Privacy notice and data protection information

This is a translated version of the original hungarian privacy notice and data protection information (you can find "Adatvédelmi szabályzat" here). We do our best to improve this text and correct the mistranslations, if any. As all webshops in EU we follow EU and national regulations aswell. If there is any doubt, or question, the hungarian version is the standard.

DATA MANAGEMENT INFORMATION

TABLE OF CONTENTS

INTRODUCTION

CHAPTER I - NAME OF THE DATA CONTROLLER

CHAPTER II - NAMES OF DATA PROCESSORS

1. Our company's IT service provider

2. Postal services, delivery, parcel dispatch

3. Our company's accounting service provider

CHAPTER III - ENSURING THE LEGALITY OF DATA PROCESSING

1. Data processing based on the consent of the data subject

2. Data processing based on legal obligations

3. Facilitating the rights of the data subject

CHAPTER IV - VISITOR DATA MANAGEMENT ON OUR COMPANY'S WEBSITE - INFORMATION ABOUT THE USE OF COOKIES (COOKIE)

1. Informing visitors to the website about cookies

2. General information about cookies

3. Information about cookies used on our company's website, and data generated during the visit

4. Registration on our company's website

CHAPTER V - INFORMATION ON THE RIGHTS OF THE DATA SUBJECT

CHAPTER VI - SUBMISSION OF THE DATA SUBJECT'S REQUEST, ACTIONS OF THE DATA CONTROLLER

CHAPTER VII – OTHER INFORMATION

INTRODUCTION

The REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) requires that the Data Controller takes appropriate measures to provide any information relating to processing to the data subject in a concise, transparent, intelligible, and easily accessible form, using clear and plain language, and that the Data Controller facilitates the exercise of the data subject's rights.

The obligation of the data controller to inform the data subject in advance is also prescribed by the Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information. The following information fulfills our legal obligation in this regard.

This information must be published on our company's website or sent to the data subject upon request.

CHAPTER I - NAME OF THE DATA CONTROLLER

The issuer of this information, and the Data Controller:

Company Name: Hodács Composites Egyéni Cég (abbreviated name: Hodács ec)

Registered Office / Site: 8175 Balatonfűzfő, Road leading to Papkeszi, HRSZ 1500/61

Company Registration Number: 19-11-500357

Tax Number: HU24178198

Phone Number: 06-88-450-683

Email Address: info@optimistwebshop.com

Website: www.optimistwebshop.com (hereinafter: our company)

CHAPTER II - NAMES OF DATA PROCESSORS

Data Processor: a natural or legal person, public authority, agency, or another body which processes personal data on behalf of the controller; (Regulation Article 4(8))

The prior consent of the data subject is not required for the use of a data processor, but their information is necessary. Accordingly, we provide the following information:

1. Our company's IT service provider

Our company employs a data processor for the maintenance and management of its website, who provides IT services (hosting services) and, within this framework – for the duration of our contract with them - manages the personal data provided on the website, their operation involves storing personal data on the server.

The name of this data processor is as follows:

Company Name: Takó Kornél

Registered Office: 8225 Szentkirályszabadja, Erkel Ferenc Street 7.

Company Registration Number:

Tax Number: Phone Number:

Email Address: takokornel@gmail.com

Website:

2. Postal services, delivery, parcel dispatch

This data processor receives from our company the personal data necessary for the delivery of the ordered product (data subject's name, address, phone number, value of the package) and uses it to deliver the product. The name of this data processor is as follows:

Company Name: Magyar Posta Zrt.

Registered Office: Budapest, Dunavirág Street 2-6.

Company Registration Number: 01-10-042463

Tax Number: 10901232-2-44

Phone Number: 06-1-767-8200

Email Address: ugyfelszolgalat@posta.hu

Website: www.posta.hu

3. Our company's accounting service provider

Our company engages an external service provider under an accounting service contract to fulfill its tax and accounting obligations, who manages the personal data of natural persons in contract or payment relationship with our company, for the purpose of fulfilling the tax and accounting obligations incumbent on our company.

The name of this data processor is as follows:

Company Name: “P-H-L” Financial, Commercial and Service Partnership

Registered Office: 8200 Veszprém, Bartók Béla Street 14.

Company Registration Number: 19-06-501724

Tax Number: 27244351-2-19

Phone Number:

Email Address: sphungaria.kft8@upcmail.hu

Website: -

CHAPTER III - ENSURING THE LEGALITY OF DATA PROCESSING

1. Data processing based on the consent of the data subject

1.1. If our company intends to perform data processing based on consent, it requests the consent of the data subject for the processing of their personal data according to the content and information specified in the data processing policy.

1.2. Consent is also considered to be given if the data subject ticks a relevant box while visiting our company's website, makes related technical settings during the use of services related to the information society, or any other statement or action which in the given context clearly indicates the data subject's consent to the planned processing of their personal data. Silence, pre-ticked boxes, or inaction therefore do not constitute consent.

1.3. Consent extends to all processing activities carried out for the same purpose or purposes. If the processing serves multiple purposes, consent must be given for all of them.

1.4. If the data subject's consent is given within a written statement which also concerns other matters – e.g., conclusion of a sales or service contract - the request for consent must be presented in a manner clearly distinguishable from those other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a statement which constitutes a breach of the Regulation shall not be binding.

1.5. Our company cannot condition the conclusion or performance of a contract on the provision of consent to process personal data that is not necessary for the performance of the contract.

1.6. It must be as easy to withdraw consent as to give it.

1.7. If personal data were collected based on the consent of the data subject, in the absence of a provision to the contrary by law, the data controller may continue to process the data for the purpose of fulfilling a legal obligation without further consent, and even after the withdrawal of consent by the data subject.

2. Data processing based on legal obligations

2.1. In the case of data processing based on legal obligations, the scope of data that can be processed, the purpose of data processing, the duration of data storage, and the recipients are governed by the provisions of the underlying legislation.

2.2. Data processing based on the fulfillment of legal obligations is independent of the consent of the data subject, as the data processing is determined by law. In this case, it must be communicated to the data subject before the start of data processing that the data processing is mandatory, and the data subject must be clearly and comprehensively informed about all facts related to the processing of their data, especially about the purpose and legal basis of data processing, the person authorized for data processing and data processing, the duration of data processing, if the data controller processes the personal data of the data subject based on a legal obligation, and who may have access to the data. The information must also cover the rights related to data processing and the possibilities of legal remedy of the data subject. In the case of mandatory data processing, the information can also be provided by making public references to the legal provisions containing the above information.

3. Facilitating the rights of the data subject

Our company is obliged to ensure the exercise of the rights of the data subject in all its data processing activities.

CHAPTER IV - VISITOR DATA MANAGEMENT ON OUR COMPANY'S WEBSITE - INFORMATION ABOUT THE USE OF COOKIES (COOKIE)

1. Visitors to the website must be informed about the use of cookies, and their consent must be obtained for this – except for technically essential session cookies.

2. General information about cookies

2.1. A cookie is data sent by the visited website to the visitor's browser (in the form of variable name-value) for storage and later loaded by the same website. Cookies can have a validity period, valid until the browser is closed, but can also be unlimited. In subsequent HTTP(S) requests, these data are also sent by the browser to the server, thereby modifying data on the user's machine.

2.2. The essence of a cookie is that, due to the nature of website services, it is necessary to identify a user (e.g., that they have logged into the site) and accordingly manage them in subsequent actions. The risk lies in the fact that the user may not always be aware of this and it may be suitable for the website operator or another service provider, whose content is integrated into the site (e.g., Facebook, Google Analytics), to follow the user, thereby creating a profile about them, in which case the content of the cookie can be considered personal data.

2.3. Types of cookies:

2.3.1. Technically essential session cookies: without which the site simply would not function functionally, these are necessary for user identification, e.g., to manage whether they have logged in, what they have put in the cart, etc. This typically involves storing a session ID, with other data stored on the server, making it more secure. There is a security aspect if the session cookie value is not properly generated, as there is a risk of session hijacking attacks, so it is essential that these values are properly generated. Other terminologies call any cookie that is deleted upon exiting the browser a session cookie (a session is a browser usage from start to exit).

2.3.2. User experience enhancing cookies: these are cookies that remember the user's choices, for example, how the user wants to see the site. Essentially, these types of cookies mean the setting data stored in the cookie.

2.3.3. Performance cookies: although they do not have much to do with "performance," these cookies are generally called those that collect information about the user's behavior within the visited website, time spent, clicks. These are typically third-party applications (e.g., Google Analytics, AdWords, or Yandex.ru cookies). These are suitable for creating profiles about the visitor. Information about Google Analytics cookies can be found here: https://developers.google.com/analytics/devguides/collection/analyticsjs/cookie-usage Information about Google AdWords cookies can be found here: https://support.google.com/adwords/answer/2407785?hl=en

2.4. Accepting or allowing the use of cookies is not mandatory. You can reset your browser settings to reject all cookies or to indicate when a cookie is being sent. Most browsers automatically accept cookies by default, but these can usually be changed to prevent automatic acceptance and offer the choice each time. You can find out about the cookie settings of the most popular browsers at the following links:

• Google Chrome: https://support.google.com/accounts/answer/61416?hl=en

• Firefox: https://support.mozilla.org/en-US/kb/enable-and-disable-cookies-website-preferences

• Microsoft Internet Explorer 11: http://windows.microsoft.com/en-us/internet-explorer/delete-manage-cookies#ie=ie-11

• Microsoft Edge: http://windows.microsoft.com/en-us/windows-10/edge-privacy-faq

• Safari: https://support.apple.com/en-us/HT201265

However, it is important to note that some website features or services may not function properly without cookies.

személyes adatok tárolásának időtartama: a regisztráció / szolgáltatás fennállásáig, vagy az érintett hozzájárulásának visszavonásáig (törlési kérelméig).

3. Information about cookies used on our company's website and data generated during the visit

3.1. Data processed during the visit: Our company's website may record and process the following data about the visitor and the device used for browsing during the use of the website:

• The visitor's IP address,

• Browser type,

• Characteristics of the operating system of the device used for browsing (set language),

• Time of visit,

• Visited page(s), function or service,

• Searched expressions, words, products,

• Clicks.

These data are kept until the withdrawal of consent for the aforementioned data processing purposes by the visitor, but for no more than 5 years from the visitor's last search activity. Thereafter, the personal data of the subjects are deleted by the data controllers.

3.2. Cookies used on the website

3.2.1. Technically essential session cookies Purpose of data processing: Ensuring the proper functioning of the website. These cookies are necessary for visitors to browse the website, use its functions smoothly and fully, and access services available through the website, including, among others, remembering operations performed by the visitor on the pages or identifying the logged-in user during a visit. The duration of this cookie processing is limited to the current visit of the visitor, and this type of cookies is automatically deleted from the computer at the end of the session or when the browser is closed.

The legal basis for this data processing is Section 13/A (3) of Act CVIII of 2001 on certain issues of electronic commerce services and information society services, which allows the service provider to process personal data that are technically essential for the provision of the service. The service provider must select and operate the tools used in providing information society services in such a way that personal data is processed only if it is absolutely necessary for the provision of the service and for fulfilling other purposes specified in this law, but even in this case, only to the necessary extent and duration.

3.2.2. User experience enhancing cookies: These remember the user's choices, such as how the user wants to see the site. Essentially, these types of cookies mean the setting data stored in the cookie. The legal basis for data processing is the visitor's consent. Purpose of data processing: Increasing the efficiency of the service, enhancing user experience, making the use of the website more convenient. This data is more on the user's machine, the website only accesses and can recognize the visitor through it.

3.2.3. Performance cookies: Collect information about the user's behavior within the visited website, time spent, clicks. These are typically third-party applications (e.g., Google Analytics, AdWords, Shopware). The legal basis for data processing: the consent of the subject. Purpose of data processing: analyzing the website, sending advertising offers.

4. Registration on our company's website

4.1. On the website, the registering natural person can give their consent to the processing of their personal data by ticking the relevant box. Pre-ticking the box is prohibited.

4.2. Scope of personal data that can be processed: the natural person's name (surname, first name), address, phone number, email address, online identifier, in case of purchase the amount of purchase, payment and delivery method.

4.3. Purpose of personal data processing:

• Fulfillment of services provided on the website.

• Contact via electronic, telephone, SMS, and postal inquiries.

• Information about our company's products, services, contractual conditions, promotions.

• Analysis of website usage.

4.4. The legal basis for data processing is the consent of the subject.

4.5. Recipients or categories of recipients of personal data: employees of our company involved in customer service, marketing activities, and as data processors, employees of our company's IT service provider performing hosting services.

4.6. Duration of personal data storage: until the registration/service exists, or until the withdrawal of consent (request for deletion) by the subject.

CHAPTER V - INFORMATION ON THE RIGHTS OF THE DATA SUBJECT

I. Summary of the data subject's rights:

1. Transparent information, communication, and facilitation of the exercise of the data subject's rights

2. Right to be informed in advance – if personal data are collected from the data subject

3. Information to be provided to the data subject and the information to be made available if personal data have not been obtained from the data subject

4. Right of access by the data subject

5. Right to rectification

6. Right to erasure (‘right to be forgotten’)

7. Right to restriction of processing

8. Obligation to notify regarding rectification or erasure of personal data or restriction of processing

9. Right to data portability

10. Right to object

11. Automated individual decision-making, including profiling

12. Restrictions

13. Information to the data subject in case of a data breach

14. Right to lodge a complaint with a supervisory authority (right to an effective judicial remedy against a supervisory authority)

15. Right to an effective judicial remedy against a data controller or processor

II. Detailed description of the data subject's rights:

1. Transparent information, communication, and facilitation of the exercise of the data subject's rights

1.1. The data controller must provide all information and every communication relating to processing to the data subject in a concise, transparent, intelligible, and easily accessible form, using clear and plain language, especially for any information addressed to children. The information must be provided in writing or by other means, including, where appropriate, by electronic means. Upon request, information may also be provided orally, provided the identity of the data subject has been proven by other means.

1.2. The data controller must facilitate the exercise of the data subject's rights.

1.3. The data controller must inform the data subject without undue delay and in any event within one month of receipt of the request about actions taken regarding their request. This period may be extended by two more months where necessary, under the conditions written in the Regulation, about which the data subject must be informed.

1.4. If the data controller does not take action on the request of the data subject, it must inform the data subject without undue delay and at the latest within one month of receipt of the request about the reasons for not taking action and that the data subject may lodge a complaint with a supervisory authority and seek a judicial remedy.

1.5. The data controller must provide information and communication regarding the rights of the data subject free of charge, but a fee may be charged in cases specified in the Regulation.

The detailed rules can be found under Article 12 of the Regulation.

2. Right to be informed in advance – if personal data are collected from the data subject

2.1. The data subject has the right to be informed about the facts and information related to data processing before the start of processing. This includes informing the data subject about: a) the identity and contact details of the data controller and its representative, b) contact details of the data protection officer (if applicable), c) the purposes of processing for which the personal data are intended as well as the legal basis for the processing, d) in case of processing based on legitimate interests, about the legitimate interests pursued by the data controller or a third party, e) the recipients or categories of recipients of the personal data, if any, f) where applicable, that the controller intends to transfer personal data to a third country or international organization.

2.2. To ensure fair and transparent processing, the data controller must provide the data subject with the following additional information: a) the period for which the personal data will be stored, or if not possible, the criteria used to determine that period, b) the data subject's rights to request access to, rectification or erasure of personal data, or restriction of processing, and to object to such processing, as well as the right to data portability, c) where processing is based on consent, the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal, d) the right to lodge a complaint with a supervisory authority, e) whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and the possible consequences of failure to provide such data, f) the existence of automated decision-making, including profiling, and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

2.3. If the data controller intends to further process the personal data for a purpose other than that for which the personal data were collected, it must provide the data subject prior to that further processing with information on that other purpose and all relevant further information.

The detailed rules for the right to be informed in advance are contained in Article 13 of the Regulation.

3. Information to be provided where personal data have not been obtained from the data subject

3.1. If the data controller has not obtained the personal data from the data subject, it must provide the data subject with information on the facts and information mentioned in point 2 above, as well as the categories of personal data concerned, and the source of the personal data, and if applicable, whether the data came from publicly accessible sources, within a reasonable period after obtaining the personal data, but at the latest within one month, if the personal data are used to communicate with the data subject, at least at the time of the first communication to the data subject; or if a disclosure to another recipient is envisaged, at the latest when the personal data are first disclosed.

3.2. The additional rules are as stated in point 2 above (Right to be informed in advance).

The detailed rules of this information are contained in Article 14 of the Regulation.

4. Right of access by the data subject 4.1. The data subject has the right to obtain from the data controller confirmation as to whether or not personal data concerning them are being processed, and, where that is the case, access to the personal data and the information specified in points 2-3 above (Article 15 of the Regulation).

4.2. If personal data are transferred to a third country or an international organization, the data subject has the right to be informed of the appropriate safeguards pursuant to Article 46 of the Regulation regarding the transfer.

4.3. The data controller must provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the data controller may charge a reasonable fee based on administrative costs.

The detailed rules regarding the right of access by the data subject are contained in Article 15 of the Regulation.

5. Right to rectification

5.1. The data subject has the right to have the data controller rectify inaccurate personal data concerning them without undue delay.

5.2. Taking into account the purposes of the processing, the data subject has the right to have incomplete personal data completed, including by means of providing a supplementary statement.

These rules are contained in Article 16 of the Regulation.

6. Right to erasure (‘right to be forgotten’)

6.1. The data subject has the right to have the data controller erase personal data concerning them without undue delay, and the data controller has the obligation to erase personal data without undue delay where one of the following grounds applies: a) The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; b) The data subject withdraws consent on which the processing is based, and where there is no other legal ground for the processing; c) The data subject objects to the processing and there are no overriding legitimate grounds for the processing; d) The personal data have been unlawfully processed; e) The personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the data controller is subject; f) The personal data have been collected in relation to the offer of information society services directly to a child.

6.2. The right to erasure does not apply where processing is necessary for: a) Exercising the right of freedom of expression and information; b) Compliance with a legal obligation which requires processing by Union or Member State law to which the data controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; c) Reasons of public interest in the area of public health; d) Archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in so far as the right to erasure is likely to render impossible or seriously impair the achievement of the objectives of that processing; or e) The establishment, exercise or defense of legal claims.

The detailed rules regarding the right to erasure are contained in Article 17 of the Regulation.

7. Right to restriction of processing

7.1. Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with the data subject's consent or for the establishment, exercise, or defense of legal claims, or for the protection of the rights of another natural or legal person, or for reasons of important public interest of the Union or of a Member State.

7.2. The data subject has the right to obtain from the data controller restriction of processing where one of the following applies: a) The accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data; b) The processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead; c) The controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise, or defense of legal claims; d) The data subject has objected to processing pending the verification whether the legitimate grounds of the controller override those of the data subject.

7.3. The data subject must be informed before the restriction of processing is lifted.

The rules regarding the right to restriction of processing are contained in Article 18 of the Regulation.

8. Obligation to notify regarding rectification or erasure of personal data or restriction of processing The data controller must communicate any rectification or erasure of personal data or restriction of processing to each recipient to whom the personal data have been disclosed unless this proves impossible or involves disproportionate effort. The data subject has the right to be informed about those recipients if they request it. These rules are found under Article 19 of the Regulation.

9. Right to data portability

9.1. Under the conditions set out in the Regulation, the data subject has the right to receive the personal data concerning them, which they have provided to a data controller, in a structured, commonly used and machine-readable format, and have the right to transmit those data to another data controller without hindrance from the controller to which the personal data have been provided, where: a) The processing is based on consent or on a contract; and b) The processing is carried out by automated means.

9.2. The data subject has the right to have the personal data transmitted directly from one controller to another, where technically feasible.

9.3. The exercise of the right to data portability shall not adversely affect the rights and freedoms of others.

The detailed rules regarding the right to data portability are contained in Article 20 of the Regulation.

10. Right to object

10.1. The data subject has the right to object, on grounds relating to their particular situation, at any time to processing of personal data concerning them which is based on public interest or the exercise of official authority vested in the controller (Article 6(1)(e)), or on legitimate interests (Article 6(1)(f)), including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the data subject or for the establishment, exercise, or defense of legal claims.

10.2. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning them for such marketing, which includes profiling to the extent that it is related to such direct marketing. If the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.

10.3. The right to object must be explicitly brought to the attention of the data subject no later than the time of the first communication with them, and shall be presented clearly and separately from any other information.

10.4. The data subject may exercise the right to object by automated means using technical specifications.

10.5. If personal data are processed for scientific and historical research purposes or statistical purposes, the data subject has the right to object, on grounds relating to their particular situation, to processing of personal data concerning them, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

The relevant rules are contained in Article 21 of the Regulation.

11. Automated individual decision-making, including profiling

11.1. The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them.

11.2. This right shall not apply if the decision: a) is necessary for entering into, or performance of, a contract between the data subject and a data controller; b) is authorized by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests; or c) is based on the data subject's explicit consent.

11.3. In the cases referred to in points (a) and (c), the data controller shall implement suitable measures to safeguard the data subject's rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express their point of view and to contest the decision.

Further rules are contained in Article 22 of the Regulation.

12. Restrictions

Union or Member State law may restrict by legislative measures the scope of the rights and obligations (Articles 12 to 22 and 34 and Article 5 insofar as its provisions correspond to the rights and obligations) if such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society.

The conditions for such restrictions are contained in Article 23 of the Regulation.

13. Information to the data subject in case of a data breach

13.1. When a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the data controller shall communicate the personal data breach to the data subject without undue delay. This communication shall describe in clear and plain language the nature of the personal data breach and at least: a) the name and contact details of the data protection officer or other contact point where more information can be obtained; c) describe the likely consequences of the personal data breach; d) describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

13.2. The data subject shall not be required to be informed if any of the following conditions are met: a) the controller has implemented appropriate technical and organizational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorized to access it, such as encryption; b) the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialize; c) communication would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.

Further rules are contained in Article 34 of the Regulation.

14. Right to lodge a complaint with a supervisory authority

The data subject has the right to lodge a complaint with a supervisory authority, particularly in the Member State of their habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to them infringes the Regulation. The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint, including the possibility of a judicial remedy.

These rules are contained in Article 77 of the Regulation.

15. Right to an effective judicial remedy against a supervisory authority

15.1. Without prejudice to any other administrative or non-judicial remedy, every natural or legal person has the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning them.

15.2. Without prejudice to any other administrative or non-judicial remedy, every data subject has the right to an effective judicial remedy if the competent supervisory authority does not handle a complaint or does not inform the data subject within three months on the progress or outcome of the complaint lodged.

15.3. Proceedings against a supervisory authority shall be brought before the courts of the Member State where the supervisory authority is established.

15.4. If a supervisory authority's decision against which an action has been brought was preceded by an opinion or decision of the Board in the consistency mechanism, the supervisory authority must forward that opinion or decision to the court.

These rules are contained in Article 78 of the Regulation.

16. Right to an effective judicial remedy against a data controller or processor

16.1. Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority, every data subject shall have the right to an effective judicial remedy if they consider that their rights under this Regulation have been infringed as a result of the processing of their personal data in non-compliance with this Regulation.

16.2. Proceedings against a data controller or processor shall be brought before the courts of the Member State where the data controller or processor has an establishment. Alternatively, such proceedings may be brought before the courts of the Member State where the data subject has their habitual residence, unless the data controller or processor is a public authority of a Member State acting in the exercise of its public powers.

These rules are contained in Article 79 of the Regulation.

CHAPTER VI - SUBMISSION OF THE DATA SUBJECT'S REQUEST, ACTIONS OF THE DATA CONTROLLER

1. The Data Controller shall inform the data subject without undue delay and in any event within one month of receipt of the request about the actions taken regarding their request.

2. If necessary, taking into account the complexity and number of the requests, this period may be extended by two further months. The Data Controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay.

3. If the data subject has made the request by electronic form means, the information shall, where possible, be provided by electronic means unless otherwise requested by the data subject.

4. If the Data Controller does not take action on the data subject's request, it shall inform the data subject without undue delay and at the latest within one month of receipt of the request of the reasons for not taking action and that the data subject may lodge a complaint with a supervisory authority and seek a judicial remedy.

5. The Data Controller shall provide the information on action taken on a request under Articles 13 and 14 and the rights of the data subject under Articles 15 to 22 and 34 free of charge. If the data subject's request is manifestly unfounded or excessive, particularly because of its repetitive character, the Data Controller may either: a) charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or b) refuse to act on the request.

The burden of proving the manifestly unfounded or excessive character of the request lies with the Data Controller. If the Data Controller has reasonable doubts concerning the identity of the natural person making the request, it may request the provision of additional information necessary to confirm the identity of the data subject.

CHAPTER VII – ADDITIONAL INFORMATION

Clicking on links on the website that navigate to other (non-company-operated) pages will take the visitor away from the website to the linked pages, and from that point on, data processing occurs there. This process can be monitored in the browser's menu bar. The company does not assume responsibility for the handling of personal data provided on other pages, or for technical data generated or collected by the operators of other pages in their computer systems.

Dated: Balatonfűzfő, 2018-06-13