PRIVACY NOTICE
FOR GUESTS AND PASSENGERS

Company name: Silverline Cruises Kft.

Registered seat: 1044 Budapest, Zsilip utca 9.

Company registration number: 01-09-973821

Tax number: 23692800-2-41

Represented by: Nóra Ágnes Bakonyi, Managing Director

E-mail: silverlinecruiseskft@gmail.com

phone number, hotline: + 36-20-332-5364

e-mail: hello@silver-line.hu

As the controller, hereinafter referred to as the “Controller”, issues the following Notice for the information of its passengers and guests:

As a cruise company, Silverline Cruises Kft. provides and sells cruise sightseeing services to passengers. The services offered by Silverline Cruises Kft., a detailed description of the services, and the terms and conditions of use are contained in the Terms and Conditions of Business, the Terms of Use, and the general information available at www.silver-line.hu.

The Controller does not have a Data Protection Officer. The Managing Director is responsible for the implementation of data processing tasks.

Contents

  1. I. INTRODUCTION

  2. II. PROCESSING, TYPE OF PERSONAL DATA, PURPOSE AND LEGAL BASIS OF PROCESSING

    1. GENERAL PROVISIONS

    2. DATA PROCESSING OPERATIONS of SILVERLINE CRUISES Kft.

      1. Data processing relating to ticket purchases

      2. Payment by bank card

      3. Complaint-related data processing

      4. Processing of data relating to incidents

      5. Records of found objects

      6. Electronic surveillance system

      7. Photos and videos

      8. Other data processing

        1. E-mail contact, correspondence

      9. Further data processing, data transfer

      10. Cookies

        1. Google Analytics

  3. III. THE METHOD OF STORING PERSONAL DATA, SECURITY OF PROCESSING

  4. IV. THE DATA SUBJECT'S RIGHTS AND REMEDIES

    • Right to rectification

    • Right to erasure ("right to be forgotten")

    • Right to restriction of processing

    • Right to notification regarding rectification or erasure of personal data or restriction of processing

    • Right to data portability

    • Right to object

    • Automated individual decision-making, including profiling

    • The data subject's right to be informed of a personal data breach

    • The user’s right to lodge a complaint with a supervisory authority

    • Right to an effective judicial remedy against a controller or processor

    • Compensation and grievance award

  5. V. PROCEDURAL RULES RELATING TO THE EXERCISE OF RIGHTS

---

I. INTRODUCTION

The Controller is committed to protecting the personal data of natural persons. The Controller acknowledges that it is bound by the provisions of this Notice. The Controller undertakes to ensure that its data processing is in full compliance with this Notice. The Controller reserves the right to change this Notice. The Controller shall keep personal data confidential and shall take all security, technical and organisational measures to ensure the security of the data.

---

II. PROCESSING, TYPE OF PERSONAL DATA, PURPOSE AND LEGAL BASIS OF PROCESSING

II. 1. GENERAL PROVISIONS

The Controller's processing is primarily based on the voluntary consent of the data subject. If the processing is necessary to comply with a legal obligation, the consent of the data subject need not be obtained, but the data subject must be informed of the mandatory nature of the processing, the scope of the data processed, the purpose, legal basis and duration of the processing, the identity of the controller and processor, the rights of the data subject and the remedies available to him or her.

The Controller's data processing principles are in accordance with the applicable data protection legislation, in particular:

  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, ‘GDPR’);

  • Act CXII of 2011 on Informational Self-Determination and Freedom of Information (‘Info Act’);

  • Act V of 2013 on the Civil Code of Hungary (‘Civil Code’);

  • Act CLV of 1997 on Consumer Protection (‘Consumer Protection Act’);

  • Act CXCVII of 2017 on Criminal Procedure (‘Criminal Procedure Code’);

  • Act C of 2000 on Accounting (‘Accounting Act’);

  • Act CVIII of 2001 on Certain Issues of Electronic Commerce Activities and Information Society Services (‘E-Commerce Act’);

  • Act C of 2003 on Electronic Communications (‘Electronic Communications Act’);

  • Act CXXXIII of 2005 on Security Services and the Activities of Private Investigators (‘Security Services Act’);

  • Act XLVIII of 2008 on Essential Conditions of and Certain Limitations to Business Advertising Activity (‘Business Advertising Act’);

  • Act XXV of 2023 on Complaints, Notifications of Public Interest and Rules for Whistleblowing (‘Complaints Act’).

II. 2. DATA PROCESSING OPERATIONS of SILVERLINE CRUISES Kft.

II. 2.1. Data processing relating to ticket purchases

It is possible to purchase tickets for the services provided by the Controller through the website. Ticket purchases are not subject to registration.

Purpose of data processing: issuing invoices to customers, documenting purchases and payments, fulfilling accounting obligations.

Legal basis for processing: processing is necessary for the performance of a contract to which the customer concerned is a party. (Article 6(1)(b) of the Regulation)

Personal data processed: The Customer's (who is a natural person) name, address, phone number, e-mail address, order content, payment method, date of purchase, optionally other personal data if provided.

Duration of processing: In the case of invoices, 8 years pursuant to Section 169(2) of the Accounting Act. For other data: 1 year from the date of data supply.

Possible consequences of failure to provide data: the customer cannot buy a ticket. The name and address must be provided for the invoice to be issued. The invoice will be sent to the customer by e-mail, so the e-mail address is required. Providing a telephone number is also mandatory, because the Controller can inform the customer by telephone about possible cancellations or changes to cruises.

Data storage method: electronic

Legal basis for data transfer: necessary for the performance of the contract. (Article 6(1)(b) of the Regulation)

---

II. 2.2. Payment by bank card

Tickets can be purchased via the website. In the case of payment by bank card, the Controller does not process any data related to card data, does not access, collect or store such data. The Company uses the SimplePay Online Payment System developed and operated by OTP Mobil Kft. for the electronic processing of payments. For EUR payments, in addition to the SimplePay payment system, the STRIPE platform can also be used.

The operator of the SimplePay system and provider of the SimplePay service is OTP Mobil Szolgáltató Korlátolt Felelősségű Társaság.

  • Registered seat: 1143 Budapest, Hungária krt. 17-19, Hungary

  • company registration number: 01-09-174466

  • tax number: 24386106-2-42

The payment notice containing information about the operation of the SimplePay online payment system is available on the Website by clicking on the SimplePay icon on the payment page or at www.simplepay.hu.

The User is also entitled to use the SimplePay payment method.

For payments in EUR, the Stripe payment service platform in addition to SimplePay can also be used. With Stripe, payments are made by bank card in EUR. Further information is available at www.stripe.com.

Purpose of data processing: to process payment transactions, to identify the transaction, to send feedback on the result of the payment transaction, to prevent abuse.

Legal basis for processing: processing is necessary for the performance of a contract to which the Customer concerned is a party and for the performance of a legal and contractual obligation. (Article 6(1)(b) and (c) of the Regulation)

Personal data processed and transferred: name, phone number, email address, transaction amount, IP address, transaction result, transaction time and date and identifier, billing address, bank card details saved through SimplePay, bank card type, number, validity, name of product purchased in the SimplePay application.

The Controller does not have access to the credit card data, but forwards them to the processor. The data processors with access are OTP Mobil Kft., OTP Bank Nyrt. and Borgun hf.

Duration of processing: 5 years from the date of the transaction.

Possible consequences of failure to provide data: the Customer is unable to pay the purchase price by bank card.

Data storage method: electronic

Processors: OTP Mobil Kft, OTP Bank Nyrt. and Borgun hf.

Data transfer:

  • Financial operations are carried out by OTP Bank Nyrt. and Borgun hf,

  • in the case of abuse, to the official bodies authorised by law.

Legal basis for the transfer: to ensure the execution of financial transactions, performance of a contract (Article 6(1)(b) of the Regulation)

---

II. 2.3. Complaint-related data processing

Purpose of data processing: to handle complaints about the services provided by the Controller.

Legal basis for processing: processing is necessary for the performance of a contract to which the Customer concerned is a party and for the performance of a legal obligation. (Article 6(1)(b) and (c) of the Regulation)

Personal data processed: the name and address of the Customer; the place, time and manner of lodging the complaint; the description of the complaint, documents and other evidence presented by the Customer; the name and signature of the person drawing up a report on the complaint and the Customer's signature (in case of an oral complaint); the place and time of drawing up the report; the unique identification number of the complaint.

Duration of processing: Pursuant to Section 17/A(7) of the Consumer Protection Act, 5 years for the report drawn up of the complaint and a copy of the reply; 2 years for the copy of the entries in the book of customers.

Possible consequences of failure to provide data: the Customer cannot exercise his or her consumer rights.

Data storage method: paper and electronic.

Data transfer: none.

---

II. 2.4. Processing of data relating to incidents

Purpose of data processing: documentation and recording of extraordinary events (e.g. theft, damage) on the Boat and on the Pontoon.

Legal basis for processing: necessary for the purposes of the legitimate interests pursued by the Controller or a third party. The legitimate interest is to record and prove incidents. (Article 6(1)(f) of the Regulation)

Personal data processed: name, address and telephone number of the injured person or victim; name and contact details of the parent/guardian; date and time of the incident; description of the incident; description of any actions taken; name, address and telephone number of the witness; name of the person drawing up a report; signatures of the person drawing up the report, the injured person, the complainant, his/her representative, witnesses.

Duration of data processing: until the expiry of the limitation period for claims relating to the incident.

Possible consequences of failure to provide data: events cannot be proven afterwards, the injured party is prevented from exercising his/her rights.

Data storage method: on paper.

Data transfer: to competent authorities if further action is necessary (e.g. Police, Courts).

Legal basis for data transfer: to fulfil a legal obligation.

II. 2.5. Records of found objects

Purpose of data processing: to keep a record of objects found on the Boat and on the Pontoon, to keep a record of the finder, to notify the finder and the owner.

Legal basis for processing: voluntary consent of the data subject and compliance with a legal obligation (Article 6(1)(a) and (c) of the Regulation)

Personal data processed: date and time of the find; name and contact details of the finder; name of the object found; place and duration of storage; name and contact details of the owner, if known; place and date of transfer; name of the recipient; signatures.

Duration of data processing: the data are deleted after the transfer to the owner, finder, or municipal notary. In the event of a sale, the Controller will delete the data after one year from the date of the find.

Possible consequences of failure to provide data: the Controller cannot comply with its legal obligations, the finder cannot exercise the rights under Section 5:54 of the Civil Code.

Data storage method: on paper.

Data transfer: to the competent municipal notary.

Legal basis for data transfer: performance of a legal obligation (Section 5:54 of the Civil Code).

---

II. 2.6. Electronic surveillance system

Cameras have been installed on the Boats and on the Pontoons.

Cameras: Further information on the exact location of the cameras and the areas under surveillance can be found in the camera information notice on the counter in the guest lounge. The cameras are not aimed at monitoring the behaviour of guests or people on the Pontoon. The cameras are used by the Controller for live and recorded surveillance. The cameras do not record sound.

Processor: The Notice at the counter in the guest area indicates the identity and contact details of the processor.

Purpose of the processing: Protection of property, prevention of crime, proof of infringements and incidents, investigation of the circumstances of any accidents that may occur, detection of infringements.

Legal basis for processing: legitimate interest of the Controller (Article 6(1)(f) GDPR)

Legitimate interest: The Controller has a legitimate interest in the operation of the camera system. The protection of property, prevention and detection of crime cannot be effectively achieved by any other means; the cameras are placed only in the most necessary places.

Type of personal data processed: The facial images and other personal data of persons and employees entering or staying on the Boat, Pontoon area, as shown in the images and recorded by the surveillance system.

Duration of processing: In the absence of use, a maximum of 72 hours [Section 31(3)(c) and (d) of Act CXXXIII of 2005].

Information about data storage: Recordings are stored under enhanced data security measures to ensure that unauthorised persons cannot view or copy the recordings. The recordings are stored on the storage media on the Pontoon.

Access to images: Only the Controller's managing director or an authorised employee is entitled to view the recorded data. The live image transmitted by the camera is seen by the people in the coordinator's office. Viewers shall draw up a report on the viewing of the recorded camera footage. The data subject whose rights or legitimate interests are affected by the recording of the image may request, by proving his or her rights or legitimate interests, that the controller not destroy or delete the recording until requested by a court or authority. The person in the recording may also request that the controller inform him or her in writing of what is shown in the recording. The data subject may only receive a copy of a recording in which no other person is present or only in an unrecognisable way. If the above cannot be complied with, the controller shall ensure that the data subject has the possibility to view the recording that (also) depicts him or her.

Data transfer: In the event of infringement or criminal proceedings, to the authorities or courts conducting such proceedings.

Scope of the data transferred: Recordings from the camera system containing relevant information.

Legal basis for transfers: Sections 71(1), 151(2)(a) and 171(2) of the Criminal Procedure Code, as well as Sections 75(1)(a) and 78(3) of the Infractions Act.

---

II. 2.7. Photos and videos

The Controller may make audio and video recordings, live social media broadcasts of events on the Boats, the services provided on the Boats, as well as of the Pontoons and the persons on the Pontoon, which may be published and used on its website and other social media pages. The Controller reserves the right to modify the images for highlighting or blurring purposes. The Controller intends to present general situations in the photographs, always taking into account the right to human dignity, and does not publish photographs that are offensive to the persons in the photographs.

Purpose of processing: To present, document and promote the Controller and the services it provides, and to promote the use of the services.

Legal basis for processing: The Controller has a legitimate interest in increasing its popularity and documenting events. (Article 6(1)(f) of the Regulation)

Scope of the data processed: The image and voice, appearance and movements of the people in the footage.

Duration of processing: until objection by the data subject. In the event of the exercise of the right to object, the Controller will make every effort to remove the challenged recording, but may do so only to the extent that it is technically feasible and reasonable to do so.

---

II. 2.8. Other data processing

II. 2.8.1. E-mail contact, correspondence

The Controller keeps a record of the e-mails, including the name of the sender, the e-mail address, the time of sending and the personal data provided in the message.

Personal data processed: The name of the person sending the e-mail, their e-mail address, the range of personal data provided in the message.

Purpose of processing: Ensuring contact, registering clients and applicants.

Legal basis for processing: The Data Subject's voluntary consent. (Article 6(1)(a) of the Regulation)

Data transfer: No data will be transferred without the express consent of the Data Subject.

Duration of data processing: The data will be processed for the time necessary to achieve the purposes of the processing as set out in this Privacy Notice, but no later than 5 years from the date of the provision of the data.

Data storage method: Electronically

Legal consequences of not providing data: The Controller cannot be contacted by the data subject.

---

II. 2.9. Further data processing, data transfer

II. 2.9.1. In connection with the services of the website

If the Data Subject provides personal data for the services available on the Website, the Controller's hosting provider, as processor, is entitled to access these data. The processor's details are as follows:

Name: Magyar Hosting Kft.

Contact details:https://www.tarhely.com/kapcsolat

II. 2.9.2. In the context of social media platforms

The Controller's website has pages on several social media platforms (Facebook, Twitter, Google+, Instagram, You Tube); for example, if the Data Subject "likes" our website on Facebook or "follows" the Controller on Twitter, the Controller will be aware of all personal data belonging to his/her profile and available to the public. For relevant information about the data processing on these sites, please refer to the privacy policy of the respective service provider.

II. 2.9.3. In the context of issuing an invoice

In connection with invoicing, the tax authority is entitled to access the personal data provided by the Data Subjects for this purpose in the course of its activities. Details of the tax authority:

Name: National Tax and Customs Administration of Hungary

Website, contact details: https://www.nav.gov.hu/nav/kapcsolat

---

II. 2.10. Cookies

In order to ensure the proper functioning of our website, we sometimes place small data files on the Data Subject's computer device, as most modern websites do.

II. 2.10.1. What is a cookie?

A cookie is a small text file that the website places on the Data Subject's computer device (including mobile phones). This allows the website to "remember" the Data Subject’s settings (e.g. language used, font size, display, etc.) so that they do not have to reset them every time they visit our website.

The Weboldalon used cookies list:

  • Google Analytics

  • Google Tag Manager

  • Google Adwords Re-marketing Tag

  • Facebook Pixel Code

  • Smartlook Code

II. 2.10.2. What are cookies used for?

We have placed cookies on the site primarily to ensure customer experience, to provide clear and understandable content and to simplify shopping. These cookies can be deleted or blocked, but in this case the Website may not function properly. We do not use cookies to personally identify the Data Subject. These cookies are only used for the purposes described above.

II. 2.10.3. How to manage cookies?

Cookie files can be deleted (see www.AllAboutCookies.org for details) or blocked from being placed by most current browsers. However, in this case, when using our website, certain settings will have to be made by the user each time and certain services may not work.

Detailed information on how to delete or block cookies can be found at www.AllAboutCookies.org (English) and, for the browser used by the Data Subject, at the links below:

---

II. 2.10.4. Google Analytics

The Website uses Google Analytics, a web analytics service provided by Google Inc. ("Google"). Google Analytics uses so-called "cookies", text files that are saved on your computer to help the analysis of the use of the website visited by the User.

The information generated by the cookies on the website used by the User is usually transferred to a Google server in the USA and stored there. By activating IP anonymisation on the website, Google will shorten the User's IP address within the Member States of the European Union or in other states party to the Agreement on the European Economic Area.

The full IP address will be transmitted to a Google server in the USA and shortened there only in exceptional cases. On behalf of the operator of this website, Google will use this information to evaluate the User's use of the website, to compile reports on website activity for the website operator and to provide other services relating to website and internet usage.

The IP address transmitted by the User's browser within the framework of Google Analytics will not be combined with other data held by Google. The User may prevent the storage of cookies by selecting the appropriate settings on his/her browser, however, please note that in this case, not all functions of this website may be fully functional. The User may also prevent Google from collecting and processing information about their use of the website (including their IP address) through cookies by downloading and installing the browser plug-in available at https://tools.google.com/dlpage/gaoptout?hl=hu

---

III. THE METHOD OF STORING PERSONAL DATA, SECURITY OF PROCESSING

The Controller's computer systems and other data storage locations are located at the Controller's registered seat, premises and processors.

The Controller shall implement appropriate technical and organisational measures and establish rules of procedure in order to minimise the risks arising from the processing and to ensure a level of data security appropriate to the level of risk. The Controller shall treat personal data as confidential and shall protect personal data transmitted, stored or otherwise processed by it against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or unauthorised access.

The Controller shall select and operate the IT tools used to process personal data in such a way that the processed data:

  • is accessible to authorised persons (availability);

  • can be checked for authenticity and verification (authenticity of processing);

  • can be verified to be unchanged (data integrity);

  • be protected against unauthorised access (data confidentiality).

The Controller shall ensure, by appropriate technical means, that the data stored in its various registers are not directly linkable and attributable to the data subject, except where permitted by law, in order to protect the data files managed electronically.

During the processing, the controller shall maintain:

  • confidentiality: it shall protect information so that only those who are entitled to it have access to it;

  • integrity: it shall protect the accuracy and completeness of the information and the method of processing;

  • availability: ensuring that when the authorised user needs it, he or she can actually access the information and has the means to do so.

The information technology systems and networks of the Controller and its partners involved in data processing are protected against computer fraud, espionage, sabotage, vandalism, fire and flood, computer viruses, computer intrusions and attacks that could lead to denial of service. The operator shall ensure security through server-level and application-level protection procedures.

The Controller informs users that electronic messages transmitted over the Internet, regardless of the protocol (e-mail, web, ftp, etc.), are vulnerable to network threats that could lead to fraudulent activity, contract disputes, or the disclosure or modification of information. The Controller shall take all reasonable precautions to protect against such threats. It monitors systems to record any security discrepancies and provide evidence of any security incidents. System monitoring also makes it possible to check the effectiveness of the precautions taken.

The Controller shall impose a confidentiality obligation on its employees who process personal data, and shall inform the employees in writing of the confidentiality obligation. The Controller links access to personal data to levels of authorisation, which are defined by job function. The Controller shall ensure that employees who process personal data carry out their activities in accordance with the instructions of the Controller by carrying out regular checks.

The Controller shall keep printed materials, files and disks containing personal data securely locked in a safe, to which the head of the employer shall have access. Documents and data relating to ongoing work in progress that are being processed may only be seen by employees with access. The documents may not be left unattended; they must be returned to the place of safekeeping immediately after the processing or work has been completed.

The electronically stored and processed personal data are protected by a firewall and appropriate virus protection by the Controller. The Controller does not process or store personal data in cloud-based services. The Controller shall encrypt or, where necessary, pseudonymise the personal data stored electronically which are subject to special processing.

For electronic data processing and record keeping, the Controller uses a computer program that meets the requirements of the GDPR. Only authorised persons have access to the computer program. Access to the program, operations with personal data are logged, so that they can be retrieved afterwards.

During the automated processing of personal data, the controller and the processor shall take additional measures to ensure:

a) the prevention of unauthorised data entry;

b) the prevention of the use of automated data processing systems by unauthorised persons by means of data transmission equipment;

c) the verifiability and ascertainability of the bodies to which the personal data have been or may be transmitted using data transmission equipment;

d) the verifiability and ascertainability of which personal data have been entered into automated data processing systems, when and by whom;

e) the recoverability of the installed systems in the event of failure; and

f) that errors in automated processing are reported.

When contracting with processors, the Controller shall require processors to comply with the data security requirements set out in this point, which shall be monitored as necessary.

The Controller shall keep a record of any personal data breaches, indicating the facts relating to the data breach, its effects and the measures taken to remedy it. The Controller shall notify the National Authority for Data Protection and Freedom of Information of any potential personal data breach without delay and, if possible, no later than 72 hours after the data breach has come to its attention, unless the personal data breach is unlikely to pose a risk to the rights and freedoms of natural persons.

---

IV. THE DATA SUBJECT'S RIGHTS AND REMEDIES

Right to information:
The data subject shall have the right to obtain from the Controller written information about the processing of his or her personal data in a concise, transparent, intelligible and easily accessible form, in clear and plain language, with the content set out in Articles 13 and 14 of the GDPR.

Right of access:
By sending a letter to the e-mail address of the Controller or to the address of the Controller's registered office, the data subject may request that the Controller inform him or her whether or not personal data concerning him or her are being processed and, if so, provide him or her with access to the personal data processed and to the following information: the purposes of the processing; the categories of personal data concerned; the recipients or categories of recipients to whom or which the personal data have been or will be disclosed, including, in particular, recipients in third countries or international organisations; where applicable, the envisaged period of storage of the personal data or, if this is not possible, the criteria for determining that period; the right of the user to request the Controller to rectify, erase or restrict the processing of personal data concerning him or her and to object to the processing of such personal data; the right to lodge a complaint with a supervisory authority; if the data have not been collected from the data subject, any available information on their source; the fact of automated decision-making, including profiling, and, at least in these cases, the logic used and clear information on the significance of such processing and the likely consequences for the user.

If personal data are transferred to a third country or an international organisation, the data subject is entitled to be informed of the appropriate safeguards for the transfer.

The Controller shall provide the data subject with a copy of the personal data subject to the processing at the data subject's request. For any further copies requested by the data subject, the Controller may charge a reasonable fee based on administrative costs. If the data subject submitted the request electronically, the information shall be provided in a widely used electronic format except if the data subject requests otherwise.

IV. 1. Right to rectification

The data subject shall have the right to obtain from the Controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

IV. 2. Right to erasure ("right to be forgotten")

Where one of the following grounds applies, the data subject may request the Controller to delete personal data concerning him or her without undue delay:

a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

b) the data subject withdraws consent on which the processing is based, and there is no other legal ground for the processing;

c) the data subject objects to the processing and there are no overriding legitimate grounds for the processing;

d) the personal data have been unlawfully processed;

e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;

f) the personal data have been collected in relation to the offer of information society services.

The erasure of data cannot be initiated if the processing is necessary: for exercising the right of freedom of expression and information; for compliance with a legal obligation which requires processing by Union or Member State law to which the Controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller; for reasons of public interest in the area of public health; for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes; or for the establishment, exercise or defence of legal claims.

IV. 3. Right to restriction of processing

At the request of the data subject, the Controller shall restrict the processing if one of the following conditions is met:

a) the accuracy of the personal data is contested by the data subject, for a period enabling the Controller to verify the accuracy of the personal data;

b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;

c) the Controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims; or

d) the data subject has objected to processing; pending the verification whether the legitimate grounds of the Controller override those of the data subject.

Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with the data subject's consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

A data subject who has obtained restriction of processing shall be informed by the Controller before the restriction of processing is lifted.

IV. 4. Right to notification regarding rectification or erasure of personal data or restriction of processing

The data subject shall have the right to request the Controller to identify the recipients to whom personal data have been disclosed. The Controller shall inform all recipients to whom the personal data have been disclosed of the rectification, erasure or restriction of processing of the personal data, unless this is impossible or involves a disproportionate effort.

IV. 5. Right to data portability

The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to the Controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:

a) the processing of general or sensitive personal data is carried out with the consent of the data subject, or where the processing is necessary for the performance of a contract to which the data subject is a party or is necessary for steps which the data subject has requested prior to the conclusion of the contract; and

b) the processing is carried out by automated means.

Where technically feasible, the data subject may request the direct transfer of his or her personal data between controllers.

IV. 6. Right to object

The data subject shall have the right to object at any time, on grounds relating to his or her particular situation, to processing of his or her personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller, or necessary for the purposes of the legitimate interests pursued by the Controller or by a third party, including profiling based on those provisions. In this case, the Controller may no longer process the personal data unless the Controller demonstrates compelling legitimate grounds for data processing that override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.

Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes by the Controller.

IV. 7. Automated individual decision-making, including profiling

The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

The above right does not apply if the decision:

a) is necessary for entering into, or performance of, a contract between the data subject and the Controller;

b) is authorised by Union or Member State law to which the Controller is subject and which also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests; or

c) is based on the data subject's explicit consent.

IV. 8. The data subject's right to be informed of a personal data breach

The data subject has the right to be informed of a personal data breach.

IV. 9. Right of withdrawal

The data subject has the right to withdraw his or her voluntary consent to data processing at any time. The withdrawal of consent shall not affect the lawfulness of processing performed before the withdrawal of such consent.

IV. 10. The user’s right to lodge a complaint with a supervisory authority

If the data subject considers that the processing of personal data relating to him or her infringes the Regulation, he or she has the right to lodge a complaint with the supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement.

Supervisory authority:
National Authority for Data Protection and Freedom of Information (postal address: 1530 Budapest, Pf. 5., registered office: 1125 Budapest, Szilágyi Erzsébet fasor 22/c., website: www.naih.hu, phone: +36-1-391-1400, email: ugyfelszolgalat@naih.hu).

IV. 11. Right to an effective judicial remedy against a controller or processor

If the data subject considers that the Controller has infringed his or her rights under the Regulation by improper processing of his or her personal data, he or she may bring the matter before the courts of the Member State in which the Controller is established. Legal proceedings relating to the protection of personal data are exempt from court fees.

IV. 12. Compensation and grievance award

Where the data subject has suffered pecuniary or non-pecuniary damage as a result of a breach of the Regulation, he or she shall be entitled to compensation from the Controller or processor for the damage suffered. The Controller shall be liable for any damage caused by its processing in breach of the Regulation. The Controller shall be exempt from liability for damages if it proves that it bears no responsibility whatsoever for the event causing the damage. If several controllers or several processors or both the controller and the processor are involved in the same data processing, they shall be jointly and severally liable for any damage caused.

---

V. PROCEDURAL RULES RELATING TO THE EXERCISE OF RIGHTS

The Controller shall facilitate the exercise of the rights of data subjects. The Controller shall, after identifying the data subject, inform the data subject of the measures taken in the exercise of his or her rights without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months, taking into account the complexity and number of the requests. Where the Controller exercises the right to extend the time limit, it shall inform the data subject thereof within one month of receipt of the request. If the data subject submitted the request electronically, the information shall be provided electronically if possible, except if the data subject requests otherwise.

If the Controller does not take action on the request of the data subject, the Controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

The Controller shall provide the requested information and information on the rights of the data subject, as well as the measures to be taken in the event of the exercise of the rights of the data subject, free of charge. If the data subject's request is clearly unfounded or excessive, the Controller may charge a fee of HUF 3,500, taking into account the administrative costs of taking the requested action, or refuse to comply with the request.

The rights set out in this Notice may be exercised through any contact details of the Controller. The Controller reserves the right to request the data subject submitting the request to provide proof of identity.

Dated: Budapest, June 1, 2025.

CONTACT US

1052 Budapest, Jane Haining Quay, Dock 11.

+ 36/20-332-5364

Customer support is available daily from 9:00 to 22:00.

Budapest, Jane Haining Quay, Dokk 11, 1052

TOP