the following data processors:

  • A. Billingo Technologies Private Limited Company (address: 1133 Budapest, Árbóc utca 6., email: hello@billingo.hu)
    Processed personal data: billing name and address of an individual user, tax number in case of a sole proprietor
    Activity related to data processing: online invoicing program provision necessary for issuing invoices
  • B. Stripe (address: 354 Oyster Point Blvd South San Francisco, CA 94080 United States, email: support@stripe.com)
    Processed personal data: billing name and address of an individual user, bank account number (only when choosing the bank transfer payment option), tax number (only for sole proprietors)
    Activity related to data processing: provision of accounting services for the Data Controller

11. Access to personal data, data transferring

In cases where the Data Controller receives an official request from a legally authorized authority or court to provide transferred data of subjects or part of it, indicating the reason for data transfer, the Data Controller is obliged and entitled to transfer the requested personal data to these authorities, or courts in compliance with its obligations.

The Data Controller informs the subjects that the data it processes about them is not transferred beyond what is described in this notice, either within the Union or to third countries, or to any other data controllers, international organizations, or third parties.

12. Rights of subjects, procedure of exercising rights

The Data Controller ensures that the subjects can exercise their rights related to the Company’s processing of personal data without unreasonable limitation or obstruction.

The Data Controller also ensures that data owners have the right to access data, erasure, rectification, restriction of processing, the right to object based on justified interest, the right to withdraw consent, the right to data portability, and the possibility to file legal remedies against data processing as described below.

A. Right of access to data

Subjects can request information about what data is processed about them by the Data Controller and how this data processing is conducted at any time.

If a subject submits such a written request, the Data Controller provides a copy of the data processed about them, informing about the purpose of data processing, the recipients with whom data is shared, the planned duration of data processing, and the rights entitled to the subject, and rules for exercising those rights.

The Data Controller informs the subjects that requests for data copies can only be fulfilled free of charge for the first copy of the document containing the data. If the subject requests further copies of the data processed about them after an earlier, identical request has been fulfilled, or submits another request with the same content within a short time, the Data Controller is entitled to charge a fee for fulfilling the request; the amount of this fee will be communicated to the subject in the letter responding to their request.

The Data Controller alerts the subjects that it can only fulfill the request for a data copy if it does not infringe the rights and freedoms of other natural persons.

B. Right to rectify data

If a subject becomes aware that the Data Controller processes their personal data inaccurately, they can request in writing at any time that it be rectified, or that data deemed missing be added, by sending the correct data at the same time to hello@infinite.ad.

C. Right to erasure of data

The subject can request the Data Controller to delete their processed personal data without undue delay if:

  • The purpose of data processing has ceased, or
  • The data subject has withdrawn their consent and no other legal basis can be determined for further processing of the data, or
  • In the case of justified interest-based processing, the subject objected to the processing, and there is no overriding reason to justify further processing, or
  • Illegal data processing occurred, or
  • The Data Controller is required by law to delete the data.

The Data Controller informs the subjects about their right to data erasure, which provides a broader means of making data inaccessible. If the subject also wishes to exercise this right, the Data Controller uses all possible IT solutions to ensure that the data is not available to the Company in any form in the future. In such a case, the Data Controller ensures the deletion of files containing data from backups and performs the operations necessary to anonymize the data if deleting it is for some reason not possible. Based on the subject’s request, the Data Controller also obliges its data processors to delete or destroy the data concerning the subject that they hold.

The Data Controller asks the subjects to consider that it cannot fulfill data deletion requests if further processing of the data is necessary for asserting and defending legal interests, exercising the rights to free expression and information, fulfilling legal obligations, performing a legally mandated task, fulfilling research and statistical purposes, or serving public health interests.

The Data Controller informs the subjects that if their deletion request is fulfilled, restoring processed data about the subject will not be possible.

D. Right to restriction of processing

Subjects can request restriction of processing in the following cases and for the following duration:

  • If the subject becomes aware that their data is inaccurately processed by the Data Controller; in this case, restriction can be requested for the time needed to verify the accuracy of the personal data;
  • If, in the subject’s judgment, unlawful processing occurred, and the subject therefore specifically requests that the Controller not delete their data;
  • If the Data Controller no longer needs the personal data for its purposes but the subject requires it for the presentation, validation, or defense of legal claims;
  • If the subject objects to justified interest-based processing, but the Controller rejected their request; in such cases, restriction can be requested for the duration of determining whether the legitimate interests of the Data Controller or of third parties override the legitimate interests on the subject’s side.

If the subject’s request is founded, the Data Controller informs all recipients with whom the data has previously been shared about the restriction. The Data Controller alerts subjects that after a restriction request is submitted, the restricted data remains stored but is not processed.

However, should the subject give consent to data processing again, or if the processing is necessary for the presentation, validation, or defense of legal claims, for the protection of the rights of other natural or legal persons, or for an important public interest of the Union or a Member State, the personal data will continue to be processed despite the restriction.

If the reason indicated by the subject for the restriction is no longer present, the Data Controller will inform the subject in writing of the lifting of the restriction and its date at least 15 days before the restriction is removed.

E. Right to withdraw data processing consent

If the processing of data is based on the subject’s consent, they may withdraw this consent at any time. The Data Controller informs subjects that consent withdrawal is valid only in writing, sent to hello@infinite.ad. The written-form requirement does not apply to personal data collected by cookies with the subject’s consent; in such cases, the subject indicates withdrawal of consent through their choice on the cookie panel’s buttons.

The Data Controller informs subjects that withdrawing consent does not affect the legality of the data processing activities performed based on consent until the withdrawal.

F. Objection to processing

If the subject’s data is processed by the Data Controller or a third party based on justified interest, the subject may object to the processing at any time for reasons related to their situation. The Data Controller informs the subjects that in this case the Controller will not process the data, provided that there is no other legal basis for the data processing and there are no compelling legitimate reasons that outweigh the subject’s interests, rights, and freedoms or that relate to the presentation, validation, or defense of legal claims.

G. Assessment of subject requests

The Data Controller assesses requests submitted by subjects for exercising the rights specified in points A-F immediately after submission, regardless of their content, and provides a justified written response on the outcome of the assessment within 1 month.

The Data Controller has the right to extend the above response deadline by 2 months if required based on the complexity of the request or the number of requests submitted by other subjects.

If the deadline for the response is extended, the Data Controller will inform the subject in writing within 1 month from the receipt of the request, specifying the reasons for the delay. The deadline cannot be extended if, based on the subject’s request, no data protection measures are necessary according to the Data Controller’s judgment. In such cases, the request will be responded to without delay, but no later than 1 month after its receipt, and the Data Controller will inform the subject about the reasons for not taking further measures and about the remedial options available against the decision.

No fees are charged for the assessment and fulfillment of requests or measures taken for the purpose, except if the request is clearly unfounded or is repeatedly submitted with identical content after previous assessments; in such cases, the Data Controller may charge a reasonable fee proportional to the administrative costs incurred in fulfilling the request, and the subjects are informed about the precise amount of this fee in the response to the request.

The Data Controller informs subjects that, to prevent unauthorized access to data, it can only fulfill requests related to the exercise of rights associated with the processing of personal data if the identity of the subjects can be clearly established. The Data Controller therefore requests the subjects to always include at least their name and email address in their request, which can be checked against data held by the Data Controller to verify that the request was genuinely submitted by the subject.

H. Legal redress options

The Data Controller strives to ensure that data processing complies with legal requirements and the requirements of fair processing and data security. Therefore, if subjects are dissatisfied in any way with the processing of their data, the Data Controller asks them to contact the Company directly at one of the contact points listed in Section 2 of this notice.

If the subject believes that their personal data was not processed lawfully, they can also submit a complaint with the National Authority for Data Protection and Freedom of Information (address: 1055 Budapest, Falk Miksa utca 9-11., mailing address: 1363 Budapest, Pf. 9., email: ugyfelszolgalat@naih.hu). Rules for accepting and assessing complaints and conducting authority proceedings can be found on www.naih.hu. The Data Controller informs subjects that if they disagree with the Authority’s decision, or the Authority fails to investigate their complaint within the deadline, or does not inform them within 3 months about the procedural developments or outcome related to their complaint, they can seek redress from the competent court according to the seat of the Authority (Fővárosi Törvényszék, address: 1055 Budapest, Markó u. 27., mailing address: 1363 Budapest, Pf. 16.).

If the subject considers that their rights were infringed by the Data Controller’s inadequate processing of their data, they can directly approach the Fővárosi Törvényszék (address: 1055 Budapest, Markó u. 27., mailing address: 1363 Budapest, Pf. 16.) for redress or initiate a procedure at the competent court according to their own residence or place of habitual residence.

The contacts for competent courts can be found at the following link: https://birosag.hu/birosag-kereso. The Data Controller alerts subjects that legal representation is required before the court, so they can only enforce their claims in court proceedings with appropriate legal representation.

If the Data Controller or its processor handles the data in a manner that does not comply with applicable data protection regulations, and the subject incurs damage as a result, they may file a claim for compensation, while for intangible damage they can demand a restitution fee from the Data Controller or its processor. However, the processor is only liable for damage if it did not comply with statutory provisions specifically applicable to data processors, or if it disregarded or acted contrary to instructions from the Data Controller.

The subject can enforce their compensation claim, at their choice, at the competent court according to the seat of the data controller or of the infringing data processor, or according to their own residence.

The contacts for eligible courts can be found at the following link: https://birosag.hu/birosag-kereso.

13. Data Security Measures

The Data Controller undertakes all necessary measures to ensure that personal data processed by it is adequately secured. The most appropriate data security measure is always selected individually, based on the present and likely risks concerning the processed data.

To ensure data security, the Data Controller ensures that the confidentiality of the electronic records, programs, and processes enabling personal data processing is consistently guaranteed throughout the data processing duration, that the electronic records and files containing data receive the necessary protection, and that they are resistant to unauthorized intervention, attacks, accidental data destruction, and data loss. The Data Controller guarantees that the records and programs used for processing are available, to the required extent and throughout the data processing duration, both for carrying out data processing operations and for exercising and enforcing the rights to which the subjects are entitled.

Before the start of data processing, and throughout the entire period of data processing, the Data Controller continuously monitors and evaluates the risks likely to affect the personal data at the given moment, particularly those risks associated with accidental or unlawful destruction, alteration, loss, or unauthorized access to the data processed by the Data Controller.

14. Handling of Data Protection Incidents

The Data Controller draws the subjects’ attention to the fact that despite the data security measures implemented and adhered to throughout the personal data processing process, unfortunate and unwanted events can still occur that breach or threaten the protection and security of the data processed (data protection incidents).

Should an incident concerning personal data under the Data Controller’s handling arise, the Data Controller ensures, in compliance with GDPR regulations, that the incident report is submitted to the National Authority for Data Protection and Freedom of Information immediately, but no later than within 72 hours from its discovery.

The Data Controller asks subjects not to be surprised if they receive a notification about a data protection incident as, in such cases, the Data Controller fulfills its legal obligation requiring it to inform the subjects of incidents likely posing a high risk to the rights and freedoms of the subjects.

In particular, high risk applies if the incident involves a data set considered sensitive (e.g., special categories of data, financial status information, data enabling identity theft, or data affecting the subjects’ social reputation).