AMAZON NŐI FITNESS
PRIVACY POLICY
Hlavati András EV (hereinafter: Data Controller) manages the data of visitors to and registrants on the website https://amazonfitness.hu/ (hereinafter: Website) during its operation.
In connection with data processing, the Data Controller hereby informs the Data Subjects about the personal data it processes on the Website, the principles and practices it follows regarding the processing of personal data, as well as the method and possibilities for the exercise of the rights of the data subjects.
By using the Website, the Data Subject accepts the terms set forth in this Privacy Policy and consents to the data processing defined below.
The Data Controller pays special attention to ensuring that personal data is processed, stored, and used in compliance with the provisions of the European Parliament and Council Regulation (EU) 2016/679 (General Data Protection Regulation), which ensures the protection of individuals with regard to the processing of personal data and the free movement of such data, as well as the repeal of Directive 95/46/EC.
The Data Controller ensures that unauthorized persons cannot access personal data, and that the storage and placement of personal data is arranged in a way that it cannot be accessed, learned, altered, or destroyed by unauthorized individuals.
1. Data Controller's Information
Name: Hlavati András EV
Headquarters: 1117 Budapest, Kőrösy József utca 17
Email: andrashlavati@gmail.com
Tax number: 42445786143
Registration number: 4433870
Registering court/authority: Budai Central District Court
2. Data Processing Cases
2.1 Registration in the Gymbase System
Processed Data: Last name, first name, email address, phone number, photo (optional)
Purpose of Data Processing: Registration required for the use of sports services, user identification, communication, and contact.
Legal Basis for Data Processing: The legal basis for data processing is legitimate interest, according to Article 6(1)(f) of the Regulation.
Duration of Data Processing: Until the registration is deleted upon request.
Source of Data: Collected directly from the Data Subject.
Consequences of Not Providing Data: The Data Subject will not be able to use the appointment booking and purchasing functions available on the Website.
Legitimate Interest Assessment Test Result – for Mandatory Registration
The Data Controller has conducted a legitimate interest assessment due to the legal basis of legitimate interest. The result of the assessment – available from the Data Controller – concluded that the data processing activities carried out during mandatory registration are closely related to ensuring the convenience of the Data Subjects’ purchasing options, as well as fulfilling legal claims associated with the performance of the contract. This serves the legitimate interests of both the Data Controller and the Data Subject and complies with the legitimate interest provided under Article 6(1)(f) of the GDPR. Additionally, the rights of the Data Subjects are safeguarded by the measures taken by the Data Controller, ensuring that the interests or fundamental rights and freedoms of the Data Subjects are not overridden. Therefore, the Data Controller may process the personal data provided during mandatory registration to ensure easier purchasing opportunities for the Data Subjects and to enforce legal claims following the performance of the contract, as it complies with the legal basis under Article 6(1)(f) of the GDPR.
2.2 Purchase of Membership, Tickets, and Other Products on the Website
Processed Data: Full name, email address, ticket/membership purchase date, used session dates.
Purpose of Data Processing: Use of sports services.
Legal Basis for Data Processing: The legal basis for data processing is the performance of a contract with the Data Subject, as per Article 6(1)(b) of the Regulation.
Duration of Data Processing: The data will be processed until the ticket or membership expires, or until the sessions are used.
Source of Data: Collected directly from the Data Subject.
Consequences of Not Providing Data: The Data Controller will not be able to fulfill its legal obligations as specified by applicable Hungarian laws.
2.3 Issuance of Invoice for the Order
Processed Data: Name, address (mandatory).
Purpose of Data Processing: Fulfillment of invoicing obligations, compliance with accounting principles, preparation and recording for accounting.
Legal Basis for Data Processing: The legal basis for data processing is the fulfillment of a legal obligation, as per Article 6(1)(c) of the Regulation (VAT Act: Act CXXVII of 2007 on Value Added Tax).
Duration of Data Processing: The invoice will be retained for 8 years.
Source of Data: Collected directly from the Data Subject.
Consequences of Not Providing Data: The Data Controller will not be able to fulfill its legal obligations as defined by applicable Hungarian laws.
2.4 Data Processing During Invoice Sending
Processed Data: Email address, name.
Purpose of Data Processing: Sending the invoice to the Data Subject.
Duration of Data Processing: Until the invoice is sent to the Data Subject.
Legal Basis for Data Processing: The legal basis for data processing is the fulfillment of a legal obligation, according to Article 6(c) of the Regulation (Act C of 2000 on Accounting).
Source of Data: Collected directly from the Data Subject.
Consequences of Not Providing Data: The Data Controller will not be able to fulfill its obligation to provide the invoice to the Data Subject.
2.5 Customer Correspondence, Communication, Contact
Processed Data: Depending on the contact platform, name, email address, phone number, and any other data provided by the Data Subject (optional).
Purpose of Data Processing: If the Data Subject has questions regarding the Website, the Data Controller’s services, or products, they can contact the Data Controller through the contact information provided in this Policy and on the Website. This data processing allows for communication and contact between the Data Controller and the Data Subject in relation to the issue raised.
Duration of Data Processing: The Data Controller will retain emails, postal mail, and other personal data provided in the message, including the sender’s name, email address, and other information, as long as it takes to resolve or respond to the Data Subject’s question or inquiry.
Legal Basis for Data Processing: The legal basis for data processing is the voluntary consent of the Data Subject, as per Article 6(1)(a) of the Regulation.
Source of Data: Collected directly from the Data Subject.
Consequences of Not Providing Data: Failure to communicate through customer correspondence.
2.6 Complaint Management
Processed Data: Depending on the contact platform, name, email address, phone number, and the complaint submitted by the Data Subject.
Purpose of Data Processing: If the Data Controller handles a complaint related to the provided service, personal data will be processed during the complaint management process. The purpose of data processing is to fulfill the requirements of the relevant legislation for complaint management and to enable communication between the Data Controller and the Data Subject regarding the complaint.
Duration of Data Processing: According to the rules set forth in the 1997 Act CLV on Consumer Protection, the Data Controller is required to retain the complaint for 3 years.
Legal Basis for Data Processing: The legal basis for data processing is the fulfillment of legal obligations set forth in the Consumer Protection Act and the Civil Code, as per Article 6(1)(c) of the Regulation.
Source of Data: Collected directly from the Data Subject.
Consequences of Not Providing Data: Failure to process the complaint, as the Data Controller cannot contact or resolve the issue with the Data Subject without the provision of personal data.
2.7 Newsletter
Processed Data: Last name, first name, email address.
Purpose of Data Processing: By subscribing to the newsletter, the Data Subject voluntarily consents to receiving newsletters, offers, and information related to exhibitions from the Data Controller for direct marketing purposes. By subscribing to the newsletter, the Data Subject acknowledges and accepts the data processing rules outlined in this Privacy Notice.
Duration of Data Processing: The subscription to the newsletter is valid until the Data Subject unsubscribes. The Data Subject can unsubscribe from the newsletters at any time, without restriction or justification, free of charge.
Legal Basis for Data Processing: The legal basis for data processing is the voluntary consent of the Data Subject, as per Article 6(1)(a) of the Regulation.
Source of Data: Collected directly from the Data Subject.
Unsubscribe Options:
The Data Subject can unsubscribe from the newsletters in the following ways:
- Notify the Data Controller of the intention to unsubscribe by sending an email to the address listed in point 1.
- Click the unsubscribe link provided in the newsletter.
2.8 Other Personal Data Logged by the System
Purpose of Data Processing: The system logs the identifier assigned by the internet service provider to the device of the Data Subject logging into the system. The purpose of this data processing is to ensure the IT system security of the Data Controller and to send HTML code appropriate for the browser type.
Duration of Data Processing: The system stores the data for 6 months from the time of creation, after which it is automatically deleted.
Legal Basis for Data Processing: The legal basis for data processing is the voluntary consent of the Data Subject, as per Article 6(1)(a) of the Regulation.
Source of Data: Collected directly from the Data Subject.
Categories of Data Recipients: Database management partner, marketing department.
Consequences of Not Providing Data: Inaccuracies in analytical measurements.
2.9 Cookies
Every browser allows the modification of cookie settings. Most browsers automatically accept cookies by default, but these settings can typically be changed to prevent automatic acceptance and offer the option to choose whether to allow cookies each time.
Since the purpose of cookies is to facilitate or enable the usability and processes of the Website, preventing or deleting cookies may result in the inability to fully use the Website’s features or cause the Website to function incorrectly in your browser.
By adjusting the settings of your browser, you can ensure that cookies are not placed on your device. Most web browsers have a help feature in the menu bar that explains how to prevent your browser from accepting new cookies, how to instruct your browser to alert you when a new cookie is received, and how to delete and block existing cookies.
Here’s how you can adjust the settings:
Internet Explorer:
- From the “Tools” menu, select “Internet Options.”
- Click on the “Privacy” tab.
- You can choose the settings for the internet zone here. You can specify whether your browser can accept cookies, which cookies it should accept, and which to reject.
- Confirm the settings by clicking the “OK” button.
Firefox:
- From the “Tools” menu, select “Options.”
- Click on the “Privacy” tab.
- In the dropdown menu, select “Use custom settings for history.”
- You can set whether the system can accept cookies, how long the accepted cookies can be stored, and which websites you want to always allow or block cookies for.
- Confirm the settings by clicking the “OK” button.
Google Chrome:
- In the browser’s symbol bar, click on the Chrome menu.
- Select “Settings.”
- Click on “Show advanced settings.”
- Under the “Privacy and security” section, click on “Content settings.”
- Under the “Cookies” section, you can adjust cookie handling as follows:
- Delete cookies
- Block cookies permanently
- Set cookies and site data to be deleted once the browser session ends
- Allow exceptions for cookies for certain websites or domains.
Please note that in such cases, you may not be able to fully use all features of the website.
2.9.1 Cookies used by the Data Controller on the Website
On this page, the Data Controller primarily uses the following cookie:
Legal basis for data processing: The legal basis for data processing is the data subject’s voluntary consent pursuant to Article 6(1)(a) of the Regulation.
Source of data: Directly collected from the data subject.
Possible consequences of failure to provide data: Limited use of the services on the Website, inaccurate analytical measurements.
The Data Controller and the designated external service providers place and read small data packages, called cookies, on the data subject’s computer in order to provide personalized services. If the browser returns a previously saved cookie, the service provider handling the cookie may link the data saved during the data subject’s current visits to the previous data, but only in relation to its own content.
The Data Controller uses the following cookies:
- Session cookies: These cookies are automatically deleted after the data subject’s visit. They help the Data Controller’s website function more efficiently and securely, so they are essential for certain functions or applications to work properly.
- Persistent cookies: The Data Controller also uses persistent cookies to improve user experience (e.g., optimized navigation). These cookies are stored in the browser’s cookie file for a longer time. The duration depends on the settings the data subject applies in their internet browser.
- Cookies used for password-protected sessions.
- Cookies required for the shopping cart.
- Security cookies.
The “Help” function in most browsers provides information on how the data subject can:
- Disable cookies,
- Accept new cookies,
- Instruct the browser to set a new cookie, or
- Turn off other cookies.
External servers assist in the independent measurement and auditing of the Website’s traffic and other web analytics data (Google Analytics). The data controllers can provide detailed information about the handling of the measurement data to the data subject.
Their contact: www.google.com/analytics/
If the data subject does not want Google Analytics to measure the above data in the described way and for the purpose outlined, they should install a browser extension to block it.
The Website uses Google AdWords remarketing tracking codes. This is based on targeting visitors to the page with remarketing ads later on websites belonging to the Google Display Network. The remarketing code uses cookies to tag visitors. Users of the Website can disable these cookies by visiting the Google ad settings manager and following the instructions there. Afterward, personalized offers from the Data Controller will no longer be displayed to them.
2.9.2 Cookies placed by Google Analytics
It contains a unique identifier used for generating statistics related to the data subject’s website usage. – Duration: 2 years
Used for controlling Google Analytics requests. – Duration: Session
2.9.3 Facebook
The Data Controller uses social plugins from the Facebook social network operated by Facebook on the Website.
If the data subject accesses a page on the Website that contains such a plugin, their browser will establish a direct connection to Facebook’s servers. Facebook will directly transfer the content of the plugin to the data subject’s browser and integrate it into the page. This integration allows Facebook to receive the information that the data subject’s browser accessed the corresponding page of the Website, even if the data subject does not have a profile on Facebook or was not logged in to Facebook at that time.
Please review Facebook’s notes on the purpose and extent of data collection by Facebook at the following link, as well as the rights you have in this regard and the possible settings that can protect your privacy: https://www.facebook.com/policy.php. An overview of Facebook’s plugins and their appearance can be found here: https://developers.facebook.com/docs/plugins
If you do not want Facebook to directly associate the data collected through the Website with your Facebook profile, you must log out of Facebook before visiting the Website. If you use plugins such as a “Facebook blocker” for your browser, you can fully prevent the download of Facebook plugins.
2.9.4. Instagram Social Plugins
The Website also uses social plugins (“Plugins”) operated by Instagram. These plugins are marked with the Instagram logo, for example, “Instagram Camera.”
If the data subject clicks on the Instagram logo, they will be directed to the Instagram page of the Website, and their browser will establish a direct connection to Instagram’s servers. Instagram will send the content of the plugin directly to the visitor’s browser, embedding it into the webpage. This allows Instagram to receive information that the browser has accessed the corresponding page of the Website, even if the data subject does not have an Instagram profile or has not logged into Instagram.
The privacy rules regarding the purpose and scope of data collection, as well as further processing and use of data by Instagram, can be found in Instagram’s privacy statement: https://help.instagram.com/155833707900388/.
2.9.5. TikTok
The Data Controller maintains a TikTok account and uses the technical platform and services of TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland. The data subject uses our TikTok channel and its features at their own risk. This particularly applies to the use of interactive features (e.g., commenting, sharing, rating).
The data collected about the data subject in this context is processed by TikTok Technology Limited and may be transferred to countries outside the European Union.
Detailed information about the service can be found at the following link: https://tiktok/discover?lang=hu
2.9.6. YouTube
Statistical
PREF – Stores a unique identifier that helps Google keep track of YouTube video usage statistics. – 8 months
Marketing
VISITOR_INFO1_LIVE – Attempts to estimate the data subject’s bandwidth on pages containing YouTube videos. – 179 days
3. Data Transfer
Personal data can primarily be accessed by the Data Controller and the data processors appointed by the Data Controller for the purpose of fulfilling their tasks. In addition, the personal data of the Data Subject may be transferred to other data controllers in the following cases:
The Data Controller informs the Data Subject that the court, the prosecutor, the investigating authority, the administrative authority, the National Authority for Data Protection and Freedom of Information, or other bodies authorized by law may request information, data communication, transfer, or the provision of documents.
The Data Controller will provide personal data to authorities only to the extent and for the purpose that is necessary to fulfill the purpose of the request, as long as the authority has specified the precise goal and scope of the data.
The Data Controller will not transfer the Data Subject’s data for other purposes.
During card payments, the Data Subject will be redirected from the Website to the payment portal operated by the Bank, depending on the payment method. The Data Controller will transfer the following data to the financial service provider, as an independent data controller: order amount, customer’s name. The payment providers will not transfer any personal data necessary for the card payment process, which they have obtained, to the Data Controller. The Data Controller will only be informed about the completion or failure of the payment transaction.
Purpose of data transfer: to process the card payment, to notify the Data Subject by email about the success or failure of the transaction, and to perform fraud-monitoring for the protection of the Data Subject (a system supporting the control of electronically initiated banking transactions to detect fraud).
Legal basis for data transfer: According to Article 6(1)(a) of the Regulation, the Data Subject’s voluntary consent, as the online payment option is only available if the Data Subject consents to the data transfer before initiating the card payment on the Website.
4. Access to Data, Data Security Measures, Backups
The Data Controller takes all necessary measures to ensure the security of personal data, providing adequate protection against unauthorized access, alteration, transmission, disclosure, deletion, or destruction, as well as against accidental loss or damage. The Data Controller ensures data security through appropriate technical and organizational measures.
When selecting and operating the IT tools used for data processing during the provision of services, the Data Controller ensures that the processed data:
- Is accessible only to authorized individuals (availability);
- The authenticity and verification of the data are ensured (data authenticity);
- The integrity of the data can be validated (data integrity);
- Is protected against unauthorized access (data confidentiality).
The Data Controller maintains:
- Confidentiality: Ensures that the information is protected so that only authorized individuals can access it.
- Integrity: Protects the accuracy and completeness of the information and the processing methods.
- Availability: Ensures that the information is accessible to authorized users when needed, and that the necessary tools for access are available.
5. Data Processing
The data may primarily be accessed by the Data Controller and the internal staff of the Data Controller; however, the data will not be disclosed or shared with third parties.
The Data Controller may engage a data processor (e.g., system administrator, transportation company, accountant) in the performance of orders and settlement of accounts. The Data Controller is not responsible for the data processing practices of such external entities.
- NinjaFix
Headquarters: 6300 Kalocsa, Veres P. Utca 49
Email: info@gymbase.hu
Activity: GymBase software, which supports guest registration processes, ticket and subscription purchase processes, management of purchased tickets and subscriptions, and sending administrative emails.
- Rackhost
Headquarters: 6722 Szeged, Tisza Lajos körút 41
Email: info@rackhost.hu
Activity: Hosting service provider
6. Rights of the Data Subject
6.1. Information and access to personal data
The Data Subject is entitled to request information at any time about the personal data concerning them that is processed by the Data Controller.
Upon the Data Subject’s request, the Data Controller will provide information about the personal data concerning them, the data processed by the Data Controller or by a data processor acting on its behalf, the source of the data, the purpose, legal basis, and duration of the processing, as well as the name, address, and activities related to data processing of the data processor, the circumstances, effects, and measures taken to prevent a data protection incident, and if applicable, the legal basis and recipient of the data transfer.
If the Data Controller has an internal data protection officer, the internal data protection officer will maintain a record for the purpose of monitoring measures taken in connection with data protection incidents and informing the Data Subject. This record includes the scope of the Data Subject’s personal data, the group and number of Data Subjects affected by the data protection incident, the date, circumstances, effects, and corrective actions of the data protection incident, as well as any other data required by the relevant legislation governing data processing.
The Data Subject can contact the Data Controller’s staff with any questions or comments regarding data processing at the contact details specified in point 4.
6.2. Right to rectification and completion of personal data being processed
Upon the Data Subject’s written request, the Data Controller will rectify any inaccurate personal data indicated by the Data Subject in writing without undue delay, and will complete any incomplete data with the content specified by the Data Subject. The Data Controller will inform all recipients with whom the personal data has been shared about the rectification or completion, unless this proves impossible or requires an unreasonable amount of effort. The Data Controller will provide the Data Subject with information about these recipients if requested in writing.
6.3. The Data Subject may object to the processing of their personal data.
The Data Subject may object to the processing of their personal data. The Data Controller will review the objection within the shortest time possible, but no later than 15 days from the submission of the request, make a decision regarding its legitimacy, and inform the applicant in writing about the decision.
The Data Subject can exercise their rights at the contact details specified in point 1.
6.4. Right to restriction of processing
The Data Subject may request the Data Controller to restrict the processing of their data in writing if:
- They dispute the accuracy of the personal data, in which case the restriction will apply for the period necessary for the Data Controller to verify the accuracy of the personal data.
- The processing is unlawful, and the Data Subject opposes the deletion of the data and instead requests the restriction of its use.
- The Data Controller no longer needs the personal data for processing purposes, but the Data Subject requires it for the establishment, exercise, or defense of legal claims.
- The Data Subject objects to the processing: in this case, the restriction will apply for the period until it is determined whether the legitimate grounds of the Data Controller outweigh the legitimate grounds of the Data Subject.
During the restriction, the personal data of the Data Subject can only be processed, except for storage, with the Data Subject’s consent, or for the establishment, exercise, or defense of legal claims, or for the protection of the rights of another natural or legal person, or for important public interest of the Union or a member state. The Data Controller will notify the Data Subject, whose request led to the restriction of processing, in advance about the lifting of the restriction.
6.5. Right to erasure (right to be forgotten)
The Data Subject is entitled to request the Data Controller to erase their personal data without undue delay if any of the following reasons apply:
- The personal data is no longer necessary for the purposes for which it was collected or processed by the Data Controller.
- The Data Subject withdraws their consent, and there is no other legal basis for the processing.
- The Data Subject objects to processing based on legitimate interests, and there is no overriding legitimate reason (i.e., a legitimate interest) for processing.
- The personal data has been processed unlawfully, and this has been established based on a complaint.
- The personal data must be erased in order to comply with a legal obligation under applicable Union or Member State law.
If the Data Controller has made personal data concerning the Data Subject public, and is required to erase it for any of the above reasons, the Data Controller will take all reasonable steps – including technical measures – to inform other data controllers who process the data that the Data Subject has requested the deletion of links to, or copies or duplicates of, the personal data in question, taking into account available technology and the costs of implementation. However, as a general rule, the Data Controller will not disclose the Data Subject’s personal data.
The right to erasure does not apply if the processing is necessary:
- For the exercise of freedom of expression and the right to information.
- To comply with a legal obligation under applicable Union or Member State law (such as in the case of processing for invoicing, as the retention of invoices is required by law), or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller.
- For the establishment, exercise, or defense of legal claims (e.g., if the Data Controller has a claim against the Data Subject that has not yet been fulfilled or if there is an ongoing consumer or data processing complaint).
6.6. Right to data portability
If the processing of data is necessary for the performance of a contract or is based on the Data Subject’s voluntary consent, the Data Subject has the right to request that the data provided to the Data Controller be provided in a machine-readable format. The Data Controller will provide the data in XML, JSON, or CSV format, and if technically feasible, the Data Subject may request that the data be transferred to another data controller in one of the previously mentioned formats.
The right to data portability is limited to the data directly provided by the Data Subject; other data (e.g., statistics, etc.) cannot be transferred.
The Data Subject has the right to:
- Receive their personal data stored in the Data Controller’s system in a structured, commonly used, and machine-readable format;
- Transfer the data to another data controller;
- Request the direct transfer of the data to another data controller, if technically feasible in the Data Controller’s system.
The Data Controller will fulfill the data portability request solely based on a written request submitted by email or post. To fulfill the request, the Data Controller must ensure that the Data Subject making the request is indeed the rightful person. The Data Subject may request the portability of data they have provided to the Data Controller. Exercising this right does not automatically result in the deletion of the data from the Data Controller’s systems, so the data will remain stored in the systems unless the Data Subject also requests deletion of their data.
6.7. Exercising the rights of a deceased Data Subject by another person
Within five years following the death of the Data Subject, the rights that the deceased was entitled to during their lifetime, such as the right of access, rectification, erasure, restriction of processing, data portability, and objection, may be exercised by a person authorized by a statement made by the deceased during their lifetime, either through a power of attorney or a public or fully certified private document, in accordance with the Data Controller’s declaration. If the deceased made several such statements to the Data Controller, the person named in the most recent statement will be entitled to exercise these rights.
If the deceased did not make such a declaration, the rights defined in the previous paragraph, which the deceased was entitled to during their lifetime, may be exercised by the deceased’s close relative within five years following the Data Subject’s death (if there are multiple close relatives, the one who first exercises this right will be entitled to do so).
According to Section 8:1(1) of the Civil Code, close relatives include the spouse, direct relatives, adopted children, stepchildren, foster children, adoptive parents, stepparents, foster parents, and siblings. The close relative of the deceased must provide proof of:
- The fact and time of the deceased’s death, with a death certificate or court ruling, and
- Their own identity, and, if necessary, their relationship to the deceased, with an official document.
The person exercising the deceased’s rights will be subject to the same rights and obligations as the deceased would have had in relation to the Data Controller, the National Authority for Data Protection and Freedom of Information, and the courts, according to the provisions of the Infotv. and the Regulation.
Upon written request, the Data Controller is required to inform the close relative about the actions taken, unless the deceased explicitly prohibited it in their statement.
6.8. Deadline for fulfilling the request
The Data Controller will inform the Data Subject of the actions taken without undue delay, but in any case, within one month from the receipt of any request under Section 6. If necessary, taking into account the complexity of the request and the number of requests, this deadline may be extended by a further two months. In such cases, the Data Controller will inform the Data Subject of the reasons for the delay and the extension within one month of receiving the request, along with the information that the Data Subject has the right to lodge a complaint with the supervisory authority and seek judicial remedy.
If the Data Subject’s request is clearly unfounded or excessive (particularly in the case of repetitive requests), the Data Controller may charge a reasonable fee for fulfilling the request or refuse to act on the request. The burden of proof for this lies with the Data Controller.
If the Data Subject submits the request electronically, the Data Controller will provide the information electronically, unless the Data Subject requests otherwise.
The Data Controller will inform all recipients with whom personal data has been shared of any rectification, erasure, or restriction of processing carried out, unless this proves impossible or requires disproportionate effort. Upon request, the Data Controller will inform the Data Subject of these recipients.
6.9. Compensation and damages
Any person who has suffered material or non-material damage as a result of a violation of the Regulation is entitled to compensation from the Data Controller or the Data Processor for the damage suffered. The Data Processor is only liable for damages caused by the processing of personal data if it has not complied with the obligations specifically imposed on Data Processors by the law or if it has disregarded or acted contrary to the lawful instructions of the Data Controller. The Data Controller and the Data Processor are exempt from liability if they can prove that they are not responsible for the event that caused the damage in any way.
6.10. Based on the Info Act and the Civil Code (Act V of 2013), the Data Subject may turn to the National Authority for Data Protection and Freedom of Information (1125 Budapest, Szilágyi Erzsébet fasor 22/c.; www.naih.hu) or enforce their rights before a court. The lawsuit – at the Data Subject’s choice – can be filed at the court of their place of residence (the list of courts and their contact details can be viewed through the following link: http://birosag.hu/torvenyszekek).
If the Data Subject provided third-party data during registration for the use of the service or caused any damage during the use of the Website, the Data Controller is entitled to enforce compensation against the Data Subject. In such cases, the Data Controller will provide all possible assistance to the authorities to determine the identity of the person committing the violation.
6.11. Data Breach Management
A data protection incident is a security breach that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or unauthorized access to personal data that has been transmitted, stored, or otherwise processed. The Data Controller maintains a record of the data protection incident for the purpose of monitoring the actions taken, informing the supervisory authority, and notifying the Data Subject. This record includes the types of personal data involved in the incident, the scope and number of affected Data Subjects, the date, circumstances, and impacts of the incident, as well as the corrective actions taken.
In the event of an incident, the Data Controller will inform the Data Subject and the supervisory authority without undue delay, and no later than 72 hours after the incident occurs, unless the incident does not pose a risk to the rights and freedoms of natural persons.
7. Other Provisions
The Data Controller reserves the right to unilaterally modify this Privacy Policy without prior notice to the Data Subject, particularly but not exclusively in the event of changes in legislation. The modifications will take effect on the day specified in the notice to the Data Subject, unless the Data Subject objects to the modifications.
The Data Controller does not verify the personal data provided to it. The person providing the data is solely responsible for the accuracy of the provided information. When providing personal data, the Data Subject assumes responsibility for ensuring that the data provided is accurate and that the service is used exclusively by them using their own personal data.