Data management information
WEBSITE DATA MANAGEMENT INFORMATION
Tom Apartmans (Balaton Tamás Gábor EV), hereinafter referred to as the “Enterprise”, by publishing this Privacy Policy, complies with its obligation to inform data subjects in advance about the processing of personal data, as required by Regulation (EU) 2016/679 of the European Parliament and of the Council. All information required by the relevant Articles of the Regulation should be made available to data subjects in a concise, transparent, comprehensible and easily accessible form.
NAME OF DATA MANAGER
The Company informs the data subject that it is a data controller for the management of your personal data.
Tom Apartmans (BALATON TAMÁS E.V.):
Siofok 8600 Aradi Vértanuk út 35.
Tax number: 79166434-1-34
PHONE: 3630 331 4559
REPRESENTATIVE NAME: Gábor Tamás Balaton
E-MAIL: tomapartmans@gmail.com
WEBSITE: www.tomapartmans.eu
Personal information may be disclosed by the Company to its employees having access rights related to the relevant data management purpose, or to persons or organizations performing data processing activities for the Company on the basis of service contracts, to the extent necessary for the performance of their activities.
NAME OF THE DATA PROCESSOR(S)
(1) The Enterprise shall not use an external data processor entrusted with personal data managed on the basis of its voluntary contribution for the purpose of operating and maintaining its website.
III. DEFINITIONS
“Personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, number, location data or online identifier, or to one or more factors relating to the physical, physiological, genetic, intellectual, economic, cultural or social identity of that natural person;
“Data management” means any operation or set of operations performed on personal data or files, whether automated or not, such as collection, recording, systematization, subdivision, storage, transformation or alteration, query, insight, use, communication, dissemination or otherwise making available, coordination or interconnection, restriction, deletion or destruction;
“Limitation of data management” means the marking of stored personal data in order to limit their future treatment;
“Profiling” means any form of automated processing of personal data in which personal data are used to evaluate certain personal characteristics associated with a natural person, in particular to analyze or predict characteristics related to performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movement;
“Pseudonymization” means the handling of personal data in such a way that it is no longer possible to determine, without the use of further information, which specific natural person the personal data relate to, provided that such additional information is stored separately and is subject to technical and organizational measures ensuring that the personal data cannot be linked to identified or identifiable natural persons;
‘Record-keeping system’ means a set of personal data structured in any way – centralized, decentralized or dispersed on a functional or geographical basis – which is accessible based on specified criteria;
‘Data controller’ means any natural or legal person, public authority, agency or any other body which determines the purposes and means of the processing of personal data, either alone or in association with others; if the purposes and means of data processing are defined by EU or Member State law, the controller or the specific criteria for the appointment of the controller may be determined by Union or national law;
‘Data processor’ means any natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller;
‘Recipient’ means any natural or legal person, public authority, agency or any other body to which personal data are communicated, whether or not it is a third party. Public authorities that may have access to personal data in the context of a specific investigation in accordance with EU or Member State law shall not be considered recipients; the management of such data by these public authorities must comply with the applicable data protection rules in accordance with the purposes of the data processing;
“Third party” means any natural or legal person, public authority, agency or any other body which is not identical with the data subject, the controller, the data processor or the persons empowered to process personal data under the direct control of the controller or processor;
“Consent of the data subject” means a declaration of the will of the data subject on a voluntary, concrete and appropriate basis, by which he or she expresses his / her consent to the processing of personal data concerning him or her by means of an act which expressly confirms the declaration;
“Data protection incident” means a security breach that results in accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or unauthorized access to personal data transmitted, stored or otherwise processed;
“Undertaking” means any natural or legal person pursuing an economic activity, regardless of its legal form, including partnerships and associations carrying out regular economic activities.
LEGAL BASIS FOR DATA MANAGEMENT
The consent of the data subject
1. The lawfulness of the processing of personal data must be based on the consent of the data subject or on another legitimate basis established by law.
(2) In the case of data processing under the consent of the data subject, the data subject may give his / her consent to the processing of his / her personal data in the following form:
(a) in a written declaration giving consent for the processing of personal data;
or clearly indicated for the intended treatment.
(3) Silence, pre-ticked boxes or inactivity shall therefore not constitute consent.
4. The consent shall cover all data processing activities carried out for the same purpose or purposes.
(5) If the data management serves several purposes simultaneously, the consent shall be given for all data management purposes. If the data subject’s consent is given after an electronic request, the request should be clear and concise and should not unnecessarily hinder the use of the service for which the consent is sought.
6. The data subject shall be entitled to withdraw his consent at any time. Withdrawal of consent does not affect the legality of the pre-withdrawal data management based on consent. Before giving consent, the person concerned must be informed accordingly. The withdrawal of consent shall be allowed in the same simple manner as its granting.
Contract performance
Data processing is considered to be lawful if it is necessary for the performance of a contract to which the data subject is a party, or in order to take action at the request of the data subject prior to the conclusion of the contract.
The data subject's consent to the processing of personal data not necessary for the performance of the contract shall not be a condition for the conclusion of the contract.
Compliance with the legal obligation of the controller or the protection of the vital interests of the data subject or other natural person
The legal basis for data management is determined by law when the legal obligation is fulfilled, so the consent of the data subject to the processing of personal data is not necessary.
The data controller is obliged to inform the data subject about the purpose, legal basis and duration of the data management, about the identity of the data controller, and about the rights and remedies.
Even after the withdrawal of the data subject's consent, the Data Controller is entitled to handle the set of data necessary for the fulfillment of a legal obligation to which the Data Controller is subject.
Execution of a task carried out in the public interest or in the exercise of a public authority delegated to the controller, to enforce the legitimate interests of the controller or a third party.
The legitimate interests of a controller, including a controller to which the personal data may be disclosed, or of a third party may provide a legal basis for data processing, provided that the interests, fundamental rights and freedoms of the data subject do not take precedence, taking into account the reasonable expectations of the data subject. Such a legitimate interest may exist, for example, where there is a relevant and appropriate relationship between the data subject and the controller, for example in cases where the data subject is a customer of the controller or is employed by it.
In order to establish the existence of a legitimate interest, it is necessary to examine carefully, inter alia, whether the data subject can reasonably expect, at the time and in the context of the collection of personal data, that the data may be handled for that purpose.
The interests and fundamental rights of the data subject may take precedence over the interests of the data controller if personal data are handled in circumstances in which the data subjects do not expect further processing.
RIGHTS RELATING TO THE HANDLING OF DATA OF THE PERSON CONCERNED
The following information about the rights of the person concerned is briefly provided by the Company:
The data subject has the right to:
receive information before the data management begins,
receive feedback from the controller on whether personal data are being processed and, if such data are being processed, have access to the personal data and to the related information,
request the correction or deletion of data from the data controller and be notified by the data controller about it,
request limitation of data management and be notified by the controller about it,
data portability,
object if personal data are processed for public interest purposes or by reference to the legitimate interest of the data controller,
be exempt from automated decision-making, including profiling,
complain to the supervisory authority. The right to complain may be exercised at the following contact points: National Authority for Data Protection and Freedom of Information, address: 1125 Budapest, Szilágyi Erzsébet fasor 22 / c., Phone: +36 (1) 391-1400; Fax: +36 (1) 391-1410, www: http://www.naih.hu, e-mail: ugyfelszolgalat@naih.hu
an effective judicial remedy against the supervisory authority,
an effective judicial remedy against the controller or the data processor,
be informed about a data protection incident.
Detailed information on affected rights
Right to information
1. The data subject shall have the right to be informed of information relating to data management prior to the commencement of activities for the processing of his data.
(2) Information to be provided when personal data are collected from the data subject:
the identity and contact details of the controller and, if any, of the controller's representative;
contact details of the DPO, if any;
the purpose of the intended management of personal data and the legal basis for data management;
in the case of data processing based on Article 6 (1) (f) of the Regulation, the legitimate interests of the controller or of a third party;
where applicable, the recipients of the personal data or categories of recipients, if any;
where applicable, the fact that the controller wishes to transfer personal data to a third country or an international organization, as well as the existence or absence of a Commission adequacy decision or, in the case of a transfer referred to in Article 46, Article 47 or the second subparagraph of Article 49 (1) of the Regulation, an indication of the appropriate and suitable guarantees and a reference to the means by which a copy of them may be obtained or to their availability.
3. In addition to the information referred to in paragraph 1, the controller shall inform the data subject at the time of the acquisition of personal data, in order to ensure fair and transparent data management, of the following additional information:
the duration of the storage of personal data or, if this is not possible, the criteria for determining that period;
the right of the data subject to apply to the controller for access to, rectification, erasure or restriction of personal data relating to him or her and to object to the processing of such personal data and his / her right to data portability;
in the case of data processing based on Article 6 (1) (a) or Article 9 (2) (a) of the Regulation, the right to withdraw the consent at any time, without prejudice to the lawfulness of the data processing carried out on the basis of the consent prior to the withdrawal;
the right to lodge a complaint with the supervisory authority;
whether the provision of personal data is based on a statutory or contractual obligation or a prerequisite for the conclusion of a contract, and whether the data subject is obliged to provide personal data, and what the possible consequences of failure to provide data may be;
the fact that automated decision-making, including profiling, as referred to in Article 22 (1) and (4) of the Regulation, takes place, as well as, at least in these cases, understandable information on the logic used, the significance of such data management and its expected consequences for the data subject.
4. Where personal data have not been obtained from the data subject, the controller shall make the following information available to the data subject:
the identity and contact details of the controller and, if any, of the controller's representative;
contact details of the DPO, if any;
the purpose of the intended management of personal data and the legal basis for data management;
the categories of personal data involved;
the recipients of the personal data and the categories of recipients, if any;
where applicable, the fact that the controller wishes to transfer personal data to a third country recipient or to an international organization, as well as the existence or absence of a Commission adequacy decision or, in the case of a transfer referred to in Article 46, Article 47 or the second subparagraph of Article 49 (1) of the Regulation, an indication of the appropriate and suitable guarantees, as well as a reference to the means of obtaining copies of them or to their availability.
2. In addition to the information referred to in paragraph 1, the controller shall provide the data subject with the following additional information necessary to ensure fair and transparent data management for the data subject:
the duration of the storage of personal data or, if this is not possible, the criteria for determining that period;
where the processing is based on Article 6 (1) (f) of the Regulation, on the legitimate interests of the controller or a third party;
the right of the data subject to apply to the controller for access to, rectification, erasure or restriction of personal data relating to him or her, and to object to the processing of personal data and his / her right to data portability;
in the case of data processing based on Article 6 (1) (a) or 9 (2) (a) of the Regulation, the right to withdraw the consent at any time, without prejudice to the lawfulness of the data processing carried out on the basis of the consent prior to the withdrawal;
the right to lodge a complaint with a supervisory authority;
the source of personal data and, where applicable, whether the data originate from publicly available sources; and
the fact that automated decision-making, including profiling, as referred to in Article 22 (1) and (4) of the Regulation, takes place, as well as, at least in these cases, understandable information on the logic used, the significance of such data management and its expected consequences for the data subject.
3. Where the controller wishes to further process personal data for a purpose other than that for which they were obtained, he shall inform the data subject of this different purpose and of any relevant additional information referred to in paragraph 2 before further processing.
4. Paragraphs 1 to 3 shall not apply where and to the extent that:
the data subject already has the information;
the provision of such information would be impossible or would involve a disproportionate effort, in particular for data management for archiving in the public interest, for scientific and historical research purposes or for statistical purposes, taking into account the conditions and guarantees in Article 89 (1), or where the obligation referred to in paragraph 1 of this Article would probably make it impossible or seriously jeopardize the achievement of the purposes of this data management. In such cases, the controller shall take appropriate measures, including public disclosure of the information, to protect the rights, freedoms and legitimate interests of the data subject;
the acquisition or communication of data is expressly provided for by Union or Member State law applicable to the controller which provides for appropriate measures to protect the data subject’s legitimate interests; or
personal data must be kept confidential by virtue of professional secrecy imposed by EU or Member State law, including statutory confidentiality obligations.
Right of access of the data subject
1. The data subject shall have the right to receive feedback from the controller on whether personal data are being processed and, if such processing is in progress, to have access to personal data and the following information:
the purposes of data management;
the categories of personal data involved;
the categories of recipients or recipients with whom or with whom the personal data were communicated, including in particular third-country recipients or international organizations;
where appropriate, the planned duration of the storage of personal data or, if this is not possible, the criteria for determining that period;
the right of the data subject to request from the controller the rectification, erasure or restriction of personal data relating to him or her and to object to the processing of such personal data;
the right to lodge a complaint with a supervisory authority;
if the data were not collected from the data subject, all available information about their source;
the fact that automated decision-making, including profiling, as referred to in Article 22 (1) and (4) of the Regulation, takes place, as well as, at least in these cases, understandable information on the logic used, the significance of such data management and its expected consequences for the data subject.
2. Where personal data are transferred to a third country or to an international organization, the data subject shall have the right to be informed of the appropriate guarantees concerning transfers under Article 46.
3. The controller shall make available to the data subject a copy of the personal data which are the subject of the data processing. The controller may charge a reasonable fee based on administrative costs for additional copies requested by the data subject. If the data subject has submitted the application by electronic means, the information shall be made available in a widely used electronic format, unless otherwise requested by the data subject.
Right of correction and deletion of the data subject
Right to rectification
1. The data subject shall have the right to have the controller rectify, at his request and without undue delay, inaccurate personal data relating to him. Taking into account the purpose of data management, the data subject is entitled to request the supplementation of incomplete personal data, including by means of a supplementary declaration.
Right to erasure (“right to be forgotten”)
1. The data subject shall have the right to have the controller delete, at his request and without undue delay, personal data relating to him, and the controller shall delete personal data relating to the data subject without undue delay if one of the following grounds exists:
personal data are no longer needed for the purpose for which they were collected or otherwise processed;
the data subject withdraws the consent given under Article 6 (1) (a) of the Regulation (consent to the processing of personal data) or Article 9 (2) (a) of the Regulation (explicit consent) and there is no other legal basis for the data processing;
the data subject, in accordance with Article 21 (1) of the Regulation (right of objection), objects to the processing of the data and there is no overriding legitimate reason for the processing of the data, or the data subject objects to the processing under Article 21 (2) of the Regulation (objection to data processing);
personal data has been unlawfully treated;
personal data must be deleted in order to fulfill a legal obligation under EU or Member State law applicable to the controller;
personal data were collected in connection with the provision of information society services referred to in Article 8 (1).
2. If the controller has disclosed personal data and has to delete it at the request of the data subject, he shall, taking into account the available technology and the costs of implementation, take reasonable steps, including technical measures, to inform the controllers managing the data that the data subject has requested them to delete the links to the relevant personal data or any copy or duplicate of such personal data.
3. Paragraphs 1 and 2 shall not apply where the processing is necessary:
to exercise the right to freedom of expression and information;
for the fulfillment of an obligation under EU or Member State law which governs the processing of personal data, or for the performance of a task carried out in the public interest or in the exercise of public authority conferred on the controller;
for reasons of public interest in the field of public health, in accordance with Article 9 (2) (h) and (i) and Article 9 (3) of the Regulation;
in accordance with Article 89 (1) of the Regulation, for archiving in the public interest, for scientific and historical research purposes or for statistical purposes, where the right referred to in paragraph 1 is likely to prevent or seriously jeopardize such processing; or
for the submission, validation or protection of legal claims.
Right to restrict data management
1. At the request of the data subject, the data controller shall restrict data management if one of the following conditions is met:
the person concerned disputes the accuracy of the personal data, in which case the limitation applies to the period that allows the controller to verify the accuracy of the personal data;
data processing is unlawful and the data subject is against the deletion of the data and instead requests a restriction on their use;
the data controller no longer needs personal data for data management purposes, but the data subject requests them for the submission, validation or protection of legal claims; or
the data subject has objected to the processing in accordance with Article 21 (1) of the Regulation; in this case, the limitation shall apply for the period until it is established whether the legitimate reasons of the controller prevail over the legitimate reasons of the data subject.
2. Where data processing is subject to a restriction pursuant to paragraph 1, such personal data shall, with the exception of storage, be processed only with the consent of the data subject, or for the submission, validation or protection of legal claims, or for the protection of the rights of another natural or legal person, or in the public interest of the Union or of a Member State.
3. The controller shall inform the data subject at whose request the processing of data has been restricted pursuant to paragraph 1, in advance of the lifting of the restriction on data management.
Notification obligation related to rectification or deletion of personal data or limitation of data management
1. The controller shall inform every recipient to whom the personal data have been communicated of any rectification, erasure or limitation of the processing, unless this proves impossible or requires a disproportionate effort.
2. At the request of the data subject, the controller shall inform the data subject about those recipients.
Right to data portability
1. The data subject shall have the right to receive the personal data concerning him or her which he or she has provided to a data controller, in a structured, widely used, machine-readable format, and shall be entitled to forward such data to another data controller without being prevented from doing so by the data controller to whom the personal data were provided, when:
data processing is based on consent under Article 6 (1) (a) of the Regulation (consent of the data subject to the processing of personal data) or Article 9 (2) (a) (explicit consent of the data subject to the processing of the data), or on a contract under Article 6 (1) (b); and
data management is automated.
2. When exercising the right to carry the data pursuant to paragraph 1, the data subject shall have the right to request, where technically feasible, the direct transmission of personal data between controllers.
3. The exercise of the right referred to in paragraph 1 of this Article shall be without prejudice to Article 17 of the Regulation. That right shall not apply where the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority conferred on the controller.
4. The rights referred to in paragraph 1 shall not adversely affect the rights and freedoms of others.
Right to object
(1) The data subject may, at any time, object to the processing of his or her personal data where that processing is carried out for the performance of a task in the public interest or in the exercise of public authority, or for the purpose of enforcing the legitimate interests of the controller or a third party (Article 6 (1) (e) or (f) of the Regulation), including profiling based on those provisions. In this case, the controller may not further process the personal data unless the controller proves that the data processing is justified by compelling legitimate reasons that take precedence over the interests, rights and freedoms of the data subject or which are related to the bringing, enforcing or defense of legal claims.
2. Where personal data are processed for the purposes of direct marketing, the data subject shall have the right to object at any time to the processing of personal data concerning him for that purpose, including profiling, where this is related to direct marketing.
(3) If the data subject objects to the handling of personal data for the purpose of direct marketing, personal data may no longer be processed for that purpose.
4. The right referred to in paragraphs 1 and 2 shall be brought to the attention of the person concerned at the latest at the time of first contact with the data subject and shall be clearly and separately distinguished from any other information.
5. In connection with the use of information society services, and by way of derogation from Directive 2002/58/EC, the data subject may exercise the right of objection by automated means based on technical specifications.
6. Where the processing of personal data is carried out for scientific and historical research purposes or for statistical purposes in accordance with Article 89 (1) of the Regulation, the data subject shall have the right to object, on grounds relating to his or her own situation, to the processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
Exemption from automated decision-making
1. The data subject shall have the right not to be subject to a decision based solely on automated data management, including profiling, which would have legal effect on him or would similarly significantly affect him.
(2) Paragraph 1 shall not apply if the decision:
is necessary for the conclusion or performance of a contract between the data subject and the controller;
is permitted by EU law or Member State law, which also lays down appropriate measures to protect the rights and freedoms and legitimate interests of the data subject; or
is based on the explicit consent of the data subject.
3. In the cases referred to in paragraph 2 (a) and (c), the controller shall take appropriate measures to protect the rights, freedoms and legitimate interests of the data subject, including at least the right of the data subject to seek the intervention of the data controller, to express his or her point of view and to object to the decision.
4. The decisions referred to in paragraph 2 may not be based on the specific categories of personal data referred to in Article 9 (1) of the Regulation, except where Article 9 (2) (a) or (g) applies and appropriate measures have been taken to protect the rights, freedoms and legitimate interests of the data subject.
Right to complain and remedy
Right to complain to the supervisory authority.
1. The data subject shall be entitled to lodge a complaint with the supervisory authority pursuant to Article 77 of the Regulation if the data subject considers that the processing of personal data relating to him is in breach of this Regulation.
(2) The person concerned may exercise his right to complain at the following contacts:
National Authority for Data Protection and Freedom of Information Address: 1125 Budapest, Szilágyi Erzsébet fasor 22 / c Phone: +36 (1) 391-1400; Fax: +36 (1) 391-1410 www: http://www.naih.hu e-mail: ugyfelszolgalat@naih.hu
3. The supervisory authority to which the complaint has been lodged shall inform the client of the procedural developments and the outcome of the complaint, including the right of the client to seek judicial remedy under Article 78 of the Regulation.
Right to effective judicial redress against the supervisory authority
1. Without prejudice to other administrative or non-judicial remedies, any natural or legal person shall be entitled to effective judicial remedy against a legally binding decision of the supervisory authority.
2. Without prejudice to other administrative or non-judicial remedies, any person concerned shall have the right to an effective judicial remedy if the competent supervisory authority does not deal with the complaint or does not inform the person concerned within three months of the procedural developments or the outcome of the complaint submitted under Article 77 of the Regulation.
3. Proceedings against the supervisory authority shall be brought before the courts of the Member State where the supervisory authority has its registered office.
4. Where proceedings are brought against a decision of the supervisory authority in respect of which the Board has previously issued an opinion or a decision under the consistency mechanism, the supervisory authority shall send that opinion or decision to the court.
Right to effective judicial redress against the controller or the processor
1. Without prejudice to the available administrative or non-judicial remedies, including the right to lodge a complaint with the supervisory authority under Article 77, every data subject shall have the right to an effective judicial remedy if he or she considers that his or her rights under this Regulation have been infringed because his or her personal data have not been processed in accordance with this Regulation.
2. Proceedings against the controller or the processor shall be brought before the courts of the Member State where the controller or processor is established. Such proceedings may also be brought before the courts of the Member State in which the data subject is habitually resident, unless the controller or the processor is a public authority of a Member State acting in the exercise of public authority.
Limitations
1. Union or national law applicable to the controller or processor may limit, by legislative measures, the scope of the rights and obligations contained in Articles 12 to 22 and Article 34, and in Article 5 in so far as its provisions correspond to the rights and obligations laid down in Articles 12 to 22, provided that the limitation respects the essential content of fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to protect the following:
national security;
defense;
public safety;
the prevention, investigation, detection or prosecution of criminal offenses or the execution of criminal sanctions, including protection against and prevention of threats to public security;
other overriding public interest objectives of the Union or of a Member State, in particular a major economic or financial interest of the Union or a Member State, including monetary, budgetary and taxation matters, public health and social security;
the independence of the judiciary and the protection of court proceedings;
in the case of regulated professions, the prevention, investigation and detection of ethical misconduct and the conduct of related proceedings;
control, inspection or regulatory activities connected, even occasionally, to the exercise of official authority in the cases referred to in (a) to (e) and (g);
the protection of the data subject or the protection of the rights and freedoms of others;
enforcement of civil claims.
2. The legislative measures referred to in paragraph 1 shall, where appropriate, contain detailed provisions at least on:
the purposes of data management or the categories of data management,
categories of personal data,
the scope of the restrictions introduced,
guarantees against abuse or unauthorized access or transmission,
the identification of the controller or of the categories of controllers,
the duration of the data storage and the applicable guarantees, taking into account the nature, scope and objectives of the data processing or data management categories,
the risks to the rights and freedoms of those concerned, and
the right of those concerned to be informed of the restriction, unless this may adversely affect the purpose of the restriction.
Information about the privacy incident
1. Where a data protection incident is likely to involve a high risk to the rights and freedoms of natural persons, the controller shall inform the data subject of the data protection incident without undue delay.
2. The information referred to in paragraph 1, provided to the data subject, shall set out clearly and comprehensibly the nature of the data protection incident and shall include at least the following:
the name and contact details of the data protection officer or other contact person providing further information,
the likely consequences of the data protection incident,
the measures taken or planned by the controller to remedy the data protection incident, including, where appropriate, measures to mitigate any adverse consequences arising from the data protection incident.
3. The data subject need not be informed as referred to in paragraph 1 if any of the following conditions is met:
the data controller has implemented appropriate technical and organizational protection measures, and these measures have been applied to the data affected by the data protection incident, in particular measures such as the use of encryption, which make the data unintelligible to persons not authorized to access the personal data;
the data controller, after the data protection incident, has taken additional measures to ensure that the high risk referred to in paragraph 1 is no longer likely to materialize;
providing the information would require a disproportionate effort. In such cases, the persons concerned shall be informed by means of publicly available information, or a similar measure shall be taken to ensure that those concerned are informed equally effectively.
4. If the data controller has not yet notified the data subject of the data protection incident, the supervisory authority may, after considering whether the data protection incident is likely to present a high risk, order the information of the data subject or determine whether one of the conditions referred to in paragraph 3 has been met.
PROCEDURE TO BE APPLIED IN THE CASE OF A REQUEST BY THE DATA SUBJECT
(1) The Company shall facilitate the exercise of the rights of the data subject, and may not refuse to act on a request for the exercise of the rights specified in this Data Management Information unless it proves that it is unable to identify the data subject.
2. The Company shall inform the data subject of the action taken on the request without undue delay, and in any event within one month of receipt of the request. If necessary, taking into account the complexity of the application and the number of applications, this deadline may be extended by a further two months. The controller shall inform the data subject of the extension of the deadline by indicating the reasons for the delay within one month of receiving the request.
3. Where the data subject has submitted the application by electronic means, the information shall, as far as possible, be provided by electronic means, unless otherwise requested by the data subject.
4. If the Company does not take action following a request by the data subject, it shall inform the data subject without delay, and at the latest within one month of receipt of the request, of the reasons for not taking action and of the possibility of lodging a complaint with the supervisory authority and of seeking a judicial remedy.
(5) The Company shall provide the following information and measures free of charge to the data subject: feedback on the processing of personal data, access to managed data, rectification, supplementation, deletion of data, restriction of data management, data portability, objection to data management, information about a data protection incident.
(6) If the data subject’s request is manifestly unfounded or excessive, in particular due to its repetitive nature, the data controller may charge a fee of HUF 5000, taking into account the administrative costs of providing the requested information or taking the requested action, or may refuse to act on the request.
(7) The data controller shall bear the burden of proving that the application is manifestly unfounded or excessive.
(8) Without prejudice to Article 11 of the Regulation, where the controller has reasonable doubts as to the identity of the natural person submitting a request under Articles 15 to 21 of the Regulation, it may require the provision of further information necessary to confirm the identity of the data subject.
PROCEDURE TO BE APPLIED IN THE CASE OF AN INCIDENT (PERSONAL DATA BREACH)
(1) A data protection incident is a breach of security under the Regulation that results in accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or unauthorized access to personal data transmitted, stored or otherwise handled.
(2) Loss or theft of a device containing personal data (laptop, mobile phone) is considered a data protection incident, as is the loss or unavailability of the code for decrypting data encrypted by the data controller, infection by ransomware (blackmail virus) that makes the data managed by the data controller unavailable until the ransom is paid, an attack on the IT system, an e-mail containing personal data sent in error, the publication of an address list, etc.
(3) In the event of a data protection incident being detected, the representative of the Enterprise shall immediately carry out an investigation to identify the data protection incident and determine its possible consequences. The necessary measures must be taken to prevent damage.
4. The data protection incident shall be reported to the competent supervisory authority without undue delay and, if possible, not later than 72 hours after the data protection incident has come to the controller's knowledge, unless the data protection incident is unlikely to pose a risk to the rights and freedoms of natural persons. If the notification is not made within 72 hours, it shall be accompanied by the reasons justifying the delay.
5. The data processor shall notify the data controller without undue delay after becoming aware of the data protection incident.
6. In the notification referred to in paragraph 3, at least:
the nature of the data protection incident, including, if possible, the categories and approximate number of data subjects and the categories and approximate number of data affected by the incident shall be described;
the name and contact details of the DPO or other contact person providing further information shall be communicated;
the likely consequences of a data protection incident must be explained;
the measures taken or planned by the controller to remedy the data protection incident, including, where appropriate, measures to mitigate any adverse consequences arising from the data protection incident, shall be described.
7. If and to the extent that it is not possible to communicate the information at the same time, it may be communicated in installments without further undue delay.
8. The controller shall keep records of the data protection incidents, indicating the facts, effects and actions taken to remedy the data protection incident. This register allows the supervisory authority to verify compliance with the requirements of Article 33 of the Regulation.
VI. WEBSITE CONTACT DATA MANAGEMENT
Information on the visitor’s details of the Company’s website
(1) During visits to the website, one or more cookies are sent to the computer of the person visiting the website. A cookie is a small package of information that the server sends to the browser and that the browser returns to the server with every request directed to that server. Through cookies the visitor's browser becomes uniquely identifiable, provided that the person visiting the website has given explicit (active) consent, by continuing to browse the website, following clear and unambiguous information.
(2) Cookies only work to improve the user experience and automate the login process. Cookies used on the website do not store personally identifiable information; the Company does not conduct personal data processing in this area.
VII. DATA MANAGEMENT ACTIVITY RELATED TO THE CONTRACT PERFORMANCE
(1) The Company shall manage the personal data of the natural persons contracting with it (buyers, customers, suppliers) in the context of the contractual relationship. The data subject must be informed about the processing of personal data.
(2) Stakeholders: all natural persons who establish a contractual relationship with the Company.
(3) The legal basis for data management is the performance of a contract, the purpose of data management is to maintain contact, to enforce claims arising from the contract, and to ensure compliance with contractual obligations.
(4) Addressees of the personal data: the head of the Enterprise, the employees of the Enterprise, the employees of the Company, and the data processors who perform their accounting tasks.
(5) The scope of personal data handled: name, address, registered office, telephone number, e-mail address, tax number, bank account number, business ID number, primary producer ID number.
(6) Duration of data processing: 5 years from the date of termination of the contract.
PROVISIONS CONCERNING DATA SECURITY
(1) The Company may process personal data only in accordance with the activities specified in these Rules, according to the purpose of data management.
(2) The Company shall ensure the security of the data, and hereby undertakes to take all technical and organizational measures necessary for the enforcement of data security laws and data and secrecy rules, and to establish the procedural rules necessary for the enforcement of the above legislation.
(3) The Company shall protect the data by appropriate measures against unauthorized access, alteration, transmission, disclosure, deletion or destruction, as well as unavailability due to accidental destruction and damage to the technology used.
(4) The technical and organizational measures to be implemented by the Enterprise for the purpose of data security are set out in the Company’s Privacy Policy.
(5) The Company shall take into account the state of the art in the definition and application of data security measures, and in the case of several possible data management solutions, opt for a higher level of protection of personal data, unless it would be disproportionate.
RULES RELATING TO DATA PROCESSING
General rules for data processing
(1) The data controller shall determine the rights and obligations of the data processor in connection with the processing of personal data within the framework of the law and the separate laws on data management.
(2) The Enterprise declares that it has no competence to make a substantive decision on data management in the course of its data processing activities; store and preserve.
(3) The Company shall be responsible for the legality of the instructions given to the data processor in relation to data processing operations.
(4) The Enterprise is obliged to inform the data subject about the data processor and the place of data processing.
(5) The Enterprise shall not authorize the data processor to use any additional data processor.
6. The contract for the processing of data shall be made in writing. Data processing may not be entrusted to an organization that has a business interest in the use of the personal data to be processed.
III. DEFINITIONS
“Personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, number, location data, online identifier or one or more factors relating to the physical, physiological, genetic, intellectual, economic, cultural or social identity of that natural person;
“Data management” means any operation or set of operations performed on personal data or data files, whether automated or not, such as collection, recording, systematization, structuring, storage, transformation or alteration, retrieval, consultation, use, communication, dissemination or otherwise making available, alignment or interconnection, restriction, deletion or destruction;
“Limitation of data management” means the marking of stored personal data in order to limit their future treatment;
“Profiling” means any form of automated processing of personal data in which personal data are used to evaluate certain personal characteristics associated with a natural person, in particular to analyze or predict features related to performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movement;
“Pseudonymization” means the handling of personal data in such a way that it is no longer possible to determine, without the use of further information, which specific natural person the personal data relate to, provided that such additional information is stored separately and is subject to technical and organizational measures ensuring that the personal data cannot be linked to identified or identifiable natural persons;
‘Record-keeping system’ means a set of personal data, structured in any way (centralized, decentralized or on a functional or geographical basis), that is accessible based on specified criteria;
‘Data controller’ means any natural or legal person, public authority, agency or any other body which determines the purposes and means of the processing of personal data, either alone or in association with others; if the purposes and means of data processing are defined by EU or Member State law, the controller or the specific criteria for designating the controller may be determined by Union or national law;
‘Data processor’ means any natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller;
‘Recipient’ means any natural or legal person, public authority, agency or any other body to which personal data are communicated, whether or not it is a third party. Public authorities which have access to personal data in the framework of a specific investigation in accordance with EU or Member State law shall not be regarded as recipients; the management of such data by these public authorities must be in accordance with the applicable data protection rules in accordance with the purposes of the data processing;
“Third party” means any natural or legal person, public authority, agency or any other body which is not identical with the data subject, the controller, the data processor or the persons who have been authorized to process personal data under the direct control of the controller or processor;
“Consent of the data subject” means a voluntary, specific and informed declaration of the will of the data subject, by which he or she expresses consent to the processing of personal data concerning him or her by means of an act which expressly confirms the declaration;
“Data protection incident” means a security breach that results in accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or unauthorized access to personal data transmitted, stored or otherwise processed;
“Undertaking” means any natural or legal person pursuing an economic activity, regardless of its legal form, including partnerships and associations carrying out regular economic activities.
LEGAL BASIS FOR DATA MANAGEMENT
The consent of the data subject
1. The lawfulness of the processing of personal data must be based on the consent of the data subject or on another legitimate basis established by law.
(2) In the case of data processing under the consent of the data subject, the data subject may give his / her consent to the processing of his / her personal data in the following form:
(a) in a written declaration giving consent for the processing of personal data;
or clearly indicated for the intended treatment.
(3) Silence, pre-ticked checkboxes or inaction shall therefore not constitute consent.
4. The consent shall cover all data processing activities carried out for the same purpose or purposes.
(5) If the data management serves several purposes simultaneously, the consent shall be given for all data management purposes. If the data subject’s consent is given after an electronic request, the request should be clear and concise and should not unnecessarily hinder the use of the service for which the consent is sought.
6. The data subject shall be entitled to withdraw his consent at any time. Withdrawal of consent does not affect the legality of the pre-withdrawal data management based on consent. Before giving consent, the person concerned must be informed accordingly. The withdrawal of consent shall be allowed in the same simple manner as its granting.
Contract performance
Data processing is considered to be lawful if it is necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the request of the data subject prior to the conclusion of the contract.
The data subject's consent to the processing of personal data not necessary for the performance of the contract shall not be a condition for the conclusion of the contract.
Compliance with the legal obligation of the controller or the protection of the vital interests of the data subject or other natural person
Where data management is carried out to fulfil a legal obligation, its legal basis is determined by law, so the consent of the data subject to the processing of personal data is not necessary.
The data controller is obliged to inform the data subject about the purpose, legal basis and duration of the data management, the identity of the data controller, and the rights and remedies available.
The Data Controller is entitled to continue handling the set of data necessary for the fulfillment of a legal obligation applicable to it even after the withdrawal of the consent of the data subject.
Execution of a task carried out in the public interest or in the exercise of a public authority delegated to the controller; enforcing the legitimate interests of the controller or a third party
The legitimate interest of the controller, including a controller to whom the personal data may be disclosed, or of a third party may provide a legal basis for data processing, provided that the interests, fundamental rights and freedoms of the data subject do not take precedence, taking into account the reasonable expectations of the data subject based on his or her relationship with the controller. Such a legitimate interest may exist, for example, where there is a relevant and appropriate relationship between the data subject and the controller, for example in cases where the data subject is a customer of the controller or is in its service.
In order to establish the existence of a legitimate interest, it is necessary to examine carefully, inter alia, whether the data subject can reasonably expect, at the time and in the context of the collection of personal data, that the data may be handled for that purpose.
The interests and fundamental rights of the data subject may take precedence over the interests of the data controller if personal data are handled in circumstances in which the data subjects do not expect further processing.
RIGHTS RELATING TO THE HANDLING OF DATA OF THE PERSON CONCERNED
The Company briefly provides the following information about the rights of the person concerned:
The data subject has the right to:
receive information before the data management begins,
receive feedback from the controller on whether personal data are being processed and, if such data are being processed, have access to the personal data and the associated information,
request the correction or deletion of data from the data controller and be notified by the data controller of this,
request limitation of data management and receive notification from the controller about this,
data portability,
object if his or her personal data are processed for public interest purposes or by reference to the legitimate interest of the data controller,
be exempt from automated decision-making, including profiling,
complain to the supervisory authority. The right to complain may be exercised at the following contact points: National Authority for Data Protection and Freedom of Information, address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c, phone: +36 (1) 391-1400; fax: +36 (1) 391-1410, www: http://www.naih.hu, e-mail: ugyfelszolgalat@naih.hu
an effective judicial remedy against the supervisory authority,
an effective judicial remedy against the controller or the data processor,
be informed about a data protection incident.
Detailed information on affected rights
Right to information
1. The data subject shall have the right to be informed of information relating to data management prior to the commencement of activities for the processing of his data.
(2) Information to be provided when personal data are collected from the data subject:
the identity and contact details of the controller and, if any, of the controller's representative;
contact details of the DPO, if any;
the purpose of the intended management of personal data and the legal basis for data management;
in the case of data processing based on Article 6 (1) (f) of the Regulation, the legitimate interests of the controller or of a third party;
where applicable, the recipients of the personal data or categories of recipients, if any;
where applicable, the fact that the controller wishes to transfer personal data to a third country or an international organization, as well as the existence or absence of a Commission adequacy decision or, in the case of a transfer referred to in Article 46, Article 47 or the second subparagraph of Article 49 (1) of the Regulation, an indication of the appropriate and suitable safeguards and the means of obtaining a copy of them or where they have been made available.
3. In addition to the information referred to in paragraph 1, the controller shall inform the data subject at the time of the acquisition of personal data, in order to ensure fair and transparent data management, of the following additional information:
the duration of the storage of personal data or, if this is not possible, the criteria for determining that period;
the right of the data subject to apply to the controller for access to, rectification, erasure or restriction of personal data relating to him or her and to object to the processing of such personal data and his / her right to data portability;
in the case of data processing based on Article 6 (1) (a) or Article 9 (2) (a) of the Regulation, the right to withdraw the consent at any time, without prejudice to the lawfulness of the data processing carried out on the basis of the consent prior to the withdrawal;
the right to lodge a complaint with the supervisory authority;
whether the provision of personal data is based on a statutory or contractual obligation or a prerequisite for the conclusion of a contract, and whether the data subject is obliged to provide personal data, and what the possible consequences of failure to provide data may be;
the fact that automated decision-making, including profiling, as referred to in Article 22 (1) and (4) of the Regulation, takes place, and, at least in these cases, understandable information on the logic used and on the significance of such data management and its expected consequences for the data subject.
4. Where personal data have not been obtained from the data subject, the controller shall make the following information available to the data subject:
the identity and contact details of the controller and, if any, of the controller's representative;
contact details of the DPO, if any;
the purpose of the intended management of personal data and the legal basis for data management;
the categories of personal data involved;
the recipients of the personal data and the categories of recipients, if any;
where applicable, the fact that the controller wishes to transfer personal data to a third country recipient or to an international organization, as well as the existence or absence of a Commission adequacy decision or, in the case of a transfer referred to in Article 46, Article 47 or the second subparagraph of Article 49 (1) of the Regulation, an indication of the appropriate and suitable guarantees, as well as a reference to the means of obtaining a copy of them or where they have been made available.
2. In addition to the information referred to in paragraph 1, the controller shall provide the data subject with the following additional information necessary to ensure fair and transparent data management for the data subject:
the duration of the storage of personal data or, if this is not possible, the criteria for determining that period;
where the processing is based on Article 6 (1) (f) of the Regulation, on the legitimate interests of the controller or a third party;
the right of the data subject to apply to the controller for access to, rectification, erasure or restriction of personal data relating to him or her, and to object to the processing of personal data and his / her right to data portability;
in the case of data processing based on Article 6 (1) (a) or 9 (2) (a) of the Regulation, the right to withdraw the consent at any time, without prejudice to the lawfulness of the data processing carried out on the basis of the consent prior to the withdrawal;
the right to lodge a complaint with a supervisory authority;
the source of personal data and, where applicable, whether the data originate from publicly available sources; and
the fact that automated decision-making, including profiling, as referred to in Article 22 (1) and (4) of the Regulation, takes place, and, at least in these cases, understandable information on the logic used and on the significance of such data management and its expected consequences for the data subject.
3. Where the controller wishes to further process personal data for a purpose other than that for which they were obtained, he shall inform the data subject of this different purpose and of any relevant additional information referred to in paragraph 2 before further processing.
4. Paragraphs 1 to 3 shall not apply where and to the extent that:
the data subject already has the information;
the provision of such information would be impossible or would involve a disproportionate effort, in particular for archiving in the public interest, for scientific and historical research purposes or for statistical purposes, taking into account the conditions and guarantees in Article 89 (1), or the obligation referred to in paragraph 1 of this Article is likely to render impossible or seriously jeopardize the achievement of the purposes of this data management. In such cases, the controller shall take appropriate measures, including public disclosure of the information, to protect the rights, freedoms and legitimate interests of the data subject;
the acquisition or communication of data is expressly provided for by Union or Member State law applicable to the controller which provides for appropriate measures to protect the data subject’s legitimate interests; or
personal data must be kept confidential by virtue of professional secrecy imposed by EU or Member State law, including statutory confidentiality obligations.
Right of access of the data subject
1. The data subject shall have the right to receive feedback from the controller on whether personal data are being processed and, if such processing is in progress, to have access to personal data and the following information:
the purposes of data management;
the categories of personal data involved;
the recipients or categories of recipients with whom the personal data were communicated, including in particular third-country recipients or international organizations;
where appropriate, the planned duration of the storage of personal data or, if this is not possible, the criteria for determining that period;
the right of the data subject to request from the controller the rectification, erasure or restriction of personal data relating to him or her and to object to the processing of such personal data;
the right to lodge a complaint with a supervisory authority;
if the data were not collected from the data subject, all available information about their source;
the fact of automated decision-making referred to in Article 22 (1) and (4) of the Regulation, including profiling, and at least in these cases the logic used and understandable information on the significance of such data management and the expected consequences for the data subject.
2. Where personal data are transferred to a third country or to an international organization, the data subject shall have the right to be informed of the appropriate guarantees concerning transfers under Article 46.
3. The controller shall make available to the data subject a copy of the personal data which are the subject of the data processing. The controller may charge a reasonable fee based on administrative costs for additional copies requested by the data subject. If the data subject has submitted the application by electronic means, the information shall be made available in a widely used electronic format, unless otherwise requested by the data subject.
Right of correction and deletion of the data subject
Right to rectification
1. The data subject shall have the right, at his request, to have inaccurate personal data relating to him rectified by the controller without undue delay. Taking into account the purpose of data management, the data subject is entitled to request the supplementation of incomplete personal data, including by means of a supplementary declaration.
Right to delete (“the right to forget”)
1. The data subject shall have the right, at his request, to have personal data relating to him deleted by the controller without undue delay, and the controller shall delete personal data relating to the data subject without undue delay if one of the following grounds exists:
personal data are no longer needed for the purpose for which they were collected or otherwise processed;
the data subject withdraws the consent given under Article 6 (1) (a) of the Regulation (contribution to the processing of personal data) or Article 9 (2) (a) of the Regulation (explicit consent) and there is no other legal basis for the data processing;
the data subject, in accordance with Article 21 (1) of the Regulation (right of objection), objects to the processing of the data and there is no overriding legal reason for the processing of the data, or the data subject objects to the data processing under Article 21 (2) of the Regulation;
personal data have been unlawfully processed;
personal data must be deleted in order to fulfill a legal obligation under EU or Member State law applicable to the controller;
personal data were collected in connection with the provision of information society services referred to in Article 8 (1).
2. If the controller has disclosed personal data and has to delete it at the request of the data subject, he shall, taking into account the costs of available technology and implementation, take reasonable steps, including technical measures, to inform the controllers managing the data that the person concerned has requested them to delete the links to the personal data in question or any copy or duplicate of such personal data.
3. Paragraphs 1 and 2 shall not apply where the processing is necessary:
to exercise the right to freedom of expression and information;
the fulfillment of an obligation under EU or Member State law which governs the processing of personal data, or for the performance of a task carried out in the public interest or in the exercise of public authority conferred on the controller;
in accordance with Article 9 (2) (h) and (i) of the Regulation and the public interest in the field of public health, in accordance with Article 9 (3) of the Regulation;
in accordance with Article 89 (1) of the Regulation for archiving in the public interest, for scientific and historical research purposes or for statistical purposes, where the right referred to in paragraph 1 is likely to prevent or seriously jeopardize such processing; or
legal claims.
Right to restrict data management
1. At the request of the data subject, the data controller shall restrict data management if one of the following conditions is met:
the person concerned disputes the accuracy of the personal data, in which case the limitation applies to the period that allows the controller to verify the accuracy of the personal data;
data processing is unlawful and the data subject is against the deletion of the data and instead requests a restriction on their use;
the data controller no longer needs personal data for data management purposes, but the data subject requests them for the submission, validation or protection of legal claims; or
the data subject has objected to the processing in accordance with Article 21 (1) of the Regulation; in this case, the limitation applies to the period until it is established whether the legitimate reasons of the controller prevail over the legitimate reasons of the data subject.
2. Where data processing is subject to a restriction pursuant to paragraph 1, such personal data shall, with the exception of storage, be processed only with the consent of the data subject or for the submission, validation or protection of legal claims or the protection of the rights of another natural or legal person, or in the public interest of the Union or of a Member State.
3. The controller shall inform the data subject at whose request the processing of data has been restricted pursuant to paragraph 1, in advance of the lifting of the restriction on data management.
Notification obligation related to rectification or deletion of personal data or limitation of data management
1. The controller shall inform every recipient to whom the personal data have been communicated of any rectification, erasure or limitation of the processing, unless this proves impossible or requires a disproportionate effort.
2. At the request of the data subject, the controller shall inform the data subject of those recipients.
Right to data portability
1. The data subject shall have the right to receive the personal data concerning him or her which he or she has provided to a data controller, in a structured, widely used, machine-readable format, and shall be entitled to forward such data to another data controller without being prevented from doing so by the data controller to whom the personal data were provided, when:
data processing is based on consent under Article 6 (1) (a) of the Regulation (consent of the data subject to the processing of personal data) or Article 9 (2) (a) (explicit consent of the data subject to the processing of the data), or on a contract under Article 6 (1) (b); and
data management is automated.
2. When exercising the right to carry the data pursuant to paragraph 1, the data subject shall have the right to request, where technically feasible, the direct transmission of personal data between controllers.
3. The exercise of the right referred to in paragraph 1 of this Article shall be without prejudice to Article 17 of the Regulation. That right shall not apply where the processing is necessary for the performance of a task carried out in the exercise of public authority or in the exercise of official authority conferred on the controller.
4. The rights referred to in paragraph 1 shall not adversely affect the rights and freedoms of others.
Right to protest
(1) The data subject may, at any time, object to the processing of his or her personal data where the processing takes place in the framework of the exercise of a public task or public authority, or for the purpose of enforcing the legitimate interests of the controller or a third party (Article 6 (1) (e) or (f) of the Regulation), including profiling based on those provisions. In this case, the controller may not further process the personal data unless the data controller proves that the data processing is justified by compelling legitimate reasons that take precedence over the interests, rights and freedoms of the data subject or which are related to bringing, validating or defending legal claims.
2. Where personal data are processed for the purposes of direct marketing, the data subject shall have the right to object at any time to the processing of personal data concerning him for that purpose, including profiling, where this is related to direct marketing.
(3) If the data subject objects to the handling of personal data for the purpose of direct marketing, personal data may no longer be processed for that purpose.
4. The right referred to in paragraphs 1 and 2 shall be brought to the attention of the person concerned at the latest at the time of first contact with the data subject and shall be clearly and separately distinguished from any other information.
5. In connection with the use of information society services, and by way of derogation from Directive 2002/58/EC, the data subject may exercise the right of objection by automated means based on technical specifications.
6. Where the processing of personal data is carried out for scientific and historical research purposes or for statistical purposes in accordance with Article 89 (1) of the Regulation, the data subject shall have the right to object to the processing of personal data concerning him or her for reasons relating to his or her own situation, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
Exemption from automated decision-making
1. The data subject shall have the right not to be subject to a decision based solely on automated data processing, including profiling, which would have legal effect on him or would similarly significantly affect him.
(2) Paragraph 1 shall not apply if the decision:
is necessary for the conclusion or performance of a contract between the data subject and the controller;
is made possible by EU law or Member State law, which also lays down appropriate measures to protect the rights and freedoms and legitimate interests of the data subject; or
is based on the explicit consent of the data subject.
3. In the cases referred to in paragraph 2 (a) and (c), the controller shall take appropriate measures to protect the rights, freedoms and legitimate interests of the data subject, including at least the right of the data subject to seek the intervention of the data controller, to express his or her position and to object to the decision.
4. The decisions referred to in paragraph 2 may not be based on the specific categories of personal data referred to in Article 9 (1) of the Regulation, except where Article 9 (2) (a) or (g) applies and appropriate measures have been taken to protect the rights, freedoms and legitimate interests of the data subject.
Right to complain and remedy
Right to complain to the supervisory authority.
1. The data subject shall be entitled to lodge a complaint with the supervisory authority pursuant to Article 77 of the Regulation if the data subject considers that the processing of personal data relating to him is in breach of this Regulation.
(2) The person concerned may exercise his right to complain at the following contacts:
National Authority for Data Protection and Freedom of Information
Address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c
Phone: +36 (1) 391-1400
Fax: +36 (1) 391-1410
www: http://www.naih.hu
e-mail: ugyfelszolgalat@naih.hu
3. The supervisory authority to which the complaint has been lodged shall inform the client of the procedural developments and the outcome of the complaint, including the right of the client to seek judicial remedy under Article 78 of the Regulation.
Right to effective judicial redress against the supervisory authority
1. Without prejudice to other administrative or non-judicial remedies, any natural or legal person shall be entitled to effective judicial remedy against a legally binding decision of the supervisory authority.
2. Without prejudice to other administrative or non-judicial remedies, any person concerned shall have the right to an effective judicial remedy if the competent supervisory authority does not deal with the complaint or does not inform the person concerned within three months of the procedural developments or the outcome of the complaint submitted under Article 77 of the Regulation.
3. Proceedings against the supervisory authority shall be brought before the courts of the Member State where the supervisory authority has its registered office.
4. Where proceedings are brought against a decision of the supervisory authority in respect of which the Board has previously issued an opinion or a decision under the Unity Mechanism, the supervisory authority shall send that opinion or decision to the court.
Right to effective judicial redress against the controller or the processor
1. Without prejudice to the available administrative or non-judicial remedies, including the right to lodge a complaint with the supervisory authority under Article 77, any data subject shall have the right to an effective judicial remedy if he or she considers that his or her rights under this Regulation have been infringed because his or her personal data have not been processed in accordance with this Regulation.
2. Proceedings against the controller or the processor shall be brought before the courts of the Member State where the controller or processor is established. Such proceedings may also be brought before the courts of the Member State in which the data subject is habitually resident, unless the controller or the processor is a public authority of a Member State acting in the exercise of public authority.
Limitations
1. Union or national law applicable to the controller or processor may limit, by legislative measures, the scope of the rights and obligations contained in Articles 12 to 22 and Article 34, and in Article 5 in so far as its provisions correspond to the rights and obligations laid down in Articles 12 to 22, provided that the limitation respects the essential content of fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to protect the following:
national security;
defense;
public safety;
the prevention, investigation, detection or prosecution of criminal offenses or the execution of criminal sanctions, including protection against and prevention of threats to public security;
other overriding public interest objectives of the Union or of a Member State, in particular an important economic or financial interest of the Union or a Member State;
monetary, budgetary and fiscal issues, public health and social security;
the independence of the judiciary and the protection of court proceedings;
in the case of regulated professions, the prevention, investigation, detection and conduct of ethical misconduct;
in the cases referred to in (a) to (e) and (g), even occasionally, control, inspection or regulatory activities relating to the exercise of official authority;
the protection of the data subject or the protection of the rights and freedoms of others;
enforcement of civil claims.
2. The legislative measures referred to in paragraph 1 shall, where appropriate, contain detailed provisions at least:
for data management purposes or categories of data management,
categories of personal data,
the scope of the restrictions introduced,
guarantees against abuse or unauthorized access or transmission,
to define the controller or to define categories of controllers,
the duration of the data storage and the applicable guarantees, taking into account the nature, scope and objectives of the data processing or data management categories,
the risks to the rights and freedoms of those concerned, and
the right of those concerned to be informed of the restriction, unless this may adversely affect the purpose of the restriction.
Information about the privacy incident
1. Where a data protection incident is likely to involve a high risk to the rights and freedoms of natural persons, the controller shall inform the data subject of the data protection incident without undue delay.
2. The information referred to in paragraph 1, provided to the data subject, shall set out clearly and comprehensibly the nature of the data protection incident and shall include at least the following:
the name and contact details of the data protection officer or other contact person providing further information, the likely consequences of the data protection incident, the measures taken or planned by the controller to remedy the data protection incident, including, where appropriate, measures to mitigate any adverse consequences arising from the data protection incident.
3. The data subject shall not be informed as referred to in paragraph 1 if any of the following conditions is met:
the data controller has implemented appropriate technical and organizational protection measures, and these measures have been applied to the data affected by the data protection incident, in particular measures such as the use of encryption, which make the data unintelligible to persons not authorized to access the personal data;
the data controller, after the data protection incident, has taken additional measures to ensure that the high risk referred to in paragraph 1 is no longer likely to materialize;
information would require a disproportionate effort. In such cases, the persons concerned shall be informed by means of publicly available information or a similar measure shall be taken to ensure that the persons concerned are equally informed.
4. If the data controller has not yet notified the data subject of the data protection incident, the supervisory authority may, after considering whether the data protection incident is likely to present a high risk, order the information of the data subject or determine whether one of the conditions referred to in paragraph 3 has been met.
PROCEDURE TO BE APPLIED IN THE CASE OF THE INTERESTED PARTY
(1) The Company shall facilitate the exercise of the rights of the data subject, and may not refuse to execute a request for the exercise of the rights specified in this Data Management Information unless it proves that it is unable to identify the data subject.
2. The Company shall inform the data subject of the action taken on the request without undue delay, and in any event within one month of receipt of the request. If necessary, taking into account the complexity of the application and the number of applications, this deadline may be extended by a further two months. The controller shall inform the data subject of the extension of the deadline by indicating the reasons for the delay within one month of receiving the request.
3. Where the data subject has submitted the application by electronic means, the information shall, as far as possible, be provided by electronic means, unless otherwise requested by the data subject.
4. If the Company does not take action following a request by the data subject, it shall inform the data subject without delay, and at the latest within one month of receipt of the request, of the reasons for not taking the action and of the possibility of submitting a complaint to the supervisory authority and of exercising the right of appeal.
(5) The Company shall provide the following information and measures free of charge to the data subject:
feedback on the processing of personal data, access to managed data, correction, supplementation, deletion of data, restriction of data management, data storage, protest against data management, information about a data protection incident.
(6) If the data subject’s request is manifestly unfounded or, in particular due to its repetitive nature, excessive, the data controller may, taking into account the administrative costs of providing the requested information or taking the requested action, charge a fee of HUF 5000 or refuse to act on the application.
(7) The data controller shall bear the burden of proving that the application is manifestly unfounded or excessive.
(8) Without prejudice to Article 11 of the Regulation, where the controller has reasonable doubts as to the identity of the natural person submitting a request under Articles 15 to 21 of the Regulation, it may require the provision of further information necessary to confirm the identity of the data subject.
PROCEDURE TO BE APPLIED IN THE CASE OF AN INCIDENT (PERSONAL DATA BREACH)
(1) A data protection incident is a breach of security under the Regulation that results in accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or unauthorized access to personal data transmitted, stored or otherwise handled.
(2) The following are considered data protection incidents: the loss or theft of a device containing personal data (laptop, mobile phone); the loss or unavailability of the code for decrypting data encrypted by the data controller; infection by ransomware (blackmail virus), which makes the data managed by the data controller unavailable until the ransom is paid; an attack on the IT system; an e-mail containing personal data sent in error; the publication of an address list; etc.
(3) In the event of a data protection incident being detected, the representative of the Enterprise shall immediately investigate the identification and possible consequences of the data protection incident. The necessary measures must be taken to prevent damage.
4. The data protection incident shall be reported to the competent supervisory authority without undue delay and, if possible, not later than 72 hours after the data protection incident has come to its knowledge, unless the data protection incident is unlikely to pose a risk to the rights and freedoms of natural persons. If the notification is not made within 72 hours, it shall be accompanied by the reasons justifying the delay.
5. The data processor shall notify the data controller without undue delay after becoming aware of the data protection incident.
6. In the notification referred to in paragraph 3, at least:
the nature of the data protection incident, including, if possible, the categories and approximate number of data subjects and the categories and approximate number of data affected by the incident shall be described;
the name and contact details of the DPO or other contact person providing further information shall be communicated;
the likely consequences of a data protection incident must be explained;
the measures taken or planned by the controller to remedy the data protection incident, including, where appropriate, measures to mitigate any adverse consequences arising from the data protection incident.
7. If and when it is not possible to communicate the information at the same time, they may be communicated in installments without further undue delay.
8. The controller shall keep records of the data protection incidents, indicating the facts, effects and actions taken to remedy the data protection incident. This register allows the supervisory authority to verify compliance with the requirements of Article 33 of the Regulation.
VI. WEBSITE CONTACT DATA MANAGEMENT
Information on the visitor’s details of the Company’s website
(1) During visits to the website, one or more cookies (small packages of information that the server sends to the browser and that the browser returns to the server with every request directed to the server) are sent to the computer of the person visiting the website, through which his or her browser will be uniquely identifiable, provided that the person visiting the website has given his or her explicit (active) consent to this, following clear and unambiguous information, by his or her further browsing behavior.
(2) Cookies only work to improve the user experience and automate the login process. Cookies used on the website do not store personally identifiable information; the Company does not conduct personal data processing in this area.
VII. DATA MANAGEMENT ACTIVITY RELATED TO THE CONTRACT PERFORMANCE
(1) The Enterprise treats the personal data of the natural person(s) contracted with it (customers) in the context of a contractual relationship. The data subject must be informed about the processing of personal data.
(2) Stakeholders: all natural persons who establish a contractual relationship with the Company.
(3) The legal basis for data management is the performance of a contract, the purpose of data management is to maintain contact, to enforce claims arising from the contract, and to ensure compliance with contractual obligations.
(4) Addressees of the personal data: the head of the Enterprise, the employees of the Enterprise, the employees of the Company, and the data processors who perform their accounting tasks.
(5) The scope of personal data handled: name, address, registered office, telephone number, e-mail address, tax number, bank account number, business ID number, primary producer ID number.
(6) Duration of data processing: 5 years from the date of termination of the contract.
PROVISIONS CONCERNING DATA SECURITY
(1) The Company may process personal data only in accordance with the activities specified in these Rules, according to the purpose of data management.
(2) The Company shall ensure the security of the data, and hereby undertakes to take all technical and organizational measures necessary for the enforcement of data security laws, data and secrecy rules, and to establish the necessary procedural rules for the enforcement of the above specified legislation.
(3) The Company shall protect the data by appropriate measures against unauthorized access, alteration, transmission, disclosure, deletion or destruction, as well as unavailability due to accidental destruction and damage to the technology used.
(4) The technical and organizational measures to be implemented by the Enterprise for the purpose of data security are set out in the Company’s Privacy Policy.
(5) The Company shall take into account the state of the art in the definition and application of data security measures, and in the case of several possible data management solutions, opt for a higher level of protection of personal data, unless it would be disproportionate.
RULES RELATING TO DATA PROCESSING
General rules for data processing
(1) The data controller shall determine the rights and obligations of the data processor in connection with the processing of personal data within the framework of the law and the separate laws on data management.
(2) The Enterprise declares that it has no competence to make a substantive decision on data management in the course of its data processing activities; store and preserve.
(3) The Company shall be responsible for the legality of the instructions given to the data processor in relation to data processing operations.
(4) The Company is obliged to provide the data subject with information on the identity of the data processor and the place of processing.
(5) The Enterprise shall not authorize the data processor to use any additional data processor.
6. The contract for the processing of data shall be made in writing. Data processing may not be entrusted to an organization that has a business interest in using the personal data to be processed.
WEBSITE DATA MANAGEMENT INFORMATION
TOM APARTMANS (GÁBOR GÁBOR, BALATON TAMÁS), hereinafter referred to as the “Enterprise”, by publishing this Privacy Notice, complies with the obligation of prior information of the persons concerned regarding the processing of personal data as provided for in REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL, which requires that each item of information contained in the relevant Articles of the Regulation be made available to the data subjects in a clear, comprehensible and easily accessible form.
NAME OF DATA MANAGER
The Company informs the data subject that it is a data controller for the management of your personal data.
TOM APARTMENT (GÁBOR GÁBOR TAMÁS BALATON):
Siofok 8600 Aradi Vértanuk út 35.
Tax number: 79166434-1-34
PHONE: +3630 331 4559
REPRESENTATIVE NAME: Gábor Tamás Balaton
E-MAIL: tomapartmans@gmail.com
WEBSITE: www.tomapartmans.eu
Personal information may be disclosed by the Company to its employees having access rights related to the relevant data management purpose, or by persons or organizations performing data processing activities based on service contracts to the Company, to the extent and to the extent necessary for the performance of their activities.
NAME OF THE DATA PROCESSOR (K)
(1) The Company shall not take over the external data processor entrusted with personal data processed on the basis of its voluntary contribution to operate and maintain your website.
III. DEFINITIONS
“Personal data” means any information relating to an identified or identifiable natural person (“affected”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier, such as name, number, positioning data, online identifier or one or more factors relating to the physical, physiological, genetic, intellectual, economic, cultural or social identity of the natural person;
“Data management” means any operation or set of operations performed on personal data or files, whether automated or non-automated, such as collection, recording, systematization, subdivision, storage, transformation or alteration, query, insight, use, communication, dissemination or otherwise making available, coordination or interconnection, restriction, deletion or destruction;
“Limitation of data management” means the marking of stored personal data in order to limit their future treatment;
“Profiling” means any form of automated processing of personal data in which personal data are used to evaluate certain personal characteristics associated with a natural person, in particular to analyze or predict features related to performance at work, economic situation, health, personal preferences, interest, reliability, behavior, location or movement;
“Pseudonymization” means the handling of personal data in such a way that it is no longer possible to determine, without the use of further information, which specific natural person the personal data relate to, provided that such additional information is stored separately and technical and organizational measures ensure that the personal data cannot be linked to identified or identifiable natural persons;
‘Record-keeping system’ means a set of personal data, structured in any way – centralized, decentralized or divided on a functional or geographical basis – which is accessible based on specified criteria;
‘Data controller’ means any natural or legal person, public authority, agency or any other body which determines the purposes and means of the processing of personal data, either alone or in association with others; if the purposes and means of data processing are defined by EU or Member State law, the controller or the specific aspects of the appointment of the controller may be determined by Union or national law;
‘Data processor’ means any natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller;
‘Recipient’ means any natural or legal person, public authority, agency or any other body with which personal data are communicated, whether or not a third party is involved. Public authorities which have access to personal data in accordance with Union or Member State law in the context of a specific investigation shall not be considered as a recipient; the management of such data by these public authorities must be in accordance with the applicable data protection rules in accordance with the purposes of the data processing;
“Third party” means any natural or legal person, public authority, agency or any other body which is not identical with the data subject, the controller, the data processor or the persons empowered to process personal data under the direct control of the controller or processor; they got;
“Consent of the data subject” means a declaration of the will of the data subject on a voluntary, concrete and appropriate basis, by which he or she expresses his / her consent to the processing of personal data concerning him or her by means of an act which expressly confirms the declaration;
“Data protection incident” means a security breach that results in accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or unauthorized access to personal data transmitted, stored or otherwise processed;
“Undertaking” means any natural or legal person pursuing an economic activity, regardless of its legal form, including partnerships and associations carrying out regular economic activities.
LEGAL BASIS FOR DATA MANAGEMENT
The consent of the data subject
1. The lawfulness of the processing of personal data must be based on the consent of the data subject or on another legitimate basis established by law.
(2) In the case of data processing under the consent of the data subject, the data subject may give his / her consent to the processing of his / her personal data in the following form:
(a) in a written declaration giving consent for the processing of personal data;
(b) electronically, through an action carried out on the Enterprise website, by ticking a check box, or by making technical settings when using information society services, as well as by any other statement or action that clearly indicates the consent of the data subject to the intended management of their personal data in that context.
(3) Silence, pre-ticked boxes, or inaction shall not therefore constitute consent.
4. The consent shall cover all data processing activities carried out for the same purpose or purposes.
(5) If the data management serves several purposes simultaneously, the consent shall be given for all data management purposes. If the data subject’s consent is given after an electronic request, the request should be clear and concise and should not unnecessarily hinder the use of the service for which the consent is sought.
6. The data subject shall be entitled to withdraw his consent at any time. Withdrawal of consent does not affect the legality of the pre-withdrawal data management based on consent. Before giving consent, the person concerned must be informed accordingly. The withdrawal of consent shall be allowed in the same simple manner as its granting.
Contract performance
Data processing is considered to be lawful if it is necessary for the performance of a contract to which the data subject is a party, or in order to take action at the request of the data subject prior to the conclusion of the contract.
The data subject's consent to the processing of personal data not necessary for the performance of the contract shall not be a condition for the conclusion of the contract.
Compliance with the legal obligation of the controller or the protection of the vital interests of the data subject or other natural person
In the case of compliance with a legal obligation, the legal basis for data management is determined by law, so the consent of the data subject to the processing of personal data is not necessary.
The data controller is obliged to inform the data subject about the purpose, legal basis and duration of the data management, about the identity of the data controller, as well as about the rights and remedies.
Following the withdrawal of the consent of the data subject, the Data Controller is entitled to handle the set of data necessary for the fulfillment of a legal obligation applicable to the Data Controller.
Execution of a task carried out in the public interest or in the exercise of a public authority delegated to the controller, to enforce the legitimate interests of the controller or a third party.
The legitimate interest of the controller, including a controller to whom the personal data may be disclosed, or of a third party may provide a legal basis for data processing, provided that the interests, fundamental rights and freedoms of the data subject do not take precedence, taking into account the data subject’s reasonable expectations. Such a legitimate interest may exist, for example, where there is a relevant and appropriate relationship between the data subject and the controller, for example in cases where the data subject is a customer of the controller or is employed by it.
In order to establish the existence of a legitimate interest, it is necessary to examine carefully, inter alia, whether the data subject can reasonably expect, at the time and in the context of the collection of personal data, that the data may be handled for that purpose.
The interests and fundamental rights of the data subject may take precedence over the interests of the data controller if personal data are handled in circumstances in which the data subjects do not expect further processing.
RIGHTS RELATING TO THE HANDLING OF DATA OF THE PERSON CONCERNED
The following information about the rights of the person concerned is briefly provided by the Company:
The data subject has the right:
to receive information before the data management begins,
to receive feedback from the controller on whether personal data are being processed and, if such data is being processed, to have access to the personal data and to related information,
to request correction or deletion of data from the data controller, and to receive notification from the data controller about this,
to request limitation of data management, and to receive notification from the controller about this,
to data portability,
to protest if personal data is processed for public interest purposes or by reference to the legitimate interest of the data controller,
to be exempt from automatic decision-making, including profiling,
to complain to the supervisory authority. The right to complain may be exercised at the following contact points: National Authority for Data Protection and Freedom of Information, address: 1125 Budapest, Szilágyi Erzsébet fasor 22 / c., Phone: +36 (1) 391-1400; Fax: +36 (1) 391-1410, www: http://www.naih.hu, e-mail: ugyfelszolgalat@naih.hu
to an effective judicial remedy against the supervisory authority,
to an effective judicial remedy against the controller or the data processor,
to be informed about the data security incident.
Detailed information on the rights of the data subject
Right to information
1. The data subject shall have the right to be informed of information relating to data management prior to the commencement of activities for the processing of his data.
(2) Information to be provided when personal data are collected from the data subject:
the identity and contact details of the controller and, if any, of the controller's representative;
contact details of the DPO, if any;
the purpose of the intended management of personal data and the legal basis for data management;
in the case of data processing based on Article 6 (1) (f) of the Regulation, the legitimate interests of the controller or of a third party;
where applicable, the recipients of the personal data or categories of recipients, if any;
where applicable, the fact that the controller wishes to transfer personal data to a third country or an international organization, as well as the existence or absence of a Commission adequacy decision or, in the case of the transmission referred to in Article 46, Article 47 or the second subparagraph of Article 49 (1) of the Regulation, an indication of the appropriate and suitable safeguards and the means of obtaining a copy of them or their availability.
3. In addition to the information referred to in paragraph 1, the controller shall inform the data subject at the time of the acquisition of personal data, in order to ensure fair and transparent data management, of the following additional information:
the duration of the storage of personal data or, if this is not possible, the criteria for determining that period;
the right of the data subject to apply to the controller for access to, rectification, erasure or restriction of personal data relating to him or her and to object to the processing of such personal data and his / her right to data portability;
in the case of data processing based on Article 6 (1) (a) or Article 9 (2) (a) of the Regulation, the right to withdraw the consent at any time, without prejudice to the lawfulness of the data processing carried out on the basis of the consent prior to the withdrawal;
the right to lodge a complaint with the supervisory authority;
whether the provision of personal data is based on a statutory or contractual obligation or a prerequisite for the conclusion of a contract, and whether the data subject is obliged to provide personal data, and what the possible consequences of failure to provide data may be;
the fact of automated decision-making, including profiling, as referred to in Article 22 (1) and (4) of the Regulation, as well as, at least in these cases, understandable information on the logic used and on the significance of such data management and its expected consequences for the data subject.
4. Where personal data have not been obtained from the data subject, the controller shall make the following information available to the data subject:
the identity and contact details of the controller and, if any, of the controller's representative;
contact details of the DPO, if any;
the purpose of the intended management of personal data and the legal basis for data management;
the categories of personal data involved;
the recipients of the personal data and the categories of recipients, if any;
where applicable, the fact that the controller wishes to transfer personal data to a third country recipient or to an international organization, as well as the existence or absence of a Commission adequacy decision or, in the case of the transmission referred to in Article 46, Article 47 or the second subparagraph of Article 49 (1) of the Regulation, an indication of appropriate and suitable guarantees, as well as a reference to the means of obtaining copies of them or their availability.
2. In addition to the information referred to in paragraph 1, the controller shall provide the data subject with the following additional information necessary to ensure fair and transparent data management for the data subject:
the duration of the storage of personal data or, if this is not possible, the criteria for determining that period;
where the processing is based on Article 6 (1) (f) of the Regulation, the legitimate interests of the controller or a third party;
the right of the data subject to apply to the controller for access to, rectification, erasure or restriction of personal data relating to him or her, and to object to the processing of personal data and his / her right to data portability;
in the case of data processing based on Article 6 (1) (a) or 9 (2) (a) of the Regulation, the right to withdraw the consent at any time, without prejudice to the lawfulness of the data processing carried out on the basis of the consent prior to the withdrawal;
the right to lodge a complaint with the supervisory authority;
the source of personal data and, where applicable, whether the data originate from publicly available sources; and
the fact of automated decision-making, including profiling, as referred to in Article 22 (1) and (4) of the Regulation, as well as, at least in these cases, understandable information on the logic used and on the significance of such data management and its expected consequences for the data subject.
3. Where the controller wishes to further process personal data for a purpose other than that for which they were obtained, he shall inform the data subject of this different purpose and of any relevant additional information referred to in paragraph 2 before further processing.
4. Paragraphs 1 to 3 shall not apply where and to the extent that:
the data subject already has the information;
the provision of such information would be impossible or would involve a disproportionate effort, in particular for archiving in the public interest, for scientific and historical research purposes or for statistical purposes, taking into account the conditions and guarantees in Article 89 (1), or the obligation referred to in paragraph 1 of this Article is likely to render impossible or seriously jeopardize the achievement of the purposes of this data management. In such cases, the controller shall take appropriate measures, including public disclosure of the information, to protect the rights, freedoms and legitimate interests of the data subject;
the acquisition or communication of data is expressly provided for by Union or Member State law applicable to the controller which provides for appropriate measures to protect the data subject’s legitimate interests; or
personal data must be kept confidential by virtue of professional secrecy imposed by EU or Member State law, including statutory confidentiality obligations.
Right of access of the data subject
1. The data subject shall have the right to receive feedback from the controller on whether personal data are being processed and, if such processing is in progress, to have access to personal data and the following information:
the purposes of data management;
the categories of personal data involved;
the recipients or categories of recipients to whom the personal data have been or will be communicated, including in particular third-country recipients or international organizations;
where appropriate, the planned duration of the storage of personal data or, if this is not possible, the criteria for determining that period;
the right of the data subject to request from the controller the rectification, erasure or restriction of personal data relating to him or her and to object to the processing of such personal data;
the right to lodge a complaint with a supervisory authority;
if the data were not collected from the data subject, all available information about their source;
the fact of automated decision-making, including profiling, as referred to in Article 22 (1) and (4) of the Regulation, as well as, at least in these cases, understandable information on the logic used and on the significance of such data management and its expected consequences for the data subject.
2. Where personal data are transferred to a third country or to an international organization, the data subject shall have the right to be informed of the appropriate guarantees concerning transfers under Article 46.
3. The controller shall make available to the data subject a copy of the personal data which are the subject of the data processing. The controller may charge a reasonable fee based on administrative costs for additional copies requested by the data subject. If the data subject has submitted the application by electronic means, the information shall be made available in a widely used electronic format, unless otherwise requested by the data subject.
Right of correction and deletion of the data subject
Right to rectification
1. The data subject shall have the right to have the controller rectify inaccurate personal data relating to him without undue delay at his request. Taking into account the purpose of data management, the data subject is entitled to request the supplementation of incomplete personal data, including by means of a supplementary declaration.
Right to erasure (“the right to be forgotten”)
1. The data subject shall have the right to have the controller delete personal data relating to him without undue delay at his request, and the controller shall delete personal data relating to the data subject without undue delay if one of the following grounds exists:
personal data are no longer needed for the purpose for which they were collected or otherwise processed;
the data subject withdraws the consent on which the data processing is based under Article 6 (1) (a) of the Regulation (consent to the processing of personal data) or Article 9 (2) (a) of the Regulation (explicit consent), and the data processing has no other legal basis;
the data subject, in accordance with Article 21 (1) of the Regulation (right of objection), objects to the processing of the data and there is no legal reason for the processing of the data, or the data subject objects to the data processing under Article 21 (2) of the Regulation (objection to the processing of personal data);
personal data has been unlawfully treated;
personal data must be deleted in order to fulfill a legal obligation under EU or Member State law applicable to the controller;
personal data were collected in connection with the provision of information society services referred to in Article 8 (1).
2. If the controller has made personal data public and is obliged to delete it at the request of the data subject, he shall, taking into account available technology and the costs of implementation, take reasonable steps, including technical measures, to inform the controllers managing the data that the person concerned has requested them to delete the links to the personal data in question or any copy or duplicate of such personal data.
3. Paragraphs 1 and 2 shall not apply where the processing is necessary:
to exercise the right to freedom of expression and information;
the fulfillment of an obligation under EU or Member State law which governs the processing of personal data, or for the performance of a task carried out in the public interest or in the exercise of public authority conferred on the controller;
in accordance with Article 9 (2) (h) and (i) of the Regulation and the public interest in the field of public health, in accordance with Article 9 (3) of the Regulation;
in accordance with Article 89 (1) of the Regulation for archiving in the public interest, for scientific and historical research purposes or for statistical purposes, where the right referred to in paragraph 1 is likely to prevent or seriously jeopardize such processing; or
legal claims.
Right to restrict data management
1. At the request of the data subject, the data controller shall restrict data management if one of the following conditions is met:
the person concerned disputes the accuracy of the personal data, in which case the limitation applies to the period that allows the controller to verify the accuracy of the personal data;
data processing is unlawful and the data subject is against the deletion of the data and instead requests a restriction on their use;
the data controller no longer needs personal data for data management purposes, but the data subject requests them for the submission, validation or protection of legal claims; or
the data subject has objected to the processing in accordance with Article 21 (1) of the Regulation; in this case, the limitation shall apply for the period until it is established whether the legitimate reasons of the controller prevail over the legitimate reasons of the data subject.
2. Where data processing is subject to a restriction pursuant to paragraph 1, such personal data shall, with the exception of storage, be processed only with the consent of the data subject, or for the submission, validation or protection of legal claims, or for the protection of the rights of another natural or legal person, or in the public interest of the Union or of a Member State.
3. The controller shall inform the data subject at whose request the processing of data has been restricted pursuant to paragraph 1, in advance of the lifting of the restriction on data management.
Notification obligation related to rectification or deletion of personal data or limitation of data management
1. The controller shall inform every recipient to whom the personal data have been communicated of any rectification, erasure or limitation of the processing, unless this proves impossible or requires a disproportionate effort.
2. At the request of the data subject, the controller shall inform the data subject about those recipients.
Right to data portability
1. The data subject shall have the right to receive the personal data concerning him or her which he or she has provided to a data controller, in a structured, widely used, machine-readable format, and shall be entitled to forward such data to another data controller without being prevented from doing so by the data controller to whom the personal data were provided, when:
data processing is based on consent under Article 6 (1) (a) of the Regulation (consent of the data subject to the processing of personal data) or Article 9 (2) (a) (explicit consent of the data subject to the processing of the data), or on Article 6 (1) (b); and
data management is automated.
2. When exercising the right to data portability pursuant to paragraph 1, the data subject shall have the right to request, where technically feasible, the direct transmission of personal data between controllers.
3. The exercise of the right referred to in paragraph 1 of this Article shall be without prejudice to Article 17 of the Regulation. That right shall not apply where the processing is necessary for the performance of a task carried out in the exercise of public authority or in the exercise of official authority conferred on the controller.
4. The rights referred to in paragraph 1 shall not adversely affect the rights and freedoms of others.
Right to protest
(1) The data subject may, at any time, object to the processing of his or her personal data carried out for the performance of a task in the public interest or in the exercise of public authority, or for the purpose of enforcing the legitimate interests of the controller or a third party (Article 6 (1) (e) or (f) of the Regulation), including profiling based on those provisions. In this case, the controller may not further process the personal data unless the data controller proves that the data processing is justified by compelling legitimate reasons that take precedence over the interests, rights and freedoms of the data subject, or that are related to bringing, validating or defending legal claims.
2. Where personal data are processed for the purposes of direct marketing, the data subject shall have the right to object at any time to the processing of personal data concerning him for that purpose, including profiling, where this is related to direct marketing.
(3) If the data subject objects to the handling of personal data for the purpose of direct marketing, personal data may no longer be processed for that purpose.
4. The right referred to in paragraphs 1 and 2 shall be brought to the attention of the data subject at the latest at the time of first contact with the data subject, and the information on it shall be presented clearly and separately from any other information.
5. In connection with the use of information society services, and by way of derogation from Directive 2002/58/EC, the data subject may exercise the right of objection by automated means based on technical specifications.
6. Where the processing of personal data is carried out for scientific and historical research purposes or for statistical purposes in accordance with Article 89 (1) of the Regulation, the data subject shall have the right to object to the processing of personal data concerning him or her for reasons relating to his or her own situation, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
Exemption from automated decision-making
1. The data subject shall have the right not to be subject to a decision based solely on automated data management, including profiling, which would have legal effect on him or would similarly significantly affect him.
(2) Paragraph 1 shall not apply if the decision:
is necessary for the conclusion or performance of a contract between the data subject and the controller;
is permitted by EU law or Member State law, which also lays down appropriate measures to protect the rights and freedoms and legitimate interests of the data subject; or
is based on the explicit consent of the data subject.
3. In the cases referred to in paragraph 2 (a) and (c), the controller shall take appropriate measures to protect the rights, freedoms and legitimate interests of the data subject, including at least the right of the data subject to seek the intervention of the data controller, to express his or her point of view and to object to the decision.
4. The decisions referred to in paragraph 2 may not be based on the specific categories of personal data referred to in Article 9 (1) of the Regulation, except where Article 9 (2) (a) or (g) applies and appropriate measures have been taken to protect the rights, freedoms and legitimate interests of the data subject.
Right to complain and remedy
Right to complain to the supervisory authority.
1. The data subject shall be entitled to lodge a complaint with the supervisory authority pursuant to Article 77 of the Regulation if the data subject considers that the processing of personal data relating to him is in breach of this Regulation.
(2) The person concerned may exercise his right to complain at the following contacts:
National Authority for Data Protection and Freedom of Information Address: 1125 Budapest, Szilágyi Erzsébet fasor 22 / c Phone: +36 (1) 391-1400; Fax: +36 (1) 391-1410 www: http://www.naih.hu e-mail: ugyfelszolgalat@naih.hu
3. The supervisory authority with which the complaint has been lodged shall be obliged to inform the client of the procedural developments and the outcome of the complaint, including the right of the client to seek judicial remedy under Article 78 of the Regulation.
Right to effective judicial redress against the supervisory authority
1. Without prejudice to other administrative or non-judicial remedies, any natural or legal person shall be entitled to effective judicial remedy against a legally binding decision of the supervisory authority.
2. Without prejudice to other administrative or non-judicial remedies, any person concerned shall have the right to an effective judicial remedy if the competent supervisory authority does not deal with the complaint or does not inform the person concerned within three months of the procedural developments or outcome of the complaint submitted under Article 77 of the Regulation.
3. Proceedings against the supervisory authority shall be brought before the courts of the Member State where the supervisory authority has its registered office.
4. Where proceedings are brought against a decision of the supervisory authority in respect of which the Board has previously issued an opinion or a decision under the consistency mechanism, the supervisory authority shall send that opinion or decision to the court.
Right to effective judicial redress against the controller or the processor
1. Without prejudice to the available administrative or non-judicial remedies, including the right to lodge a complaint with the supervisory authority under Article 77, any data subject shall have the right to an effective judicial remedy if he or she considers that his or her rights under this Regulation have been infringed as a result of his or her personal data not having been processed in accordance with this Regulation.
2. Proceedings against the controller or the processor shall be brought before the courts of the Member State where the controller or processor is established. Such proceedings may also be brought before the courts of the Member State in which the data subject is habitually resident, unless the controller or the processor is a public authority of a Member State acting in the exercise of public authority.
Limitations
1. Union or national law applicable to the controller or processor may limit by legislative measures the scope of the rights and obligations contained in Articles 12 to 22 and Article 34, as well as in Article 5 in so far as its provisions correspond to the rights and obligations laid down in Articles 12 to 22, provided that the limitation respects the essential content of fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to protect the following:
national security;
defense;
public safety;
the prevention, investigation, detection or prosecution of criminal offenses or the execution of criminal sanctions, including protection against and prevention of threats to public security;
other overriding public interest objectives of the Union or of a Member State, in particular of major economic or financial interest to the Union or a Member State, including monetary, budgetary and fiscal matters, public health and social security;
the independence of the judiciary and the protection of court proceedings;
in the case of regulated professions, the prevention, investigation and detection of ethical misconduct and the conduct of related proceedings;
control, inspection or regulatory activities relating, even occasionally, to the exercise of official authority in the cases referred to in (a) to (e) and (g);
the protection of the data subject or the protection of the rights and freedoms of others;
enforcement of civil claims.
2. The legislative measures referred to in paragraph 1 shall, where appropriate, contain detailed provisions at least on:
the purposes of data management or categories of data management,
categories of personal data,
the scope of the restrictions introduced,
guarantees against abuse or unauthorized access or transmission,
the definition of the controller or of categories of controllers,
the duration of the data storage and the applicable guarantees, taking into account the nature, scope and objectives of the data processing or data management categories,
the risks to the rights and freedoms of those concerned, and
the right of those concerned to be informed of the restriction, unless this may adversely affect the purpose of the restriction.
Information about the privacy incident
1. Where a data protection incident is likely to involve a high risk to the rights and freedoms of natural persons, the controller shall inform the data subject of the data protection incident without undue delay.
2. The information referred to in paragraph 1, provided to the data subject, shall set out clearly and comprehensibly the nature of the data protection incident and shall include at least the following:
the name and contact details of the data protection officer or other contact point for further information, the likely consequences of the data protection incident, the measures taken or planned by the controller to remedy the data protection incident, including, where appropriate, measures to mitigate any adverse consequences arising from the data protection incident.
3. The data subject shall not be informed as referred to in paragraph 1 if any of the following conditions is met:
the data controller has implemented appropriate technical and organizational protection measures, and these measures have been applied to the data affected by the data protection incident, in particular measures such as the use of encryption, which make the data unintelligible to persons not authorized to access the personal data;
the data controller, after the data protection incident, has taken additional measures to ensure that the high risk referred to in paragraph 1 is no longer likely to materialize;
providing the information would require a disproportionate effort. In such cases, the persons concerned shall be informed by means of publicly available information or a similar measure shall be taken to ensure that the persons concerned are equally informed.
4. If the data controller has not yet notified the data subject of the data protection incident, the supervisory authority may, after considering whether the data protection incident is likely to present a high risk, order the information of the data subject or determine whether one of the conditions referred to in paragraph 3 has been met.
PROCEDURE TO BE APPLIED IN THE CASE OF A REQUEST BY THE DATA SUBJECT
(1) The Company shall facilitate the exercise of the rights of the data subject, and may not refuse to execute a request for the exercise of the rights specified in this Data Management Information unless it proves that it is unable to identify the data subject.
2. The Company shall inform the data subject of the action taken on the request without undue delay, and in any event within one month of receipt of the request. If necessary, taking into account the complexity of the application and the number of applications, this deadline may be extended by a further two months. The controller shall inform the data subject of the extension of the deadline by indicating the reasons for the delay within one month of receiving the request.
3. Where the data subject has submitted the application by electronic means, the information shall, as far as possible, be provided by electronic means, unless otherwise requested by the data subject.
4. If the Company does not take action following a request by the data subject, it shall inform the data subject without delay, and at the latest within one month of receipt of the request, of the reasons for not taking action, and that the data subject may lodge a complaint with the supervisory authority and exercise the right of appeal.
(5) The Company shall provide the following information and measures free of charge to the data subject: feedback on the processing of personal data, access to managed data, rectification, supplementation, deletion of data, restriction of data management, data portability, objection to data management, information about a data protection incident.
(6) If the data subject’s request is manifestly unfounded or excessive, in particular due to its repetitive nature, the data controller may, taking into account the administrative costs of providing the requested information or taking the requested action, charge a fee of HUF 5000 or refuse to act on the request.
(7) The data controller shall bear the burden of proving that the application is manifestly unfounded or excessive.
(8) Without prejudice to Article 11 of the Regulation, where the controller has reasonable doubts as to the identity of the natural person making a request under Articles 15 to 21 of the Regulation, it may require the provision of further information necessary to confirm the identity of the data subject.
PROCEDURE TO BE APPLIED IN THE CASE OF AN INCIDENT (PERSONAL DATA BREACH)
(1) A data protection incident is a breach of security under the Regulation that results in accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or unauthorized access to personal data transmitted, stored or otherwise handled.
(2) The following are considered data protection incidents: loss or theft of a device containing personal data (laptop, mobile phone); loss or unavailability of the code for decrypting data encrypted by the data controller; infection by ransomware (blackmail virus), which renders the data managed by the data controller inaccessible until the ransom is paid; an attack on the IT system; an e-mail containing personal data sent in error; disclosure of such data, etc.
(3) When a data protection incident is detected, the representative of the Enterprise shall immediately carry out an investigation to identify the data protection incident and determine its possible consequences. The necessary measures must be taken to prevent damage.
4. The data protection incident shall be reported to the competent supervisory authority without undue delay and, if possible, not later than 72 hours after the data protection incident has come to its knowledge, unless the data protection incident is unlikely to pose a risk to the rights and freedoms of natural persons. If the notification is not made within 72 hours, it shall be accompanied by the reasons justifying the delay.
5. The data processor shall notify the data controller without undue delay after becoming aware of the data protection incident.
6. In the notification referred to in paragraph 3, at least:
the nature of the data protection incident, including, if possible, the categories and approximate number of data subjects and the categories and approximate number of data affected by the incident shall be described;
the name and contact details of the DPO or other contact person providing further information shall be communicated;
the likely consequences of a data protection incident must be explained;
the measures taken or planned by the controller to remedy the data protection incident, including, where appropriate, measures to mitigate any adverse consequences arising from the data protection incident.
7. If and to the extent that it is not possible to communicate the information at the same time, it may be communicated in installments without further undue delay.
8. The controller shall keep records of the data protection incidents, indicating the facts, effects and actions taken to remedy the data protection incident. This register allows the supervisory authority to verify compliance with the requirements of Article 33 of the Regulation.
VI. WEBSITE CONTACT DATA MANAGEMENT
Information on the visitor’s details of the Company’s website
(1) During visits to the website, one or more cookies (small packages of information that the server sends to the browser and that the browser returns to the server with every request directed to the server) are sent to the computer of the person visiting the website, by which that person’s browser becomes uniquely identifiable, provided that the person visiting the website has given explicit (active) consent by continuing to browse after receiving clear and unambiguous information.
(2) Cookies only work to improve the user experience and automate the login process. Cookies used on the website do not store personally identifiable information; the Company does not conduct personal data processing in this area.
VII. DATA MANAGEMENT ACTIVITY RELATED TO THE CONTRACT PERFORMANCE
(1) The Company shall manage the personal data of natural persons who contract with it (customers, suppliers) in the context of the contractual relationship. The data subject must be informed about the processing of personal data.
(2) Stakeholders: all natural persons who establish a contractual relationship with the Company.
(3) The legal basis for data management is the performance of a contract, the purpose of data management is to maintain contact, to enforce claims arising from the contract, and to ensure compliance with contractual obligations.
(4) Addressees of the personal data: the head of the Enterprise, the employees of the Enterprise, the employees of the Company, and the data processors who perform their accounting tasks.
(5) The scope of personal data handled: name, address, registered office, telephone number, e-mail address, tax number, bank account number, business ID number, primary producer ID number.
(6) Duration of data processing: 5 years from the date of termination of the contract.
PROVISIONS CONCERNING DATA SECURITY
(1) The Company may process personal data only in accordance with the activities specified in these Rules, according to the purpose of data management.
(2) The Company shall ensure the security of the data, and hereby undertakes to take all technical and organizational measures necessary for the enforcement of data security laws, data and secrecy rules, and to establish the necessary procedural rules for the enforcement of the above specified legislation.
(3) The Company shall protect the data by appropriate measures against unauthorized access, alteration, transmission, disclosure, deletion or destruction, as well as unavailability due to accidental destruction and damage to the technology used.
(4) The technical and organizational measures to be taken by the Enterprise for data security are set out in the Company’s Privacy Policy.
(5) The Company shall take into account the state of the art in the definition and application of data security measures, and in the case of several possible data management solutions, opt for a higher level of protection of personal data, unless it would be disproportionate.
RULES RELATING TO DATA PROCESSING
General rules for data processing
(1) The data controller shall determine the rights and obligations of the data processor in connection with the processing of personal data within the framework of the law and the separate laws on data management.
(2) The Enterprise declares that it has no competence to make a substantive decision on data management in the course of its data processing activities; store and preserve.
(3) The Company shall be responsible for the legality of the instructions given to the data processor in relation to data processing operations.
(4) The Company is obliged to provide the data subject with information on the identity of the data processor and the place of processing.
(5) The Enterprise shall not authorize the data processor to use any additional data processor.
6. The contract for the processing of data shall be made in writing. An organization that has a business interest in using the personal data to be processed may not be entrusted with data processing.
2019.02, Siófok
WEBSITE: www.tomapartmans.eu
Personal information may be disclosed by the Company to its employees having access rights related to the relevant data management purpose, or by persons or organizations performing data processing activities based on service contracts to the Company, to the extent and to the extent necessary for the performance of their activities.
NAME OF THE DATA PROCESSOR (K)
(1) The Enterprise shall not use an external data processor entrusted with personal data managed on the basis of its voluntary contribution for the purpose of operating and maintaining its website.
III. DEFINITIONS
“Personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, number, positioning data, online identifier or one or more factors relating to the physical, physiological, genetic, intellectual, economic, cultural or social identity of that natural person;
“Data management” means any operation or set of operations performed on personal data or files, whether automated or not, such as collection, recording, systematization, subdivision, storage, transformation or alteration, query, insight, use, communication, dissemination or making available by other means, coordination or interconnection, restriction, deletion or destruction;
“Limitation of data management” means the marking of stored personal data in order to limit their future handling;
“Profiling” means any form of automated processing of personal data in which personal data are used to evaluate certain personal characteristics associated with a natural person, in particular to analyze or predict characteristics related to performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movement;
“Pseudonymization” means the handling of personal data in such a way that it is no longer possible to determine, without the use of further information, which specific natural person the personal data relate to, provided that such additional information is stored separately and technical and organizational measures ensure that the personal data cannot be linked to identified or identifiable natural persons;
‘Record-keeping system’ means a set of personal data, structured in any way (centralized, decentralized, or on a functional or geographical basis), which is accessible based on specified criteria;
‘Data controller’ means any natural or legal person, public authority, agency or any other body which determines the purposes and means of the processing of personal data, either alone or in association with others; if the purposes and means of data processing are defined by EU or Member State law, the controller or the specific criteria for the designation of the controller may also be determined by Union or national law;
‘Data processor’ means any natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller;
‘Recipient’ means any natural or legal person, public authority, agency or any other body with which personal data are communicated, whether or not a third party is involved. Public authorities which have access to personal data in accordance with Union or Member State law in the context of a specific investigation shall not be considered as a recipient; the management of such data by these public authorities must be in accordance with the applicable data protection rules in accordance with the purposes of the data processing;
“Third party” means any natural or legal person, public authority, agency or any other body which is not identical with the data subject, the controller, the data processor or the persons who have been authorized to process personal data under the direct control of the controller or processor;
“Consent of the data subject” means a voluntary, specific and appropriately informed declaration of the will of the data subject, by which he or she expresses his / her consent to the processing of personal data concerning him or her by means of an act which expressly confirms the declaration;
“Data protection incident” means a security breach that results in accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or unauthorized access to personal data transmitted, stored or otherwise processed;
“Undertaking” means any natural or legal person pursuing an economic activity, regardless of its legal form, including partnerships and associations carrying out regular economic activities.
LEGAL BASIS FOR DATA MANAGEMENT
The consent of the data subject
1. The lawfulness of the processing of personal data must be based on the consent of the data subject or on another legitimate basis established by law.
(2) In the case of data processing under the consent of the data subject, the data subject may give his / her consent to the processing of his / her personal data in the following form:
(a) in a written declaration giving consent for the processing of personal data;
or clearly indicated for the intended treatment.
(3) Silence, pre-selected squares, or non-action shall not therefore constitute consent.
4. The consent shall cover all data processing activities carried out for the same purpose or purposes.
(5) If the data management serves several purposes simultaneously, the consent shall be given for all data management purposes. If the data subject’s consent is given after an electronic request, the request should be clear and concise and should not unnecessarily hinder the use of the service for which the consent is sought.
6. The data subject shall be entitled to withdraw his consent at any time. Withdrawal of consent does not affect the legality of the pre-withdrawal data management based on consent. Before giving consent, the person concerned must be informed accordingly. The withdrawal of consent shall be allowed in the same simple manner as its granting.
Contract performance
Data processing is considered to be lawful if it is necessary for the performance of a contract to which the data subject is a party, or in order to take action at the request of the data subject prior to the conclusion of the contract.
The data subject’s consent to the processing of personal data not necessary for the performance of the contract shall not be a condition for the conclusion of the contract.
Compliance with the legal obligation of the controller or the protection of the vital interests of the data subject or other natural person
Where data management serves the fulfillment of a legal obligation, its legal basis is determined by law, so the consent of the data subject to the processing of personal data is not necessary.
The data controller is obliged to inform the data subject about the purpose, legal basis and duration of the data management, about the identity of the data controller, as well as about the rights and remedies.
The Data Controller is entitled to continue handling the set of data necessary for the fulfillment of a legal obligation imposed on the Data Controller upon the withdrawal of the consent of the data subject.
Execution of a task carried out in the public interest or in the exercise of a public authority delegated to the controller, to enforce the legitimate interests of the controller or a third party.
The legitimate interest of the controller (including a data controller to whom personal data may be disclosed) or of a third party may provide a legal basis for data management, provided that the interests, fundamental rights and freedoms of the data subject do not take precedence, taking into account the reasonable expectations of the data subject on the basis of his relationship with the controller. Such a legitimate interest may exist, for example, where there is a relevant and appropriate relationship between the data subject and the controller, for example in cases where the data subject is a customer of the controller or is employed by it.
In order to establish the existence of a legitimate interest, it is necessary to examine carefully, inter alia, whether the data subject can reasonably expect, at the time and in the context of the collection of personal data, that the data may be handled for that purpose.
The interests and fundamental rights of the data subject may take precedence over the interests of the data controller if personal data are handled in circumstances in which the data subjects do not expect further processing.
RIGHTS RELATING TO THE HANDLING OF DATA OF THE PERSON CONCERNED
The following information about the rights of the person concerned is briefly provided by the Company:
The data subject has the right to:
be informed before the data management begins,
receive feedback from the controller on whether personal data are being processed and, if such data is being processed, to have access to the personal data and to the related information,
request correction or deletion of data from the data controller, and be notified of this by the data controller,
request limitation of data management and receive notification from the controller about this,
data portability,
object if his or her personal data is processed for public interest purposes or by reference to the legitimate interest of the data controller,
be exempt from automated decision-making, including profiling,
complain to the supervisory authority. The right to complain may be exercised at the following contact points: National Authority for Data Protection and Freedom of Information, address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c., phone: +36 (1) 391-1400; fax: +36 (1) 391-1410, www: http://www.naih.hu, e-mail: ugyfelszolgalat@naih.hu
an effective judicial remedy against the supervisory authority,
an effective judicial remedy against the controller or the data processor,
information about a data protection incident.
Detailed information on affected rights
Right to information
1. The data subject shall have the right to be informed of information relating to data management prior to the commencement of activities for the processing of his data.
(2) Information to be provided when personal data are collected from the data subject:
the identity and contact details of the controller and, if any, of the controller’s representative;
contact details of the DPO, if any;
the purpose of the intended management of personal data and the legal basis for data management;
in the case of data processing based on Article 6 (1) (f) of the Regulation, the legitimate interests of the controller or of a third party;
where applicable, the recipients of the personal data or categories of recipients, if any;
where applicable, the fact that the controller wishes to transfer personal data to a third country or an international organization, as well as the existence or absence of a Commission adequacy decision or, in the case of a transfer referred to in Article 46, Article 47 or the second subparagraph of Article 49 (1) of the Regulation, an indication of the appropriate and suitable safeguards and the means of obtaining a copy of them.
3. In addition to the information referred to in paragraph 1, the controller shall inform the data subject at the time of the acquisition of personal data, in order to ensure fair and transparent data management, of the following additional information:
the duration of the storage of personal data or, if this is not possible, the criteria for determining that period;
the right of the data subject to apply to the controller for access to, rectification, erasure or restriction of personal data relating to him or her and to object to the processing of such personal data and his / her right to data portability;
in the case of data processing based on Article 6 (1) (a) or Article 9 (2) (a) of the Regulation, the right to withdraw the consent at any time, without prejudice to the lawfulness of the data processing carried out on the basis of the consent prior to the withdrawal;
the right to lodge a complaint with the supervisory authority;
whether the provision of personal data is based on a statutory or contractual obligation or a prerequisite for the conclusion of a contract, and whether the data subject is obliged to provide personal data, and what the possible consequences of failure to provide data may be;
the fact of automated decision-making, including profiling, referred to in Article 22 (1) and (4) of the Regulation and, at least in these cases, the logic used and understandable information on the significance of such data management and the expected consequences for the data subject.
4. Where personal data have not been obtained from the data subject, the controller shall make the following information available to the data subject:
the identity and contact details of the controller and, if any, of the controller’s representative;
contact details of the DPO, if any;
the purpose of the intended management of personal data and the legal basis for data management;
the categories of personal data involved;
the recipients of the personal data and the categories of recipients, if any;
where applicable, the fact that the controller wishes to transfer personal data to a third country recipient or to an international organization, as well as the existence or absence of a Commission adequacy decision or, in the case of a transfer referred to in Article 46, Article 47 or the second subparagraph of Article 49 (1) of the Regulation, an indication of the appropriate and suitable guarantees, as well as a reference to the means of obtaining a copy of them or to their availability.
2. In addition to the information referred to in paragraph 1, the controller shall provide the data subject with the following additional information necessary to ensure fair and transparent data management for the data subject:
the duration of the storage of personal data or, if this is not possible, the criteria for determining that period;
where the processing is based on Article 6 (1) (f) of the Regulation, on the legitimate interests of the controller or a third party;
the right of the data subject to apply to the controller for access to, rectification, erasure or restriction of personal data relating to him or her, and to object to the processing of personal data and his / her right to data portability;
in the case of data processing based on Article 6 (1) (a) or 9 (2) (a) of the Regulation, the right to withdraw the consent at any time, without prejudice to the lawfulness of the data processing carried out on the basis of the consent prior to the withdrawal;
the right to lodge a complaint with a supervisory authority;
the source of personal data and, where applicable, whether the data originate from publicly available sources; and
the fact of automated decision-making, including profiling, as referred to in Article 22 (1) and (4) of the Regulation, as well as, at least in these cases, the logic used and understandable information on the significance of such data management and the expected consequences for the data subject.
3. Where the controller wishes to further process personal data for a purpose other than that for which they were obtained, he shall inform the data subject of this different purpose and of any relevant additional information referred to in paragraph 2 before further processing.
4. Paragraphs 1 to 3 shall not apply where and to the extent that:
the data subject already has the information;
the provision of such information would be impossible or would involve a disproportionate effort, in particular for archiving in the public interest, for scientific and historical research purposes or for statistical purposes, taking into account the conditions and guarantees in Article 89 (1), or the obligation referred to in paragraph 1 of this Article is likely to render impossible or seriously jeopardize the achievement of the purposes of this data management. In such cases, the controller shall take appropriate measures, including public disclosure of the information, to protect the rights, freedoms and legitimate interests of the data subject;
the acquisition or communication of data is expressly provided for by Union or Member State law applicable to the controller which provides for appropriate measures to protect the data subject’s legitimate interests; or
personal data must be kept confidential by virtue of professional secrecy imposed by EU or Member State law, including statutory confidentiality obligations.
Right of access of the data subject
1. The data subject shall have the right to receive feedback from the controller on whether personal data are being processed and, if such processing is in progress, to have access to personal data and the following information:
the purposes of data management;
the categories of personal data involved;
the recipients or categories of recipients to whom the personal data have been or will be communicated, including in particular third-country recipients or international organizations;
where appropriate, the intended duration of the storage of personal data or, if this is not possible, the criteria for determining that period;
the right of the data subject to request from the controller the rectification, erasure or restriction of personal data relating to him or her and to object to the processing of such personal data;
the right to lodge a complaint with a supervisory authority;
if the data were not collected from the data subject, all available information about their source;
the fact of automated decision-making, including profiling, as referred to in Article 22 (1) and (4) of the Regulation, as well as, at least in these cases, the logic used and understandable information on the significance of such data management and the expected consequences for the data subject.
2. Where personal data are transferred to a third country or to an international organization, the data subject shall have the right to be informed of the appropriate guarantees concerning transfers under Article 46.
3. The controller shall make available to the data subject a copy of the personal data which are the subject of the data processing. The controller may charge a reasonable fee based on administrative costs for additional copies requested by the data subject. If the data subject has submitted the application by electronic means, the information shall be made available in a widely used electronic format, unless otherwise requested by the data subject.
Right of correction and deletion of the data subject
Right to rectification
1. The data subject shall have the right to have the controller rectify, at his request and without undue delay, the inaccurate personal data relating to him. Taking into account the purpose of data management, the data subject is entitled to request the supplementation of incomplete personal data, including by means of a supplementary declaration.
Right to erasure (“the right to be forgotten”)
1. The data subject shall have the right to have the controller delete, at his request and without undue delay, personal data relating to him, and the controller shall delete personal data relating to the data subject without undue delay if one of the following grounds exists:
personal data are no longer needed for the purpose for which they were collected or otherwise processed;
the data subject withdraws the consent given under Article 6 (1) (a) of the Regulation (consent to the processing of personal data) or Article 9 (2) (a) of the Regulation (explicit consent) and there is no other legal basis for the data processing;
the data subject, in accordance with Article 21 (1) of the Regulation (right of objection), objects to the processing of the data and there is no legal reason for the processing of the data, or the data subject objects to the data processing under Article 21 (2) of the Regulation;
personal data has been unlawfully treated;
personal data must be deleted in order to fulfill a legal obligation under EU or Member State law applicable to the controller;
personal data were collected in connection with the provision of information society services referred to in Article 8 (1).
2. If the controller has disclosed personal data and has to delete it at the request of the data subject, he shall, taking into account the available technology and the costs of implementation, take reasonable steps, including technical measures, to inform the controllers managing the data that the data subject has requested them to delete the links to the personal data in question or any copy or duplicate of such personal data.
3. Paragraphs 1 and 2 shall not apply where the processing is necessary:
to exercise the right to freedom of expression and information;
for the fulfillment of an obligation under EU or Member State law which governs the processing of personal data, or for the performance of a task carried out in the public interest or in the exercise of public authority conferred on the controller;
for reasons of public interest in the field of public health, in accordance with Article 9 (2) (h) and (i) and Article 9 (3) of the Regulation;
in accordance with Article 89 (1) of the Regulation for archiving in the public interest, for scientific and historical research purposes or for statistical purposes, where the right referred to in paragraph 1 is likely to prevent or seriously jeopardize such processing; or
for the submission, validation or protection of legal claims.
Right to restrict data management
1. At the request of the data subject, the data controller shall restrict data management if one of the following conditions is met:
the person concerned disputes the accuracy of the personal data, in which case the limitation applies to the period that allows the controller to verify the accuracy of the personal data;
data processing is unlawful and the data subject is against the deletion of the data and instead requests a restriction on their use;
the data controller no longer needs personal data for data management purposes, but the data subject requests them for the submission, validation or protection of legal claims; or
the data subject has objected to the processing in accordance with Article 21 (1) of the Regulation; in this case, the limitation shall apply for the period until it is established whether the legitimate reasons of the controller prevail over the legitimate reasons of the data subject.
2. Where data processing is subject to a restriction pursuant to paragraph 1, such personal data shall, with the exception of storage, be processed only with the consent of the data subject, or for the submission, validation or protection of legal claims, or for the protection of the rights of another natural or legal person, or in the public interest of the Union or of a Member State.
3. The controller shall inform the data subject at whose request the processing of data has been restricted pursuant to paragraph 1, in advance of the lifting of the restriction on data management.
Notification obligation related to rectification or deletion of personal data or limitation of data management
1. The controller shall inform every addressee to whom the personal data have been communicated of the rectification, erasure or limitation of the processing, unless this proves impossible or requires a disproportionate effort.
2. At the request of the data subject, the controller shall inform those addressees.
Right to data storage
1. The data subject shall have the right to receive personal data concerning him or her from a data controller, in a distributed, widely used, machine-readable format, and shall be entitled to forward such data to another data controller without being prevented from doing so by the data controller to whom the personal data were provided, when:
data processing is based on consent under Article 6 (1) (a) of the Regulation (consent of the data subject to the processing of personal data) or Article 9 (2) (a) (explicit consent of the data subject to the processing of the data), or on a contract under Article 6 (1) (b); and
data management is automated.
2. When exercising the right to carry the data pursuant to paragraph 1, the data subject shall have the right to request, where technically feasible, the direct transmission of personal data between controllers.
3. The exercise of the right referred to in paragraph 1 of this Article shall be without prejudice to Article 17 of the Regulation. That right shall not apply where the processing is necessary for the performance of a task carried out in the exercise of public authority or in the exercise of official authority conferred on the controller.
4. The rights referred to in paragraph 1 shall not adversely affect the rights and freedoms of others.
Right to protest
(1) The data subject may, at any time, object to the processing of his or her personal data where the processing is carried out in the public interest or in the exercise of public authority, or for the purpose of enforcing the legitimate interests of the controller or a third party (Article 6 (1) (e) or (f) of the Regulation), including profiling based on those provisions. In this case, the controller may not further process the personal data unless the data controller proves that the data processing is justified by compelling legitimate reasons that take precedence over the interests, rights and freedoms of the data subject or that are related to bringing, validating or defending legal claims.
2. Where personal data are processed for the purposes of direct marketing, the data subject shall have the right to object at any time to the processing of personal data concerning him for that purpose, including profiling, where this is related to direct marketing.
(3) If the data subject objects to the handling of personal data for the purpose of direct marketing, personal data may no longer be processed for that purpose.
4. The right referred to in paragraphs 1 and 2 shall be brought to the attention of the person concerned at the latest at the time of first contact with the data subject and shall be clearly and separately distinguished from any other information.
5. By way of derogation from Directive 2002/58/EC relating to the use of information society services, the data subject may exercise the right of objection by automated means based on technical specifications.
6. Where the processing of personal data is carried out for the purposes of scientific and historical research or statistical purposes in accordance with Article 89 (1) of the Regulation, the data subject shall have the right to object for reasons relating to his or her own situation, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
Exemption from automated decision-making
1. The data subject shall have the right not to be subject to a decision based solely on automated data management, including profiling, which would have legal effect on him or her or would similarly significantly affect him or her.
(2) Paragraph 1 shall not apply if the decision:
is necessary for the conclusion or performance of a contract between the data subject and the controller;
is permitted by EU law or Member State law, which also lays down appropriate measures to protect the rights and freedoms and legitimate interests of the data subject; or
is based on the explicit consent of the data subject.
3. In the cases referred to in paragraph 2 (a) and (c), the controller shall take appropriate measures to protect the rights, freedoms and legitimate interests of the data subject, including at least the right of the data subject to seek human intervention on the part of the data controller, to express his or her point of view and to object to the decision.
4. The decisions referred to in paragraph 2 may not be based on the specific categories of personal data referred to in Article 9 (1) of the Regulation, except where Article 9 (2) (a) or (g) applies and appropriate measures have been taken to protect the rights, freedoms and legitimate interests of the data subject.
Right to complain and remedy
Right to complain to the supervisory authority.
1. The data subject shall be entitled to lodge a complaint with the supervisory authority pursuant to Article 77 of the Regulation if the data subject considers that the processing of personal data relating to him is in breach of this Regulation.
(2) The person concerned may exercise his right to complain at the following contacts:
National Authority for Data Protection and Freedom of Information
Address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c
Phone: +36 (1) 391-1400
Fax: +36 (1) 391-1410
www: http://www.naih.hu
e-mail: ugyfelszolgalat@naih.hu
3. The supervisory authority to which the complaint has been lodged shall inform the client of the procedural developments and the outcome of the complaint, including the right of the client to seek judicial remedy under Article 78 of the Regulation.
Right to effective judicial redress against the supervisory authority
1. Without prejudice to other administrative or non-judicial remedies, any natural or legal person shall be entitled to effective judicial remedy against a legally binding decision of the supervisory authority.
2. Without prejudice to other administrative or non-judicial remedies, any person concerned shall have the right to an effective judicial remedy if the competent supervisory authority does not deal with the complaint or does not inform the person concerned, within three months, of the procedural developments or the outcome of the complaint submitted under Article 77 of the Regulation.
3. Proceedings against the supervisory authority shall be brought before the courts of the Member State where the supervisory authority has its registered office.
4. Where proceedings are brought against a decision of the supervisory authority in respect of which the Board has previously issued an opinion or a decision under the Unity Mechanism, the supervisory authority shall send that opinion or decision to the court.
Right to effective judicial redress against the controller or the processor
1. Without prejudice to the available administrative or non-judicial remedies, including the right to lodge a complaint with the supervisory authority under Article 77, any data subject shall be entitled to an effective judicial remedy if he or she considers that his or her rights under this Regulation have been infringed because his or her personal data have not been processed in accordance with this Regulation.
2. Proceedings against the controller or the processor shall be brought before the courts of the Member State where the controller or processor is established. Such proceedings may also be brought before the courts of the Member State in which the data subject is habitually resident, unless the controller or the processor is a public authority of a Member State acting in the exercise of public authority.
Limitations
1. Union or national law applicable to the controller or processor shall limit, by legislative measures, the scope of the rights and obligations contained in Articles 12 to 22 and Article 34, and in Article 5 in so far as its provisions correspond to the rights and obligations laid down in Articles 12 to 22, in so far as the limitation respects the essential content of fundamental rights and freedoms and is a necessary and proportionate measure to protect the following in a democratic society:
national security;
defense;
public safety;
the prevention, investigation, detection or prosecution of criminal offenses or the execution of criminal sanctions, including protection against and prevention of threats to public security;
other overriding public interest objectives of the Union or of a Member State, in particular of major economic or financial interest to the Union or a Member State, including monetary, fiscal and fiscal matters, public health and social security;
the independence of the judiciary and the protection of court proceedings;
in the case of regulated professions, the prevention, investigation, detection and conduct of ethical misconduct;
in the cases referred to in (a) to (e) and (g), even occasionally, control, inspection or regulatory activities relating to the exercise of official authority;
the protection of the data subject or the protection of the rights and freedoms of others;
enforcement of civil claims.
2. The legislative measures referred to in paragraph 1 shall, where appropriate, contain detailed provisions at least:
for data management purposes or categories of data management,
categories of personal data,
the scope of the restrictions introduced,
guarantees for abuse or unauthorized access or transmission,
to define the controller or to define categories of controllers,
the duration of the data storage and the applicable guarantees, taking into account the nature, scope and objectives of the data processing or data management categories,
the risks to the rights and freedoms of those concerned, and
the right of those concerned to be informed of the restriction, unless this may adversely affect the purpose of the restriction.
Information about the privacy incident
1. Where a data protection incident is likely to involve a high risk to the rights and freedoms of natural persons, the controller shall inform the data subject of the data protection incident without undue delay.
2. The information referred to in paragraph 1, provided to the data subject, shall set out clearly and comprehensibly the nature of the data protection incident and shall include at least the following:
the name and contact details of the data protection officer or other contact person providing further information;
the likely consequences of the data protection incident;
the measures taken or planned by the controller to remedy the data protection incident, including, where appropriate, measures to mitigate any adverse consequences arising from the data protection incident.
3. The data subject shall not be informed as referred to in paragraph 1 if any of the following conditions is met:
the data controller has implemented appropriate technical and organizational protection measures, and these measures have been applied to the data affected by the data protection incident, in particular measures such as the use of encryption, which make the data unintelligible to persons not authorized to access the personal data;
the data controller, after the data protection incident, has taken additional measures to ensure that the high risk referred to in paragraph 1 is no longer likely to materialize;
information would require a disproportionate effort. In such cases, the persons concerned shall be informed by means of publicly available information or a similar measure shall be taken to ensure that the persons concerned are equally informed.
4. If the data controller has not yet notified the data subject of the data protection incident, the supervisory authority may, after considering whether the data protection incident is likely to present a high risk, order the information of the data subject or determine whether one of the conditions referred to in paragraph 3 has been met.
PROCEDURE TO BE APPLIED IN THE CASE OF THE INTERESTED PARTY
(1) The Company shall facilitate the exercise of the rights of the data subject, and may not refuse to execute a request for the exercise of the rights specified in this Data Management Information unless it proves that it is unable to identify the data subject.
2. The Company shall inform the data subject of the action taken on the request without undue delay, and in any event within one month of receipt of the request. If necessary, taking into account the complexity of the application and the number of applications, this deadline may be extended by a further two months. The controller shall inform the data subject of the extension of the deadline by indicating the reasons for the delay within one month of receiving the request.
3. Where the data subject has submitted the application by electronic means, the information shall, as far as possible, be provided by electronic means, unless otherwise requested by the data subject.
(4) If the Company does not take action, it shall inform the person concerned of the reasons for not taking the action and that he or she may submit a complaint to the supervisory authority and exercise the right of appeal.
(5) The Company shall provide the following information and measures free of charge to the data subject: feedback on the processing of personal data, access to managed data, rectification, supplementation, deletion of data, restriction of data management, data storage, protest against data management, information about a data protection incident.
(6) If the data subject’s request is manifestly unfounded or, in particular due to its repetitive nature, excessive, the data controller may, taking into account the administrative costs of providing the requested information or taking the requested action, charge a fee of HUF 5000 or refuse the application.
(7) The data controller shall bear the burden of proving that the application is manifestly unfounded or excessive.
(8) Without prejudice to Article 11 of the Regulation, where the controller has reasonable doubts as to the identity of the natural person submitting a request under Articles 15 to 21 of the Regulation, it may require the provision of further information necessary to confirm the identity of the data subject.
PROCEDURE TO BE APPLIED IN THE CASE OF AN INCIDENT (PERSONAL DATA BREACH)
(1) A data protection incident is a breach of security under the Regulation that results in accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or unauthorized access to personal data transmitted, stored or otherwise handled.
(2) The following are considered data protection incidents: loss or theft of a device containing personal data (laptop, mobile phone); loss or unavailability of the code for decrypting data encrypted by the data controller; infection by ransomware (blackmail virus) that makes the data managed by the data controller unavailable until the ransom is paid; an attack on the IT system; an e-mail containing personal data sent in error; publication of an address list; etc.
(3) If a data protection incident is detected, the representative of the Enterprise shall immediately carry out an investigation to identify the data protection incident and determine its possible consequences. The necessary measures must be taken to prevent damage.
4. The data protection incident shall be reported to the competent supervisory authority without undue delay and, if possible, not later than 72 hours after the data protection incident has come to the controller's knowledge, unless the data protection incident is unlikely to pose a risk to the rights and freedoms of natural persons. If the notification is not made within 72 hours, it shall be accompanied by the reasons justifying the delay.
5. The data processor shall notify the data controller without undue delay after becoming aware of the data protection incident.
6. In the notification referred to in paragraph 3, at least:
the nature of the data protection incident, including, if possible, the categories and approximate number of data subjects and the categories and approximate number of data affected by the incident shall be described;
the name and contact details of the DPO or other contact person providing further information shall be communicated;
the likely consequences of a data protection incident must be explained;
the measures taken or planned by the controller to remedy the data protection incident, including, where appropriate, measures to mitigate any adverse consequences arising from the data protection incident.
7. If and when it is not possible to communicate the information at the same time, they may be communicated in installments without further undue delay.
8. The controller shall keep records of the data protection incidents, indicating the facts, effects and actions taken to remedy the data protection incident. This register allows the supervisory authority to verify compliance with the requirements of Article 33 of the Regulation.
VI. WEBSITE CONTACT DATA MANAGEMENT
Information on the visitor’s details of the Company’s website
(1) During visits to the website, one or more cookies (small packages of information that the server sends to the browser and that the browser returns to the server with every request directed to the server) are sent to the computer of the person visiting the website, by which his or her browser will be uniquely identifiable, provided that the person visiting the website has, following clear and unambiguous information, given his or her explicit (active) consent to this by continuing to browse.
(2) Cookies only work to improve the user experience and automate the login process. Cookies used on the website do not store personally identifiable information; the Company does not conduct personal data processing in this area.
VII. DATA MANAGEMENT ACTIVITY RELATED TO THE CONTRACT PERFORMANCE
(1) The Company shall manage the personal data of the natural persons contracting with it (customers, suppliers) in the context of the contractual relationship. The data subject must be informed about the processing of personal data.
(2) Stakeholders: all natural persons who establish a contractual relationship with the Company.
(3) The legal basis for data management is the performance of a contract, the purpose of data management is to maintain contact, to enforce claims arising from the contract, and to ensure compliance with contractual obligations.
(4) Addressees of the personal data: the head of the Enterprise, the employees of the Enterprise, the employees of the Company, and the data processors who perform their accounting tasks.
(5) The scope of personal data handled: name, address, registered office, telephone number, e-mail address, tax number, bank account number, business ID number, primary producer ID number.
(6) Duration of data processing: 5 years from the date of termination of the contract.
PROVISIONS CONCERNING DATA SECURITY
(1) The Company may process personal data only in accordance with the activities specified in these Rules, according to the purpose of data management.
(2) The Company shall ensure the security of the data, and hereby undertakes to take all technical and organizational measures necessary for the enforcement of data security laws, data and secrecy rules, and to establish the necessary procedural rules for the enforcement of the above specified legislation.
(3) The Company shall protect the data by appropriate measures against unauthorized access, alteration, transmission, disclosure, deletion or destruction, as well as unavailability due to accidental destruction and damage to the technology used.
(4) The technical and organizational measures to be implemented by the Enterprise for the purpose of data security are set out in the Company’s Privacy Policy.
(5) The Company shall take into account the state of the art in the definition and application of data security measures, and in the case of several possible data management solutions, opt for a higher level of protection of personal data, unless it would be disproportionate.
RULES RELATING TO DATA PROCESSING
General rules for data processing
(1) The data controller shall determine the rights and obligations of the data processor in connection with the processing of personal data within the framework of the law and the separate laws on data management.
(2) The Enterprise declares that it has no competence to make a substantive decision on data management in the course of its data processing activities; store and preserve.
(3) The Company shall be responsible for the legality of the instructions given to the data processor in relation to data processing operations.
(4) The Company is obliged to provide the data subject with information on the identity of the data processor and the place of processing.
(5) The Enterprise shall not authorize the data processor to use any additional data processor.
6. The contract for the processing of data shall be made in writing. An organization that has a business interest in the use of the personal data to be processed may not be entrusted with data processing.
February 19, 2019, Siofok