iTineris
IT in agriculture

1029 Budapest, Birsalma utca 5.
+36 20 491 9204
support@itineris.eu
Info@itineris.eu

DATA PROCESSING INFORMATION - itineris.eu

1. INTRODUCTION

ITineris Kft. (hereinafter ITineris Ltd., service provider, data controller, Company), as a data controller, acknowledges the content of this legal notice as binding upon itself. The Company undertakes that all of its data processing related to its activities shall comply with the requirements set out in this policy and in the applicable legislation. ITineris Ltd. is the operator of the websites https://www.itineris.hu, itineris.eu, wayquest.pl, wayquest.cz, wayquest.sk. wayquest.hu, utdijfizeto.hu, utdijfiz.hu.

ITineris Ltd. reserves the right to change this information notice at any time. Naturally, it will notify its audience of any changes in due time.

ITineris Ltd. is committed to protecting the personal data of its clients and partners, and considers it of utmost importance to respect its clients' right to informational self-determination. The Data Controller handles personal data confidentially and takes all security, technical, and organizational measures that guarantee the security of the data. ITineris Ltd. describes its data processing principles below, presenting the expectations it has formulated and adheres to for itself as a data controller. Its data processing principles are in accordance with the current legislation on data protection, in particular with the following:

Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information
Act V of 2013 - on the Civil Code (Ptk.);
Act XLVIII of 2008 on the Basic Conditions and Certain Restrictions of Commercial Advertising Activities (Grt.).
Act CVIII of 2001 (Ekertv.) on certain issues of electronic commerce services and services related to the information society;
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter: "GDPR")

2. DEFINITIONS

data subject: any specified natural person identified or identifiable, directly or indirectly, on the basis of personal data;
personal data: data that can be associated with the data subject, in particular the name, identification mark, and one or more pieces of information characteristic of their physical, physiological, mental, economic, cultural or social identity, as well as the conclusion that can be drawn from the data concerning the data subject;
consent: a voluntary and explicit expression of the data subject's will, based on adequate information, by which they give their unambiguous consent to the processing of personal data concerning them, either in full or for specific operations;
data controller: the natural or legal person, or organization without legal personality, who independently or jointly with others determines the purpose of the processing of data, makes and implements decisions concerning data processing (including the means used), or has them implemented by a data processor;
data processing: any operation or set of operations performed on the data, regardless of the procedure used, such as collection, recording, fixation, structuring, storage, alteration, use, retrieval, transmission, disclosure, coordination or combination, restriction, erasure or destruction, as well as preventing further use of the data, taking photographs, sound or video recordings, and recording physical characteristics suitable for identifying a person (e.g., fingerprint or palm print, DNA sample, iris scan);
data transfer: making the data accessible to a specified third party;
disclosure: making the data accessible to anyone;
data erasure: making data unrecognizable in such a way that their restoration is no longer possible;
data processing (technical): performing technical tasks related to data processing operations, regardless of the method and means used to perform the operations and the place of application, provided that the technical task is performed on the data;
data processor: a natural or legal person, or an organization without legal personality, who processes data on the basis of a contract, including a contract concluded under a provision of law.

3. COMPANY DETAILS

Our company's details and contact information are as follows:

Name:	ITineris Informatikai Kft.
Mailing address:	1029 Budapest, Birsalma utca 5.
Company registration number:	01-09-739921
Tax number:	13527316-2-41
Phone number:	+36 20 491 9204
E-mail:	info@itineris.eu
Data controller's representative:	Szilágyi Gábor - managing director

4. SCOPE OF PERSONAL DATA, PURPOSE, LEGAL BASIS AND DURATION OF DATA PROCESSING

We draw the attention of data providers to ITineris Ltd. that if they do not provide their own personal data, it is the duty of the data provider to obtain the consent of the data subject. The data controller is not obliged to verify their existence. The data controller warns the partner that if this obligation is not fulfilled, and the data subject asserts a claim against the data controller, the asserted claim or the amount of the related damage may be passed on to the partner by the data controller. We provide the following information regarding our individual data processing activities.

4.1. Request for quotation, inquiry by direct contact

Inquirers have the opportunity to make a direct inquiry to our Company by e-mail sent to the Company's address (info@itineris.eu) or by telephone.

Purpose of data processing: To maintain contact to promote communication between the data subject and our Company and for the closest and most effective cooperation possible.
Legal basis for data processing: legitimate interest - Article 6(1)(f) of the GDPR.
Scope of personal data processed: Name of the inquirer/contact person; e-mail address, phone number and other information provided by the data subject,
Duration of data processing: until the validity period of the offer expires or until the data subject's objection.
Recipients of personal data: The data controller will not transfer the data to third parties, except for the data processor(s) indicated in section 7. The recorded data can only be accessed by the employees of the Data Controller and the designated colleagues of the data processor(s).
Designation of legitimate interest: Our company's legitimate interest is the processing of the data subject's data for direct marketing.
Scope of data subjects: Partners and data subjects who inquire directly about the Company's services (e.g., by e-mail, telephone).

4.2. Data processing related to the follow-up of a request for quotation

Purpose of data processing: the data controller's legitimate interest in keeping records of the data subject's data beyond the offer validity period for direct marketing purposes.
Legal basis for data processing: legitimate interest of the data controller, Article 6(1)(f) of the GDPR.
Scope of personal data processed: Contact person's last name and first name; phone number; e-mail address.
Recipients of personal data: The data controller will not transfer the data to third parties, except for the data processor(s) indicated in section 7. The recorded data can only be accessed by the employees of the Data Controller and the designated colleagues of the data processor(s).
Duration of data processing: until the data subject's objection.
Designation of legitimate interest: Establishing business relationships with partners and inquirers, providing accurate information and guidance to data subjects. Our company's legitimate interest is the processing of the data subject's data for direct marketing.
Scope of data subjects: The addressees of offers previously issued by the Company and the contact person(s) mentioned therein.

4.3. Processing of client contact data in client contracts (in case of a legal person as contracting party)

Purpose of data processing: processing of contact data in contracts concluded with the client; to facilitate fast, accurate and effective communication with the client.
Legal basis for data processing: legitimate interest - Article 6(1)(f) of the GDPR.
Scope of personal data processed: contact person's name, company e-mail address, phone number.
Duration of data processing: for 8 years following the existence of the contract.
Recipients of personal data: The data controller will not transfer the data to third parties, except for the designated data processor(s). The recorded data can only be accessed by the employees of the Data Controller, the designated colleagues of the data processor(s), and the contractual client and its employees.
Designation of legitimate interest: It is in our Company's legitimate interest to process the data subject's data (name, company e-mail address, phone number) in the client contract. The client can use the specified channels to communicate with the contact person as necessary for the performance of the contract.
Scope of data subjects: Data subjects included in the contract concluded between the Company and the client.

4.4. Processing of client data in client contracts in the case of a sole proprietor client

Purpose of data processing: processing of contact data in contracts concluded with the client, to ensure the company's successful receivables management process.
Legal basis for data processing: legitimate interest - GDPR Article 6(1)(f).
Scope of personal data processed: sole proprietor: -Mother's name, -Birth name, -Place of birth, -Date of birth.
Duration of data processing: for 8 years following the existence of the contract.
Recipients of personal data: The data controller will not transfer the data to third parties, except for the designated data processor(s). The recorded data can only be accessed by the employees of the Data Controller, the designated colleagues of the data processor(s), and the contractual client and its employees.
Designation of legitimate interest: It is in our Company's legitimate interest to process the data subject's data in the client contract (sole proprietor: -Mother's name, -Birth name, -Place of birth, -Date of birth). In the case of a sole proprietor client, it is necessary to provide the above-mentioned data for the submission of any payment orders.
Scope of data subjects: Data subjects included in the contract concluded between the Company and the client (sole proprietors only).

4.5. Cattle breeder registration

Purpose of data processing: registration of a cattle breeder in the official system.
Legal basis for data processing: performance of a contract / order, GDPR Article 6(1)(b), and by law GDPR Article 6(1)(c).
Scope of personal data processed: Animal keeper's name, contact details; contact person's name and contact details (for legal entities); Billing address; Invoice amount; Purchased products, invoiced services.
Duration of data processing: for the period specified in the Accounting Act.
Possible consequences of failure to provide data: Provision of data is mandatory.
Recipients of personal data: The data controller will not transfer the data to third parties, except for the data processor(s) indicated in section 7. The recorded data can only be accessed by the employees of the Data Controller and the designated colleagues of the data processor(s).
Scope of data subjects: Data subjects with whom the Company has a contractual relationship (cattle registration).

4.6. CATTLE BREEDER AND FATTENER system registration (Beef)

Contracted partners have the opportunity to register on the electronic platform operated by the Company. The use of the webshop requires registration. During registration, the data subject creates an account. The purpose of data processing is to register and differentiate between customers.

Legal basis for data processing: voluntary consent, GDPR Article 6(1)(a). By checking the checkbox on the website, you give your voluntary consent to the processing of your personal data, and performance of a contract, GDPR Article 6(1)(b).
Scope of personal data processed: The registrant's (data subject) username (provided by the user), name, e-mail address.
Duration of data processing: until the withdrawal of consent, the deletion of the data subject's account, or the existence of the contract.
Recipients of personal data: The data controller will not transfer the data to third parties, except for the data processor(s) indicated in section 7. The recorded data can only be accessed by the employees of the Data Controller and the designated colleagues of the data processor(s).
Possible consequences of failure to provide data: If the data is not provided, the User will not be able to use their client account. Providing the data is a prerequisite for using the service.
Scope of data subjects: Data subjects who create an account in the system (Beef) operated by the Data Controller.

4.7. Data processing related to the Beef client account

Purpose of data processing: Data processing related to the client account, assigning a user.
Legal basis for data processing: performance of a contract / order, GDPR Article 6(1)(b).
Scope of personal data processed: User's name, e-mail address.
Duration of data processing: Until the contract exists or until the user profile / client account is deleted by the data subject.
Recipients of personal data: The data controller will not transfer the data to third parties, except for the data processor(s) indicated in section 8. The recorded data can only be accessed by the employees of the Data Controller and the designated colleagues of the data processor(s).
Possible consequences of failure to provide data: If the data is not provided, the User will not be able to use their client account. Providing the data is a prerequisite for using the service.
Scope of data subjects: Data subjects who use the account registration, who are contracted partners of the Data Controller.

4.8. On-board unit installation

Purpose of data processing: Data processing of documents created during the installation of the on-board unit.

Legal basis for data processing: performance of a contract / order - GDPR Article 6(1)(b).
Scope of personal data processed: Name of the customer (invoice payer), installation location, name and signature of the installer, signature of the recipient, vehicle license plate number, on-board unit data.
Duration of data processing: + 8 years following the completion of the order.
Recipients of personal data: The data controller will not transfer the data to third parties, except for the data processor(s) indicated in section 7. The recorded data can only be accessed by the employees of the Data Controller and the designated colleagues of the data processor(s).
Possible consequences of failure to provide data: The contract conclusion and product installation between the data subject and our Company is not possible. Providing the data is a prerequisite for the completion of the service.
Scope of data subjects: Partners and data subjects involved (present) in the on-board unit installation performed by ITineris Kft. (or its agent).

4.9. Invoicing (for natural person data subjects)

Purpose of data processing: issuing an invoice to the invoice payer, compliance with legal requirements.
Legal basis for data processing: as per legislation - Act C of 2000, § 166 (1).
Scope of personal data processed: Invoice payer's name, Billing address, Invoice amount, Purchased products, invoiced services.
Duration of data processing: for the period specified in the Accounting Act - Act C of 2000, § 169 (2).
Possible consequences of failure to provide data: Provision of data is mandatory.
Recipients of personal data: The data controller will not transfer the data to third parties, except for the data processor(s) indicated in section 7. The recorded data can only be accessed by the employees of the Data Controller and the designated colleagues of the data processor(s).
Scope of data subjects: Data subjects for whom the data controller issues an invoice.

4.10. Complaint and warranty handling

Purpose of data processing: Complaint investigation, fulfillment, warranty administration in case of a complaint report.
Legal basis for data processing: legal obligation, GDPR Article 6(1)(c), fulfillment of obligations prescribed in the Consumer Protection Act and the Ptk.
Scope of personal data processed: complainant's name, signature (in case of paper-based report), personal data provided during the complaint/report.
Duration of data processing: Based on the Consumer Protection Act, the Data Controller is obliged to keep the data and the related complaint letters for 5 years following the complaint handling.
Recipients of personal data: The data controller will not transfer the data to third parties, except for the data processor(s) indicated in section 7. The recorded data can only be accessed by the employees of the Data Controller and the designated colleagues of the data processor(s).
Possible consequences of failure to provide data: If the data is not provided, the data controller cannot handle the data subject's complaints; providing data is mandatory.
Scope of data subjects: Data subjects who file a complaint with the data controller.

4.11. Telephone customer service

Purpose of data processing: To enable telephone communication with the Data Controller for the User. Recording of conversations held at the customer service in case of communication, orders, error and complaint reports.
Legal basis for data processing: the data subject's voluntary consent, GDPR Article 6(1)(a). After the telephone line is connected, the data controller informs the data subject/caller about the recording of the conversation, the availability of the data processing information (www.itineris.hu) and the call's data protection identification number. If the caller does not end the call, they give their voluntary consent to the call recording.
Scope of personal data processed: complainant's name, personal data provided during the complaint/report/conversation, time of call, caller's phone number.
Duration of data processing: The Data Controller stores the data until the end of the year following the year of the call initiation or until the data subject's consent is withdrawn.
Recipients of personal data: The data controller will not transfer the data to third parties, except for the data processor(s) indicated in section 7. The recorded data can only be accessed by the employees of the Data Controller and the designated colleagues of the data processor(s).
Possible consequences of failure to provide data: If the data is not provided, the data controller cannot receive the data subject's phone calls.
Scope of data subjects: Data subjects who make a telephone inquiry to the data controller.

4.12. Newsletter registration

Purpose of data processing: sending e-mail newsletters containing commercial advertising to inquirers, providing information on current topics.
Legal basis for data processing: the data subject's prior, voluntary consent, GDPR Article 6(1)(a). By checking the checkbox on the website, you give your voluntary consent to the processing of your personal data, if the newsletter subscription is recorded via the website. In the case of paper-based consent, the data subject gives their voluntary consent by approving the "Consent Declaration".
Scope of personal data processed: name, e-mail address, signature (only for paper-based consent).
Duration of data processing: until the voluntary consent is withdrawn, or until unsubscribing from the newsletter.

Our company processes the data provided by the data subject until the consent is withdrawn. Based on the withdrawal of consent, the processed data will be deleted from our newsletter database within 7 days at the latest, and we will not send you newsletters thereafter.

Recipients of personal data: The data controller will not transfer the data to third parties, except for the data processor(s) indicated in section 7. The recorded data can only be accessed by the employees of the Data Controller and the designated colleagues of the data processor(s).

You can unsubscribe from the newsletter at any time by sending a letter to our Company at hirlevel@itineris.eu, by a recorded phone call, or by clicking the unsubscribe icon in the newsletter.

Scope of data subjects: Partners and data subjects who subscribe to the Company's electronic newsletter.

4.13. Newsletter data (for newsletters registered before 2021.06.01)

Purpose of data processing: sending e-mail newsletters containing commercial advertising to inquirers, providing information on current topics.
Legal basis for data processing: legitimate interest of the data controller, GDPR Article 6(1)(f).
Scope of personal data processed: name, e-mail address.
Duration of data processing: until the data subject's objection.
Designation of legitimate interest: Providing information containing commercial advertising and business offers to data subjects who subscribe to the newsletter. Our company's legitimate interest is the processing of the data subject's data for direct marketing.
Recipients of personal data: The data controller will not transfer the data to third parties, except for the data processor(s) indicated in section 7. The recorded data can only be accessed by the employees of the Data Controller and the designated colleagues of the data processor(s).

You can unsubscribe from the newsletter at any time by sending a letter to our Company at hirlevel@itineris.hu or by clicking the unsubscribe icon in the newsletter.

Scope of data subjects: Partners and data subjects who subscribed to the Company's electronic newsletter before 2021.06.01.

5. OTHER DATA PROCESSING

We provide information on data processing not listed in this notice at the time of data collection. We inform our clients that certain authorities, public bodies, and courts may contact our company to request personal data. Our company will only disclose personal data to these bodies to the extent and in the amount that is essential for the purpose of the request, provided that the requesting body has specified the exact purpose and scope of the data, and if the fulfillment of the request is required by law.

6. TRANSFER OF PERSONAL DATA TO A THIRD COUNTRY OR INTERNATIONAL ORGANIZATION

Our company does not transfer your personal data mentioned above to any third country or international organization.

7. INFORMATION ON THE USE OF DATA PROCESSORS

During data processing, the data controller transfers the data to data processor(s) contracted for the performance of the contract. The categories of recipients are: IT support service provider, server hosting, web hosting service provider, sales/marketing/regional representative service providers, business management system developer service provider, external newsletter management service provider. The register containing the contact details of the data processors is located at the company's headquarters.

8. CHILDREN

Our services are not intended for persons under the age of 16, and we request that persons under the age of 16 do not provide personal data to the Data Controller. If we become aware that we have collected personal data from a child under the age of 16 - with the exception of data processing based on legal requirements - we will take the necessary steps to delete the data as soon as possible.

9. AUTOMATED DECISION-MAKING

Our company does not use automated decision-making in its data processing procedures and data collection.

10. METHOD OF STORING PERSONAL DATA, SECURITY OF DATA PROCESSING

The Company's IT systems and other data storage locations are located at its headquarters and on servers provided by the data processor. Our company selects and operates the IT tools used for processing personal data during the provision of the service in such a way that the processed data is:

a) accessible to those authorized to access it (availability);
b) its authenticity and authentication are ensured (authenticity of data processing);
c) its integrity can be verified (data integrity);
d) protected against unauthorized access (data confidentiality).

We pay special attention to the security of data, and we also take the technical and organizational measures and establish the procedural rules necessary to enforce the guarantees under the GDPR. We protect the data with appropriate measures, in particular against unauthorized access, alteration, transmission, disclosure, erasure or destruction, as well as against accidental destruction, damage, and becoming inaccessible due to changes in the technology used. Our company's and our partners' IT systems and networks are both protected against computer-assisted fraud, computer viruses, computer intrusions, and denial-of-service attacks. The operator also ensures security through server-level and application-level security procedures. Daily data backup is resolved. To prevent data protection incidents, our company takes all possible measures, and in the event of such an incident, we act immediately in accordance with our incident management policy to minimize risks and remedy damages.

11. RIGHTS OF DATA SUBJECTS, LEGAL REMEDIES

The data subject may request information about the processing of their personal data, and may request the rectification of their personal data, or, with the exception of mandatory data processing, its erasure or withdrawal, and may exercise their right to data portability and object in the manner indicated at the time of data collection, or at the above contact details of the data controller.

The rights and legal remedies of the data subject are defined and communicated to the data subjects based on Act CXII of 2011 and EU Regulation 2016/679 as follows.

The right to information, or the data subject's right of access

At the request of the data subject, the Data Controller shall provide information based on Act CXII of 2011 and Article 15 of EU Regulation 2016/679 on:

the data it processes and the categories of personal data,
the purpose of the data processing,
the legal basis for the data processing,
the duration of the data processing,
where applicable, the criteria used to determine that period,
where the personal data are not collected from the data subject, any available information as to their source,
the existence of automated decision-making, including profiling, and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject, [cite: 132, 133]
the data of the data processor, if a data processor has been used, i. the circumstances and effects of the data protection incident and the measures taken to remedy it, and
in the case of the transfer of the data subject's personal data, the legal basis, purpose and recipient of the data transfer.

The information is free of charge if the person requesting the information has not yet submitted a request for information to the Data Controller for the same set of data in the current year. In other cases, a fee may be charged. The fee already paid must be refunded if the data was processed unlawfully or the request for information led to a correction.

The Data Controller informs the data subjects that the provision of information shall be denied based on Act CXII of 2011,

a. if the Data Controller receives personal data under a law, an international treaty or a binding legal act of the European Union, in such a way that the transferring data controller indicates at the time of the data transfer a restriction of the data subject's rights under the said Act, or other restrictions on its processing.
b. for the purpose of external and internal security of the state, such as national defense, national security, prevention or prosecution of criminal offenses, security of penal execution, as well as for state or municipal economic or financial interests, for significant economic or financial interests of the European Union, and for the prevention and detection of disciplinary and ethical offenses related to the exercise of professions, breaches of labor and occupational safety obligations - including in all cases inspection and supervision - and also for the protection of the rights of the data subject or others.

The Data Controller is obliged to notify the National Authority for Data Protection and Freedom of Information of the rejected requests for information annually by January 31 of the year following the year in question.

The right to rectification

The data subject shall have the right to obtain from the Data Controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement. However, if the personal data does not correspond to reality, and the correct personal data is available to the Data Controller, the Data Controller is obliged to correct the personal data, even without the data subject's request.

The right to erasure, or the "right to be forgotten"

The data subject shall have the right to obtain from the Data Controller the erasure of personal data concerning him or her without undue delay, and the Data Controller shall have the obligation to erase personal data without undue delay where this is not precluded by mandatory data processing.

In addition to the above, the Data Controller is obliged to erase the data under Act CXII of 2011 and Regulation (EU) 2016/679 of the European Parliament and of the Council if:

the processing of the data is unlawful;
the data is incomplete or incorrect - and this situation cannot be lawfully remedied, provided that erasure is not excluded by law;
the purpose of the data processing has ceased, or the statutory period for storing the data has expired,
it has been ordered by a court or the Authority.
the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
the data subject objects to the processing and there are no overriding legitimate grounds for the processing;
the personal data must be erased for compliance with a legal obligation in Union or Member State law to which the Controller is subject;
the personal data have been collected in relation to the offer of information society services referred to in Article 8(1) of Regulation (EU) 2016/679, offered directly to children.

Where the Data Controller has made the personal data public for any reason and is obliged to erase it as described above, the Data Controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform other controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

The Data Controller draws the attention of data subjects to the limitations of the "right to erasure or to be forgotten" arising from the EU regulation, which are as follows:

a) for exercising the right of freedom of expression and information;
b) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or
c) for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
d) for reasons of public interest in the area of public health;
e) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) of Regulation (EU) 2016/679, in so far as the right to erasure is likely to render impossible or seriously impair the achievement of the objectives of that processing, or
f) for the establishment, exercise or defense of legal claims.

The right to restriction of processing, or blocking

The data subject shall have the right to obtain from the Data Controller restriction of processing. If, based on the available information, it can be assumed that erasure would harm the legitimate interests of the data subject, the data must be blocked. Personal data blocked in this way may only be processed as long as the data processing purpose that excluded the erasure of the personal data exists. If the data subject disputes the accuracy of the personal data, but the inaccuracy or incorrectness of the disputed personal data cannot be clearly established, the data will be blocked. In this case, the restriction applies for a period enabling the Data Controller to verify the accuracy of the personal data. According to the EU regulation, data must be blocked if:

a) the processing is unlawful and the data subject opposes the erasure of the data and requests the restriction of their use instead;
b) the Data Controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defense of legal claims; or
c) the data subject has objected to processing; in which case the restriction applies for the period until it is verified whether the legitimate grounds of the Data Controller override those of the data subject.

Where processing has been restricted (blocked), such personal data shall, with the exception of storage, only be processed with the data subject's consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

The Data Controller hereby specifically draws the attention of data subjects to the fact that the data subject's right to rectification, erasure, or blocking may be restricted by law for reasons of external and internal security of the state, such as national defense, national security, prevention or prosecution of criminal offenses, security of penal execution, as well as for state or municipal economic or financial interests, for significant economic or financial interests of the European Union, and for the prevention and detection of disciplinary and ethical offenses related to the exercise of professions, breaches of labor and occupational safety obligations - including in all cases inspection and supervision - and also for the protection of the rights of the data subject or others.

The Data Controller shall, without undue delay, and at the latest within 30 days of receipt of the request, inform the data subject of the measures taken in response to their request, and/or rectify the data, and/or erase and/or restrict (block) the data, or take other steps in accordance with the request, if there is no reason to exclude it.

The Data Controller shall inform the data subject in writing of the rectification, erasure, or restriction of processing, as well as all those to whom the data was previously transferred for the purpose of data processing. At the request of the data subject, the Data Controller shall inform them of these recipients. Notification may be omitted if this does not harm the legitimate interest of the data subject, taking into account the purpose of the data processing, or if the notification proves to be impossible or would involve a disproportionate effort.

The Data Controller is also obliged to inform the data subject in writing if the exercise of the data subject's rights cannot be realized for any reason, and is obliged to state the precise factual and legal reason, as well as the legal remedies available to the data subject: the possibility of turning to the court and the National Authority for Data Protection and Freedom of Information.

The right to data portability

The data subject has the right to:

a) receive the personal data concerning him or her, which he or she has provided to a Data Controller, in a structured, commonly used and machine-readable format, and has the right to
b) transmit those data to another data controller without hindrance from the controller to which the personal data have been provided, where: the processing is based on consent; and the processing is carried out by automated means.

During the exercise of the right to data portability, the data subject has the right to request the direct transfer of personal data between data controllers, if this is technically feasible.

Given the data processing carried out by the Data Controller, the conditions for exercising the right to data portability are not met (there is no automated data processing), therefore the data subject cannot exercise this right.

The right to object

The data subject may object to the processing of his or her personal data - including profiling - if:

the processing (transfer) of personal data is necessary exclusively for the enforcement of the right or legitimate interest of the Data Controller or the data recipient, except in the case of mandatory data processing;
the use or transfer of personal data is for direct marketing, public opinion polling or scientific research purposes;
the exercise of the right to object is otherwise permitted by law.

The data subject may also object to the processing of personal data for direct marketing purposes under Article 21(3) of Regulation (EU) 2016/679, in which case the personal data may no longer be processed for this purpose.

Where personal data are processed for scientific or historical research purposes or statistical purposes, the data subject, on grounds relating to his or her particular situation, shall have the right to object to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

The Data Controller shall examine the objection as soon as possible, but no later than 30 days from the submission of the request, while suspending the data processing, and shall inform the applicant in writing of the result. If the applicant's objection is justified, the Data Controller shall terminate the data processing, including further data collection and data transfer, and shall block the data, and shall notify all those to whom the personal data affected by the objection was previously transferred, and who are obliged to take measures to enforce the right to object. If the data subject disagrees with the Data Controller's decision, or if the Data Controller fails to meet the deadline, the data subject is entitled to turn to a court within 30 days of the notification.

The data subject has the right to object in relation to automated decision-making.

Judicial remedy

The data subject may appeal to a court if his or her rights are violated. The court will handle the case out of turn. The Data Controller is obliged to prove that the data processing complies with the provisions of the law.

In case of violation of your right to informational self-determination, you can file a report or complaint with:

National Authority for Data Protection and Freedom of Information
www: http://www.naih.hu
e-mail: ugyfelszolgalat@naih.hu