DATA MANAGEMENT DECLARATION

The purpose of this Data Management Declaration is to define the principles and rules for the processing of personal data and other data provided by users of the website during its use and managed by the operators of the website (Rutz Ferenc e.v. and Laczkó Gábor e.v.).

This data management regulation applies to data voluntarily provided by visitors on the https://www.hajlitottfa.hu website, data provided on the contact form, and data related to newsletter dispatch. Personal data is processed in accordance with the following principles:

i) Personal data can be processed exclusively for a specified purpose, in the interest of exercising rights and fulfilling obligations. The data processing must be fair and lawful throughout all stages, and it must comply with the purpose of data processing.

ii) Only such personal data may be processed that is essential for achieving the purpose of data processing and suitable for that purpose. Personal data can be processed only to the extent and for the time necessary for achieving this purpose.

iii) Personal data retains its status as such during the data processing for as long as its connection to the data subject can be restored. The connection with the data subject can be restored if the data controllers have the technical conditions required for restoration.

iv) During data processing, the accuracy, completeness of the data must be ensured, and – if necessary considering the purpose of data processing – its up-to-dateness, and also that the data subject can only be identified for as long as is necessary for the purpose of the data processing.

---

I. GENERAL PROVISIONS

Name of the data controllers: Rutz Ferenc and Laczkó Gábor individual entrepreneurs (hereinafter referred to as: Data Controllers)

Address of the data controllers: 2230 Gyömrő, Mendei út 109.

Contact details of the data controllers:

Email: hajlitotfa@gmail.com

Tel: +36 30 408 6645 and +36 30 591 5335

Website: https://www.hajlitottfa.hu

Legal basis for data processing: based on paragraph a) of subsection (1) of Section 5 of Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information, the consent of the data subject. Scope of data subjects: Those who fill out the contact form. Consent to data processing: During registration, Users expressly consent to their personal data being processed by the Data Controllers in the manner described in this notice. Purpose of data processing: sending out information via email, making contact, and sending newsletters (with consent). Method of data processing: automated data processing.

2. THE SCOPE OF PERSONAL DATA PROCESSED: During the voluntary data provision by the user, the following data can be provided (on a voluntary basis, but essential for using the service) on the https://www.hajlitottfa.hu website’s contact form:

• User’s name “Name” – the one sending the message – purpose: making contact, identification.
• Email address “Email” – purpose: making contact, sending information, sending newsletters.
• Phone number “Telephone number” – not mandatory to fill out for the service – purpose: making contact via phone.

3. DURATION OF DATA PROCESSING:

The provided data is processed by the Data Controllers indefinitely or until the consent of the data subject is withdrawn.

4. RIGHTS OF THE DATA SUBJECT: The data subject may request from the Data Controllers: a) information about the processing of their personal data, b) correction of their personal data, and c) deletion or blocking of their personal data, except for mandatory data processing. Upon the request of the data subject, the Data Controllers provide information about the data processed by them, or by a data processor appointed by them, the source of such data, the purpose, legal basis, and duration of data processing, the name and address of the data processor, activities related to data processing, circumstances of any data breaches, their impacts, measures taken to address them, and – in case of data transfer – the legal basis and recipients of such transfer.

The Data Controllers, if they have an internal data protection officer, through this officer, maintain a record to monitor measures related to data breaches and to inform the data subject. This record includes details about the processed personal data, those affected by the data breach, date and circumstances of the breach, impacts, measures taken to address it, and other data specified by the relevant law. The Data Controllers must provide the requested information in an understandable form, in writing, within a maximum of 25 days from the submission of the request. The information is free of charge if the requester has not submitted a similar request to the Data Controller in the current year. Otherwise, the Data Controller may charge a fee.

The Data Controllers shall delete personal data if: i) its processing is illegal; ii) it is requested by the data subject; iii) it is incomplete or incorrect, and this cannot be legally rectified, unless the deletion is prohibited by law; iv) the purpose of the processing has ceased, or the legal storage period has expired; v) it is ordered by a court or Authority.

The data subject, and anyone to whom the data has been previously transferred for processing, must be informed about corrections, blocking, marking, and deletions. The notification can be omitted if it doesn’t infringe upon the legitimate interests of the data subject.

If the Data Controllers do not fulfill a request for correction, blocking, or deletion, they must, within 30 days of receiving the request, provide written or electronic reasons for the denial, provided the data subject has given consent. If the request for correction, deletion, or blocking is rejected, the Data Controllers must inform the data subject about their right to legal recourse and the possibility to turn to the Authority.

6. OBJECTION TO THE PROCESSING OF PERSONAL DATA: The data subject can object to the processing of their personal data if: a) the processing or transfer of personal data is necessary only to meet a legal obligation relating to the Data Controller or to enforce the legitimate interests of the Data Controller, data recipient, or a third party, except in the case of mandatory data processing; b) personal data is used or transferred for direct marketing, public opinion research, or scientific research; and c) in other cases defined by law.

The Data Controllers must examine the objection as soon as possible, but no later than 15 days from the submission, decide on its validity, and inform the applicant in writing.

If the Data Controllers find the objection valid, they must terminate the data processing, including further data collection and transfer, lock the data, and notify anyone to whom the affected personal data had been previously transferred, ensuring that the right to object is upheld.

If the data subject disagrees with the decision of the Data Controllers or if the Data Controllers miss the deadline, the data subject may go to court within 30 days of the decision or the expiry of the deadline.

In cases where a data subject objects to the processing of their personal data, seeks legal remedies, or when a third-party request for data transfer is not based on the consent of the data subject, the data can be released to the legal representatives appointed by the Data Controllers to evaluate the legality of the aforementioned.

7. JUDICIAL REMEDIES: We ask our users to contact us if they feel that their rights related to the protection of personal data have been violated so we can address the issue.

Furthermore, users are informed that in case of a violation of their rights, they can sue the Data Controller. The court will act on the case urgently. Jurisdiction lies with the court of law. The lawsuit can be initiated either at the registered seat of the Data Controller or at the domicile or residence of the data subject. Even those who otherwise lack litigation capacity can be a party in the lawsuit.

If the Data Controllers cause harm to someone by unlawfully processing their data or by violating data security requirements, they must compensate for the damages. If the Data Controllers violate the personality rights of the data subject by unlawfully processing their data or by violating data security requirements, the data subject can demand compensation. The Data Controllers are exempted from liability for damages and from the obligation to pay compensation if they can prove that the damage or the violation of the data subject’s personality rights was caused by an unavoidable cause outside the scope of data processing. No compensation for damage and no indemnity can be demanded to the extentthat the damage or violation of personality rights was caused by the intentional or seriously negligent behavior of the injured party.

8. ENFORCEMENT OF DATA PROTECTION RIGHTS: If anyone believes their rights were violated by the Data Controllers’ data processing actions, they can turn to the Authority for legal remedy.

The report must be made to the Authority in writing, which can be done in the form of a private document with full probative value, or electronically, in a way that the document’s authenticity and the applicant’s identity are unquestionable.

The Authority decides on the matter within 60 days. This period can be extended by 30 days if necessary. The Authority informs the applicant and the Data Controllers about the decision, which includes the legal remedy available against it.