Data Privacy Policy

I. Purpose, scope and applicable law of the Privacy Notice ("Notice")

The English version of this data privacy policy is provided for reference purposes only. In case of any discrepancies or inconsistencies between the English and Hungarian versions, the Hungarian version shall prevail and be considered the authoritative document. Please consult the Hungarian version for the official and legally binding terms and conditions.

1. The purpose of this Privacy Policy is to set out the data protection and data management principles applied by Planergy Solutions Ltd. (registered office: 4400 Nyíregyháza, Debreceni út 43; company registration number: 15-09-089001; tax number: 27408016-2-15; representative: Marcell Szűcs, Managing Director; hereinafter referred to as "Company", also referred to as "Data Controller") and the Company's data protection and data management policy, which the Data Controller acknowledges as binding.  The scope of this Policy covers the processing of data related to the use of the websites dimensim.hu and dimensim.com (hereinafter referred to as "Website1") and the website planergy.hu (hereinafter referred to as "Website2", Website1 and Website2 together hereinafter referred to as "Websites") and the online conclusion of a subscription contract for the DimenSim software and the use of the DimenSim software.

2. This Notice sets out the information on the processing of Personal Data in a clear and comprehensible manner, taking into account the principle of transparency.

3. This Policy does not cover the services and data processing related to promotions, sweepstakes, services, other campaigns of third parties advertising on the Websites, or the content published by them. Furthermore, this Policy does not cover the services and data processing of websites and/or service providers to which the Websites contain a link. In no case will the Data Controller request or expressly prohibit its Subscribers and/or Users from providing specific data and/or Health Data.

4. The Data Controller shall process Personal Data in accordance with applicable law. The legislation governing the processing of personal data shall in particular:

• Regulation (EU) No 2016/679/EU of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter "GDPR")
• Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information (hereinafter referred to as "the Information Act")
• Act V of 2013 on the Civil Code (hereinafter "Civil Code")
• Act XLVIII of 2008 on the Fundamental Conditions and Certain Restrictions of Economic Advertising Activities (hereinafter referred to as "Grtv.")

II. Identity, contact details and activities of the Data Controller

1. The Data Controller is Planergy Solutions Kft. (registered office: 4400 Nyíregyháza, Debreceni út 43.; register: Nyíregyháza General Court; company registration number: 15-09-089001; tax number: 27408016-2-15; representative:Marcell Szűcs, Managing Director; telephone: +36 30‍ 5 987654; e-mail: planergysolutionskft@gmail.com; website: https://planergy.hu and https://dimensim.com hereinafter referred to as "the Company"). The personal data of the Users is processed by the Data Controller in connection with the operation of the Websites on the basis of this Policy.

2. The Data Controller operates the Website1 through which the DimenSim Software can be ordered from the Data Controller. On Website1, Users may collect information on the operation of the Controller's DimenSim Software, request a quote, enter into an online Subscription Agreement or subscribe to the newsletter/direct marketing service provided by the Controller.

3. Pursuant to Article 37(1) of the GDPR, the Data Controller is not obliged to appoint a Data Protection Officer, and therefore no Data Protection Officer has been appointed at the Data Controller.

III. Definitions

Processing: any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure, transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

Data Controller: the person, as defined in point II.1, who determines, alone or jointly with others, the purposes and means of the Processing of Personal Data.

Data processor: a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller, the use of which does not require the consent of the data subject, but the data subject must be informed of the identity of the processor;

Recipient: the natural or legal person, public authority, agency or any other body, whether or not a third party, with whom or to which the personal data are disclosed. Public authorities which may have access to personal data in the context of an individual investigation in accordance with Union or Member State law are not recipients; the processing of those data by those public authorities must comply with the applicable data protection rules in accordance with the purposes of the processing;

Data Subject: a natural person who is or may be identified, directly or indirectly, on the basis of personal data; a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the natural person;

Consent of the Data Subject: a voluntary, specific, informed and unambiguous indication of the Data Subject's wishes, by which the Data Subject signifies, by means of a statement or an unambiguous act of affirmation, that he or she gives his or her consent to the processing of Personal Data concerning him or her;

User: a person who registers as a user in the User Account of a Subscriber who is a legal person, who is a contact person of the Subscriber and/or who subscribes to the newsletter of the Data Controller and, in this context, provides the data listed in point VIII below, or who registers on the Websites of the Data Controller.

Supervisory Authority: in Hungary, the National Authority for Data Protection and Freedom of Information ("NAIH").

Third party: a natural or legal person, public authority, agency or any other body other than the Data Subject, the Controller, the Processor or the persons who, under the direct authority of the Controller or the Processor, are authorised to process Personal Data;

Special categories of data: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade-union membership, genetic data and biometric data revealing the identity of natural persons, health data and personal data concerning the sex life or sexual orientation of natural persons.

Personal Data: any data or information relating to a Data Subject which makes it possible to identify, directly or indirectly, a natural person.

Notice: this Privacy Notice of the Data Controller.

Definitions used in the Prospectus and not specifically defined in this Section III shall have the meaning given to them in the legislation referred to in Section I.5.

IV. Principles and methods of data processing

1. In order to ensure a consistent and high level of protection of Personal Data, the Controller shall fully respect the legal requirements and shall carry out its activities in particular in accordance with the following principles, within a transparent and regulated framework. The Data Controller shall act in cooperation with Users in accordance with the requirements of lawfulness, fairness and transparency in the processing of Personal Data.

2. The Data Controller collects Personal Data only for specified, explicit and legitimate purposes and processes only the data specified by law or provided by Users for the purposes set out below. The scope of the Personal Data processed shall be proportionate to the purpose of the processing, shall not go beyond that purpose and shall be limited to the extent necessary ("purpose limitation").

3. Personal Data must be adequate, relevant and limited to what is necessary for the purposes for which it is processed ("data minimisation");

4. In all cases where the Data Controller intends to use the Personal Data for a purpose other than that for which it was originally collected, the User shall be informed thereof and shall obtain his or her prior explicit consent or be given the opportunity to prohibit the processing.

5. The Data Controller shall make every effort to ensure that the Personal Data it processes are accurate and, where necessary, kept up to date, and shall take all reasonable steps to promptly delete or rectify Personal Data that are inaccurate for the purposes of the Processing ("Accuracy"). The Data Controller does not verify the Personal Data provided to it. Only the person who provided the Personal Data is responsible for the accuracy of the Personal Data.

6. The Data Controller shall not transfer the Personal Data it processes to any third party other than the Data Processors specified in this Policy, except for the possible use of the data in a statistically aggregated form, which shall not contain any other form of data that can identify the User concerned.

7. In certain cases - official judicial or police requests, legal proceedings for copyright, property or other infringements or reasonable suspicion of infringement of the interests of the Data Controller, etc. - the Data Controller may make available to third parties the Personal Data of the User concerned.

8. The Data Controller shall notify the User concerned and all those to whom the Personal Data was previously transmitted for the purpose of Processing of the rectification, restriction or erasure of the Personal Data processed by the Data Controller. The notification may be omitted if this does not harm the legitimate interests of the User with regard to the purpose of the Processing.

9. The Controller shall store Personal Data in a form which permits identification of Data Subjects only for the time necessary to achieve the purposes for which the Personal Data are processed; Personal Data shall be stored for longer periods only in cases provided for by law ("limited storage");

10. The Controller shall process personal data in such a way as to ensure adequate security of personal data, including protection against unauthorised or unlawful processing, accidental loss, destruction or damage (" integrity and confidentiality"), by implementing appropriate technical or organisational measures.

The Controller is responsible for compliance with the above principles and must be able to demonstrate such compliance ("accountability").

V. Legal basis for processing

They contact the Data Controller on a per User basis, voluntarily using the services of the Data Controller. In the absence of the Users' consent, the Data Controller shall process data only if expressly and unambiguously authorised by law.The processing of Personal Data is lawful only if and to the extent that at least one of the following conditions is met:

A) Voluntary consent (Article 6(1)(a) GDPR)

In this case, the legal basis for the processing is the express consent of the Users based on their voluntary and duly informed consent.If none of the processing under the legal titles below applies, the Data Controller may process Personal Data on the basis of the express consent of the Data Subject, given the purpose of the processing (e.g.: the name and e-mail address of the Data Subject is required to subscribe to the newsletter). The Data Subject has the right to withdraw his/her consent at any time. The withdrawal of consent does not affect the lawfulness of the processing based on consent prior to its withdrawal.

B) Contract performance (Article 6(1)(b) GDPR)

The processing of Personal Data is necessary for the performance of the contract or, at the request of the data subject, in order to establish a contractual relationship (e.g.: User's name and e-mail address are required to send a test password).

C) Compliance with a legal obligation (Article 6(1)(c) GDPR)

Processing of Personal Data to the extent necessary to comply with a legal obligation to which the Data Controller is subject (e.g.: employee's tax identification number).

D) Vital interest (Article 6(1)(d) GDPR)

The processing is necessary to protect the vital interests of the Data Subject or another natural person.

E) Legislative mandate

Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

F) Legitimate interest (Article 6(1)(f) GDPR)

The processing is necessary for the purposes of the legitimate interests pursued by the Data Controller or a third party (other than the Data Subject), unless such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data (e.g. the processing of the name, residence or tax number of the data subject, which are public company register data).

The Data Controller records the User's IP address when the User accesses certain websites in connection with the provision of the service, in the legitimate interest of the Data Controller and for the lawful provision of the service (e.g. to detect unlawful use), without the User's consent.

The Data Controller does not process personal data on legal bases other than those indicated in point V.

Transfers of Data to the Data Processors specified in this Policy may be made without the User's specific consent. Unless otherwise provided by law, the disclosure of personal data to third parties or public authorities is only possible on the basis of a final decision by a public authority or court or with the prior express consent of the User.

When providing any User's e-mail address and the data provided during the contact (e.g. surname, first name, e-mail address, telephone number, job title or position, etc.), the User also assumes responsibility for the fact that only the User will use the service from the e-mail address provided or using the data provided. In view of this assumption of responsibility, any liability for contacting the User from an e-mail address and/or using the data provided shall be borne solely by the User who registered the e-mail address and provided the data.

VI. Purpose of the processing

1. The Controller processes personal data solely for specified purposes, for the exercise of rights and the performance of obligations. At all stages of the processing, the purpose of the processing is fulfilled. The data are collected and processed fairly and lawfully. The Data Controller shall endeavour to process only personal data that is necessary for the purpose of the processing and is adequate for the purpose. Personal data shall only be processed to the extent and for the duration necessary to achieve the purpose.

2. The purpose of the processing is primarily the operation of the Websites and the recording of Personal Data necessary for the conclusion of an online Subscription Contract with the Data Controller and/or for the verification of the right of representation.

3. The purpose of the processing based on the above:

• Identifying the User, contacting the User;
• Send an offer to the User;
• Sending direct marketing or solicitation (e.g. newsletter) to Users;
• Fulfilling the obligations incumbent on the Data Controller, exercising the rights of the Data Controller;
• Analysis, statistics, development of services - for this purpose, the Data Controller uses only anonymised data, aggregated data that cannot be personally identified;
• Protection of Users' rights.

VII. Source of data

In addition to the data specified in the Cookie Policy, the Data Controller only processes Personal Data provided by Users and does not collect Personal Data from other sources.

Personal Data is provided when the User contacts us. When contacting us, the User provides his/her first and last name, e-mail address, company name, position/job title/authority and telephone number.

VIII. Scope of the data processed

The Data Controller processes only the Personal Data provided by the User. The details of the data processed are as follows:

A) Contact via websites

The Data Controller processes the following data in relation to contacting you via the Websites (i.e., to call you back, to try a trial and request a quote, or to send you a direct e-mail):

Source of Personal Data: the source of all Processed Data under the above table is the data subject.

Voluntary nature of the provision of the data, consequences of not providing the data: the provision of Personal Data according to the above table is voluntary and in any case depends on the choice of the data subject, but without the provision of the data, no contact will be possible.

Duration of storage of Personal Data: the Data Controller shall store the Personal Data referred to in the table above for the period indicated in the table under the heading " Purpose of processing, legal basis for processing".

Automated decision making, profiling: no automated decision making, profiling will take place in the course of the processing according to the above table.

Personal Data of the recipient or categories of recipients: the Data Controller's employees who deal with the offer, the Personal Data as set out in the table above will not be disclosed by the Data Controller to any other person other than the recipient.

Transfers to third countries or international organisations: no transfers are made to third countries or international organisations in the course of processing.

Use of a data processor: the Data Controller may use data processors in the field of marketing to fulfil the purpose of the contact, the contact details of which are set out in point XII.

Rights of the data subject: in relation to the processing of data in accordance with the above table, the data subject may exercise the following rights:

• a) in respect of all processing: the right of access, rectification, erasure, restriction and the right to lodge a complaint;
• b) in case of processing based on consent: the right to withdraw.

B) Details of Users and/or contacts of Subscribers who have entered into an online contract via Website1

The Data Controller processes the data of Subscribers who have concluded an online subscription contract via Website1 in relation to their Users/Contacts as set out in the table below:

Source of Personal Data: the source of all Processed Data under the above table is the data subject.

Voluntary provision of data, consequences of failure to provide data: the provision of Personal Data according to the above table is voluntary and in any case depends on the decision of the data subject, but without the provision of the data, no Subscription Contract can be concluded.

Duration of storage of personal data: the Data Controller will store the Personal Data according to the table above for the period indicated in the table under the heading " Purpose and legal basis of processing".

Automated decision making, profiling: no automated decision making, profiling will take place in the course of the processing according to the above table.

Personal data of the recipient or categories of recipients: the Data Controller's employees involved in contracting and invoicing, the Personal Data in the table above will not be disclosed by the Data Controller to persons other than the recipients.

Transfers to third countries or international organisations:No transfers to third countries or international organisations will take place during the processing.

Use of a data processor: the Data Controller may use data processors in the field of marketing to fulfil the purpose of the contact, the contact details of which are set out in Section XIII.

Rights of the data subject: in relation to the processing of data in accordance with the above table, the data subject may exercise the following rights:

• a) in respect of all processing: the right of access, rectification, erasure, restriction and the right to lodge a complaint;
• b) in case of processing based on consent: the right to withdraw.

C) Data of Users registered on Website1 who are not Subscribers

The Data Controller processes the personal data of Users who are not Subscribers and who have registered on Website1 in accordance with the following table:

Source of Personal Data: the source of all Processed Data under the above table is the data subject.

Voluntary provision of data, consequences of failure to provide data: the provision of Personal Data according to the above table is voluntary and in any case depends on the choice of the data subject, but in case of failure to provide such data (except for the telephone number), the registration and the services linked to the registration cannot be performed.

Duration of storage of Personal Data: the Data Controller will store the Personal Data according to the table above for the period indicated in the table under the heading " Purpose, legal basis for processing".

Automated decision making, profiling: no automated decision making or profiling will take place in the course of the processing of data according to the above table.

Personal data of the recipient or categories of recipients: the Data Controller's employees involved in the contracting process, the Personal data according to the above table will not be disclosed by the Data Controller to persons other than recipients.

Transfers to third countries or international organisations: no transfers to third countries or international organisations will take place in the course of data processing.

Use of a Data Processor: the Data Controller may use Data Processors for its performance, the contact details of which are set out in Section XIII.

Rights of the data subject: in relation to the processing of data in accordance with the above table, the data subject may exercise the following rights:

• a) in respect of all processing: the right of access, rectification, erasure, restriction and the right to lodge a complaint;
• b) in case of processing based on consent: the right to withdraw.

D) IP addresses, event logs of Users and/or contacts of Subscribers who have entered into an online contract via Website1 and or Registrants

Scope of the data processed: the Data Controller records it when you use its services:

• a) the IP address of the electronic device used to make the request;
• (b) the activities carried out by the Data Subject in the context of the use of the Data Controller's services and the requests made therefrom (hereinafter referred to as the "Event Log").

The purpose of the Data Processing is:to increase data security with regard to IP addresses, to fulfil the online Subscriber Agreement between the Data Controller and the Subscriber and for statistical data analysis. The purpose of the processing is to increase data security for the Event Log and statistical data analysis.

The legal basis for the processing is the legitimate interest of the Data Controller and, in addition, the performance of the Subscriber Agreement between the Data Controller and the Data Subject in respect of IP addresses.

As regards the IP addresses and the Event Log, the Data Controller carried out an interest analysis in order to assess whether a legitimate interest actually exists, in order to ensure that only lawful processing takes place. In the course of the interest analysis, the Data Controller examined, inter alia, the purposes of the processing, the interest and lawfulness of the processing, the necessity of the processing and the possible effects (positive and negative) of the processing on the data subjects.

As a result of the balancing of interests, the interests of the Data Controller in the processing have been found to prevail over the interests, fundamental rights and freedoms of the data subject, with a view to which the result of the balancing of interests establishes the legal basis for the processing based on the balancing of interests in all respects.

In the balancing of interests, particular weight was given to the fact that the contractual relationship between the Data Controller and the customer has a common interest in the fulfilment of the contractual obligations of the Data Controller and its provability, the balance of the service and the enhancement of data security. Due to the nature of the services provided by the Data Controller, personal data relating to the Data Subject can only be inferred indirectly, and therefore the interest of the Data Controller in the processing of IP addresses and the Event Log overrides the interests and rights of the Data Subjects. In weighing the interests, the Data Controller has also considered as a relevant circumstance the fact that it does not disclose the processed data to the public and does not make it available to persons other than the data processor.

Source of personal data:the source of all the above Processed Data is the data subject.

Voluntary provision of data, consequences of failure to provide data:The provision of the processed data is mandatory in order to use the services of the Data Controller, in their absence the service is not available.

Duration of storage of personal data: the duration of storage of data is 3 months for load balancer and web server log entries, 1 year from the date of creation of the data, in case of legitimate interest until the effective objection.

Automated decision making, profiling: no automated decision making or profiling takes place in the course of the above data processing.

The recipient or categories of recipients of the Personal Data: the Data Controller's IT security staff, the above Personal Data will not be disclosed by the Data Controller to any other person as a recipient.

Transfers to third countries or international organisations:No transfers to third countries or international organisations will take place during the processing.

Use of a data processor:The Data Controller uses a data processor for the analysis of log entries (log analysis), the contact details of which are set out in point XIII.

Rights of the data subject: in relation to the above processing, the data subject may exercise the following rights:

• a) in respect of all processing: the right of access, rectification, erasure, restriction and the right to lodge a complaint;
• b) in case of processing based on consent: the right to withdraw.

E) Identifying information (Username and Password) of persons and/or Subscribers who register via Website1

Scope of the data processed: the Data Controller requires the provision of a username and password for the services on Website1 that are subject to registration. Accordingly, the scope of the data processed for this purpose includes the following:

• a) an online username (hereinafter referred to as "Username");
• b) an online password (hereinafter referred to as "Password").

Purpose of the Processing:

• In the case of Subscribers and Registrants who are not Subscribers, the primary purpose of the Processing is to provide the service to the Subscribers of the Data Controller. With regard to the User Name, the secondary purpose of the Processing is statistical data analysis.

Legal basis for processing:

• the legitimate interest of the Controller; or the consent of the Data Subject; and
• In the case of Subscribers, the legal basis for data processing is the performance of the Subscriber Contract between the Data Controller and the Subscribers.

In assessing whether a legitimate interest actually exists, the Data Controller has carried out an interest analysis to ensure that only lawful processing takes place. In the interest analysis, the Data Controller has assessed, inter alia, the purposes of the processing, the interest and lawfulness of the processing, the necessity of the processing and the possible effects (positive and negative) of the processing on the data subjects.

As a result of the balancing of interests, the interests of the Data Controller in the processing have been found to prevail over the interests, fundamental rights and freedoms of the data subject, with a view to which the result of the balancing of interests establishes the legal basis for the processing based on the balancing of interests in all respects.

In the balancing of interests, particular weight was given to the fact that the contractual relationship between the Data Controller and the customer has a common interest in the fulfilment of the contractual obligations of the Data Controller and its provability, the balance of the service and the enhancement of data security.

Source of personal data: the Data Subject registering the User Name and Password. If the Password is generated by the Controller, the source of the data is the Controller.

Voluntary provision of data, consequences of failure to provide data: the provision of the processed data is mandatory for registration with the Data Controller, without them the registration is not available.

Duration of storage of personal data:5 years from the termination of the contract for Subscribers (statute of limitations); for Users who are not Subscribers, until the effective objection in case of legitimate interest. In case of consent, until revocation.

Automated decision making, profiling: no automated decision making or profiling takes place in the course of the above processing.

The recipient or categories of recipients of the Personal Data: the Data Controller's employees involved in the provision of services or IT security, the above Personal Data will not be disclosed by the Data Controller to any other person other than the recipient.

Transfers to third countries or international organisations: no transfers are made to third countries or international organisations in the course of processing.

Use of a Data Processor: the Data Controller does not use a Data Processor to process these data.

Rights of the data subject: in relation to the above processing, the data subject may exercise the following rights:

• a) in respect of all processing: the right of access, rectification, erasure, restriction and the right to lodge a complaint;
• b) in case of processing based on consent: the right to withdraw.

F) Complaints handling

Scope of the data processed: the Data Controller processes the following Personal Data in the context of its complaint handling:

• a) the surname and first name of the complainant
• b) the telephone number of the complainant
• c) the complainant's e-mail address

Purpose of the processing: to handle complaints, to provide information in response to the Data Subject's complaint;

Legal basis for processing: the data subject's consent.

Source of Personal Data: the source of all Personal Data is the Data Subject (the complainant).

Voluntary provision of data, consequences of failure to provide data: the provision of data is voluntary and always depends on the decision of the data subject, but without the provision of data, it is not possible to lodge a complaint or provide the appropriate information.

Duration of storage of personal data: the Data Controller stores personal data until the complaint is settled, the appropriate information is provided or the case is closed.

Automated decision making, profiling: no automated decision making or profiling takes place in the course of the above processing.

The recipient or categories of recipients of the Personal Data: the Data Controller's employees involved in contracting and/or providing services, the above Personal Data will not be disclosed by the Data Controller to persons other than recipients.

Transfers to third countries or international organisations: no transfers to third countries or international organisations will take place in the course of data processing.

Use of a Data Processor: the Data Controller does not use a Data Processor to process these data.

Rights of the data subject: in relation to the above processing, the data subject may exercise the following rights:

• a) in respect of all processing: the right of access, rectification, erasure, restriction and the right to lodge a complaint;
• b) in case of processing based on consent: the right to withdraw.

G) Newsletter

Scope of data processed: the Data Controller processes the following personal data in relation to the newsletters:

• the first and last name of the person subscribing to the newsletter;
• the e-mail address of the person subscribing to the newsletter.

Purpose of the Processing: the provision of a newsletter service by the Data Controller to subscribers of the newsletter in respect of all Personal Data;

Legal basis for processing: the consent of the Data Subject, i.e. the person subscribing to the newsletter.

Source of Personal Data: the source of all Personal Data is the Data Subject (newsletter subscriber).

The voluntary nature of the data, the consequences of not providing data:

Data processing is completely voluntary, the Data Subject is not obliged to provide the Data Controller with the Personal Data, however, without the provision of the data, the newsletter service cannot be provided.

In order to prevent unauthorised persons from subscribing to the newsletter on behalf of the Data Subject, the Data Subject must confirm the subscription by clicking on the link in the e-mail sent to the e-mail address provided by the Data Subject.

Duration of storage of personal data:

The Data Controller stores the Data Subject's data until the consent is withdrawn, i.e. until the newsletter is unsubscribed. You can unsubscribe from the newsletter by clicking on the link in the newsletter.

Automated decision making, profiling: no automated decision making or profiling takes place in the course of the above processing.

The recipient or categories of recipients of the Personal Data: the Data Controller's employees engaged in the provision of services or marketing, the above Personal Data will not be disclosed by the Data Controller to any other person as a recipient.

Transfers to third countries or international organisations: no transfers are made to third countries or international organisations in the course of processing.

Use of a data processor: the Data Controller uses a data processor for the purpose of sending out newsletters, whose contact details are set out in point XIII.

Rights of the data subject: in relation to the above processing, the data subject may exercise the following rights:

• a) in respect of all processing: the right of access, rectification, erasure, restriction and the right to lodge a complaint;
• b) in case of processing based on consent: the right to withdraw.

IX. Description of the data management process

The Data Controller processes Personal Data - in addition to point XI - only on the basis of the User's data. The source of the data is therefore the User himself, who provides the data during the contact. The User provides the data on a voluntary basis and independently, the Data Controller does not give any binding guidelines or content requirements in this respect. The User gives his/her explicit consent to the processing of the data provided by him/her.

By contacting us, the User, by providing his/her data, expressly consents to the Data Controller's Data Processors having access to his/her data.

X. Processing for direct marketing purposes

If the User explicitly consents, the Data Controller will contact the User using the contact details provided and send him/her a newsletter including a direct marketing message and/or a direct marketing message by e-mail or by sending a message to the User Account by direct contact method. The User may withdraw his consent at any time without giving any reason.

XI. Technical data and cookie management

The Data Controller's system automatically records the IP address of the user's computer, the starting time of the visit and, in some cases, depending on the computer's settings, the type of browser and operating system. The data thus recorded cannot be linked to other personal data. The data are processed for statistical purposes only.

Cookies allow Websites to recognise previous visitors. Cookies help the Data Controller, as the operator of the Websites, to optimise the Websites, to tailor the services of the Websites to the habits of the Users. Cookies can also be used to

• remember the settings, so that the User does not have to re-enter them when entering a new page,
• remember previously entered data, so you don't have to re-enter it,
• analyse the use of the Websites to ensure that the improvements made using this information result in the best possible user experience, so that users can easily find the information they are looking for, and
• monitor the effectiveness of advertising.

The Data Controller provides information on further details on cookies in a separate Cookie Policy.

XII. Transmission of data

The Data Controller shall only transfer personal data to third parties if the User has given his/her unambiguous consent - knowing the scope of the data transferred and the recipient of the data transfer - or if the transfer is authorised by law.

The Data Controller is entitled and obliged to transmit to the competent authorities any Personal Data at its disposal and stored by it in accordance with the law, which Personal Data it is obliged to transmit by law or by a final and binding obligation of a public authority. The Data Controller shall not be held liable for such transfers and the consequences thereof.

In all cases, the Data Controller shall document the transfers and keep records of the transfers.

XIII. Data processing

The Data Controller is entitled to use a data processor for the performance of its activities. Processors do not take independent decisions and are only entitled to act in accordance with the contract concluded with the Data Controller and the instructions received. The Controller shall monitor the work of the processors. Processors shall only be entitled to use additional processors with the written consent of the Controller.

The Data Controller shall identify the data processors used in this Notice.

The data processors used by the Data Controller:

• ...............; based at .............. (hosting service)
• ...............; head office: .............. (accounting, tax)
• ................; registered office: .............. (billing)
• .................domicile: .................. (payment by credit card)
• ...............; registered office: .............. (claims management)

If the User enters into a contract with the Data Controller and chooses to pay online, the User will be redirected to the online payment service provider's website. After the redirection, the payment is made on the website of Stripe Payments Europe Limited (Dublin, Ireland), during which the data is transferred by the User to the payment service provider acting as a data processor. The Data Controller will be notified when the payment has been made and will not receive any other data provided by the data processor. The legal basis for the notification is the consent of the data subject, the purpose of which is to verify that the payment has been made.

XIV Data security, access to data

The Data Controller shall ensure the security of the data, take the technical and organisational measures and establish the procedural rules necessary to enforce the applicable laws, data protection and confidentiality rules. The Data Controller shall take appropriate measures to protect the data against unauthorised access, alteration, disclosure, disclosure, erasure or destruction, accidental destruction or damage and against inaccessibility resulting from changes in the technology used.

The Data Controller shall keep records of the data processed by it in accordance with the applicable laws, ensuring that the data may only be accessed by employees and other persons acting in the interests of the Data Controller (data processors) who need to know the data in order to perform their job or task. The data may only be accessed under logging. The employees of the Data Controller shall carry out individual searches and operations on the data only at the request of the User or when necessary for the provision of the service.

The Data Controller shall take into account the state of the art when defining and applying measures for data security. The Data Controller shall choose among several possible data processing solutions the one which ensures a higher level of protection of personal data, unless this would involve a disproportionate effort.

The Data Controller shall ensure, in particular, in the context of its IT security responsibilities:

• Measures to protect against unauthorised access, including protection of software and hardware devices and physical protection (access protection, network protection);
• Measures to ensure that data files can be recovered, including regular backups and separate secure management of copies (mirroring, backup);
• Protecting data against viruses (virus protection);
• The physical protection of data files and the media on which they are stored, including protection against fire, water, lightning and other natural hazards, and the recoverability of damage caused by such events (archiving, fire protection).

Employees and other persons acting on behalf of the Data Controller shall keep secure the data media containing personal data which they use or have in their possession, regardless of the means of recording the data, and shall protect them against unauthorised access, alteration, disclosure, disclosure, erasure or destruction, accidental destruction or damage.

The Data Controller shall operate the electronic register by means of an IT program that meets the requirements of data security. The programme shall ensure that access to the data is limited to the persons who need it for the performance of their tasks, and only for the purposes for which it is intended and under controlled conditions.

XV. Duration of processing

The Controller shall delete personal data if.

a) unlawful treatment;

If it is found that the data is being processed unlawfully, the Data Controller will delete it without delay.

b) at the request of the User (except for processing based on law);

The User may request the erasure of data processed on the basis of the User's voluntary consent. In this case the Data Controller will delete the data. Deletion may only be refused if the processing of the data is authorised by law. The Data Controller shall in any case provide information on the refusal of the request for erasure and on the law authorising the processing.

(c) the data is incomplete or inaccurate, and this situation cannot be lawfully remedied, provided that erasure is not excluded by law;

(d) the purpose of the processing has ceased or the statutory time limit for the storage of the data has expired.

Erasure may be refused (i) for the exercise of the right to freedom of expression and information, or (ii) where the processing of Personal Data is authorised by law; and (iii) for the establishment, exercise or defence of legal claims.

The Data Controller shall inform the User of the refusal of the request for erasure in each case, indicating the reasons for the refusal. Once the request for erasure of personal data has been complied with, the previous (erased) data can no longer be restored.

The newsletters sent by the Data Controller can be unsubscribed via the unsubscribe link in the newsletter. In case of unsubscription, the Data Controller will delete the User's Personal Data in the newsletter database.

As the Data Controller provides a continuous service to the User, the relationship between the parties is not time-limited. Therefore, unless the User requests otherwise, the Data Controller shall process the data for as long as the relationship between the Data Controller and the User exists and for as long as the Data Controller is able to provide the User with the service.

All other data will be deleted by the Controller if it is clear that the data will no longer be used, i.e. the purpose of the processing has ceased.

(e) it has been ordered by a public authority

If a court, the National Authority for Data Protection and Freedom of Information or other competent authority has issued a final order for the deletion of the data, the Data Controller shall carry out the deletion.

Instead of deletion, the Data Controller shall block the personal data - after informing the User - if the User so requests or if the information available to the Data Controller suggests that deletion would harm the legitimate interests of the User. The personal data blocked in this way may be processed only for as long as the processing purpose which precluded the deletion of the personal data persists. The Data Controller shall mark the personal data it processes if the User contests the accuracy or correctness of the personal data, but the incorrectness or inaccuracy of the contested personal data cannot be clearly established.

In the case of processing required by law, the erasure of data shall be governed by the law.

In the event of deletion, the Data Controller shall render the data unidentifiable. Where required by law, the Controller shall destroy the storage medium containing the personal data.

XVI. Rights of Users and their enforcement

The Data Controller shall inform the User about the processing of the data at the time of contacting the User. The User shall also have the right to request information on the processing at any time.

Upon the User's request, the Data Controller shall provide information about the User's data processed by the Data Controller or by a data processor appointed by the Data Controller or under its instructions, the source of the data, the purpose, legal basis and duration of the processing, the name and address of the data processor and its activities related to the processing, the circumstances and effects of the data breach and the measures taken to remedy the data breach, and, in the event of the transfer of the User's Personal Data, the legal basis and the recipient of the data transfer. The Data Controller shall provide the information in writing in an intelligible form within the shortest possible time from the date of the request, but not later than 25 days from the date of the request, upon the User's request. The information shall be provided free of charge if the person requesting the information has not yet submitted a request for information in the current year for the same set of data. In other cases, a fee may be charged. The fee already paid shall be refunded if the data have been processed unlawfully or if the request for information has led to a correction.

The User may request that the Controller rectify the personal data incorrectly provided. In the event that the data to be corrected are regularly provided, the Data Controller shall, if necessary, inform the recipient of the data of the correction and shall draw the User's attention to the fact that the correction must be initiated with another data controller.

The User may request the deletion of his/her personal data, except for processing required by law. The Controller shall inform the User of the erasure.

The User may object to the processing of his/her personal data.

The User may submit a request for information, rectification or deletion in writing, by sending an e-mail to the Data Controller.

The User may request the Controller to restrict the processing of his/her Personal Data if the User contests the accuracy of the Personal Data processed. In such case, the restriction shall apply for the period of time necessary to allow the Controller to verify the accuracy of the Personal Data. The Controller shall mark the Personal Data it processes if the User contests its accuracy or correctness but the incorrectness or inaccuracy of the contested Personal Data cannot be clearly established.

The User may request that the Controller restrict the processing of his/her Personal Data even if the processing is unlawful, but the User opposes the erasure of the processed Personal Data and instead requests the restriction of their use.

The User may also request the restriction of the processing of his/her Personal Data by the Controller if the purpose of the processing has been achieved, but the User requires the processing of his/her Personal Data by the Controller for the establishment, exercise or defence of legal claims.

The User may request that the Data Controller provide the Personal Data provided by the User and processed by the User in an automated way to the Data Controller in a structured, commonly used, machine-readable format and/or transfer them to another data controller.

If the Controller does not comply with the User's request for rectification, blocking or erasure, the Controller shall, within 25 days of receipt of the request, communicate in writing the reasons for refusing the request for rectification, blocking or erasure. In the event of refusal of a request for rectification, erasure or blocking, the controller shall inform the User of the possibility of judicial remedy and of recourse to the National Authority for Data Protection and Freedom of Information.

The User may make the above declarations concerning the exercise of his/her rights at the contact details of the Data Controller provided in point II.

If the Data Subject believes that the processing of personal data relating to him or her is unlawful, the Data Subject has the right to lodge a complaint with the supervisory authority, which in Hungary is the National Authority for Data Protection and Freedom of Information (NAIH).

• Head office: 1055 Budapest, Falk Miksa utca 9-11.
• Postal address: 1363 Budapest, Pf.: 9.
• Phone: +36 (1) 391-1400
• Fax: +36 (1) 391-1410
• Website: http://naih.hu
• E-mail: ugyfelszolgalat@naih.hu

If the Data Subject User believes that the processing of personal data concerning him or her is unlawful, he or she may also seek judicial remedy. The court of law will have jurisdiction to rule on such a claim. The lawsuit shall be brought before the court of the seat of the Data Controller (Nyíregyháza Court), but the Data Subject may also bring the lawsuit before the court of the place of his/her domicile or, failing that, of his/her domicile. Upon request, the Data Controller shall inform the User in detail about the possibilities and means of legal remedy.

XVII Amendments to the Privacy Notice

The Controller reserves the right to amend this Notice at any time by unilateral decision.

The User accepts the current provisions of this Policy by entering the Site, without the need to seek the consent of individual Users.