Data Protection and Data Security Policy
Information on the data processed on the website
The details and the contact details of the data controller are as follows:
Name of the data controller: Nyíregyházi Állatpark Nonprofit Kft.
Company registration number of the data controller: 15-09-073695
Tax number of the data controller: 18800489-2-15
Registered office of the data controller: 4431 Nyíregyháza, lot no. 15010/2.
E-mail address of the data controller: info@sostozoo.hu
Representative of the data controller: Managing Director GAJDOS László
Data protection officer: HOK József
Email address of the data protection officer: j.hok@sostozoo.hu
Telephone number of the data protection officer: +36 20 480 3214
I. GENERAL PROVISIONS
Nyíregyházi Állatpark Nonprofit Kft. (4431 Nyíregyháza, lot no. 15010/2.), as the operator of the website https://www.sostozoo.hu, guarantees in every case the legality and the expediency of data management with regard to the personal data it manages. The purpose of this information is to ensure that our guests receive adequate information, even before providing their personal data, about the terms and conditions and the guarantees of the data management, as well as its duration. Our company adheres to the contents of this information in all cases that involve personal data management, and we consider the provisions described here mandatory for ourselves.
At the same time, we reserve the right to change the provisions described here in a unilateral legal declaration, in which case we will inform the affected parties in advance. Please write to us if you have any questions about the contents of this information.
The legal basis for our data management is primarily the General Data Protection Regulation, Article 6, paragraph (1):
• point a) (data management based on consent),
• point b) (data processing necessary to fulfil the contract),
• point c) (data processing necessary to fulfil a legal obligation),
• point e) (data processing is in the public interest or is necessary for the execution of a task performed in the context of the exercise of public authority granted to the data controller),
• point f) (data processing necessary to assert a legitimate interest).
Our data management practice complies with the relevant legislation, in particular the following:
• Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation – hereinafter "GDPR")
• Act CXII of 2011 on the right to information self-determination and freedom of information ("Info Act").
II. CONCEPTS
‘data processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
‘data processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
‘third party’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
"IP address": the IP address is a series of numbers with which the computers and mobile devices of the users accessing the Internet can be clearly identified. The IP addresses can even be used to locate the visitor using a given computer geographically. The address of the visited websites, or the date and the time data are not suitable for the identification of the data subject in themselves, however, when combined with other data (e.g. provided during the registration), they are suitable for drawing conclusions about the user.
III. BASIC PRINCIPLES
Nyíregyházi Állatpark Nonprofit Kft., as a data controller, is responsible for complying with the following provisions:
• to process the personal data lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
• to collect the personal data for specified, explicit and legitimate purposes and not process them further in a manner that is incompatible with those purposes (‘purpose limitation’);
• the processed personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
• to ensure that personal data shall be accurate and, where necessary, kept up to date; takes every reasonable step to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or corrected without delay (‘accuracy’);
• to keep the personal data in a form which permits the identification of the data subjects for no longer than is necessary for the purposes for which the personal data are processed (‘storage limitation’);
• to process the personal data in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
IV. THE SCOPE OF THE PROCESSED DATA, THE PURPOSE AND THE LEGAL BASIS OF THE DATA MANAGEMENT AND THE PERIOD OF THE DATA STORAGE
1. WEBSITE USE (SERVER LOGGING)
If a visitor views the website https://www.sostozoo.hu/, information (which may even include personal data, e.g. IP address) is exchanged between the visitor's equipment (e.g. desktop computer, laptop and other technical devices, together: equipment) and the company's server. The process of data recording is as follows: for every access to the website by the user, i.e. for each file download or file download attempt, the data belonging to the given process are stored in a protocol file (log file).
The scope of information managed by downloading the website (in the form of a log file) is as follows:
IP address, browser type, time and date of the visit, address of the visited website, characteristics of the operating system of the equipment used for browsing (for example: type, set language), and the address of the previously visited website.
The purpose of the data processing of personal data managed through the use of the website:
Safe operation of certain pages of the website, protection against overload attacks that cause the website to become unavailable.
The legal basis for the data management of the data processed through the use of the website:
GDPR Article 6, paragraph (1) point f), i.e. the legitimate interest of the company.
The data processing recipients / groups of recipients of the data managed by the use of the website:
Alfabrand Kft. (4400 Nyíregyháza, Dózsa Gy. u. 3. 1st floor) - storage service, IT services
The storage period of the data management realized through the use of the website:
The data is stored for a period of 30 days; after this period, the data is automatically deleted.
The Data Controller has performed an interest assessment test to support its legitimate interests; on its basis, it can be established that the rights and freedoms of the data subjects are not disproportionately restricted, and the data processing is necessary and proportionate.
2. COOKIE MANAGEMENT
The purpose of the data processing:
The safe operation of the website https://www.sostozoo.hu/, web analytics measurements for statistical purposes, personalized service.
Recipients of the data transfer:
Alfabrand Kft. (4400 Nyíregyháza, Dózsa Gy. u. 3. 1st floor) - storage service, IT service
Data subjects: the visitors of the https://www.sostozoo.hu/ website
The managed data: Cookies that support the basic functionality. These cookies ensure the proper functioning of the Website, facilitate its use, and collect information about its use without identifying the visitors. The cookies used by most companies are the so-called session cookies, which are deleted from your computer when you close your browser. In addition, there are some cookies with longer lives that help the website recognize its visitors.
The user can delete the cookies from their computer or disable the use of cookies in their browser. The cookies can usually be managed in the Tools/Settings menu of the browsers under the cookie(s) or tracking in the Data protection/History/Personal settings menu.
Profiling: is not performed
The legal basis for the data processing: GDPR Article 6, paragraph (1) point f), the legitimate interest of the company
Data transfer to a third country: is not performed
Duration of the data management:
Session cookies: until the end of the visitor’s session,
Cookies to facilitate the use: for 3 months
The Data Controller has performed an interest assessment test to support its legitimate interests; on its basis, it can be established that the rights and freedoms of the data subjects are not disproportionately restricted, and the data processing is necessary and proportionate.
3. MAKING CONTACT
The purpose of data management: Processing the inquiry in a meaningful manner, answering questions, providing information. You can contact us using any of our contact details (by e-mail, Facebook, phone, post). In such cases, we assume your consent to the management of the personal data shared with us.
Data subjects: All natural persons who contact the Company using the contact details provided by the data controller.
The managed data: name, address, e-mail address, contact details, other voluntarily provided personal data
Profiling: is not performed
Legal basis for the data management: Since you are contacting us, the legal basis for the data management is your (presumed) voluntary consent. (GDPR Article 6, paragraph (1), point a)). You can withdraw your consent at any time, however, in this case, we will not be able to respond to your inquiry. The withdrawal does not affect the legitimate data management that has preceded it.
Recipients of the data transfer:
Alfabrand Kft. 4400 Nyíregyháza, Dózsa Gy. u. 3. 1st floor (storage service, IT services)
If proceedings have been initiated before a court or other authority, and, within its framework, it becomes necessary to transfer personal data to the court or the authority, the court or the authority may also access the personal data.
Data transfer to a third country: is not performed
Duration of the data management: The messages and the personal data received in this way are deleted after the given request or question has been answered. However, if, due to the nature of the correspondence, such data is necessary for tax or accounting purposes, or perhaps to protect the rights and interests of the Company or the inquiring person, it will be archived and stored for the necessary period of time, which is examined individually in each case.
4. DATA MANAGEMENT CONNECTED TO COMPLAINT HANDLING
The purpose of data management: The consumer may communicate their complaint about the behaviour, the activities or the omissions of the company, or the person acting in the interests or for the benefit of the company, which is directly connected to the distribution or the sale of the goods to consumers, verbally or in writing to the company. The verbal complaint should be investigated immediately and remedied, as necessary. If the consumer does not agree with the handling of the complaint, or the immediate investigation of the complaint is not possible, the company is obliged to record the complaint and its position in a report immediately, and a copy of it
a) should be handed over to the consumer on the spot, in the event of a personally communicated oral complaint,
b) in the case of a verbal complaint communicated by telephone or using other electronic communication services, the substantive answer should be sent to the consumer within thirty days after the receipt of the complaint at the latest.
Data subjects: All natural persons who make a complaint about the company's activities.
The managed data: the consumer's name, address, place, time and method of making the complaint, detailed description of the consumer's complaint, list of documents, documents and other evidence presented by the consumer, the company's statement on its position regarding the consumer's complaint, if it is possible to investigate the complaint immediately, the signature of the person writing the report and – with the exception of verbal complaints communicated by telephone or other electronic communication services – the signature of the consumer, the place and date of writing the report, and in the case of oral complaints communicated by telephone or other electronic communication services, the unique identification number of the complaint.
Profiling: is not performed
The legal basis for the data processing: fulfilment of the legal obligation of the Data Controller (GDPR Article 6, paragraph (1) point c), in view of the provisions of Act CLV of 1997 on consumer protection.
Recipients of the data transfer:
Alfabrand Kft. 4400 Nyíregyháza, Dózsa Gy. u. 3. 1st floor (storage service, IT services)
Data transfer to a third country: is not performed
Duration of the data processing: The company is obliged to keep the record of the complaint and a copy of the response for five years and to present it to the inspection authorities at their request.
5. DATA MANAGEMENT RELATED TO ONLINE TICKET PURCHASE
Nyíregyházi Állatpark Nonprofit Kft., which sells tickets, provides the Buyers with the option to buy their tickets to Nyíregyháza Zoo via the website https://ticketbase.eu. Accordingly, the contract is concluded between Nyíregyházi Állatpark Nonprofit Kft. and the user who buys the ticket.
Purpose of data management: Ensuring the provision of the ticket-selling service on the website https://ticketbase.eu/, documenting the purchase and the payment, fulfilling the accounting obligations. Furthermore, the purpose of the data management is the identification of the User as a ticket buyer, as well as the provision of the ordered service, the option to issue an invoice, make a payment, and to register and distinguish the customers from each other.
Data subjects: The users who buy tickets online
The managed data: Surname, First name; E-mail address, Postal code, City, Street, House number, order number, date, information about the purchased/ordered tickets, the date of use
Duration of data management:
until the contract is carried out (see also the section about the Data managed for the purpose of the enforcement of legal claims)
Legal basis for the data management: The processing of the personal data provided for the purpose of buying tickets is performed solely for the purpose of entering into a contract with the User and carrying out this contract.
(GDPR Article 6, paragraph (1) point b).
Recipients of the data transfer:
NAGYFEŐ Gábor 4400 Nyíregyháza, Bocskai utca 7. (operation of the online ticket sales system)
Forpsi - BlazeArts Kft. 6090 Kunszentmiklós, Damjanich J. u. 36. 1/8. (hosting provider)
Novitax Kft. 1105 Budapest, Gitár utca 4. (accounting software)
SZOLEX Kft. 4400 Nyíregyháza, Dózsa Gy. u. 47. (administrative services)
szamlazz.hu, KBOSS.hu Kft. 1031 Budapest, Záhony utca 7. (online invoicing)
If proceedings have been initiated before a court or other authority, and, within its framework, it becomes necessary to transfer personal data to the court or the authority, the court or the authority may also access the personal data.
Profiling: is not performed
Data transfer to a third country: is not performed
Possible consequences of failure to provide the data: failure of the sales transaction.
6. DATA PROCESSED FOR THE PURPOSE OF THE ENFORCEMENT OF LEGAL CLAIMS
Purpose of data management: to enforce legal claims in connection with the Contract, to defend oneself against legal claims, to defend oneself in possible official and court proceedings, the provision of data
Data subjects: Natural persons who enter into a contract with the data controller
The managed data: Surname, first name, invoicing address,
The legal basis for the data management: GDPR Article 6, paragraph (1) point f), the legitimate interest of the company
Recipients of the data transfer:
Novitax Kft. 1105 Budapest, Gitár utca 4. (accounting software)
SZOLEX Kft. 4400 Nyíregyháza, Dózsa Gy. u. 47. (administrative services)
szamlazz.hu, KBOSS.hu Kft. 1031 Budapest, Záhony utca 7. (online invoicing)
If proceedings have been initiated before a court or other authority, and, within its framework, it becomes necessary to transfer personal data to the court or the authority, the court or the authority may also access the personal data.
Profiling: is not performed
Data transfer to a third country: is not performed
Duration of the data management: The data will be deleted within 5 years after the fulfilment of the order.
The Data Controller has performed an interest assessment test to support its legitimate interests; on its basis, it can be established that the rights and freedoms of the data subjects are not disproportionately restricted, and the data processing is necessary and proportionate.
7. INVOICING
The purpose of data management: Issuing an invoice for the purchase price and sending it to the Data Subject, as well as fulfilling certain tax and accounting legal obligations of the Data Controller connected to the invoicing.
Data subjects: the persons to whom the Data Controller issues an invoice in connection with the execution of the contract
Managed data: invoicing name, invoicing address, order identification number, details of the ordered tickets
Profiling: is not performed
The legal basis for the data management: the fulfilment of the legal obligation of the Data Controller (GDPR Article 6, paragraph (1) point c)
Recipients of the data transfer:
Novitax Kft. 1105 Budapest, Gitár utca 4. (accounting software)
SZOLEX Kft. 4400 Nyíregyháza, Dózsa Gy. u. 47. (administrative services)
szamlazz.hu, KBOSS.hu Kft. 1031 Budapest, Záhony utca 7. (online invoicing)
The Data Controller has performed an interest assessment test to support its legitimate interests; on its basis, it can be established that the rights and freedoms of the data subjects are not disproportionately restricted, and the data processing is necessary and proportionate.
Data transfer to a third country: is not performed
Duration of data management: pursuant to Section 169, paragraph (2) of the Accountancy Act: 8 years.
8. BANK CARD PAYMENT DURING THE ONLINE TICKET PURCHASE
The purpose of data management: The online bank card payments are made through Barion's system. Barion Payment Zrt., which provides the service, is an institution under the supervision of the Hungarian National Bank, license number: H-EN-I-1064/2013. The Data Controller only receives the transaction identification number and feedback on the success as data; it does not process any bank card data. The purpose of the data management is to facilitate the financial performance on the part of the data subject. When using the Barion Smart Gateway, the system navigates the customer from the ticket seller's site to Barion's payment site. After entering the bank card details, the customer has the option to pay the price of the ordered product.
In this case, the Data Controller only processes personal data in connection with credits made on its account managed by Unicredit Bank Zrt. The management and the identification of the bank card data and the debiting of the card and thus the connected bank account are carried out by the given bank based on its own data management and data protection policies, as well as its business and other regulations.
Data subjects: All natural persons who pay by bank card when buying tickets online
Managed data: surname and first name, bank account number, order ID, value of the ordered product, time and date of the transfer.
Recipients of the data transfer:
Account-managing bank of the data controller: Unicredit Bank Zrt. (head office: 1054 Budapest, Szabadság tér 5-6.; tax number: 10325737-4-44; company registration number: 01-10-041348; website: https://www.unicreditbank.hu/; e-mail: info@unicreditgrop.hu)
Barion Payment Zrt. (head office: H-1117, Budapest, Infopark sétány 1; company registration number: 01-10-041348; website: https://www.barion.com/; Helpdesk: +36 1 464 70 99)
Profiling: is not performed
The legal basis for the data processing: to carry out the contract. (GDPR Article 6, paragraph (1) point b).
Data transfer to a third country: is not performed
Duration of the data management: in order to fulfil the obligation to store the accounting documents (Section 169, paragraph (2) of the Accountancy Act): 8 years.
9. BANK CARD PAYMENT TO ENTER THE ZOO
Data subjects: All natural persons who wish to pay by a bank card to enter the Zoo
The purpose of the data management: The data controller enables the data subject to pay the price of the services with a bank card when entering the Zoo. The Data Controller only receives the transaction identification number and feedback on the success as data; it does not process any bank card data. Payment by bank card is based on voluntary consent.
The purpose of data management is to facilitate the financial performance on the part of the data subject. The Data Controller only processes personal data in connection with the crediting of amounts on its bank account managed by its bank. The management and the identification of the bank card data and the debiting of the card, and thus the connected bank account, are carried out by the given bank based on its own data management and data protection policies, as well as its business and other regulations.
Processed data: payer's ID, amount, date and time of the transaction
Recipients of the data transfer:
Account-managing bank of the data controller: Unicredit Bank Zrt. (head office: 1054 Budapest, Szabadság tér 5-6.; tax number: 10325737-4-44; company registration number: 01-10-041348; website: https://www.unicreditbank.hu/; e-mail: info@unicreditgrop.hu), independent data controller
Account-managing bank of the data controller: OTP Bank Nyrt. (head office: 1051 Budapest, Nádor u. 16.; tax number: 10537914-4-44; company registration number: 01-10-041585; website: http://www.otpbank.hu; e-mail: adatvedelem@otpbank.hu), independent data controller
Profiling: is not performed
The legal basis for the data processing: to carry out the contract. (GDPR Article 6, paragraph (1) point b).
Data transfer to a third country: is not performed
Duration of the data management: in order to fulfil the obligation to store the accounting documents (Section 169, paragraph (2) of the Accountancy Act): 8 years.
10. CAMERA SURVEILLANCE SYSTEM IN THE AREA OF THE NYÍREGYHÁZA ZOO
Data subjects: The guests entering the area of the Zoo
The purpose of the data management:
Cameras are being operated in the area of the Nyíregyháza Zoo for the personal and property security of the Guests. The purpose of surveillance by cameras is the protection of property, i.e. the protection of assets representing significant values, as well as the personal values of the Guests, given that the detection of crimes, the prosecution of the perpetrators, and the prevention of such illegal acts is not possible in any other way, and their proof cannot be achieved by any other method.
Processed data: The image and the actions of the guests visible on the recordings. The operated camera system does not record any sounds.
Profiling: is not performed
The legal basis for the data processing: the legitimate interest of the company (GDPR Article 6, paragraph (1) point f),
Recipients of the data transfer:
No data transfer takes place.
Data transfer to a third country: is not performed
Duration of the data management:
The electronic surveillance system operates 24 hours a day, every day of the week, and the recordings are stored for 3 days on the server located in the server room in the Company's head office. If they are not used, the recordings made will be deleted by the data controller after 3 days.
The Data Controller has performed an interest assessment test to support its legitimate interests; on its basis, it can be established that the rights and freedoms of the data subjects are not disproportionately restricted, and the data processing is necessary and proportionate.
In order for the Data Controller to disturb the private sphere of the data subjects as little as possible, only specific persons can access the recordings made with the electronic surveillance system.
11. OTHER DATA MANAGEMENT
We will provide information on data management, not listed in this information, at the time the data is collected. We inform our customers that certain authorities, bodies that perform public duties, and courts may contact our company for the purpose of requesting personal data. If the relevant body has specified the exact purpose and the scope of the data, our company will give these bodies only as much personal data and only to the extent that is absolutely necessary to fulfil the purpose of the request, when the fulfilment of the request is required by law.
The visitors of the Nyíregyháza Zoo can take photographs and make videos in the public areas of the Nyíregyháza Zoo for private purposes.
Due to the increased risk of accidents, it is strictly forbidden for the visitors to fly drones in the area of the Nyíregyháza Zoo or in its airspace, to make any recordings with a recording device installed on a drone, or to reach into the animals' enclosure using any equipment (e.g. selfie stick) to make recordings or take pictures.
The non-private, especially the commercial and business use of the pictures taken and the recordings made in the area of the Zoo is only possible with the written permission of the Zoo.
As part of the Zoo's own documentation work, as well as during media work taking place in the area of the Zoo, with the Zoo's permission, pictures may be taken and video recordings may be made in which the visitors to the Zoo may also appear. As for such pictures and recordings, the Visitor accepts the fact, by buying the entry ticket or, in the case of free entry, by accepting the free ticket, that if they are in the picture or recording together with at least two other people, then it is considered a mass picture or recording, and that if in the picture, apart from the Visitor, any zoo animal, plant, or zoo building or facility also appears in a recognisable manner, the recording is no longer considered to be a portrait, but a zoo panorama, and no claims can be made regarding its creation and use based on the right to portraits.
In the case of the visitors who do not wish to appear in the pictures or recordings, even in the case of mass photos and zoo panoramas in a recognizable manner, the Zoo will not make such recordings or take such pictures if the Visitor indicates this request separately at the main entrance, at the beginning of the visit.
VI. PROVISIONS FOR DATA SECURITY
The Company may process personal data only in accordance with the activities set out in these regulations and in harmony with the purpose of data management.
The Company ensures the security of the data, and, in this scope, it undertakes to take all the technical and organizational measures that are absolutely necessary for the enforcement of the laws on data security, the data protection and the confidentiality rules, and to establish the procedural rules necessary for the enforcement of the above-defined provisions of law.
The Company chooses and operates the IT equipment used for the management of personal data while providing the service in such a way that the managed data:
a. will be accessible to those authorized to do so (availability);
b. its authenticity and authentication are ensured (authenticity of data management);
c. its immutability can be verified (data integrity);
d. is protected against unauthorized access (data confidentiality).
The Company uses appropriate measures to protect the data against unauthorized access, alteration, transmission, disclosure, deletion or destruction, as well as against accidental destruction and damage, as well as against becoming inaccessible due to changes in the used technology.
The Company registers the data it manages in accordance with the applicable laws, ensuring that only the employees and other persons acting in the interests of the Company who need them in order to perform their duties and responsibilities are able to see the data.
The Company stores the personal data provided during each data management activity separately from other data, with the provision that - in accordance with the above provision - the separated data files can only be seen by the employees with the appropriate access rights.
While determining and applying measures serving the data security, the Company takes into account the state of the art at all times, and, in the case of several potential data management solutions, will choose a solution that ensures a higher level of protection of the personal data, unless it would represent a disproportionate difficulty.
VII. RIGHTS OF THE DATA SUBJECTS
The data subject may request information about the processing of their personal data, and may request the correction of their personal data, or - with the exception of mandatory data processing – their deletion or withdrawal, and may exercise their right to data portability and protest in the manner indicated when the data was collected, or at the above contact details of the data controller.
1. Right to information
Regarding the processing of personal data, the company takes appropriate measures in order to provide the data subjects with all the information referred to in the GDPR, Articles 13 and 14, and to provide each piece of information in a concise, transparent, comprehensible and easily accessible form, clearly and comprehensibly, and precisely worded pursuant to Articles 15-22 and Article 34.
The right to information can be exercised in writing using the contact details provided in the regulations.
2. The data subject's right of access
The data subject has the right to receive feedback from the data controller as to whether their personal data is being processed. If personal data is being processed, the data subject is entitled to access the personal data and the following, below-listed information.
• the purposes of data management;
• the categories of the affected personal data;
• the recipients or the categories of recipients to whom or to which the personal data has been or will be disclosed, including, in particular, recipients from third countries (outside the European Union) and the international organizations;
• the planned period of the storage of personal data;
• the right to correction, deletion or restriction of the data management and the right to protest;
• the right to submit a complaint to the supervisory authority;
• information about data sources; the fact of automated decision-making, including profiling, as well as understandable information about the applied logic and the significance of such data management and the expected consequences for the data subject.
In addition to the above, if personal data is transferred to a third country or to an international organization, the data subject is entitled to receive information about the appropriate guarantees regarding the transfer.
3. The data subject's right to correction and deletion
3.1. Right to correction
The data subject has the right to request that the data controller correct any inaccurate personal data relating to them without undue delay. Taking into account the purpose of the data management, the data subject is entitled to request the completion of any incomplete personal data, even by means of a supplementary statement.
3.2. The right to deletion ("the right to be forgotten")
If one of the following reasons exists, the data subject has the right to have their personal data deleted without undue delay, on request:
a. personal data are no longer needed for the purpose for which they were collected or otherwise processed;
b. the data subject withdraws their consent that forms the basis of the data management, and there is no other legal basis for the data management;
c. the data subject objects to the data management and there is no priority legal reason for the data management;
d. unlawful management of the personal data can be established;
e. the personal data must be deleted in order to fulfil the legal obligation prescribed by the EU or the law of a Member State applicable to the data controller;
f. the collection of personal data was performed in connection with the offering of the services connected to the information society.
The deletion of data cannot be initiated if the data management is necessary for the following purposes:
a. for the purpose of exercising the right to freedom of opinion and information;
b. for the purpose of fulfilling the obligation under the EU or any law of a Member State applicable to the data controller requiring the processing of personal data, or for the execution of a task performed in the public interest or to exercise public authority conferred on the data controller;
c. affecting the field of public health, or for archiving, scientific and historical research purposes or for statistical purposes, based on public interest;
d. or to submit, assert or defend legal claims.
4. The right to restrict the data management
The data subject has the right to demand that the data controller restrict the data management at their request if one of the following conditions is met:
a. the data subject disputes the accuracy of the personal data, in which case the limitation applies to the period that allows the data controller to check the accuracy of the personal data;
b. the data management is unlawful and the data subject opposes the deletion of the data and instead requests the restriction of their use;
c. the data controller no longer needs the personal data for the purpose of data management, however, the data subject requires them to present, enforce or defend legal claims; or
d. the data subject has objected to the data management in accordance with Article 21, paragraph (1) of the Regulation; in this case, the restriction applies to the period until it is determined whether the legitimate reasons of the data controller take precedence over the legitimate reasons of the data subject.
If data management is subject to restrictions, such personal data may only be processed with the consent of the data subject, with the exception of storage, or to submit, enforce or defend legal claims, or to protect the rights of another natural or legal person, or in the important public interest of the European Union or a Member State.
The data controller informs the data subject, at whose request the data management was restricted, of the lifting of the data management restriction in advance.
5. The notification obligation connected to the correction or the deletion of personal data, or the limitation of data management
The data controller shall inform all the recipients of the correction, the deletion or the limitation of data management to whom or to which the personal data was communicated, unless this proves to be impossible or requires a disproportionately large effort. At the request of the data subject, the data controller informs them about these recipients.
6. The right to data portability
The data subject has the right to receive the personal data concerning them and provided to the data controller, in a segmented, widely used, computer-readable format, and to forward this data to another data controller. The data controller can fulfil such a request of the data subject in Word or Excel format.
7. Right to oppose
If personal data is processed for direct marketing, the data subject has the right to oppose, at any time, the processing of personal data concerning them for this purpose, including profiling, if it is related to direct marketing. In the event of opposition to the processing of personal data for the purpose of direct marketing, the data must not be processed for this purpose.
8. Right to exemption from automated decision-making
The data subject has the right not to be covered by the scope of a decision based solely on automated data management, including profiling, which would have a legal effect on them or affect them to a similar extent. The above authorization must not be applied if the data management:
a. is necessary for the conclusion or fulfilment of the contract between the data subject and the data controller;
b. the decision-making is made possible by an EU or Member State law applicable to the data controller, which protects the rights and the freedoms and legitimate interests of the data subject and also establishes appropriate measures for its protection; or
c. is based on the express consent of the data subject.
9. Right of withdrawal
The data subject has the right to withdraw their consent at any time. The withdrawal of consent does not affect the legitimate data management performed prior to the withdrawal.
10. Compensation and damages
Any person who has suffered material or non-material damage as a result of a violation of the data protection regulation is entitled to compensation from the data controller or the data processor for the damage suffered. The data processor is only liable for damages caused by the data management if it has not complied with the obligations specified in the law, which are specifically imposed on the data processors, or if it has ignored the legal instructions of the data controller or acted contrary to them. If several data controllers or several data processors, or both the data controller and the data processor are involved in the same data management and are liable for the damages caused by the data management, each data manager or data processor is jointly and severally liable for the entire damage.
The data controller or the data processor is exempted from the liability if it proves that it is not responsible in any way for the event that has caused the damage.
11. The data subject's right to complaint and legal remedy
11.1. The right to lodge a complaint with the supervisory authority
You can lodge a complaint with the Hungarian National Authority for Data Protection and Freedom of Information.
Address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c
Phone: +36 (1) 391-1400
Fax: +36 (1) 391-1410
Website: http://www.naih.hu
E-mail: ugyfelszolgalat@naih.hu
11.2. Right to go to court
In the event of a violation of their rights, the data subject may apply to the court against the data controller. The court will handle the case as a matter of priority.