Data Processing Notice

ON THE RIGHTS OF THE NATURAL PERSON CONCERNED

REGARDING THE PROCESSING OF YOUR PERSONAL DATA

INTRODUCTION

REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as: “GDPR Regulation”, “Regulation”, “General Data Protection Regulation”) requires that the Data Controller take appropriate measures to provide the data subject with all information relating to the processing of personal data in a concise, transparent, understandable and easily accessible form, formulated in a clear and understandable manner, and that the Data Controller facilitate the exercise of the data subject’s rights.

The obligation of prior information of the data subject is also prescribed by Act CXII of 2011 on the right to informational self-determination and freedom of information. We comply with this legal obligation with the information provided below.

Why was this information prepared?

The Data Controller processes personal data for several purposes during its operations and intends to do so while respecting the rights of the data subjects and fulfilling the legal obligations. The Data Controller also considers it important to present to the data subjects the processing of personal data that it has become aware of during its data management activities, and its most important characteristics.

On what basis is the personal data of the data subjects processed?

Personal data will only be processed for specific purposes and on appropriate legal grounds. These purposes and legal grounds will be presented individually for specific data processing.

What external assistance is used when processing your personal data?

The Data Controller mostly processes personal data at its own premises. However, there are some operations for which it uses external assistance, a data processor. The person of the data processor may vary according to the characteristics of each data processing.

Who processes your personal data?

In the following Chapter II of the data processing information, the Data Subject can obtain information about the identity and contact details of the data processors employed by the Data Controller.

What principles does the Data Controller consider important when processing your personal data?

Personal data will be processed in accordance with the applicable legal regulations, in particular with regard to the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR).

During the activities of the Data Controller, only personal data specified in the scope of individual data processing will be processed and the security of the personal data provided will be protected by possible and necessary technical and organizational measures. In this process, particular attention will be paid to ensuring the confidentiality, integrity and availability of personal data.

The Data Controller is responsible for the authenticity and accuracy of the personal data after it has been provided by the Data Subject. The terms used in this information have been interpreted in accordance with the terms defined in the interpretative provisions of the GDPR regulation on the right to informational self-determination.

CHAPTER I

NAME OF THE DATA CONTROLLER

The publisher of this information, which is also the Data Controller:

NAME: EV.analytica Limited Liability Company

HEADQUARTERS: 1118 Budapest, Zólyomi út 7. 3rd floor, 1st door.

COMPANY REGISTRATION NUMBER: 01-09-432445

TAX NUMBER: 32593321-2-43

REPRESENTATIVE: Zoltán Papp, Managing Director

EMAIL: info@evanalytica.com

CONTACT INFORMATION: https://evanalytica.com/hu “relationship” menu and in the EV.app application

(hereinafter referred to as: “Data Controller”, “Company”)

CHAPTER II

DESIGNATION OF DATA PROCESSORS

Data processor: the natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller (Article 4(8) of the Regulation).

The use of a data processor does not require the prior consent of the data subject, but it is necessary to inform them. Accordingly, we provide the following information:

Hosting provider:

COMPANY NAME: Microsoft Corporation

HEADQUARTERS: One Microsoft Way Redmond, Washington, USA

(Organization listed on the DPF)

WEBSITE: https://www.microsoft.com/

COMPANY NAME: Amazon Web Services, Inc.

HEADQUARTERS: 2021 7TH Ave Seattle, WA 98121

(Organization listed on the DPF)

WEBSITE: https://www.aws.amazon.com/

COMPANY NAME: Rackforest IT Commercial Service Provider and Consultant Private Limited Company

HEADQUARTERS: 1132 Budapest, Victor Hugo Street 11. 5th floor. Door B05001

TAX NUMBER: 32056842-2-41

COMPANY REGISTRATION NUMBER: 01-10-142004

WEBSITE: https://rackforest.com/

Data processor performing accounting and payroll tasks:

COMPANY NAME: VRNG Consulting Limited Liability Company

HEAD OFFICE: 1013 Budapest, Attila út 2. B. lház. 5. door

TAX NUMBER: 25091308-2-41

COMPANY REGISTRATION NUMBER: 01-09-199234

Data processor providing online payment services:

COMPANY NAME: Stripe, Inc.

HEADQUARTERS: 354 Oyster Point Blvd South San Francisco, CA 94080

(Organization listed on the DPF)

WEBSITE: https://stripe.com/en-hu

COMPANY NAME: Billingo Technologies Private Limited Company

HEADQUARTERS: 1133 Budapest, Árbóc Street 6, 1st floor

TAX NUMBER: 27926309-2-41

COMPANY REGISTRATION NUMBER: 01-10-140802

WEBSITE: https://www.billingo.hu/

Data processor providing newsletter service:

COMPANY NAME: HubSpot, Inc.

HEADQUARTERS: 25 First Street, 2nd Floor Cambridge, MA 02141

(Organization listed on the DPF)

WEBSITE: https://www.hubspot.com

Other Recipients:

COMPANY NAME: Google LLC

HEADQUARTERS: 1600 Amphitheatre Pkwy Mountain View, CA 94043

(Organization listed on the DPF)

WEBSITE: https://www.google.com/

COMPANY NAME: Apple Inc. (Apple Distribution International Limited)

HEADQUARTERS: Hollyhill Industrial Estate, Hollyhill, Cork, Ireland

WEBSITE: https://www.apple.com/

COMPANY NAME: Meta Platforms, Inc.

HEADQUARTERS: 1601 Willow Rd Menlo Park, CA 94025

WEBSITE: https://www.facebook.com/ and https://www.instagram.com

(Organization listed on the DPF)

COMPANY NAME: LinkedIn Corporation

HEADQUARTERS: 1000 W Maude Ave Sunnyvale, CA 94085

(Organization listed on the DPF)

WEBSITE: https://www.linkedin.com/

COMPANY NAME: X Internet Unlimited Company

HEADQUARTERS: One Cumberland Place, Fenian Street Dublin 2, D02 AX07 IRELAND

WEBSITE: https://x.com

COMPANY NAME: TikTok Technology Limited

HEADQUARTERS: The Sorting Office, Ropemaker Place, Dublin 2, D02 HD23, Dublin, Ireland

WEBSITE: https://www.tiktok.com/

Where the Notice generally provides for the transfer of data to the Company’s data processors, this should also be understood as the transfer of data to the above recipients.

CHAPTER III

ENSURING THE LAWFULNESS OF DATA PROCESSING

  1. Data processing based on the consent of the data subject

1.1. If the Company wishes to perform data processing based on consent, the data subject’s consent to the processing of his or her personal data must be requested with the content and information specified in the data request form specified in the data processing regulations.

1.2. Consent is also deemed to be given if the data subject ticks a relevant box when visiting the Company’s website, makes relevant technical settings when using information society services, and any other statement or action that clearly indicates the data subject’s consent to the planned processing of his or her personal data in the given context. Silence, a pre-ticked box or inaction therefore does not constitute consent.

1.3. Consent shall apply to all processing activities carried out for the same purpose or purposes. If the processing serves several purposes at the same time, consent shall be given for all processing purposes.

1.4. Where the data subject gives his/her consent in the form of a written statement which also applies to other matters – for example, the conclusion of a sales or service contract – the request for consent shall be presented in a manner that is clearly distinguishable from those other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a statement containing the data subject’s consent which infringes the Regulation shall not be binding.

1.5. The Company may not make the conclusion or performance of a contract conditional on consent to the processing of personal data that is not necessary for the performance of the contract.

1.6. Withdrawal of consent must be made as easy as granting it. The data subject may withdraw his or her consent at any time by sending a letter to the e-mail address provided in Chapter I.

1.7. If the data subject withdraws his/her consent, the controller may no longer process his/her data. Upon withdrawal of consent, the controller must ensure the erasure of the data, unless another legal basis allows the processing of these data (e.g. storage requirements or the need to perform a contract). If the data is processed for more than one purpose, the controller may not use the personal data for the purpose for which the data subject withdrew consent.

  2. Data processing based on compliance with a legal obligation

2.1. In the case of data processing based on a legal obligation, the scope of data that can be processed, the purpose of data processing, the duration of data storage, and the recipients are governed by the provisions of the underlying legal provisions.

2.2. Data processing based on a legal obligation is independent of the data subject’s consent, as the data processing is determined by law. In this case, the data subject must be informed before the start of data processing that data processing is mandatory, and must be informed clearly and in detail before the start of data processing about all facts related to the processing of his or her data, in particular about the purpose and legal basis of data processing, the person authorized to control and process the data, the duration of data processing, whether the data subject’s personal data are processed by the data controller based on a legal obligation applicable to him or her, and who may access the data. The information must also cover the data subject’s rights and legal remedies in relation to data processing. In the case of mandatory data processing, the information may also be provided by publishing a reference to the legal provisions containing the above information.

  3. Data processing based on legitimate interest

3.1. The legitimate interests of the Company or a third party may constitute a legal basis for data processing, provided that the interests, fundamental rights and freedoms of the data subject are not overridden. The reasonable expectations of the data subject based on his/her relationship with the data controller must be taken into account, so the processing of personal data for the purpose of maintaining contact, even direct marketing, can be considered to be based on a legitimate interest.

3.2. Data processing based on legitimate interest requires a balancing test, during which the Company always takes into account the current circumstances and the situation of the data controller and the data subjects. The balancing tests carried out separately for data processing in the interests of the Company concluded with the following result: During the balancing test, the Company, taking into account the conditions described for the given data processing, concluded that the data processing is justified with the appropriate safeguards – included in this policy – as the Company would not be able to operate competitively without them. In light of this, the emotional impact on the data subjects and the infringement of the right to privacy can be considered proportionate.

  4. Data processing for the protection of the vital interests of the data subject or another natural person

4.1. The protection of the vital interests of the data subject or another natural person may also constitute a legal basis for data processing, given that the right to data protection is fundamental, but not exclusive, and in matters of life and death, the right to the protection of personal data is naturally overridden by the right to life.

  5. Data processing based on contractual interest

5.1. Data processing may also be based on contractual interest if it is necessary for the performance of a contract to which the data subject is a party, or if it is necessary to take steps at the data subject’s request prior to entering into a contract.

  6. Promoting the rights of the data subject

6.1. The Company is obliged to ensure the exercise of the rights of the data subject during all data processing operations.

CHAPTER IV

INFORMATION ON DATA PROCESSING BY THE COMPANY

Processing of the data of a natural person entering into a contract with the data controller (whether a sole proprietor or an individual issuing an invoice)

(1) The Company may, under the legal title of contract performance, process the data of natural persons in a contractual relationship with it for the purpose of preparing, concluding, performing and terminating the contract and providing contractual benefits (in short, supporting economic processes arising in the common interest). The data processed are the natural person’s name, birth name, date of birth, mother’s name, address, tax identification number, tax number, registration number, address, registered office, address of business, telephone number, e-mail address, website address, bank account number, customer number (customer number, order number), online identifier (list of customers, suppliers, regular purchase lists). This data processing is also considered lawful if the data processing is necessary to take steps at the request of the data subject prior to the conclusion of the contract.

(2) The period of storage of personal data is 15 days after the termination of the contract, taking into account the Company’s long-term business relationships. 5 years

(3) Recipients of personal data: Personal data may be accessed by the Data Controller’s employees who participate in the preparation, execution and storage of the contract. The Company’s senior executives, employees performing customer service-related tasks, contact persons, data processors of the Company, in particular employees performing business-related tasks, and data processors. Furthermore, the bodies specified in the law that are authorized by law to inspect.

(4) Personal data may be transferred for data processing to the Hungarian Post Office or the commissioned courier service for the purpose of mailing and delivery, to the data controller’s asset protection agent for the purpose of asset protection, and to the data controller’s data processors for the purpose of asset protection.

(5) Data processing is considered lawful if it is necessary for the purpose of concluding a contract or an intention to conclude a contract (Recital 44) or if it is necessary to take steps at the request of the data subject prior to concluding a contract (GDPR Article 6(1)(b)). Thus, personal data collected in the context of contractual offers may also be processed under the legal title of performance of a contract as described in this point. The Company is obliged to inform the offeror and the recipient of the offer of this when making or accepting an offer.

Data processing related to the issuance of invoices and the preservation of receipts related to the contract concluded by the data controller

(1) Purpose of data processing: To issue an invoice in accordance with Act CXXVII of 2007 on Value Added Tax in order to pay for the service and to fulfil the obligation to retain accounting documents

(2) Data subjects: The natural person who enters into a contract with the Data Controller, or the representative of the person who enters into a contract with the Data Controller.

(3) The scope of personal data that can be processed: Name and address of a natural person. Name, registered office, tax number of a sole proprietor. Tax number in the case of a legal entity.

(4) Legal basis for data processing: necessary for the fulfillment of a legal obligation of the Data Controller. [GDPR Article 6 (1) (c)]

(5) Recipients of personal data and categories of recipients: Company data processors, in particular employees performing accounting and taxation tasks, and data processors. National Tax and Customs Office

(6) Duration of storage of personal data: Pursuant to Section 169 (2) of Act C of 2000 on Accounting, for 8 years after the invoice is issued.

Processing of the data of the natural person acting on behalf of the legal entity contracting with the Data Controller – the person signing the contract

(1) Purpose of data processing: The purpose of data processing is to establish a contract, exercise the rights and fulfill the obligations contained in the contract, enforce civil law claims that may arise during the performance of contracts, and record and fulfill the obligations undertaken by the Data Controller.

(2) Data subjects: Natural persons signing the contract

(3) Scope of personal data that can be processed: The natural person signing:

  • name, position (job title)
  • email address
  • phone number
  • mailing address
  • signature sample

(4) Legal basis for data processing: The legitimate interests of the Data Controller based on the following balancing test. [GDPR Article 6 (1) (f)].

The Data Controller assesses that the legal basis for the processing of the data of the natural persons signing the contract complies with the legitimate interest set out in Article 6(1)(f) of the GDPR, and that the data processing does not prejudice the interests or fundamental rights and freedoms of the Data Subjects in a way that would override the legitimate interest of the Data Controller (the interest is not overridden by the specific interests or fundamental rights and freedoms of the Data Subject).

The legitimate interest exists

The delivery and acceptance of products/provision of services required for the performance of the contract and its verification are interests that are not exclusively the interests of the Data Controller, but also the interests of the contracting party as a third party, and which interest can also be traced back to the fulfillment of contractual obligations.

The Data Controller also has a significant interest in fulfilling its contractual obligations properly and in accordance with the contract, thereby avoiding potential legal disputes. The Data Controller has a legitimate business interest in generating satisfaction in its contractual partners and maintaining good business relations with them.

Data processing is necessary

Data processing is necessary because without the personal data of the representative, which is not linked to a natural person, legal entities and the Data Controller cannot establish contact with each other. In the absence of the representative’s personal data, communication with contractual partners and the performance of the contract would become extremely difficult, which may make the performance of contracts more difficult.

Data processing represents a proportionate restriction with regard to the person concerned

The Data Controller processes the personal data of the Data Subject only to the extent necessary to achieve the legitimate business purpose and/or to the extent necessary to contact another external body.

The processed data do not fall into the special category of personal data, which is in favor of the permissibility of the data processing. The implementation of the data processing does not result in any disadvantage for the Data Subject, the data processing represents a proportionate restriction for him, as the Data Controller ensures the right to have the Data Subject’s personal data deleted from the Data Controller’s records upon his request or objection.

The Data Controller limits and restricts access to personal data for its own employees. In addition, it ensures appropriate firewall and virus protection to protect the data, thus guaranteeing risk-proportionate protection of data processing.

The processing of the signature sample is necessary to fulfill the Data Controller’s legal obligation [GDPR Article 6 (1) point c)]. The Data Controller is obliged to process the signature of the representative of the contracting partner pursuant to Act V of 2013, Section 3:116 (1).

(5) Recipients of personal data and categories of recipients: Personal data may be accessed by the Data Controller’s employees who participate in the preparation, execution and storage of the contract. The Company’s senior executives, employees performing customer service-related tasks, contact persons, employees performing business-related tasks of the Company. Furthermore, the bodies specified in the law that are authorized by law to inspect.

(6) Duration of storage of personal data: 5 years after the termination of the contract.

Processing of data of a natural person designated as a contact person in contracts (in the register kept by the Data Controller) – not a signatory

(1) Purpose of data processing: Ensuring contact related to the performance of the given contract or document, facilitating its performance, and maintaining the contractual relationship.

(2) Data subjects: Natural persons designated as contact persons – not signatories

(3) Scope of personal data to be processed: The contact natural person

  • name, position (job title)
  • email address
  • phone number
  • mailing address

(4) Legal basis for data processing: The legitimate interests of the Data Controller based on the following balancing test. [GDPR Article 6 (1) (f)].

The Data Controller assesses that the legal basis for the processing of data of external partners’ contact persons complies with the legitimate interest set out in Article 6(1)(f) of the GDPR, and that the data processing does not prejudice the interests or fundamental rights and freedoms of the Data Subjects in a way that would override the legitimate interest of the Data Controller (the interest is not overridden by the specific interests or fundamental rights and freedoms of the Data Subject).

The legitimate interest exists

The Data Controller’s legitimate interest is to maintain contact with the contractual partner in connection with the contracts concluded by it, to ensure communication with them, and to facilitate the performance of the contracts.

The Data Controller has a legitimate interest in storing the personal data of potential business partners and/or other external contact persons and using them in connection with future official contact and/or the possibility of concluding a contract, which is consistent with the Data Controller’s activities and business acquisition objectives.

Data processing is necessary

Data processing is necessary because in the absence of contact details, communication with contractual partners would be extremely difficult, which could make the fulfillment of contracts more difficult.

Data processing represents a proportionate restriction with regard to the person concerned

The Data Controller processes the personal data of the Data Subject’s contact person only to the extent necessary to achieve the legitimate business purpose and/or to the extent necessary to contact another external body.

The processed data do not fall into the special category of personal data, which supports the permissibility of the data processing. The implementation of the data processing does not result in any disadvantage for the Data Subject’s contacts, the data processing represents a proportionate restriction for them, as the Data Controller grants them the right to have the Data Subject’s personal data deleted from the Data Controller’s records upon their request or objection.

The Data Controller limits and restricts access to personal data for its own employees. In addition, it ensures appropriate firewall and virus protection to protect the data, thus guaranteeing risk-proportionate protection of data processing.

(5) Recipients of personal data and categories of recipients: Personal data may be accessed by the Data Controller’s employees who participate in the preparation, execution and storage of the contract. The Company’s senior executives, employees performing customer service-related tasks, contact persons, employees performing business-related tasks of the Company. Furthermore, the bodies specified in the law that are authorized by law to inspect.

(6) Duration of storage of personal data: 5 years after the termination of the contract.

Registration in the Company’s application

(1) A natural person registering in the application may give their consent to the processing of their personal data by checking the relevant box. Pre-checking the box is prohibited.

(2) The scope of personal data that can be processed:

  • Email address
  • Vehicle data (license plate, make, model, type, year)
  • Vehicle technical data (battery capacity (kWh), connector type, presence of converter),
  • Payment details (card details – Apple/Google pay details),
  • Billing information (payment method, last and first name, province, address),
  • Facebook, Google, or Apple account login details (optional),
  • In the case of biometric authentication, the fingerprint or facial image set up on the user’s smart device,
  • Application language
  • Optionally: location, time and duration data of the User’s calendar events, in order to provide route-based charging station recommendations.

The data controller may also process the following optional data in connection with registration for statistical purposes:

  • The name of the natural person (surname, first name),
  • Contact details (email address, phone number)
  • City,
  • Date of birth,
  • Gender.

(3) The purpose of processing personal data is to provide services and collect statistical data.

(4) The legal basis for data processing is: the express consent of the data subject (based on Article 6(1)(a) of the GDPR and, in the case of sensitive personal data, Article 9(2)(a) of the GDPR at the same time). Consent may be withdrawn at any time. The withdrawal of the data subject’s consent does not affect the lawfulness of the data processing prior to its withdrawal. The deletion request must include the name and e-mail address of the data subject for the purpose of identification.

(5) Recipients of personal data and categories of recipients: employees of the Company performing tasks related to customer service and marketing activities, data processors of the Company as data processors, in particular the Company’s IT and Marketing service provider.

(6) Duration of storage of personal data: 5 years or until the data subject withdraws his/her consent (requests deletion).

(7) The data subject acknowledges that the provision of data is not a prerequisite for concluding a contract and that he is not obliged to provide his personal data. Failure to provide data may result in the non-provision of the service.

Recommending and booking charging points, and remotely managing the charging process based on location data

(1) The data controller provides a universal application available on a smart device for users of electric vehicles, within the framework of which the data controller sends a recommended charging location to the user based on the location data of the natural person customer, launches a preset navigation program to the charging location indicated by the user upon request and reserves the charger until the user arrives. Furthermore, after the user arrives – based on the user’s instructions – the charging process is automatically started, monitored and stopped.

(2) Purpose of data processing: In order to be able to show the user the nearest charging station, reserve it upon arrival if required, and then manage the charging process, the Data Controller needs to process the location and charging data received via the user’s device. Without consent, the Data Controller cannot recommend personalized, location-specific charging locations or manage the charging process via it.

(3) Legal basis for data processing: Voluntary and explicit consent of the Clients [GDPR Article 6 (1) a)]. Voluntary consent can be withdrawn at any time. Withdrawal of the data subject’s consent does not affect the lawfulness of the data processing prior to withdrawal. The deletion request must include the name of the data subject and the e-mail address provided during registration for the purpose of identification.

(4) Data subjects: Registered users

(5) The scope of personal data that can be processed: email address, location data, vehicle data, charging data, travel data of the default navigation application used by the user (Google Maps – Waze), billing data.

(6) The data controller acts exclusively as an intermediary towards the Charging Point operator through the Application: it provides a technical and IT platform through which the User and the Charging Point operator can meet, the purchase (charging) transaction can be carried out, and the payment can be made through the integrated payment system of the Application. The charging process and payment carried out by the User through the Application are therefore not established with the data controller, but directly with the operator of the given Charging Point.

(7) Recipients: the Company’s employees performing tasks related to customer service, HR and marketing, the Company’s data processors as data processors and the recipients, in particular the Company’s IT, Marketing service, payment service provider.

Although the financial payment is made through the Application, through the technical system provided by the Data Controller, the payment is processed by a third-party payment service provider. The data controller transmits personal data related to the payment process to the Charging Point operator.

(8) Duration of data processing: Until the customer withdraws their consent, otherwise as long as the profile of the user concerned exists.

(9) The data subject acknowledges that the provision of data is not a prerequisite for concluding a contract and that he is not obliged to provide his personal data. Failure to provide data may result in the non-provision of the service.

The Customer may withdraw his consent at any time, free of charge, electronically or by post. The Data Controller shall take measures to delete the personal data within 30 days of becoming aware of it. The right to withdrawal does not affect the lawfulness of the data processing carried out on the basis of consent before the withdrawal.

Data management related to calendar data when using the application

(1) The Data Controller’s application may – based on the User’s express permission – access upcoming calendar events stored on the User’s device in order to recommend electric charging stations that are appropriate in terms of time and performance and that are aligned with the User’s scheduled programs.

(2) The application reads and processes the following calendar event data locally on the User’s device:

  • name (title) of the event,
  • the date and duration of the event,
  • the location of the event.

(3) Only the following data will be transmitted to the Data Controller’s servers:

  • the location of the event,
  • the time and duration of the event.

(4) The following will not be transmitted to the Data Controller’s servers and will not be transferred to third parties:

  • the name or address of the event,
  • description of the event,
  • other personal data related to the calendar entry.

(5) The purpose of data processing is to recommend electric charging stations that are suitable in terms of capacity and availability and that are aligned with the dates of the trips and programs planned by the User, as well as to provide route-based charging suggestions.

(6) Legal basis for data processing: the User’s voluntary and explicit consent [GDPR Article 6 (1) a)].

(7) Duration of data processing: data regarding the location, time and duration of the event will be used exclusively for the time necessary to carry out the recommendation process and will not be stored in the long term.

Providing user analytics regarding the use of the Company’s application services

(1) The data controller may, when using the application available on a smart device, create detailed reports and provide user-friendly templates to the user, based on which the user can easily track the vehicle fleet, charging history, and charging settings provided for each vehicle, and create personalized billing profiles.

(2) Purpose of data processing: Provision of services

(3) Legal basis for data processing: Voluntary and explicit consent of the Clients [GDPR Article 6 (1) a)]. Voluntary consent can be withdrawn at any time. Withdrawal of the data subject’s consent does not affect the lawfulness of the data processing prior to withdrawal. The deletion request must include the name of the data subject and the e-mail address provided during registration for the purpose of identification.

(4) Data subjects: Registered users

(5) The scope of personal data that can be processed: registered vehicles, charging history, charging priorities (fast – nearby – cheap – easily accessible – plug & charge – free parking – services), RFID code, billing profiles, invoices.

(6) Recipients of personal data and categories of recipients: employees of the Company performing tasks related to customer service, HR and marketing, data processors of the Company as data processors and recipients, in particular the Company’s IT and Marketing service.

(7) Duration of data processing: Until the customer’s consent is withdrawn, otherwise as long as the customer profile of the customer concerned exists.

Data processing related to newsletter service

(1) By checking the relevant box, a natural person acting on behalf of a legal entity who registers for the newsletter service on the website acknowledges that the Company will process his/her data for the purpose of sending newsletters, marketing inquiries, and informational materials, based on the legitimate (other business acquisition) interests of the data controller and the consent of the data subject, until the service is active or until the relevant cancellation request (unsubscribe request sent by email) is received. It is prohibited to check the box in advance. During the subscription, the Data Protection Notice (Annex 2) must be made available with a link. The data subject may unsubscribe from the newsletter at any time by making a written or e-mail statement. In such a case, all data of the objector must be deleted immediately.

(2) The scope of personal data that can be processed: the name (surname, first name), e-mail address, telephone number of the natural person.

(3) Data subjects: Subscribers to the newsletter.

(4) The purpose of processing personal data is:

  • Sending a newsletter about the Company’s services
  • Sending advertising and information materials

(5) Legal basis for data processing: Voluntary consent of the data subject. [GDPR Article 6 (1) a)]. Voluntary consent can be withdrawn at any time. We inform you that the withdrawal of your consent does not affect the lawfulness of the data processing before its withdrawal. The name and e-mail address of the data subject must be indicated in the deletion request in order to be identifiable.

The legal consequence of failure to provide consent is that the service will not be provided.

(6) Recipients of personal data and categories of recipients: employees of the Company performing tasks related to customer service and marketing activities, the Company as a data processor, in particular, employees of the newsletter sender, Marketing and IT service provider for the purpose of providing hosting services.

(7) Duration of storage of personal data: In the case of a newsletter, the Data Controller processes the data provided by the data subject during the subscription to the newsletter until the data subject unsubscribes from the list of subscribers by clicking on the “Unsubscribe” button found at the bottom of the newsletter. In case of unsubscribing, the Data Controller will no longer contact the data subject with the newsletter. The data subject may unsubscribe from the newsletter free of charge and withdraw their consent at any time.

(8) The data subject acknowledges that the provision of data is not a prerequisite for concluding a contract and that he is not obliged to provide his personal data. Failure to provide data may result in the failure to provide the newsletter.

Data processing related to the organization of a prize draw

(1) If the company organizes a prize draw (Act XXXIV of 1991, Section 23), it may process the name, address, telephone number, e-mail address, online identifier, and tax identification number of the natural person concerned based on his or her consent. Participation in the game is voluntary. Consent to data processing is given by accepting these regulations and participating in the game.

(2) The purpose of processing personal data is: determining and notifying the winner of a prize game, sending the prize, marketing inquiries, sending information materials. The legal basis for data processing is: the consent of the data subject.

(3) Legal basis for data processing: the data subject’s voluntary consent [GDPR Article 6(1)(a)]. Voluntary consent may be withdrawn at any time. Withdrawal of the data subject’s consent does not affect the lawfulness of the data processing prior to withdrawal. The deletion request must include the data subject’s name and the e-mail address provided during the prize draw for the purpose of identification.

(4) Recipients of personal data and categories of recipients: employees of the enterprise performing tasks related to marketing and customer service, data processors of the Company as data processor, in particular the Company’s IT service provider, employees performing accounting, and other data processors of the company named in the data processing regulations.

With express consent, the company may display the names of the winners on social media platforms, drawing the attention of the data subjects in the data protection information that the news may be shared by others. Referring behavior on social media sites can be considered consent.

(5) Storage period of personal data: 5 years, in the case of winner data 8 years for the purpose of preserving accounting documents.

Data processing related to customer satisfaction management

(1) This data processing enables the Data Controller to understand the needs and feedback of users and to develop its services and business processes based on this.

(2) The scope of personal data that can be processed:

  • data necessary for the identification of the data subject
  • ratings given by the data subject measuring the quality of the data controller’s services
  • other feedback, opinions of the person concerned

(3) Purpose of data processing: Using user feedback to develop and improve the Data Controller’s services in order to better meet the needs of users.

(4) The legal basis for data processing is the voluntary consent of the data subject [Article 6(1)(a) GDPR]. Voluntary consent may be withdrawn at any time. Withdrawal of the data subject’s consent shall not affect the lawfulness of the data processing prior to its withdrawal. The request for erasure shall include the name and e-mail address of the data subject for the purpose of identification.

(5) Recipients of personal data and categories of recipients: employees of the Company performing tasks related to customer service, marketing and development activities, data processors of the Company as data processors, in particular the Company’s IT and Marketing service provider.

(6) Duration of storage of personal data: The data controller may store the data for a period of five years, in accordance with the general limitation period of the Civil Code.

Data processing regarding social media (Facebook, Instagram, LinkedIn, TikTok and Youtube)

(1) Our Company has only limited influence on the data processing of social media platform operators. In places where we can influence and parameterize it, we promote data processing in accordance with data protection standards within the scope of our available options. However, in most cases we cannot influence the operator’s activities, so we have no information about which data is processed exactly.

Facebook: The data processing policy can be found on the following page: https://www.facebook.com/privacy/explanation/

Instagram: The data processing policy can be found on the following page: https://help.instagram.com/519522125107875

LinkedIn: The data processing policy can be found on the following page: https://www.linkedin.com/legal/privacy-policy

TikTok: The data processing policy can be found on the following page: https://www.tiktok.com/legal/page/eea/privacy-policy/hu

Youtube: The data processing policy can be found on the following page: https://www.youtube.com/intl/ALL_hu/howyoutubeworks/privacy/

(2) The Data Controller manages its own page on Facebook. The data subject can subscribe to the news feeds published on the Facebook page’s message board by clicking on the “like” link on the pages. In order to contact the Data Controller via Facebook, you must log in. For this, Facebook also requests, stores and processes personal data. The data controller has no influence on the type, scope and processing of this data, and does not receive personal data from the Facebook operator. The Data Controller processes the personal data of followers on Facebook pages based on the followers’ voluntary consent, and the consent is deemed to be given by the person liking, following the page, posts or commenting on them. The data subject declares that he or she has reached the age of 16 in relation to requesting services on the data controller’s Facebook page. The consent of a person under the age of 16 to data processing is subject to the consent of their legal representative pursuant to Article 8(1) of the GDPR. The controller is not able to verify the age and entitlement of the person giving consent, so the data subject guarantees that the data provided is accurate.

(3) Purpose of data management: providing information about current information, news concerning the Data Controller, advertising on social media platforms, presentation and promotion of services. The Data Controller uses the Facebook page for marketing purposes in order for interested parties to learn about its services and to contact the Data Controller.

(4) Legal basis for data processing: voluntary consent of the data subject (in accordance with the data processing regulations of Facebook, Instagram, LinkedIn, TikTok and Youtube)

(5) Scope of data subject to data processing: name of the data subject; data subjects: users of the social media platform

(6) Duration of data processing: The data subject can unsubscribe from following the Data Controller’s Facebook page by clicking the “dislike” or “don’t like” button, or delete unwanted content using the message board settings. As long as the service is active.

(7) Recipients: Employees of the data controller performing tasks related to customer service and marketing, data processors of the Company as data processor, in particular the Company’s IT service provider.

Data processing for direct marketing purposes

(1) Unless otherwise provided by a separate law, advertising may be communicated by direct contact with a natural person as the recipient of the advertisement (direct marketing), in particular by electronic mail or other equivalent individual means of communication – with the exception specified in Act XLVIII of 2008 – only if the recipient of the advertisement has given his prior clear and express consent. According to paragraph 47 of the GDPR Preamble, the processing of personal data for the purpose of direct marketing may also be considered to be based on a legitimate interest.

(2) The scope of personal data that may be processed by the Company for the purpose of advertising addressee inquiries: the name, address, telephone number, e-mail address, online identifier of the natural person.

(3) The purpose of processing personal data is to carry out direct marketing activities related to the Company’s activities, i.e. to regularly or periodically send advertising publications, newsletters, and current offers in printed (postal) or electronic form (e-mail) to the contact details provided upon registration.

  • to invite you by email to events we organize that are relevant to you,
  • to recommend content relevant to you via email,
  • to send you a newsletter with topics and subjects related to technology, agility, training, webinars, professional presentations, and events via email,
  • to contact you by email with a direct offer,
  • to display targeted advertising to you in an email message.

The general purpose of personalized marketing messages is to increase awareness of us as the Data Controller and our products and services among those who are interested in them. We aim to achieve this by only sending you information that is relevant to you if you have given your prior consent.

(4) Legal basis for data processing: Voluntary consent of the data subject [Article 6(1)(a) of the GDPR].

Voluntary consent can be withdrawn at any time. We inform you that the withdrawal of consent does not affect the lawfulness of data processing prior to withdrawal. In the deletion request, please indicate your name and e-mail address for identification purposes.

(5) Recipients of personal data and categories of recipients: the Company’s customer service and employees performing sales-related tasks, data processors of the Company as data processors, in particular the Company’s IT, Marketing, Newsletter service provider, and employees of the Posta in the case of postal delivery.

(6) Duration of storage of personal data: until the data subject withdraws his/her consent (requests for deletion).

Management of data of employees applying for employment, applications, CVs

(1) The scope of personal data that can be processed: the natural person’s name, date of birth, place of birth, mother’s name, address, photograph, telephone number, e-mail address, data relating to professional background, experience, education and qualifications.

If, following the application of the data subject, a personal interview of the data subject takes place, the Data Controller will make a record of it, the content of which also qualifies as personal data.

(2) The purpose of processing personal data is:

  • identification of the data subject,
  • the processing by the Data Controller of the job application submitted to the Data Controller concerned
  • assessment,
  • the participation of the data subject in the selection procedure,
  • selecting a data subject with the appropriate skills and professional experience for the position advertised by the Data Controller,
  • contacting the data subject and maintaining contact during the selection process,
  • offering the data subject a subsequent job opportunity if the data subject is not selected by the Data Controller for the advertised job position.

(3) Legal basis for data processing: The data is processed under the legal title of the Company’s legitimate interests as an employer (Article 6(1)(f) of the GDPR) and, in the case of sensitive personal data, at the same time Article 9(2)(f) of the GDPR, except for the possibility of offering a subsequent job opportunity. In the latter case, the applicant – after the conclusion of the recruitment procedure – may declare that he expressly consents to the further processing of his application materials for the purpose of subsequent successful recruitment. In this case, the legal basis for further data processing is: Voluntary consent of the data subject (Article 6 (1) a) of the GDPR).

(4) Recipients of personal data and categories of recipients: managers and employees performing labor duties authorized to exercise employer rights at the Company.

(5) Duration of storage of personal data: The Data Controller stores the personal data of the data subject until the termination of the employment relationship in the case of a winning application, otherwise until the assessment of the job application, and then deletes it, unless the data subject has expressly requested its retention for the purpose of further job opportunities. In this case, the data controller processes the application for 1 year after the consent or until the data subject withdraws his consent.

Please note that when evaluating the application, we may also view publicly available information on social media sites (Facebook, LinkedIn, Instagram, Twitter, etc.). We handle this information solely for informational purposes and will not copy, print, or record it in any way.

Data processing for the purpose of fulfilling tax and accounting obligations

(1) The Company processes the data of natural persons who come into contact with it on the basis of the legal obligation, for the purpose of fulfilling tax and accounting obligations prescribed by law (accounting, taxation). The processed data are, in particular, pursuant to Sections 169 and 202 of Act CXXVII of 2017 on Value Added Tax: tax number, name, address, tax status; pursuant to Section 167 of Act C of 2000 on Accounting: name, address, designation of the person or organization ordering the economic transaction, the person issuing the order and the person certifying the execution of the order, and, depending on the organization, the signature of the auditor; on the stock movement documents and cash management documents, the signature of the recipient, and on the counter-receipts, the signature of the payer, and on the counter-receipts, pursuant to Act CXVII of 1995 on Personal Income Tax: tax identification number.

(2) Data management related to the management of travel records and journey logs (in relation to vehicles that can be used by multiple beneficiaries): the Company processes the data specified in the law (name of the driver, type of vehicle, registration number, time of travel, purpose, route taken, name of business partner visited) of the company and the employee’s own vehicle used for official and business purposes (name of driver, type of vehicle, registration number, date of travel, purpose, route taken, name of business partner visited) on the basis of a legal obligation, for the purposes of cost accounting, documentation, determination of tax bases, and accounting for fuel savings. The relevant legislation is Act CXVII of 1995 (Act on the Roads and Transport), Section 27/2/, Annex 3, Section 6 and Annex 5, Section 7.

(3) The storage period of personal data is 8 years after the termination of the legal relationship that gave rise to the legal basis.

(4) Recipients of personal data: employees and data processors of the Company performing tax, accounting, payroll and social security tasks.

Payer data management

(1) The Company processes the personal data of those data subjects – employees, their family members, employees, recipients of other benefits – prescribed in tax laws, with whom its payers (2017:CL. Act on the Taxation System (Art.) 7.§ 31.) are in a relationship, for the purpose of fulfilling legal obligations and tax and contribution obligations prescribed by law (assessment of tax, tax advance, contributions, payroll accounting, social security, pension administration). The scope of the processed data is determined by Art. 50.§, specifically highlighting: the natural person’s personal identification data (including the previous name and title), gender, citizenship, tax identification number of the natural person, social security identification number (TAJ number). If tax laws provide for legal consequences, the Company may process data related to employees’ health (Szja tv. § 40) and trade union membership (Szja § 47(2) b./) for the purpose of fulfilling tax and contribution obligations (payroll accounting, social security administration).

(2) The storage period of personal data is 8 years after the termination of the legal relationship that gave rise to the legal basis.

(3) Recipients of personal data: employees and data processors of the Company performing tax, payroll and social security (payer) tasks.

Data management regarding documents of lasting value according to the Archives Act

(1) The Company manages its documents that are considered to be of permanent value in accordance with Act LXVI of 1995 on public documents, public archives and the protection of private archival material (Archives Act) in order to ensure that the permanent value of the Company’s archival material remains intact and in a usable condition for future generations. Data storage period: until transfer to the public archives.

(2) Recipients of personal data: the manager of the Company, employees responsible for document management and archiving, and employees of the public archives.

CHAPTER V

VISITOR DATA PROCESSING ON THE COMPANY’S WEBSITE – INFORMATION ON THE USE OF COOKIES

  1. The visitor to the website must be informed on the website about the use of cookies, and for this purpose – except for technically essential session cookies – your consent must be requested.

A cookie is a small text file that is stored on the long-term storage of the data subject’s computer or mobile device (HDD, SSD) for the expiration period set in the cookie and is reactivated on subsequent visits. Its purpose is to record data related to the visit and personal settings, but these data cannot be linked to the visitor. It helps to create a user-friendly website and to enhance the Data Subject’s online experience. If the Data Subject does not agree to the Data Processor’s use of cookies, they must discontinue using the website.

Purpose of data processing:

  • By recording your settings and usage habits, we facilitate navigation on the site and thus the use of the website.
  • To improve your user experience by collecting information about how you use the website, which pages you visit or use most often, so we can learn how to provide an even better user experience when you visit our website again.
  • Collecting statistics, the analysis of which helps us understand how you use the website and other online services, which we can then further develop.
  • Further development and fine-tuning of the website according to your needs.
  • Identification of possible malicious IT operations.

Legal basis for data processing: In the case of cookies that are essential for the proper functioning of the web interface, the legitimate interest of the data controller [Article 6(1)(f) of the GDPR].

The Data Controller has a legitimate interest in ensuring the secure operation of its website.

If the legal basis for data processing is the legitimate interest pursued by the Data Controller, you as the Data Subject (i.e. the person who uses or visits the website) have the right to object at any time to the processing of your personal data based on such legal grounds for reasons relating to your own situation. In such cases, the Data Controller is obliged to examine the objection submitted by the data subject on its merits and, based on the so-called balancing of interests (comparison of the interests of the data controller and the data subject) conducted by it, decide on the continuation, possible restriction or termination of data processing. The Data Controller has prepared a so-called balancing of interests test in order to prove its legitimate interests.

The legal basis for the processing of other cookies is the voluntary consent of the data subject [Article 6 (1) (a) of the GDPR]. Voluntary consent can be withdrawn at any time. We inform you that the withdrawal of consent does not affect the lawfulness of data processing prior to withdrawal. In the deletion request, please indicate your name and e-mail address for identification purposes.

Scope of data subject to data processing: By placing cookies and reading them back, we process the data of visitors related to their use and browsing of the website and the information related to them in accordance with the data processing purposes.

Duration of data management: We distinguish between cookies stored until the end of a given session and cookies that are managed for a longer period of time. The different cookies are only stored for a specific period of time in order to achieve their purpose. The data subject can delete the cookies stored on their computer or mobile phone at any time through their browser settings.

  2. Detailed information about cookies

2.1. A cookie is a piece of data (in the form of a variable name-value pair) that a website sends to the visitor’s browser so that the browser stores it and the same website can load it again later. A cookie can be valid until the browser is closed, or for an unlimited period of time. From then on, the browser also sends this data to the server with every HTTP(S) request. This modifies the data on the user’s computer.

2.2. The nature of modern website services requires cookies, the function of which is to mark a user (for example, that he has entered the site) so that the site can handle him accordingly in the future, and even identify him upon his later return. The danger lies in the fact that the user is not always aware of this, and that cookies may be suitable for tracking the user by the website operator or another service provider whose content is integrated into the site (e.g. Facebook, Google Analytics), thereby creating a profile about him, in which case the content of the cookie can be considered personal data.

2.3. Types of cookies:

2.3.1. Technically essential session cookies: cookies without which the site simply would not function. They are necessary for identifying the user, e.g. to manage whether they are logged in, what they have put in the basket, etc. Typically the cookie stores only a session ID; the rest of the data is stored on the server, which is therefore more secure. There is a security aspect: if the session cookie value is not generated correctly, there is a risk of session-hijacking attacks, so it is absolutely necessary that these values are generated correctly. Other terminologies call all cookies that are deleted when you exit the browser session cookies (a session is one use of the browser, from launch to exit).

2.3.2. User-friendly cookies: This is the name given to cookies that remember user choices, such as how the user would like to view the site. These types of cookies essentially represent the settings data stored in the cookie.

2.3.3. Performance cookies: although they have little to do with “performance”, this is usually the name given to cookies that collect information about the user’s behavior within the website they visit, their time spent, and their clicks. These are typically third-party applications (e.g. Google Analytics, AdWords, or Yandex.ru cookies). They are suitable for creating visitor profiles.

You can find out more about Google Analytics cookies here:

https://developers.google.com/analytics/devguides/collection/analyticsjs/cookie-usage

You can find out more about Google AdWords cookies here:

https://support.google.com/adwords/answer/2407785?hl=hu

2.4. It is not mandatory to accept or allow the use of cookies. You can reset your browser settings to refuse all cookies or to indicate when a cookie is being sent. Most browsers automatically accept cookies by default, but these can usually be changed to prevent automatic acceptance.

You can find information about cookie settings for the most popular browsers at the links below.
• Google Chrome: https://support.google.com/accounts/answer/61416?hl=hu
• Firefox: https://support.mozilla.org/hu/kb/sutik-engedelyezese-es-tiltasa-amit-weboldak-haszn
• Microsoft Internet Explorer 11: http://windows.microsoft.com/hu-hu/internet-explorer/delete-manage-cookies#ie=ie-11
• Microsoft Internet Explorer 10: http://windows.microsoft.com/hu-hu/internet-explorer/delete-manage-cookies#ie=ie-10-win-7
• Microsoft Internet Explorer 9: http://windows.microsoft.com/hu-hu/internet-explorer/delete-manage-cookies#ie=ie-9
• Microsoft Internet Explorer 8: http://windows.microsoft.com/hu-hu/internet-explorer/delete-manage-cookies#ie=ie-8
• Microsoft Edge: http://windows.microsoft.com/hu-hu/windows-10/edge-privacy-faq
• Safari: https://support.apple.com/hu-hu/HT201265

However, please note that certain website features or services may not function properly without cookies.

3. Information about cookies used on the Company’s website, and about the data generated during the visit

3.1. Data processed during the visit: Our company’s website may record and process the following data about the visitor and the device used for browsing when using the website:
• the IP address used by the visitor,
• browser type,
• characteristics of the operating system of the device used for browsing (set language),
• date of visit,
• the (sub)page, function or service visited,
• click.

We retain this data for a maximum of 90 days and may use it primarily for investigating security incidents.

3.2. Cookies used on the website

3.2.1. Technically essential session cookies

The purpose of data processing is to ensure the proper functioning of the website. These cookies are necessary to allow visitors to browse the website, to use its functions smoothly and fully, and to use the services available through the website, including, among other things, to remember the actions performed by the visitor on the given pages or the identification of the logged-in user during a visit. The duration of data management of these cookies applies only to the visitor’s current visit, and this type of cookie is automatically deleted from your computer when the session ends or the browser is closed.

The legal basis for this data processing is Section 13/A. (3) of Act CVIII of 2001 on certain issues of electronic commerce services and information society services (Elkertv.), according to which the service provider may process, for the purpose of providing the service, personal data that are technically indispensable for the provision of the service. All other conditions being the same, the service provider must select and in all cases operate the means used in the provision of the information society service in such a way that personal data are processed only if this is absolutely necessary for the provision of the service and for the fulfilment of other purposes specified in this Act, but even then only to the extent and for the period necessary.

3.2.2. Cookies that facilitate use:

These remember the user’s choices, such as how the user would like to view the page. These types of cookies are essentially settings data stored in a cookie.

The legal basis for data processing is the visitor’s consent.

The purpose of data processing is: increasing the efficiency of the service, enhancing the user experience, and making the website more convenient to use.

This data is typically on the user’s computer; the website only accesses it and can recognize the visitor.

3.2.3. Performance cookies:

They collect information about the user’s behavior within the website they visit, the time spent, and their clicks.

The legal basis for data processing is the consent of the data subject.

The purpose of data processing is: analyzing the website and sending advertising offers.

CHAPTER VI

INFORMATION ON THE RIGHTS OF THE DATA SUBJECT

  1. Your rights in brief:

You may request the following from the Data Controller:

  • information about the processing of your personal data (before the start of data processing and during data processing). We ensure your right to information by preparing and publishing this Data Processing Notice.
  • access to your personal data (the provision of your personal data by the data controller),
  • correction and completion of your personal data,
  • the deletion or restriction (blocking) of your personal data – with the exception of mandatory data processing,
  • you have the right to data portability,
  • you can object to the processing of your personal data,
  • you have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you,
  • you have the right to legal remedy.

According to the chapter “Data processing related legal enforcement, legal remedies”, you may submit your data subject request to the Data Controller in writing. The Data Controller will fulfill your legitimate request within a maximum of 30 days and will notify you of this in a letter sent to the contact information provided.

  1. Your rights in detail:

The right to request information (based on the data controller’s obligations set out in Articles 13-14 of the GDPR)

According to the chapter “Data processing related legal enforcement, legal remedies”, you may request information in writing from the Data Controller about

  • what personal data,
  • on what legal basis,
  • for what purpose of data processing,
  • from what source,
  • for how long it is processed,
  • whether it employs a data processor, if so, the name, address and activities related to data processing of the potential data processor,
  • to whom, when, based on what legal basis, the Data Controller provided access to which personal data or to whom the personal data was transferred,
  • the circumstances and effects of a possible data protection incident and the measures taken to prevent it.

Right of access (pursuant to Article 15 of the GDPR)

You have the right to receive feedback from the Data Controller as to whether your personal data is being processed and, if such processing is taking place, you have the right to access your personal data and to obtain this from the Data Controller. You can request it in writing according to the chapter “Data processing related legal enforcement, legal remedies”.

The Data Controller shall provide you with a copy of the personal data subject to data processing, unless otherwise prohibited by law. If you have submitted your request electronically, the information shall be provided in a widely used electronic format, unless you request otherwise.

The right to rectification and completion (based on Article 16 of the GDPR)

According to the chapter “Data processing related legal enforcement, legal remedies”, you may request in writing that the Data Controller modify any of your personal data (for example, you may change your e-mail address or postal address at any time or request that the Data Controller correct any inaccurate personal data processed by the Data Controller).

Taking into account the purpose of data processing, you have the right to request the appropriate completion of incomplete personal data processed by the Data Controller.

The right to erasure (pursuant to Article 17 of the GDPR)

The deletion of personal data can basically be requested if our data processing is based on your voluntary consent, e.g. you have given your consent for us to process your data (telephone number, e-mail address). In such a case, we will delete your personal data.

Your voluntary consent can be withdrawn at any time. We inform you that the withdrawal of consent does not affect the lawfulness of the data processing prior to its withdrawal. In the deletion request, please indicate your name and e-mail address for identification purposes.

Right to blocking (restriction of data processing) (based on Article 18 of the GDPR)

According to the chapter “Data processing related legal enforcement, legal remedies”, you may request in writing that the Data Controller block your personal data (by clearly indicating the limited nature of the data processing and ensuring separate processing from other data).

The blocking will last as long as the reason you have indicated makes it necessary to store the data. You may request the blocking of the data, for example, if you believe that your submission has been processed unlawfully by the Data Controller, but it is necessary for the Data Controller to not delete the submission in the interest of the official or court proceedings initiated by the Data Controller.

In this case, the Data Controller will continue to store the personal data (for example, the given submission) until the authority or court requests it, after which the data will be deleted.

Right to data portability (pursuant to Article 20 of the GDPR)

According to the chapter “Data processing related legal enforcement, legal remedies”, you may request in writing to receive the personal data concerning you, which you have provided to the Data Controller, in a structured, commonly used and machine-readable format, and you have the right to transmit these data to another data controller without hindrance from the Data Controller, if:

  • the processing is based on consent pursuant to Article 6(1)(a) or Article 9(2)(a) of the GDPR, or
  • is based on a contract within the meaning of Article 6(1)(b); and
  • data processing is automated

The right to object (pursuant to Article 21 of the GDPR)

You may object in writing, via the contact details provided in the chapter “Data processing related legal enforcement, legal remedies”, to the processing of your personal data necessary for the purposes of the legitimate interests pursued by the Controller or by a third party pursuant to Article 6(1)(f) of the General Data Protection Regulation, including profiling based on those provisions.

In this case, the Data Controller will no longer process the personal data, unless the Data Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or which are related to the establishment, exercise or defence of legal claims.

Automated decision-making in individual cases, including profiling (based on Article 22 of the GDPR)

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.

This right does not apply if the decision:

  a) is necessary for the conclusion or performance of a contract between you and the data controller;
  b) is permitted by Union or Member State law applicable to the controller and which also lays down suitable measures to safeguard the rights and freedoms and legitimate interests of the data subject; or
  c) is based on your express consent.

In the cases referred to in points a) and c) above, the controller shall take appropriate measures to safeguard your rights, freedoms and legitimate interests, including at least the right to obtain human intervention on the part of the controller, to express your point of view and to object to the decision.

CHAPTER VII

ENFORCEMENT OF RIGHTS RELATED TO DATA PROCESSING, LEGAL REMEDIES

Contacting the Data Controller

We recommend that before initiating any court or regulatory proceedings, you send your inquiry or complaint regarding the processing of your personal data to the Data Controller so that we can investigate and resolve it satisfactorily, or fulfill any request or claim of yours under the chapter “Information about the rights of the person concerned”, if it is well-founded.

In the event that you exercise any of your rights related to data processing under the chapter “Information about the rights of the person concerned”, request information related to data processing, or object to or complain about data processing, the Data Controller shall investigate the matter without undue delay, take action regarding the request and provide you with information on the matter within the time period prescribed by the applicable laws. If necessary, taking into account the complexity of the request and the number of requests, this deadline may be extended as provided for in the law.

If you have submitted your request electronically, we will provide the information electronically if possible, unless you request otherwise. If the Data Controller does not take action on your request, it will inform you without delay, but no later than within the deadline specified in the law, of the reasons for the failure to take action or the refusal to comply with the request, and that you may initiate court or official proceedings in your case as follows.

In order to enforce your rights related to data management or if you have any questions or doubts regarding your data managed by the Data Controller, or if you request information regarding your data, wish to submit a complaint or wish to exercise any of your rights under the chapter on the rights of the data subject, you can do this as a so-called data subject request in writing by traditional letter, e-mail or through the contact details of the Data Controller.

EV.analytica Limited Liability Company

Headquarters: 1118 Budapest, Zólyomi út 7. 3rd floor, door 1.

Phone number: +36 30 397 7561

Email address: info@evanalytica.com

Initiation of official proceedings

You have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement, if you consider that the processing of personal data concerning you infringes the provisions of the GDPR. For contact details of the individual supervisory (data protection) authorities within the EU, see: https://edpb.europa.eu/about-edpb/board/members_hu

In Hungary, you may initiate an investigation or an official procedure at the National Data Protection and Freedom of Information Authority (1055 Budapest, Falk Miksa u. 9-11., website: http://naih.hu, postal address: 1363 Budapest, P.O. Box: 9.; telephone: +36-1-391-1400; fax: +36-1-391-1410; e-mail: ugyfelszolgalat@naih.hu) in order to enforce your rights, citing that a violation of the law has occurred in connection with the processing of your personal data or that there is an immediate risk of such a violation, in particular,

  • if, in your opinion, the Data Controller restricts the exercise of the data subject’s rights specified in the chapter “Information about the rights of the person concerned” or rejects the request to exercise these rights (initiating an investigation), and
  • if, in your opinion, the Data Controller, or the data processor acting on his/her behalf or on his/her instructions, violates the provisions on the processing of personal data set out in law or in a binding legal act of the European Union (request for an official procedure).

Initiation of legal proceedings

You may bring an action before a court if you consider that the Controller is processing personal data in breach of the provisions of the law or a binding legal act of the European Union on the processing of personal data. Such proceedings may also be brought before the court of the Member State of the habitual residence of the data subject. In Hungary, such proceedings fall within the jurisdiction of the General Court. The data subject may also, at his/her choice, bring the action before the court competent for his/her place of residence or place of stay. You can find information about the jurisdiction and contact details of the court (tribunal) on the following website: https://birosag.hu/

CHAPTER VIII

DATA SECURITY

The Data Controller undertakes to ensure the security of the personal data it processes. Taking into account the state of science and technology and the costs of implementation, as well as the nature, scope, circumstances and purposes of data processing, as well as the risk of varying likelihood and severity to the rights and freedoms of natural persons, it shall take technical and organizational measures and establish procedural rules that ensure that the data recorded, stored and processed are protected and prevent their destruction, unauthorized use and unauthorized alteration.

The Data Controller also undertakes to call on all third parties to whom the data is transmitted or transferred on any legal basis to comply with the data security requirements. The Data Controller ensures that unauthorized persons cannot access, disclose, transmit, modify or delete the processed data.

The processed data may only be accessed by the Data Controller, its employees, or the data processor(s) and recipients used by the Data Controller, according to their authorization levels. The Data Controller shall not disclose the data to third parties who are not authorized to access the data. The employees of the Data Controller and the Data Processor may access the personal data in a specific manner and according to their authorization levels, assigned to the positions specified by the Data Controller and the Data Processor.

The Data Controller protects the IT systems with a firewall in order to ensure the security of the IT systems and uses a virus scanner and anti-virus program in order to prevent external and internal data loss. The Data Controller has also ensured that all incoming and outgoing communication in any form is properly checked in order to prevent abuse.

The Data Controller and the Data Processor classify and process personal data as confidential data. In order to protect the data files managed electronically in various registers, the Data Controller ensures that the data stored in the registers cannot be directly linked and assigned to the Data Subject, with exceptions specified by law.

The Data Controller guarantees a level of data security appropriate to the level of risk, including, among others, where applicable:

  • pseudonymization and encryption of personal data,
  • ensuring the ongoing confidentiality, integrity, availability and resilience of systems and services used to process personal data (operational and development security, intrusion protection and detection, prevention of unauthorized access)
  • the ability to restore access to and availability of personal data in a timely manner in the event of a physical or technical incident (data breach prevention; vulnerability and incident management)
  • a procedure for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures taken to guarantee the security of data processing (maintaining business continuity, protection against malicious code, secure storage, transmission and processing of data, security training of our employees)

When determining the appropriate level of security, specific account shall be taken of the risks arising from the processing of personal data, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data transmitted, stored or otherwise processed.

We inform you that further detailed information about data security can be obtained from the Data Controller (email address: info@evanalytica.com).

CHAPTER IX

DATA TRANSFER TO A THIRD COUNTRY OR INTERNATIONAL ORGANIZATION

1.) Based on an adequacy decision (Article 45 of the GDPR)

Pursuant to Article 45 of the GDPR, personal data may be transferred to a third country or to an international organisation if the European Commission has determined in a decision that the third country, or a territory or one or more sectors thereof, or the international organisation in question ensures a level of protection equivalent to that of the Union. Article 45(2) of the GDPR sets out the general criteria that the Commission will take into account when assessing the adequacy of the level of protection. The Commission shall periodically and systematically monitor the adequacy of the level of protection in those countries (or territories, sectors, international organisations) for which it has previously adopted an adequacy decision and shall repeal, amend or suspend its decision if it finds that the adequate level of protection is no longer ensured.

2.) Transatlantic Compliance Framework (Data Privacy Framework)

On 10 July 2023, the European Commission adopted an adequacy decision on the new EU-US data protection framework, establishing that personal data can be transferred safely from the European Union to US companies participating in the new framework, and that the United States ensures an adequate level of protection for personal data transferred from the EU to participating US companies. The basic condition for joining the Transatlantic Compliance Framework Decision is that US companies, as data controllers, commit to implementing data protection measures in line with the GDPR.

3.) Data transfers based on appropriate safeguards (Article 46 of the GDPR)

In the absence of an adequacy decision pursuant to Article 45 of the GDPR, the controller or processor may only transfer personal data to a third country or to an international organization if it has provided appropriate guarantees regarding the adequacy of the transfer and if enforceable data protection rights and legal remedies are available to the data subjects.

The Data Controller informs you that the personal data you provide may be transferred to a third country during data processing.

CHAPTER X

OTHER

During the processing of personal data detailed in this Data Protection Notice, automated decision-making does not take place.

The Data Controller reserves the right to unilaterally amend this information with effect for the future. The current Data Protection Information is available on the Data Controller’s website. The Data Subjects will be informed of the amendments via the Data Controller’s website.

Date: Budapest, December 21, 2025

EV.analytica Ltd.

Represented by: Zoltán Papp, CEO
