This Policy sets out the internal rules of the Data Controller's data processing activities in order to comply with REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Regulation (EC) No 95/46/EC (General Data Protection Regulation).
Done at Budapest, this 24th day of May 2018
Data controller data
Name: BGR Central Europe Kft.
Address: 1047 Budapest, Perényi Zsigmond utca 10. 2. floor 2.
Company registration number: 01-09-404629
Court of registration: Fővárosi Törvényszék Cégbírósága
Tax number: 32054527-2-41
Bank account number: CIB
Phone number: 06-30-285-1856
Email: hello (at) baseballsapka.hu
CHAPTER I
GENERAL PROVISIONS
Purpose and scope of the Rules
- The purpose of this Policy is to establish the internal rules and measures to ensure that the controller's data processing and data management activities comply with REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Regulation (EC) No 95/46/EC (General Data Protection Regulation, hereinafter "the Regulation"), and with the provisions of Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information (hereinafter "the Infotv.").
- This Policy covers the processing of personal data relating to natural persons by the Controller.
- Customers, buyers and suppliers who are self-employed persons, sole proprietors, sole proprietorships or self-employed farmers shall be considered natural persons for the purposes of these Rules.
- The scope of the Policy does not cover the processing of personal data relating to legal persons, including the name and form of the legal person and contact details of the legal person (GDPR (14)).
Definitions
- For the purposes of these Regulations, the definitions which shall apply are set out in Article 4 of the Regulation. The main definitions are highlighted accordingly:
"personal data": any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
"data management": any operation or set of operations which is performed upon personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure, transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
"restriction of processing": the identification of the personal data stored in order to limit their future processing;
"profiling": any form of automated processing of personal data whereby personal data are used to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict characteristics associated with the performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements of that person;
"pseudonymisation": the processing of personal data in such a way that it is no longer possible to identify the natural person to whom the personal data relates without further information, provided that such further information is kept separately and technical and organisational measures are taken to ensure that no link is established between the personal data and an identified or identifiable natural person;
"registry system": a set of personal data, disaggregated by any means, whether centralised, decentralised or by functional or geographical criteria, which is accessible on the basis of specific criteria;
"data controller": a natural or legal person, public authority, agency or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of the processing are determined by Union or Member State law, the controller or the specific criteria for the controller's designation may also be determined by Union or Member State law;
"data processor": a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller;
"recipient": the natural or legal person, public authority, agency or any other body with whom or to which the personal data are disclosed, whether or not a third party. Public authorities which may have access to personal data in the context of an individual investigation in accordance with Union or Member State law are not recipients; the processing of those data by those public authorities must comply with the applicable data protection rules in accordance with the purposes of the processing;
"third party": a natural or legal person, public authority, agency or any other body other than the data subject, the controller, the processor or the persons who, under the direct authority of the controller or processor, are authorised to process personal data;
"consent of the data subject": a freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she signifies, by a statement or by an act expressing his or her unambiguous consent, that he or she gives his or her consent to the processing of personal data concerning him or her;
"data protection incidents": a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
CHAPTER II
ENSURE THE LAWFULNESS OF PROCESSING
Processing based on the consent of the data subject
- Where the Data Controller intends to carry out processing based on consent, the data subject's consent to the processing of his or her personal data shall be obtained using the data request form set out in Annex No., in accordance with the content and information provided in that form. In the case of purchases made in the webshop, the data subject may give his or her consent to the processing of his or her data in accordance with this policy by ticking the relevant box before starting the purchase.
- Consent shall also be deemed to be given if the data subject, when visiting the website of the Controller (baseballsapka.hu), ticks a box to that effect, makes the relevant technical settings when using information society services, or makes any other statement or takes any other action which, in the relevant context, unambiguously indicates the data subject's consent to the intended processing of his or her personal data. Silence, pre-ticked boxes or inaction therefore do not constitute consent.
- Consent covers all processing activities carried out for the same purpose or purposes. Where processing is carried out for more than one purpose, consent shall be given for all the purposes for which the processing is carried out.
- Where the data subject gives his or her consent in a written statement which also relates to other matters, the request for consent must be presented in a manner clearly distinguishable from those other matters, in a clear and easily accessible form, in clear and plain language. Any part of such a statement containing the consent of the data subject which is in breach of the Regulation shall not be binding.
- The Data Controller may not make the conclusion or performance of a contract conditional on the giving of consent to the processing of personal data that are not necessary for the performance of the contract.
- It should be possible to withdraw consent in the same simple way as it is given.
- If the personal data have been collected with the consent of the data subject, the controller may process the collected data for the purpose of complying with a legal obligation to which the data subject is subject, unless otherwise provided by law, without further specific consent and even after the data subject's consent has been withdrawn.
Processing based on the performance of a legal obligation
- In the case of data processing based on a legal obligation, the scope of the data to be processed, the purpose of the processing, the duration of data storage and the recipients are governed by the provisions of the underlying legislation.
- The processing based on the performance of a legal obligation is independent of the consent of the data subject, as the processing is determined by law. In such cases, the data subject must be informed before the processing starts that the processing is mandatory and must be provided with clear and detailed information on all the facts relating to the processing of his or her data, in particular the purposes and legal basis of the processing, the identity of the controller and of the processor, the duration of the processing, whether the controller is processing the data subject's personal data on the basis of a legal obligation to which the data subject is subject and the persons who may have access to the data. The information should also cover the rights and remedies of the data subject in relation to the processing. In the case of mandatory processing, the information may also be provided by making public a reference to the legal provisions containing the foregoing information.
Information on data management by the Data Controller
- The General Data Processing Notice of the Data Controller is included as Annex No. to this Policy.
- The Data Controller shall ensure the exercise of the rights of the data subject in all its processing.
CHAPTER III
EMPLOYMENT-RELATED DATA PROCESSING
Labour, personnel records
- Employees may only be asked to provide, and records may only be kept of, data and medical fitness-for-work examinations which are necessary for the establishment, maintenance and termination of employment and for the provision of social welfare benefits and which do not infringe their individual rights.
- The Data Controller processes the following data of the employee for the purposes of the establishment, performance or termination of the employment relationship, on the legal basis of the legitimate interests of the employer (Article 6(1)(f) of the Regulation):
- name,
- name at birth,
- date of birth,
- mother's name,
- address,
- nationality,
- tax identification number,
- social security number,
- pensioner's permanent number (in the case of a retired worker),
- phone number,
- e-mail address,
- identity card number,
- the number of the official certificate of residence,
- bank account number,
- online ID (if available),
- the starting and finishing dates of employment,
- job title,
- a copy of a document certifying education and vocational training,
- photo,
- CV,
- the amount of salary, wages and other benefits,
- the amount of the debt to be deducted from the employee's wages, or the right to deduct it, on the basis of a final decision or a legal provision or written consent,
- an evaluation of the employee's work,
- how and for what reasons the employment relationship is terminated,
- a certificate of good character, depending on the job,
- a summary of the occupational aptitude tests,
- in the case of membership of private pension funds and voluntary mutual insurance funds, the name of the fund, its identification number and the employee's membership number,
- in the case of foreign workers, passport number; name and number of the document certifying entitlement to work,
- data recorded in the records of accidents to workers,
- data necessary for the use of welfare services and commercial accommodation,
- data recorded by the camera and access control system used by the Data Controller for security and asset protection purposes,
- data recorded by positioning systems.
- The employer will process data relating to the employee's illness and trade union membership only for the purposes of fulfilling a right or obligation under the Labour Code.
- The recipients of the personal data are: the head of the employer, the person exercising the employer's authority, the employees of the Data Controller performing labour-related tasks and the data processors.
- Only personal data of employees in managerial positions may be transferred to the owners of the Controller.
- Duration of storage of personal data: 3 years after termination of employment.
- The data subject must be informed before the processing starts that the processing is based on the Labour Code and the legitimate interests of the employer.
- At the time of concluding the employment contract, the employer shall inform the employee about the processing of his/her personal data and his/her rights by providing him/her with the Information Notice set out in Annex No.
Data management in relation to aptitude tests
- An employee may only be subjected to an aptitude test which is required by an employment rule or which is necessary for the exercise of a right or the performance of an obligation laid down in an employment rule. Prior to the examination, employees must be informed in detail, inter alia, of the skills and abilities to be assessed and the means and methods of assessment. If the examination is required by law, employees must be informed of the title of the law and the exact place where it is to be carried out. A model of this Information Notice is attached to this Policy as Annex No.
- Employers can have employees complete the test forms for fitness for work and readiness for work both before the employment relationship is established and during the employment relationship.
- In order to carry out and organise work processes more efficiently, a test form suitable for psychological or personality traits research can only be completed by a large group of employees in the interests of a more efficient work relationship if the data revealed during the analysis cannot be linked to individual employees, i.e. the data are processed anonymously.
- The scope of the personal data processed: the fact of suitability for the job and the conditions required for this.
- Legal basis for processing: legitimate interest of the employer.
- The purpose of processing personal data: to establish and maintain an employment relationship, to fill a job.
- Recipients and categories of recipients of personal data: the results of the survey may be disclosed to the employees surveyed or to the professional carrying out the survey. The employer may only receive information on whether or not the person examined is fit for the job and on the conditions under which he or she is fit for the job. However, the employer cannot know the details of the examination or its full documentation.
- Duration of processing of personal data: 3 years after the termination of employment.
Management of recruitment data, applications, CVs
- The personal data that may be processed include: the name, date and place of birth, mother's name, address, qualifications, photograph, telephone number, e-mail address, employer's record (if any) of the natural person.
- The purpose of the processing of personal data is: application, evaluation of the application, conclusion of a contract of employment with the selected person. The data subject must be informed if the employer has not chosen him/her for the job.
- Legal basis for processing: consent of the data subject.
- Recipients or categories of recipients of personal data: managers entitled to exercise employer's rights at the Data Controller and employees performing labour-related tasks.
- Duration of storage of personal data: until the application or tender is assessed. Personal data of unsuccessful applicants will be deleted. Data of those who withdraw their application or candidature will also be deleted.
- The employer may retain applications only on the basis of the explicit, unambiguous and voluntary consent of the data subject, provided that the retention is necessary for the purposes of the processing in accordance with the law. Such consent shall be requested from candidates after the recruitment procedure has been completed.
E-mail account usage control data processing
- If the Data Controller provides an e-mail account to the employee, the employee may use this e-mail address and account solely for the purposes of his/her job duties, in order to keep in touch with colleagues or to correspond with customers, other persons and organisations on behalf of the employer.
- The employee may not use the e-mail account for personal purposes and may not store personal mail in the account.
- The employer has the right to check the full content and use of the e-mail account on a regular basis - every 3 months - and the legal basis for data processing is the legitimate interest of the employer. The purpose of the monitoring is to check compliance with the employer's provisions on the use of the e-mail account and to check the employee's obligations (Articles 8 and 52 of the Labour Code).
- The head of the employer or the person exercising the employer's rights is authorised to control and manage the data.
- Where the circumstances of the inspection do not preclude this, it must be ensured that the worker is present during the inspection.
- Prior to the check, the employee must be informed about: the employer's interest in the check; who on the employer's side may carry out the check; the rules according to which the check may be carried out (compliance with the principle of gradual approach) and the procedure to be followed; and the employee's rights and remedies in relation to the processing of data in connection with the check of the e-mail account.
- The principle of gradualness should be applied in the verification, so that the address and subject of the e-mail should be the primary basis for determining that it is related to the employee's job duties and not personal. The content of non-personal e-mails may be examined by the employer without restriction.
- If, contrary to the provisions of this policy, it can be established that the employee has used the e-mail account for personal purposes, the employee must be requested to delete the personal data immediately. In case of absence or non-cooperation of the employee, the personal data will be deleted by the employer upon verification. The use of the e-mail account in violation of this policy may result in the employer taking legal action against the employee under labour law.
- The employee may exercise the rights set out in the section of this policy on data subjects' rights in relation to the processing of data involving the control of an e-mail account.
Data processing related to the control of computer, laptop, tablet
- The computer, laptop or tablet provided by the Data Controller to the employee for work purposes may be used by the employee only for the performance of his/her job duties; the Data Controller prohibits the private use of these devices, and the employee may not manage or store any personal data or correspondence on them. The employer may monitor the data stored on these devices. The employer's control of these devices and the legal consequences thereof shall be governed by the provisions of the foregoing § 9.
Data processing related to the monitoring of internet use at work
- Employees are only allowed to access websites related to their job duties, and the employer prohibits personal use of the internet at work.
- The Data Controller is the holder of the Internet registrations carried out on behalf of the Data Controller as a job function, and the registration must use an identifier and password referring to the Data Controller. If the provision of personal data is also required for the registration, the Controller shall initiate the deletion of such data upon termination of the employment relationship.
- Employees' use of the Internet at work may be monitored by the employer, the provisions and legal consequences of which are set out in Article 9.
Data processing related to the control of the use of company mobile phones
- The employer allows employees to use the company mobile phone for private purposes.
- Employees must report to their employer if they use their company mobile phone for private purposes. In this case, the employer's control can be carried out by requesting a call detail from the telephone service provider and asking the employee to make the numbers called unrecognisable on the document in the case of private calls.
- Otherwise, the provisions of § 9 shall apply to the control and its consequences.
Data management related to entry and exit from the workplace
- If an access control system (not electronic) is used, information on the identity of the controller and the way the data are processed must be provided.
- The scope of the personal data processed: the name, address, car registration number, entry and exit time of the natural person.
- Legal basis for processing: the legitimate interests of the employer.
- The purposes of processing personal data are: asset protection, performance of contract, monitoring of employee obligations.
- Recipients of personal data or categories of recipients: managers entitled to exercise employer's rights at the Data Controller, employees of the Data Controller's security agent as data processors.
- Duration of processing of personal data: 6 months.
Data processing in relation to workplace CCTV
- For the purpose of protecting human life, physical integrity, personal liberty, trade secrets and property, the Data Controller uses electronic surveillance systems at its headquarters and premises, including premises open to customers, which allow direct observation or the recording and storage of images, sound, or images and sound; the behaviour of the data subject recorded by the camera is therefore also considered personal data.
- The legal basis for this processing is the legitimate interests of the employer and the consent of the data subject.
- Information on the fact that an electronic surveillance system is being used in a given area must be displayed in a clearly visible and legible place, in a manner that is conducive to the information of third parties wishing to enter the area. The information shall be provided for each camera. This information shall also include information on the fact of surveillance by the electronic asset protection system, the purpose of the recording and storage of images and sound recordings of personal data recorded by the system, the legal basis for the processing, the place where the recording is stored, the duration of the storage, the identity of the person using (operator) the system, the persons authorised to access the data, the data security measures relating to the storage of the recording, and information on the rights of the data subjects and the procedures for exercising them. A model for the information is set out in Annex 5 to the Code.
- Images and audio recordings of third parties (customers, visitors, guests) entering the monitored area may be taken and processed with their consent. Consent may also be given by implied conduct. In particular, it shall be considered implied conduct if a natural person enters the monitored area despite having been informed of the use of the electronic surveillance system installed there.
- Recorded footage may be kept for a maximum of 3 (three) working days in the absence of use. Use is deemed to be made if the recorded image, sound or image and sound recordings and other personal data are intended to be used as evidence in judicial or other official proceedings.
- Data security measures:
- The monitor used for viewing and reviewing the images must be positioned in such a way that, while the images are being displayed, they cannot be viewed by any person other than those authorised.
- Surveillance and review of stored images may only be carried out for the purpose of detecting infringing acts and initiating the necessary measures to stop them.
- The images broadcast by the cameras may not be recorded by any device other than the central recording unit.
- Recording media must be stored in a locked place.
- Access to the stored images may only take place in a secure manner and in such a way that the person accessing them can be identified.
- The review and backup of stored image records shall be documented.
- If the ground for the access right ceases to exist, access to the stored image records must be terminated immediately.
- The recorder uses a separate hard disk for the operating system and for the recordings. The recordings are not backed up separately.
- After an offence has been detected, the relevant recording must be labelled, the necessary administrative action taken without delay, and the authority informed that the act has been recorded.
- A person whose right or legitimate interest is affected by the recording of the image, sound or video recording may, within three working days of the recording of the image, sound or video recording, request that the data not be destroyed or erased by the controller by providing evidence of his or her right or legitimate interest.
- No electronic monitoring system may be used in premises where such monitoring could be offensive to human dignity, in particular in changing rooms, showers, toilets or, for example, in a doctor's room or its adjoining waiting room, or in premises designated for the purpose of workers' breaks.
- If no one is legally allowed to be on the workplace premises, especially outside working hours or on public holidays, the entire workplace (e.g. changing rooms, toilets, break rooms) can be monitored.
- In addition to those authorised by law, the data recorded by the electronic surveillance system may be viewed by the operating staff, the employer's manager and deputy manager, and the manager of the workplace in the monitored area, for the purposes of detecting infringements and checking the operation of the system.
CHAPTER IV
CONTRACT-RELATED DATA PROCESSING
Contractor data management - registering customers, suppliers
- The Data Controller shall process the following data of a natural person contracted with it as a buyer or supplier, for the purposes of concluding, performing or terminating the contract or granting a contractual discount: name, name at birth, date of birth, mother's name, address, tax identification number, tax number, entrepreneur's or self-employed person's identity card number, personal identity card number, address of the registered office, address of the establishment, telephone number, e-mail address, website address, bank account number, customer number (customer number, order number) and online identifier (lists of customers, suppliers and frequent buyers). This processing is also considered lawful if the processing is necessary to take steps at the request of the data subject prior to the conclusion of the contract. Recipients of personal data: employees of the Data Controller performing customer service tasks, employees performing accounting and tax tasks, and data processors. Duration of storage of personal data: 8 years after the termination of the contract.
- The natural person concerned must be informed before the processing starts that the processing is based on the performance of a contract, which may be stated in the contract. The data subject shall be informed of the transfer of his or her personal data to a processor. The text of the data processing clause relating to a contract with a natural person is set out in Annex No. to this Policy.
Contact details of natural person representatives of legal person customers, buyers, suppliers
- The scope of the personal data processed: the name, address, telephone number, e-mail address, online identifier of the natural person.
- Purpose of the processing of personal data: performance of a contract with a legal entity partner of the Data Controller, business relations, legal basis: the data subject's consent.
- Recipients or categories of recipients of personal data: employees of the Data Controller performing customer service tasks.
- Duration of storage of personal data: for 5 years after the business relationship or the data subject's capacity as a representative has ended.
- The model data collection form is set out in Annex No. to this Policy. The employee who is in contact with the customer, buyer or supplier must present this statement to the person concerned and, by having him or her sign the statement, request his or her consent to the processing of his or her personal data. The declaration shall be kept for the duration of the processing.
Visitor data management on the Controller's website
(Information on the use of cookies)
- A cookie is a piece of data that the visited website sends to the visitor's browser (in the form of a variable name and value) so that the browser can store it and later load its content on the same website.
- Data may only be stored on a user's electronic communications terminal equipment, and data stored therein may only be accessed, on the basis of the user's clear and full consent given in the knowledge of the purpose of the processing (Act C of 2003, Section 155(4)). Accordingly, on the first visit to the Controller's website, the visitor must be given a brief summary of the use of cookies and a link to the full information available (Information Notice on data management as in Annex 2). With this information, the Data Controller ensures that the visitor of the website, before and at any time during the use of the information society services of the website, can be informed about the purposes for which the Data Controller processes which types of data, including the processing of data that cannot be directly linked to the user.
- Pursuant to Article 13/A (3) of Act CVIII of 2001 on certain issues of electronic commerce services and information society services (Elkertv.), the service provider may process personal data that are technically indispensable for the provision of the service. The provider must, other things being equal, choose and in any case operate the means used in the provision of the information society service in such a way that personal data are processed only if absolutely necessary for the provision of the service and for the fulfilment of the other purposes specified in this Act, but in this case only to the extent and for the duration necessary.
Registration on the Data Controller's website
- On the website, the natural person who registers can give his/her consent to the processing of his/her personal data by ticking the relevant box. It is prohibited to tick the box in advance.
- The scope of personal data that may be processed: the name (surname, first name), address, telephone number, e-mail address, billing, postal name and address of the natural person, the photograph necessary to complete orders on the webshop.
- Purpose of the processing of personal data:
- the provision of services on the website,
- contacting the data subject by e-mail, telephone, SMS and post,
- sending promotional mailings electronically and by post,
- analysis of the use of the website.
- The legal basis for processing is the consent of the data subject.
- The recipients or categories of recipients of personal data: employees of the Data Controller performing tasks related to customer service and marketing activities, employees of the IT service provider of the Data Controller providing hosting services as data processors.
- Duration of storage of personal data: for as long as the registration/service is active, or until the data subject's consent is withdrawn (request for erasure).
- If the data subject provides all or part of the data required for registration or for making a purchase in the webshop, but does not complete the registration, the Data Controller will store the data provided for a maximum of 60 days, after which they will be irrevocably deleted.
Data processing related to the newsletter service
- The natural person who registers for the newsletter service on the website can give his/her consent to the processing of his/her personal data by ticking the relevant box. It is prohibited to tick the box in advance. When subscribing, a link to the Privacy Notice (Annex 2) must be provided. The data subject may unsubscribe from the newsletter at any time by using the "Unsubscribe" function, by making a written declaration or by sending an e-mail, which shall constitute a withdrawal of consent. In such a case, all data of the person unsubscribing shall be deleted immediately.
- The scope of personal data processed: the name of the natural person (surname, first name), e-mail address.
- Purpose of the processing of personal data:
- Sending newsletters about the products and services of the Data Controller
- Sending promotional material
- Legal basis for processing: consent of the data subject.
- Recipients and categories of recipients of personal data: employees of the Data Controller performing tasks related to customer service and marketing activities, employees of the IT service provider of the Data Controller as data processors for the purpose of providing hosting services.
- Duration of the storage of personal data: for as long as the newsletter service is maintained, or until the data subject's consent is withdrawn (request for deletion).
Data processing in the Data Controller's webshop
- A purchase in a webshop operated by the Data Controller is considered a contract, taking into account Article 13/A of Act CVIII of 2001 on certain aspects of electronic commerce services and information society services, and Government Decree 45/2014 (26.II.) on the detailed rules of contracts between consumers and businesses.
- In accordance with Article 13/A(1) of Act CVIII of 2001, the Data Controller, as a service provider, may process the natural personal identification data and address of the customer registering in the webshop for the purposes of concluding a contract for the provision of information society services, determining and modifying its content, monitoring its performance, invoicing the fees arising from it and enforcing claims related to it; the telephone number, e-mail address, bank account number and online identifier may be processed on the basis of consent.
- The Data Controller may process, for billing purposes, personal data relating to the use of information society services, address, delivery address, and data relating to the time, duration and place of use of the service, pursuant to Article 13/A(2) of Act CVIII of 2007.
- The recipients or categories of recipients of personal data: employees of the Data Controller performing customer service, payment, transport and marketing tasks; as data processors, employees of the company performing the Data Controller's tax and accounting tasks, for the purpose of fulfilling tax and accounting obligations; employees of the Data Controller's IT service provider, for the purpose of providing hosting services; and employees of the courier service, for the purpose of delivery (name, address, telephone number).
- Duration of the processing of personal data: until the registration/service is completed or until the data subject's consent is withdrawn (request for deletion), in case of a purchase until the end of 6 years following the year of purchase.
- A link to the Privacy Notice (Annex 2) must be made available when shopping in the online shop.
Data processing for direct marketing purposes
- Unless otherwise provided by a separate law, advertising may be communicated to a natural person, as the recipient of the advertising, by direct solicitation, in particular by electronic mail or other equivalent means of individual communication, only if the recipient of the advertising has given his/her prior, clear and express consent, subject to the exceptions set out in Act XLVIII of 2008.
- The scope of personal data that the Data Controller may process for the purpose of sending advertising mailings: the name, address, telephone number, e-mail address and online identifier of the natural person.
- The purpose of the processing of personal data is to carry out direct marketing activities related to the activities of the Data Controller, i.e. the regular or periodic sending of advertising publications, newsletters, current offers in printed (postal) or electronic form (e-mail) to the contact details provided at the time of registration.
- Legal basis for processing: consent of the data subject.
- The recipients or categories of recipients of personal data: employees of the Data Controller performing customer service tasks; employees of the Data Controller's IT service provider providing server services, as data processors; and employees of the postal/courier service in the case of delivery by post or courier.
- Duration of storage of personal data: until consent is withdrawn.
- Consent to the processing of data for direct marketing purposes shall be given on the data request form set out in the applicable Annex to this Policy.
CHAPTER V
PROCESSING BASED ON A LEGAL OBLIGATION
Data processing for tax and accounting obligations
- Data processed under the relevant § of the Act of 2000 on Accounting: the name, address and designation of the person or organisation ordering the transaction; the signature of the person ordering the transaction and of the person certifying the execution of the order and, depending on the organisation, the signature of the controller; on stock movement vouchers and cash management vouchers, the signature of the recipient; and on counterfoils, the signature of the payer. Data processed pursuant to Act CXVII of 1995 on Personal Income Tax: entrepreneur's identity card number, farmer's identity card number, tax identification number.
- The period of storage of personal data is 8 years after the termination of the legal relationship giving rise to the legal basis.
- Recipients of personal data: employees and data processors of the Data Controller performing tax, accounting, payroll and social security tasks.
Data processing as a paying agent
- The Data Controller processes the personal data of the data subjects with whom it has a relationship as a paying agent (employees, their family members, and recipients of other benefits) under § 7(31) of Act CL of 2017 on the Rules of Taxation (Art.), for the purpose of fulfilling the legal obligations, tax and contribution obligations prescribed by law (tax, advance tax, contributions, payroll, social security and pension administration). The scope of the data processed is defined in Article 50 of that Act; in particular: the natural person's natural personal identification data (including previous name and title), gender, nationality, tax identification number and social security number. Where tax law attaches legal consequences to it, the Controller may process data on employees' membership of health funds (Section 40 of the Social Security Act) and trade unions (Section 47(2)(b) of the Social Security Act) for the purposes of tax and contribution obligations (payroll, social security administration).
- The period of storage of personal data is 8 years after the termination of the legal relationship giving rise to the legal basis.
- Recipients of personal data: employees and data processors of the Data Controller performing tax, payroll, social security (payroll) tasks.
CHAPTER VI
DATA SECURITY MEASURES
Data security measures
- The Data Controller shall take the technical and organisational measures and establish the procedural rules necessary to enforce the Regulation and the Infotv., in order to ensure the security of personal data in all of its processing operations.
- The Data Controller shall take appropriate measures to protect the data against accidental or unlawful destruction, loss, alteration, damage, unauthorised disclosure or access.
- The Data Controller classifies and treats personal data as confidential. It imposes a confidentiality obligation on its employees with regard to the processing of personal data, to which the clause set out in Annex No. applies. The Data Controller restricts access to personal data by setting authorisation levels.
- The Data Controller protects the IT systems with firewalls and virus protection.
- Employees of the Data Controller may connect their own computing, data storage and recording devices to the workplace computers.
- The Data Controller shall carry out electronic data processing and record-keeping by means of a computer program that meets data security requirements. The program shall ensure that access to the data is limited to the persons who need it for the performance of their tasks, only for the intended purposes and under controlled conditions.
- When personal data are processed automatically, the controller and the processor shall take additional measures to ensure:
- the prevention of unauthorised data entry;
- the prevention of the use of automated data processing systems by unauthorised persons using data transmission equipment;
- the verifiability and ascertainability of the bodies to which personal data have been or may be transmitted using data transmission equipment;
- the verifiability and ascertainability of which personal data have been entered into automated data processing systems, when and by whom;
- the recoverability of the installed systems in the event of a failure; and
- that errors arising in automated processing are reported.
- The Data Controller shall ensure the monitoring of incoming and outgoing communications by electronic means in order to protect personal data.
- The sharing of personal data processed by the Data Controller on the Internet is prohibited.
- Visiting file-download, gaming, chat or sexual-services sites at work or on the Data Controller's devices is strictly prohibited.
- Unauthorised programs obtained or downloaded from external sources may not be used.
- In the course of work or processing, only the relevant administrators have access to documents, and documents containing personnel, payroll, employment and other personal data must be kept securely locked away.
- Adequate physical protection of the data, and of the devices and documents that carry them, shall be ensured.
- It is the responsibility of the data controller to ensure the safe storage of documentation containing personal data, and paper documents must be kept in a filing cabinet or lockable cabinet.
- After the mandatory record-keeping period, if no further record-keeping is justified, and following the withdrawal of the data subject's consent, the records containing the personal data shall be destroyed. Documents shall be destroyed by a procedure which makes it impossible to reconstruct them.
CHAPTER VII
HANDLING DATA BREACHES
The concept of a personal data breach
- Personal data breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed (Article 4(12) of the Regulation).
Handling and remediation of data protection incidents
- The prevention and handling of data protection incidents and compliance with the relevant legal requirements are the responsibility of the Data Controller's manager.
- Access and attempted access to IT systems should be logged and analysed on an ongoing basis.
- If employees of the Controller who are authorised to carry out checks detect a data protection incident in the course of their duties, they must immediately notify the Controller's manager.
- Employees of the Data Controller are obliged to report to the Data Controller's manager or the person exercising the employer's rights if they become aware of a data protection incident or an event that may indicate such an incident.
- Data breaches may be reported to the Data Controller's central e-mail address or telephone number, through which employees, contractors and data subjects can report the underlying events and security weaknesses.
- On receipt of a data breach notification, the Data Controller's manager, with the involvement of the IT, finance and operations manager, shall immediately investigate the notification, identify the incident and decide whether it is a genuine incident or a false alert. The following shall be investigated and determined:
- the time and place of the incident,
- a description of the incident, its circumstances, its effects,
- the scope and quantity of data compromised in the incident,
- the range of persons affected by the compromised data,
- a description of the measures taken to deal with the incident,
- a description of the measures taken to prevent, remedy or reduce the damage.
- In the event of a data breach, the systems, persons and data involved shall be contained and isolated, and care shall be taken to collect and preserve evidence that the breach occurred. Damage restoration and return to lawful operation may then begin.
Records of data protection incidents
- Records of data protection incidents must be kept, including:
- the scope of the personal data concerned,
- the scope and number of data subjects affected by the data breach,
- the date of the data breach,
- the circumstances and effects of the data breach,
- the measures taken to remedy the data breach,
- other data specified in the legislation providing for the processing.
- Data on data breaches in the register must be kept for 5 years.
CHAPTER VIII
DATA PROTECTION IMPACT ASSESSMENT AND PRIOR CONSULTATION
Data protection impact assessment and prior consultation
- Where a type of processing, in particular one using new technologies, is likely to present a high risk to the rights and freedoms of natural persons, taking into account its nature, scope, context and purposes, the controller shall carry out an impact assessment prior to the processing, in order to assess how the planned processing operations will affect the protection of personal data. Similar types of processing operations which present similar high risks may be assessed in the framework of a single impact assessment.
- Where the data protection impact assessment concludes that the processing is likely to result in a high risk in the absence of measures taken by the controller to mitigate the risk, the controller shall consult the supervisory authority before processing the personal data.
- The detailed rules on data protection impact assessment and prior consultation are governed by the provisions of Articles 35-36 of the Regulation and the Infotv.
CHAPTER IX
THE RIGHTS OF THE PERSON CONCERNED
Information on the rights of the data subject
- A brief summary of the data subject's rights:
- Transparent information, communication and facilitation of the exercise of data subject rights
- Right to prior information - when personal data are collected from the data subject
- Information to the data subject and the information to be provided to him or her where the personal data have not been obtained by the controller from him or her
- Right of access of the data subject
- The right to rectification
- Right to erasure ("right to be forgotten")
- Right to restriction of processing
- Obligation to notify the rectification or erasure of personal data or restriction of processing
- The right to data portability
- The right to object
- Automated decision-making on individual cases, including profiling
- Restrictions
- Informing the data subject about the personal data breach
- The right to lodge a complaint with a supervisory authority (right to official redress)
- Right to an effective judicial remedy against the supervisory authority
- The right to an effective judicial remedy against the controller or processor
- The rights of the data subject in detail:
Transparent information, communication and facilitation of the exercise of data subject rights
- The controller shall provide the data subject with all information and any particulars relating to the processing of personal data in a concise, transparent, intelligible and easily accessible form, in clear and plain language, in particular in the case of any information addressed to children. The information shall be provided in writing or by other means, including, where appropriate, by electronic means. At the request of the data subject, information may be provided orally, provided that the identity of the data subject has been verified by other means.
- The controller must facilitate the exercise of the data subject's rights.
- The controller shall inform the data subject, without undue delay and in any event within one month of receipt of the request, of the measures taken in response to the request to exercise his or her rights. This time limit may be extended by a further two months under the conditions laid down in the Regulation, of which the data subject shall be informed.
- If the controller fails to act on the data subject's request, the controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for the failure to act and of the possibility for the data subject to lodge a complaint with a supervisory authority and to exercise his or her right of judicial remedy.
- The data controller shall provide the information, and take the measures relating to the data subject's rights, free of charge, but may charge a fee in the cases provided for in the Regulation.
- The detailed rules can be found under Article 12 of the Regulation.
Right to prior information - when personal data are collected from the data subject
- The data subject shall have the right to be informed of the facts and information relating to the processing before the processing starts. In this context, the data subject shall be informed of:
- the identity and contact details of the controller and its representative,
- the contact details of the Data Protection Officer (if any),
- the purposes for which the personal data are intended to be processed and the legal basis for the processing,
- in the case of processing based on legitimate interests, the legitimate interests of the controller or a third party,
- the recipients to whom the personal data are disclosed, and the categories of recipients, if any;
- where applicable, the fact that the controller intends to transfer the personal data to a third country or an international organisation.
- To ensure fair and transparent processing, the controller must provide the data subject with the following additional information:
- the duration of the storage of personal data or, where this is not possible, the criteria for determining that duration;
- the right of the data subject to request the controller to access, rectify, erase or restrict the processing of personal data concerning him or her and to object to the processing of such personal data, and the right to data portability;
- in the case of processing based on the data subject's consent, the right to withdraw consent at any time, without prejudice to the lawfulness of the processing carried out on the basis of consent before its withdrawal;
- the right to lodge a complaint with a supervisory authority;
- whether the provision of the personal data is based on a legal or contractual obligation or is a precondition for the conclusion of a contract, whether the data subject is under an obligation to provide the personal data and the possible consequences of not providing the data;
- the fact of automated decision-making, including profiling, and, at least in these cases, the logic used and clear information about the significance of such processing and the likely consequences for the data subject.
- If the controller intends to further process personal data for a purpose other than that for which they were collected, the controller must inform the data subject of that other purpose and of any relevant additional information before further processing.
- The detailed rules on the right to prior information are set out in Article 13 of the Regulation.
Information to the data subject and the information to be provided to him or her where the personal data have not been obtained by the controller from him or her
- If the controller has not obtained the personal data from the data subject, the controller shall provide the data subject with the facts and information described in the previous point, the categories of personal data concerned, the source of the personal data and, where applicable, whether the data come from publicly available sources. This information shall be provided no later than one month after the personal data were obtained; if the personal data are used to contact the data subject, at the latest at the time of the first contact with the data subject; or, if the data are likely to be disclosed to another recipient, at the latest at the time of the first disclosure of the personal data.
- For further rules, see the previous point (Right to prior information).
- The detailed rules for this information are set out in Article 14 of the Regulation.
Right of access of the data subject
- The data subject has the right to obtain from the controller feedback as to whether or not his or her personal data are being processed and, if such processing is taking place, the right to access the personal data and related information described in points 2-3 above (Article 15 of the Regulation).
- Where personal data are transferred to a third country or an international organisation, the data subject is entitled to be informed of the appropriate safeguards for the transfer in accordance with Article 46 of the Regulation.
- The controller must provide the data subject with a copy of the personal data which are the subject of the processing. For additional copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs.
- Detailed rules on the right of access of the data subject are laid down in Article 15 of the Regulation.
The right to rectification
- The data subject shall have the right to obtain from the Data Controller, upon his or her request and without undue delay, the rectification of inaccurate personal data relating to him or her.
- Taking into account the purpose of the processing, the data subject has the right to request the completion of incomplete personal data, including by means of a supplementary declaration.
- These rules are set out in Article 16 of the Regulation.
Right to erasure ("right to be forgotten")
- The data subject shall have the right to obtain from the controller the erasure of personal data relating to him or her without undue delay at his or her request, and the controller shall be obliged to erase personal data relating to him or her without undue delay if:
- the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
- the data subject withdraws the consent on which the processing is based and there is no other legal basis for the processing;
- the data subject objects to the processing and there are no overriding legitimate grounds for the processing,
- the personal data have been unlawfully processed;
- the personal data must be erased in order to comply with a legal obligation under Union or Member State law to which the controller is subject;
- personal data are collected in connection with the provision of information society services directly to children.
- The right to erasure cannot be exercised if the processing is necessary:
- to exercise the right to freedom of expression and information;
- to comply with an obligation under Union or Member State law to which the controller is subject or to carry out a task carried out in the public interest or in the exercise of official authority vested in the controller;
- on grounds of public interest in the field of public health;
- for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, where the right of erasure would be likely to render such processing impossible or seriously jeopardise it; or
- to bring, enforce or defend legal claims.
- Detailed rules on the right to erasure are set out in Article 17 of the Regulation.
Right to restriction of processing
- Where processing is restricted, such personal data, except for storage, may be processed only with the consent of the data subject or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or of an important public interest of the Union or of a Member State.
- The data subject shall have the right to obtain, at his or her request, the restriction of processing by the Controller if one of the following conditions is met:
- the data subject contests the accuracy of the personal data, in which case the restriction applies for the period of time necessary to allow the Controller to verify the accuracy of the personal data;
- the data processing is unlawful and the data subject opposes the erasure of the data and requests instead the restriction of their use;
- the controller no longer needs the personal data for the purposes of processing, but the data subject requires them for the establishment, exercise or defence of legal claims; or
- the data subject has objected to the processing; in this case, the restriction applies for the period until it is established whether the legitimate grounds of the controller override those of the data subject.
- The data subject shall be informed in advance of the lifting of the restriction on processing.
- The relevant rules are set out in Article 18 of the Regulation.
Obligation to notify the rectification or erasure of personal data or restriction of processing
- The controller shall inform each recipient to whom or with which the personal data have been disclosed of any rectification, erasure or restriction of processing, unless this proves impossible or involves a disproportionate effort. The controller shall inform the data subject, at his or her request, of these recipients.
- These rules can be found under Article 19 of the Regulation.
The right to data portability
- Under the conditions set out in the Regulation, the data subject has the right to receive personal data relating to him or her which he or she has provided to a controller in a structured, commonly used, machine-readable format and the right to transmit those data to another controller without hindrance from the controller to whom the personal data have been provided, if:
- the processing is based on consent or on a contract; and
- the processing is carried out by automated means.
- The data subject may also request the direct transfer of personal data between controllers.
- The exercise of the right to data portability shall be without prejudice to Article 7 of the Regulation (right to erasure, "right to be forgotten"). The right to data portability shall not apply where the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. This right shall not adversely affect the rights and freedoms of others.
- The detailed rules are set out in Article 20 of the Regulation.
The right to object
- The data subject shall have the right to object at any time, on grounds relating to his or her particular situation, to processing of his or her personal data based on the public interest, on the performance of a task carried out for the public interest (Article 6(1)(e)) or on legitimate grounds (Article 6(f)), including profiling based on those provisions. In such a case, the controller may no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims.
- Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to the processing of personal data concerning him or her for such purposes, including profiling, where it is related to direct marketing. If the data subject objects to the processing of personal data for direct marketing purposes, the personal data may no longer be processed for those purposes.
- These rights must be explicitly brought to the attention of the data subject at the latest at the time of the first contact with the data subject and the information must be clearly displayed separately from any other information.
- The data subject may also exercise the right to object by automated means based on technical specifications.
- Where personal data are processed for scientific or historical research purposes or statistical purposes, the data subject shall have the right to object, on grounds relating to his or her particular situation, to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
Automated decision-making on individual cases, including profiling
- The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
- This entitlement does not apply where the decision:
- is necessary for the conclusion or performance of a contract between the data subject and the controller;
- is permitted by Union or Member State law applicable to the controller which also lays down appropriate measures to protect the rights and freedoms and legitimate interests of the data subject; or
- is based on the explicit consent of the data subject.
- In the cases referred to in points (a) and (c), the controller shall take appropriate measures to safeguard the rights, freedoms and legitimate interests of the data subject, including at least the right to obtain human intervention by the controller, to express his or her point of view and to object to the decision.
- Further rules are set out in Article 22 of the Regulation.
Restrictions
- Union or Member State law applicable to a controller or processor may limit the scope of rights and obligations (Articles 12 to 22, 34, 5 of the Regulation) by legislative measures, provided that the limitation respects the essential content of fundamental rights and freedoms.
- The conditions for this restriction are set out in Article 23 of the Regulation.
Informing the data subject about the personal data breach
- If the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller must inform the data subject of the personal data breach without undue delay. This information shall clearly and plainly describe the nature of the personal data breach and shall include at least the following:
- the name and contact details of the Data Protection Officer or other contact person who can provide further information;
- a description of the likely consequences of the personal data breach;
- a description of the measures taken or envisaged by the controller to remedy the personal data breach, including, where appropriate, measures to mitigate any adverse consequences of the personal data breach.
- The data subject need not be informed if any of the following conditions are met:
- the data controller has implemented appropriate technical and organisational protection measures and these measures have been applied to the data affected by the personal data breach, in particular measures, such as the use of encryption, which render the data unintelligible to persons not authorised to access the personal data;
- the controller has taken additional measures following the personal data breach to ensure that the high risk to the rights and freedoms of the data subject is no longer likely to materialise;
- informing the data subjects would require a disproportionate effort. In such cases, the data subjects should be informed by means of publicly disclosed information or by a similar measure which ensures that the data subjects are informed in an equally effective manner.
- Further rules are set out in Article 34 of the Regulation.
The right to lodge a complaint with a supervisory authority (right to official redress)
- The data subject has the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement, if the data subject considers that the processing of personal data relating to him or her infringes the Regulation. The supervisory authority with which the complaint has been lodged must inform the data subject of the procedural developments and the outcome of the complaint, including the right of the data subject to judicial remedy.
- These rules are set out in Article 77 of the Regulation.
Right to an effective judicial remedy against the supervisory authority
- Without prejudice to any other administrative or non-judicial remedy, any natural or legal person shall have the right to an effective judicial remedy against a legally binding decision of the supervisory authority concerning him or her.
- Without prejudice to any other administrative or non-judicial remedy, any data subject shall have the right to an effective judicial remedy if the competent supervisory authority does not deal with the complaint or does not inform the data subject within three months of the procedural developments concerning the complaint lodged or of the outcome of the complaint.
- Proceedings against the supervisory authority shall be brought before the courts of the Member State in which the supervisory authority is established.
- If proceedings are brought against a decision of a supervisory authority on which the Board has previously issued an opinion or taken a decision under the consistency mechanism, the supervisory authority is obliged to transmit this opinion or decision to the court.
- These rules are set out in Article 78 of the Regulation.
The right to an effective judicial remedy against the controller or processor
- Without prejudice to the administrative or non-judicial remedies available, including the right to lodge a complaint with a supervisory authority, every data subject shall have the right to an effective judicial remedy if he or she considers that his or her rights under the Regulation have been infringed as a result of the processing of his or her personal data in a manner not in accordance with the Regulation.
- Proceedings against the controller or processor shall be brought before the courts of the Member State in which the controller or processor is established. Such proceedings may also be brought before the courts of the Member State in which the data subject has his or her habitual residence, unless the controller or processor is a public authority of a Member State acting in the exercise of its official authority.
- These rules are set out in Article 79 of the Regulation.
FINAL PROVISIONS
Measures to make the Policy known
The provisions of this Policy shall be communicated to all employees of the Data Controller and shall form an essential part of the employment contracts of all employees. The model employment contract clause is included as Annex No. to this Policy.