Privacy Notice

Privacy statement for the MAHARTLOG GROUP

Data Controller: 
MAHARTLOG GROUP 

  • MAFRACHT Kft.

Registered office: 1121 Budapest, Mártonvölgy utca 26.

Tax number: 10456684-2-43

Company registration number: 01-09-072706

Represented by: Gábor Spányik

Phone number: +36 1 429-5010

Email: mahartlog@mahartlog.hu

Website: www.mahartlog.hu

  • Mahartlog Port Ltd.

Registered office: 2536 Nyergesújfalu, Bécsi út 5.

Tax number: 25717215-2-11

Company registration number: 11-09-026487

Represented by Klaudia Kovács-Domán Beáta 

Phone number: +36 1 429-5010

Email: mahartlog@mahartlog.hu

Website: www.mahartlog.hu

  • Mahartlog Invest PLC.

Registered office: 1121 Budapest, Mártonvölgy utca 26.

Tax number: 25896794-2-43

Company registration number: 01-10-049250

Represented by: Katalin Mária Bubics

Phone number: +36 1 429-5010

Email: mahartlog@mahartlog.hu

Website: www.mahartlog.hu

Last modified: 30 September 2024.

General information

Purpose of the Privacy Notice:

The purpose of this Privacy Notice is to inform the Data Controller about the data protection and data management principles and rules applicable to the processing of personal data of persons who come into contact with the Data Controller.

In drafting the provisions of this Privacy Notice, the Data Controller has taken particular account of the provisions of Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Regulation (EC) No 95/46/EC (General Data Protection Regulation, hereinafter referred to as "GDPR"), Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information (hereinafter referred to as "Infotv.") and other relevant legislation.

Concepts related to data management

The definitions of personal data processing are set out in the GDPR. For the sake of transparency and clarity, the Data Controller sets out the most important terms in this section, taken from the GDPR.  

  • "personal data" means any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
  1. "sensitive data" means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade-union membership, genetic data and biometric data revealing the identity of natural persons, health data and personal data concerning the sex life or sexual orientation of natural persons. The processing of these data is prohibited as a general rule.
  2. "processing" means any operation or set of operations which is performed upon personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
  3. "restriction of processing" means the marking of stored personal data for the purpose of restricting their future processing;
  4. 'controller' means a natural or legal person, public authority, agency or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of the processing are determined by Union or Member State law, the controller or specific criteria for the designation of the controller may also be determined by Union or Member State law;
  5. "processor" means a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller;
  6. "recipient" means a natural or legal person, public authority, agency or any other body to whom or with which personal data is disclosed, whether or not a third party. Public authorities which may have access to personal data in the context of an individual investigation in accordance with Union or Member State law are not recipients; the processing of those data by those public authorities must comply with the applicable data protection rules in accordance with the purposes of the processing;
  7. "third party" means a natural or legal person, public authority, agency or any other body other than the data subject, the controller, the processor or the persons who, under the direct authority of the controller or processor, are authorised to process personal data;
  8. "the data subject's consent" means a freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject signifies, by a statement or by an act expressing his or her unambiguous consent, that he or she signifies his or her agreement to the processing of personal data concerning him or her;
  9. "enterprise" means any natural or legal person carrying on an economic activity, regardless of its legal form, including partnerships or associations carrying on a regular economic activity.
  10. "data breach" means a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
  11. "supervisory authority" means an independent public authority established by a Member State in accordance with Article 51 of the GDPR;

Principles of data management

  • The processing of personal data must be lawful, fair and transparent for the data subject.
  • Personal data may only be processed for specific purposes and on a legal basis, for the exercise of a right or the performance of an obligation.
  • At all stages of processing, the purpose of the processing must be fulfilled and the collection and processing of data must be fair and lawful. Only personal data that is necessary for the purpose of the processing and is adequate for the purpose shall be processed.
  • Personal data may be processed only to the extent and for the duration necessary for the purposes for which they are collected.
  • The Data Controller's data management is accurate and up to date. The Controller shall take all reasonable steps to ensure that personal data inaccurate for the purposes of processing are erased or rectified without undue delay.
  • The Data Controller shall store personal data in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed, subject to the storage obligations laid down in the applicable legislation.
  • Personal data must be processed in such a way as to ensure adequate security of personal data, including protection against unauthorised or unlawful processing, accidental loss, destruction or damage, by using appropriate technical or organisational measures.

The Data Controller is responsible for compliance with the principles described above and must be able to demonstrate such compliance.

Purpose, legal basis and method of processing

3.1. Data processing related to contacting

3.1.1. Contact via email and online contact form

Purpose of processing: 

Contacting and maintaining contact with the data subject on the basis of the data subject's request. The Data Controller will use the data provided by the Data Subject for a specific purpose and only in connection with the Data Subject's request. The disclosure of personal data to third parties, unless otherwise required by law, shall only be possible with the express prior consent of the Data Subject.

Legal basis for processing

Voluntary consent of the data subject pursuant to Article 6(1)(a) GDPR

The processing is based on the data subject's voluntary and informed consent, which the data subject gives by sending the request and the data contained therein to the Data Controller to the extent necessary to reply to the request and to carry out the activities contained therein (e.g. providing information). 

Consent is given by the Data Subject by voluntarily providing the data in question and, in the case of a form, by completing it/checking the box.

Scope of personal data processed:

  • name (first and last name)
  • email address
  • optionally a telephone number
  • message

The Controller does not verify the personal data provided to it. The person providing the data shall be solely responsible for its accuracy. 

Duration and method of data processing:

The processing of the personal data provided in the context of contacting or maintaining contact lasts until:

  • until the data subject withdraws his or her consent,
  • but for a maximum of six months from the date of the data.

Data storage method: electronic.

 3.1.2. Contact by phone

Purpose of processing: 

The data subject may also contact the Data Controller by telephone. In this case, the Data Controller will also know the first and last name of the caller and the telephone number. The purpose of the processing is to contact the data subject on the basis of the data subject's request.

By contacting the Data Controller by telephone, the Data Controller will inform the Data Subject orally of the availability of this notice and will draw the caller's attention to the fact that the Data Controller will only process personal data if the caller confirms in writing that he or she has read and accepted the contents of this notice.

Legal basis for processing

Voluntary consent of the data subject pursuant to Article 6(1)(a) GDPR

The processing is based on the data subject's freely given informed consent, which he or she gives by sending the Data Controller the request and the data contained therein, to the extent necessary to reply to the request and to carry out the activities contained therein.

Consent is given by the data subject voluntarily providing the data in question.

Scope of personal data processed:

  • Name
  • phone number

The Controller does not verify the personal data provided to it. The person providing the data shall be solely responsible for its accuracy. 

Duration and method of data processing:

The processing of the personal data provided in the context of contacting or maintaining contact lasts until:

  • until the data subject withdraws his or her consent,
  • but for a maximum of six months from the date of the data.

Data storage method: electronic.

3.1.3. Contact via social media platform

Purpose of processing: 

The data controller operates a Facebook page (https://www.facebook.com/MAHARTLOG), an Instagram page (https://www.instagram.com/mahartlog), a TikTok page (https://www.tiktok.com/@mahartlog) and a LinkedIn profile (https://www.linkedin.com/company/mahartlog-ltd/ ) for the purpose of providing online contact opportunities, publishing posts, promoting the business and reaching potential customers.

When posting comments to posts related to the business, the Data Controller gets to know the first and last name of the commenters and their comments, which are accessed on the basis of consent. 

You can also send messages on Facebook, Instagram and TikTok. When sending a message, the Data Controller obtains the sender's first and last name, which is based on the sender's consent. In the case of contact by Facebook, Instagram and TikTok messages, the Data Controller shall inform the data subject in writing of the availability of this notice and shall draw the sender's attention to the fact that the Data Controller may process his/her personal data only if the sender confirms in writing that he/she has read and accepted the contents of this notice. 

Legal basis for processing

Voluntary consent of the data subject pursuant to Article 6(1)(a) GDPR

The data processing is carried out on the community site, so the duration of the data processing, the method of data processing and the possibility of deleting and modifying the data are governed by the rules of the community site.

The privacy policy for Facebook and Instagram (as Meta products) is available at the following link: https://www.facebook.com/privacy/explanation

The relevant TikTok privacy policy is available at the following link: https://www.tiktok.com/legal/page/eea/privacy-policy/hu

LinkedIn is operated in Europe by LinkedIn Ireland Unlimited Company (Gardner House, 5 Wilton Park, Dublin 2, Ireland). The LinkedIn Site operates within the framework of the LinkedIn Privacy Policy. The LinkedIn Privacy Policy is available at https://www.linkedin.com/legal/privacy-policy.

Scope of personal data processed:

  • Name registered on the social media platform;
  • and the user's public profile picture;

The Controller does not verify the personal data provided to it. The person providing the data shall be solely responsible for its accuracy. 

Duration of data processing:

The processing of the personal data provided in the context of contacting or maintaining contact will continue until the Data Subject withdraws his or her consent.

If the Data Subject withdraws his or her consent, the Data Controller will delete all data related to the contact without delay, based on the data erasure options provided by Facebook, Instagram and TikTok.

3.2. Data processing in connection with the ordering of services

Among the companies belonging to the MAHARTLOG group:

  • Mafracht Ltd. is engaged in road transport and freight forwarding;
  • Mahartlog Port Ltd. with port operations,
  • while Mahartlog Invest Zrt. performs asset management and tax and business advisory activities.

MAHARTLOG Group companies provide their services exclusively to legal entities.

3.2.1. Processing of data of a person authorised to act on behalf of or on behalf of a legal person

Purpose of processing: 

The Data Controller provides its services exclusively to legal entities (hereinafter referred to as Business Customers). 

The purpose of data processing is the conclusion and performance of contracts with Business Customers.

Legal basis for processing

GDPR Article 6(1)(f) - legitimate interest

The legal basis for the processing of personal data provided by representatives of Business Customers is the legitimate interest of the Data Controller and of the Business Customer on whose behalf or on whose behalf the data subject is acting.

For the processing of data on the basis of legitimate interests of a person entitled to act on behalf of or on behalf of a legal person, we have carried out the balancing of interests test, which has resulted in a finding that the legitimate interest of the Data Controller or its Business Customer to process the data is genuine and stronger than the interest of the data subjects not to have their data processed. 

The knowledge and processing of the data is essential for the conclusion of the contract between the Data Controller and the Business Customer. 

In compliance with our legal obligation, all data subjects will be given the opportunity to see the detailed balancing of interests test if they make such a request to the Data Controller.

Given that the data subjects' data are processed by the Data Controller or the Data Controller on the basis of the legitimate interests of the Data Controller or the Business Customer, the data subjects have the right to object to the processing; the detailed rules and conditions for exercising this right are set out in Section 5 of this notice.

Scope of personal data processed:

  • Data required for identification
    • Name
    • mother's name
    • place and date of birth
    • signature

Duration and method of data processing:

5 years from the date of the business relationship or the date on which the person concerned became a representative. If legislation (e.g. tax law, etc.) provides for a longer period for recording or storing contracts, the period shall be that laid down in that legislation.

Data storage method: electronic and paper-based

3.2.2. Managing business customer contact details

Purpose of processing: 

Although the Data Controller provides its services exclusively to legal persons, it processes the data of persons who request an offer from the Data Controller as a contact person for Business Clients, or with whom the Data Controller maintains contact during the performance of the contract in case of acceptance of the offer and ordering of the service. 

The purpose of processing the data of the contact persons is therefore to provide the interested Business Partner with an offer for the service and, in the event of a contractual relationship, to ensure direct contact and smooth communication with the Business Partner.

Legal basis for processing

GDPR Article 6(1)(f) - legitimate interest

The legal basis for the processing of personal data provided by Business Customer Contacts is the legitimate interest of the Data Controller and of the Business Customer to whom the contact belongs. For the processing of contact details on the basis of legitimate interest, we have carried out an interest balancing test, which has resulted in a finding that the legitimate interest of the Data Controller and the Business Customer, respectively, to process the data is genuine and outweighs the interest of the data subjects not to have their data processed. The knowledge and processing of the data is indispensable to enable the Data Controller to send the Business Partner an offer for the provision of services based on the information provided by the Business Partner and, if the Business Partner accepts the offer of the Data Controller and a contract is concluded between them, to contact the Business Partner directly and consult with him/her at short notice on issues arising in the course of the performance of the contract.

In compliance with our legal obligation, all data subjects will be given the opportunity to see the detailed balancing of interests test if they make such a request to the Data Controller.

Given that the data subjects' data are processed by the Data Controller or the Data Controller on the basis of the legitimate interests of the Data Controller or the Business Customer, the data subjects have the right to object to the processing; the detailed rules and conditions for exercising this right are set out in Section 5 of this notice.

Scope of personal data processed:

  • Contact name;
  • Email
  • Phone number

Duration of data processing:

The data of the contact persons are processed until the contractual relationship between the Data Controller and the Business Partner appointing the contact person for the task(s) specified in the contract is terminated. In the event that the identity of the contact person of the Business Partner changes in the meantime, the processing of the data of the data subject shall continue until the Business Partner or the Data Subject notifies the Data Controller in writing of such change.

3.3. Data processing in connection with image and video recordings

Purpose of processing:  

To promote and disseminate the company's activities to a wide audience by publishing video and photo footage of an event or event organised by the Data Controller on the Data Controller's website and/or social networking sites (Facebook, Instagram, TikTok) and/or LinkedIn profile.

Legal basis for processing 

In the case of recordings that are bulk recordings, the processing of data - in accordance with Article 6 (1) (e) of the GDPR and Article 6 (1) (e) of the Info tv. The statutory provision is Article 2:48 (2) of the Civil Code, according to which the consent of the data subject is not required for the making and use of a visual or audio recording in the case of public recordings and recordings of public appearances.

Crowd shots show a crowd of people, the people depicted are not seen as individuals but as part of the crowd. If the image does not show individuals individually, but as a crowd, it is a crowd shot.

If it is not a mass recording, the voluntary consent of the Data Subject is required for the creation and processing of the image and video.

The processing of data - in accordance with Article 6 (1) (a) of the GDPR and the Info tv. Article 5 (1) (a) of the GDPR.

For the creation and use of a recording made specifically about a particular person(s), the consent of the data subject is required. The same applies to the extraction of the image from the crowd, using any recording device (e.g. telephoto lens, zoom), as this will reindividualise the image and in such a case the consent of the data subject is required for the creation and use of the image. If individualisation is carried out by post-editing from the mass photograph, consent is also required.

Scope of personal data processed:

  • Image and video recording

Duration and method of data processing:

The Data Controller will process the recordings (on its own internal platform, website, social media platforms, etc.) only as long as they are of interest and up-to-date, after which they will be deleted or deleted even if the data subject withdraws his/her consent.

3.4. Data subjects, data transfers, data processing

The data may be accessed by the internal staff of the Data Controller with whom the data subject has contacted or whose access and processing of the data is related to their job duties.

Data processors:

 

Profitárhely

 

Registered office: 6000 Kecskemét, Szolnoki út 23.

Tax number: 23173080-2-03

Company registration number: 03 09 121889

 

 

Hosting (for the proper operation of the website)

 

Temarketinged Kft.

Head office: 4024 Debrecen, Wesselényi u. 1.

Tax number: 32037704-2-09

Company registration number: 09 09 034197

 

 

Provision of information technology services
 

 

Székhely: 

Cégjegyzékszám:  

Adószám: 

 

 

Vállalatirányítási rendszer

 

 

 

Székhely: 

Cégjegyzékszám:  

Adószám: 

 

 

 


 


  • Rights of the Data Subject

Rights of the data subject.

(a) request information about the processing of personal data concerning him or her and access to such personal data,

(b) request their rectification,

c) request their deletion,

d) request the restriction of the processing of personal data,

e) object to the processing of personal data,

f) exercise his or her right to data portability.

(g) exercise his or her right of appeal. 

The data subject may lodge a complaint with the National Authority for Data Protection and Freedom of Information (hereinafter referred to as "NAIH") or apply to the competent court as set out at the end of this notice.

 

Rights of data subjects in relation to data processing 

The Data Controller shall ensure that the rights of data subjects are respected as follows.

The Data Controller shall provide the data subject with the opportunity to make a request to exercise his or her data subject rights by any of the following means and through the contact details set out in this notice: (i) by post, (ii) by e-mail, (iii) by telephone.

Phone number: +36 1 429-5010

Email: mahartlog@mahartlog.hu

Postal address: 1121 Budapest, Mártonvölgy utca 26.

The controller shall comply with the data subject's request without undue delay and in any event within 30 days of receipt of the request and shall inform the data subject thereof in a concise, transparent, intelligible and easily accessible form, in clear and plain language. The Data Controller shall also decide on the refusal of the request within that period and shall inform the data subject of the refusal, the reasons for the refusal and the data subject's remedies in this respect.

As a general rule, the controller shall comply with the data subject's request by e-mail, unless the data subject requests otherwise. At the request of the data subject, information may be provided by telephone only if the data subject has provided proof of his or her identity. The controller shall not use the postal address or telephone number of the data subject for any other purpose.

The Data Controller shall not charge any fees or reimbursement of costs for the fulfilment of the data subjects' requests, as detailed below. However, in the event that a new, unfounded, excessive request for the same data subject is received from the data subject within one year of the previous, already fulfilled request, the Data Controller reserves the right to charge a reasonable fee for the fulfilment of the request, proportionate to the workload involved in fulfilling the request, or to refuse to act on the request, in its discretion, giving adequate reasons.

Right to information and access

The controller shall provide the data subject, at his or her request, with the following information in a concise, transparent, intelligible and easily accessible form, in clear and plain language:

  • whether the processing of your personal data by the Data Controller is ongoing;
  • the name and contact details of the Data Controller;
  • the personal data of the data subject processed by the Controller and their source;
  • the purposes for which the personal data are processed and the legal basis for the processing;
  • the duration of the processing;
  • the recipients or categories of recipients to whom or which personal data have been or will be disclosed;
  • about the rights of the data subject;
  • the circumstances and effects of a possible data breach and the measures taken to deal with it.

Right to rectification

The controller shall, at the request of the data subject, correct inaccurate personal data relating to the data subject.

The controller shall inform all recipients to whom or with whom the personal data have been disclosed of the rectification, unless this proves impossible or involves a disproportionate effort. At the request of the data subject, the Controller shall inform the data subject of those recipients.

Right to erasure ("right to be forgotten")

At the request of the data subject, the Data Controller shall delete personal data concerning the data subject where one of the following grounds applies:

  • the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
  • the data subject objects to the processing;
  • the personal data were unlawfully processed by the Data Controller;
  • the personal data must be erased in order to comply with a legal obligation under EU or Hungarian law applicable to the Data Controller.

The controller shall inform all recipients to whom or with whom the personal data have been disclosed of the erasure, unless this proves impossible or involves a disproportionate effort. At the request of the data subject, the Controller shall inform the data subject of those recipients.

Right to restriction of processing

At the request of the data subject, the Data Controller shall restrict the processing if one of the following conditions is met:

  • the data subject contests the accuracy of the personal data - in this case, the restriction applies for the period of time that allows the Controller to verify the accuracy of the personal data;
  • the processing is unlawful, but the data subject opposes the erasure of the data and instead requests the restriction of their use;
  • the Controller no longer needs the personal data for the purposes of processing, but the data subject requires them for the establishment, exercise or defence of legal claims.

The controller shall inform all recipients to whom or with whom the personal data have been disclosed of the restriction, unless this proves impossible or involves a disproportionate effort. At the data subject's request, the Controller shall inform the data subject of those recipients.

Right to data portability

The Data Controller shall, at the request of the data subject, make available to the data subject the personal data concerning the data subject which the data subject has provided. The Controller further undertakes that the data subject may transfer such personal data to another controller without being prevented from doing so by the Controller.

Right to legal redress

If the data subject believes that the Data Controller has infringed his or her right to the protection of personal data in the course of processing, he or she may, in accordance with the applicable legislation, seek redress from the competent authorities, i.e. lodge a complaint with the NAIH (address: H-1055 Budapest, Falk Miksa utca 9-11.; postal address: 1363 Budapest, Pf. 9..; website: www.naih.hu; e-mail: ugyfelszolgalat@naih.hu; telephone: +36-1/391-1400) or apply to the competent court. 

The Data Controller undertakes to cooperate fully with the court or the NAIH concerned in these proceedings, and to disclose the data relating to the processing to the court or the NAIH concerned.

The Data Controller also undertakes to compensate for any damage caused by unlawful processing of the personal data of the data subject or by a breach of data security requirements. In case of violation of the data subject's right to privacy, the data subject may claim damages. The controller shall be exempted from liability if the damage was caused by an unavoidable cause outside the scope of the processing and if the damage or harm caused by the infringement of the personality right results from the intentional or grossly negligent conduct of the data subject.

Data security measures

The Data Controller shall ensure the security of the data. The Data Controller has taken technical and organisational measures and established procedural rules to ensure that the data recorded, stored and processed are protected and to prevent their destruction, unauthorised use and unauthorised alteration. It also requires third parties to whom the data subject's data have been disclosed to comply with the requirement of data security.

The Data Controller shall ensure that the processed data cannot be accessed, disclosed, transmitted, modified or deleted by unauthorised persons.

The Data Controller shall make every reasonable effort to ensure that the data are not damaged or destroyed. The Data Controller shall also impose the above commitment on its employees and partners involved in its data processing activities, including data processors acting on behalf of the Data Controller.

Handling data protection incidents

If the Data Controller becomes aware of any accidental or unlawful destruction, loss, alteration, unauthorized disclosure or transmission of, or unauthorized access to, personal data transmitted, stored or otherwise processed by it (hereinafter collectively referred to as "data breach"), it shall comply with Articles 33-34 of the GDPR. to notify the data protection incident to the competent and competent data protection authority (hereinafter referred to as "DPA") and to inform the data subject or data subjects of the data protection incident where it is likely to result in a high risk to the rights and freedoms of natural persons. 

Any person who becomes aware of a personal data breach involving personal data transmitted, stored or otherwise processed by the Data Controller as described above may notify the Data Controller at the following contact details: mahartlog@mahartlog.hu.

The person making the notification must provide the following information in addition to the subject matter of the data breach:

  • name of the applicant;
  • contact details of the notifier: telephone number and/or e-mail address, 
  • the incident affects the software, and if so, which part or which service.  

The Data Controller shall, within 1 working day at the latest, if it considers the incident to be serious, investigate the notification without delay and, if necessary, request further data from the notifier. Within 72 hours of the notification of the incident, the Data Controller shall provide the NAIH with the data.

The data must include the following:

  • the nature of the personal data breach, including the categories and approximate number of data subjects and the categories and approximate number of data subjects affected by the breach; 
  • the name and contact details of the contact person who can provide further information; 
  • the likely consequences of the data breach; 
  • the measures taken or envisaged by the controller to remedy the personal data breach, including, where appropriate, measures to mitigate any adverse consequences of the personal data breach.

If the personal data breach requires further investigation, the Data Controller will take the necessary steps to assess the actual and potential impact of the personal data breach during the investigation, with the involvement of appropriate experts. A report shall be prepared by the experts called upon. The report shall include a proposal for the security measures necessary to remedy the personal data breach.

The Data Controller decides on the measures to be taken. 

The controller shall, where it considers that the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, inform the data subject of the personal data breach without undue delay.

In the notification, the controller shall clearly and prominently describe the nature of the personal data breach, highlighting the following: 

  • the name and contact details of the contact person who can provide further information; 
  • the likely consequences of a data breach; 
  • the measures taken or envisaged by the controller to remedy the personal data breach, including, where appropriate, measures to mitigate any adverse consequences of the personal data breach.

The controller shall not inform the data subject if: 

  • implemented appropriate technical and organisational protection measures and applied these measures to the data affected by the personal data breach, in particular measures such as the use of encryption to make the data unintelligible to persons not authorised to access the personal data;
  • has taken additional measures following the data breach to ensure that the high risk to the rights and freedoms of the data subject is no longer likely to materialise;
  • the provision of information would require a disproportionate effort, i.e. the data subjects are so numerous that the Data Controller could only provide them with the information referred to above at disproportionate expense. In such a case, the Data Controller shall arrange for the appropriate information to be made public. 

Records of data protection incidents

The Data Controller shall keep a record of the personal data breach. 

It must be recorded in the register: 

  • the scope of the personal data concerned, 
  • the scope and number of data subjects affected by the data breach, 
  • the date of the data breach,
  • the circumstances and effects of the data breach, 
  • the measures taken to respond to the data breach, 
  • other data specified in the legislation providing for the processing.

 

The Data Controller is obliged to keep the data on data protection incidents in the register for 5 years in the case of an incident involving personal data and for 20 years in the case of an incident involving sensitive data.

Right to legal redress

For any questions or comments regarding data management, please contact the Data Controller using one of the contact details provided in this notice.

You can also lodge a complaint with the National Authority for Data Protection and Freedom of Information:

Name: National Authority for Data Protection and Freedom of Information

Headquarters: H- 1055 Budapest, Falk Miksa utca 9-11.

Address for correspondence: 1363 Budapest, Pf. 9.

Address for correspondence: 1363 Budapest, Pf. 9.

Fax: +36-1-391-1410

Website: www.naih.hu

E-mail: ugyfelszolgalat@naih.hu

In the event of a breach of the data subject's rights, the Data Controller may take legal action against the data subject. The court shall rule on the case out of turn. The Data Controller shall prove that the processing complies with the law. The tribunal shall have jurisdiction to rule on the case. The action may also be brought before the courts for the place where the plaintiff, i.e. the data subject, is domiciled or resident.

The Data Controller undertakes to cooperate fully with the court or the NAIH concerned in these proceedings, and to disclose the data relating to the processing to the court or the NAIH concerned.

 

The Data Controller also undertakes to compensate for any damage caused by unlawful processing of the personal data of the data subject or by a breach of data security requirements. In case of violation of the data subject's right to privacy, the data subject may claim damages. The controller shall be exempted from liability if the damage was caused by an unavoidable cause outside the scope of the processing and if the damage or harm caused by the infringement of the personality right results from the intentional or grossly negligent conduct of the data subject.

The Data Controller reserves the right to change this information at any time.

en_GBEN
en_GBEN hu_HUHU