Data protection and privacy policy

In brief

We collect and manage personal data in compliance with the legal regulations. We do not send DM letters without the recipient's explicit approval. We may send system messages without such approval. Data are stored in the safest possible manner. We do not disclose personal data to third parties without approval. We provide information to any person on the data we store about them, and they can also request the deletion of their data at any time by contacting us.

Introduction

K9-Sport Kereskedelmi és Szolgáltató Korlátolt Felelősségű Társaság (K9-Sport Limited Liability Company; address: Hungary, 2310 Szigetszentmiklós, Ipar utca 10-12., company registration number: 13-09-128686, tax number: 14762345-2-13) (hereinafter: Service Provider, data manager) shall comply with the statement below.

Section 20 (1) of Act CXII of 2011 on Informational Self-Determination and Freedom of Information ("Privacy Act") states that Prior to data processing being initiated the data subject (in this case the user of the webshop; hereinafter: user) shall be informed whether his consent is required or processing is mandatory

Before processing operations are carried out the data subject shall be clearly and elaborately informed of all aspects concerning the processing of his personal data, such as the purpose for which his data is required and the legal basis, the person entitled to control the data and to carry out the processing, the duration of the proposed processing operation.

Pursuant to Section 6 (1) of the Privacy Act, the subject must also be informed that personal data may be processed also if obtaining the data subject’s consent is impossible or it would give rise to disproportionate costs, and the processing of personal data is necessary:

  • for compliance with a legal obligation pertaining to the data controller, or
  • for the purposes of the legitimate interests pursued by the controller or by a third party, and enforcing these interests is considered proportionate to the limitation of the right for the protection of personal data.

Information shall also be provided on the data subject’s rights and remedies.

If the provision of personal information to the data subject proves impossible or would involve disproportionate costs (for example in this case of webshop users), the obligation of information may be satisfied by the public disclosure of the following:

  1. an indication of the fact that data is being collected
  2. the data subjects targeted
  3. the purpose of data collection
  4. the duration of the proposed processing operation
  5. the potential data controllers with the right of access
  6. the right of data subjects and remedies available relating to data processing; and
  7. where the processing operation has to be registered, the number assigned in the data protection register

This data protection statement shall regulate the data processing activities of the following websites: http://www.julius-k9.com and is based on the above content-related regulations. The statement is available at the following page: http://shop.julius-k9.com/en/data_protection or http://shop.julius-k9.com/pdf/data-protection-eng.pdf

Definitions (Section 3)

  1. data subject/User: any natural person identified or directly or indirectly identifiable by reference to specific personal data
  2. personal data: data relating to the data subject, in particular by reference to the name and identification number of the data subject or one or more factors specific to his physical, physiological, mental, economic, cultural or social identity as well as conclusions drawn from the data in regard to the data subject
  3. special data:
    1. personal data revealing racial origin or nationality, political opinions and any affiliation with political parties, religious or philosophical beliefs or trade-union membership, and personal data concerning sex life
    2. personal data concerning health, pathological addictions, or criminal record
  4. the data subject’s consent: any freely and expressly given specific and informed indication of the will of the data subject by which he signifies his agreement to personal data relating to him being processed fully or to the extent of specific operations
  5. the data subject’s objection: a declaration made by the data subject objecting to the processing of their personal data and requesting the termination of data processing, as well as the deletion of the data processed
  6. controller: natural or legal person, or organisation without legal personality which alone or jointly with others determines the purposes and means of the processing of data; makes and executes decisions concerning data processing (including the means used) or have it executed by a data processor
  7. data processing: any operation or the totality of operations performed on the data, irrespective of the procedure applied; in particular, collecting, recording, registering, classifying, storing, modifying, using, querying, transferring, disclosing, synchronising or connecting, blocking, deleting and destructing the data, as well as preventing their further use, taking photos, making audio or visual recordings, as well as registering physical characteristics suitable for personal identification (such as fingerprints or palm prints, DNA samples, iris scans)
  8. data transfer: ensuring access to the data for a third party
  9. disclosure: ensuring open access to the data
  10. data deletion: making data unrecognisable in a way that it can never again be restored
  11. tagging data: marking data with a special ID tag to differentiate it
  12. blocking of data: marking data with a special ID tag to indefinitely or definitely restrict its further processing
  13. data destruction: complete physical destruction of the data carrier recording the data
  14. data processing: performing technical tasks in connection with data processing operations, irrespective of the method and means used for executing the operations, as well as the place of execution, provided that the technical task is performed on the data
  15. data processor: any natural or legal person or organisation without legal personality processing the data on the grounds of a contract concluded with the data controller, including contracts concluded pursuant to legislative provisions
  16. data source: the body responsible for undertaking the public responsibility which generated the data of public interest that must be disclosed through electronic means, or during the course of operation in which this data was generated
  17. data disseminator: the body undertaking the public responsibility which uploads the data sent by the data source, provided that the data source itself has not published the data
  18. data set: all data processed in a single file
  19. hird party: any natural or legal person, or organisation without legal personality other than the data subject, the data controller or the data processor
  20. data protection incident: unlawful controlling or processing of personal data, specifically including unauthorized access, alteration, transfer, public disclosure, deletion or destruction, as well as damage and accidental loss
Legal basis of data processing (Sections 5-6)

  1. Personal data may be processed if
    • the data subject has given his consent, or
    • processing is necessary as decreed by law or by a local authority based on authorization conferred by law concerning specific data defined therein for the performance of a task carried out in the public interest
  2. Personal data may be processed also if obtaining the data subject’s consent is impossible or it would give rise to disproportionate costs, and the processing of personal data is necessary:
    1. for compliance with a legal obligation pertaining to the data controller, or
    2. for the purposes of the legitimate interests pursued by the controller or by a third party, and enforcing these interests is considered proportionate to the limitation of the right for the protection of personal data
  3. If the data subject is unable to give his consent on account of lacking legal capacity or for any other reason beyond his control, the processing of his personal data is allowed to the extent necessary and for the length of time such reasons persist, to protect the vital interests of the data subject or of another person, or in order to prevent or avert an imminent danger posing a threat to the lives, physical integrity or property of persons.
  4. The statement of consent of minors over the age of sixteen shall be considered valid without the permission or subsequent approval of their legal representative.
  5. Where processing under consent is necessary for the performance of a contract with the controller in writing, the contract shall contain all information that is to be made available to the data subject under this Act in connection with the processing of personal data, such as the description of the data involved, the duration of the proposed processing operation, the purpose of processing, the transmission of data, the recipients and the use of a data processor. The contract must clearly indicate the data subject’s signature and explicit consent for having his data processed as stipulated in the contract.
  6. Where personal data is recorded under the data subject’s consent, the controller shall - unless otherwise provided for by law - be able to process the data recorded where this is necessary:
    1. for compliance with a legal obligation pertaining to the controller, or
    2. for the purposes of legitimate interests pursued by the controller or by a third party, if enforcing these interests is considered proportionate to the limitation of the right for the protection of personal data without the data subject’s further consent, or after the data subject having withdrawn his consent.
The principle of data processing being bound to purpose (Section 4 [1]-[2])

  1. Personal data may be processed only for specified and explicit purposes, where it is necessary for the exercising of certain rights and fulfilment of obligations. The purpose of processing must be satisfied in all stages of data processing operations; recording of personal data shall be done under the principle of lawfulness and fairness.
  2. The personal data processed must be essential for the purpose for which it was recorded, and it must be suitable to achieve that purpose. Personal data may be processed to the extent and for the duration necessary to achieve its purpose.
Other principles of data processing (Section 4 [3]-[4])

In the course of data processing, the data in question shall be treated as personal as long as the data subject remains identifiable through it. The data subject shall - in particular – be considered identifiable if the data controller is in possession of the technical requirements which are necessary for identification.

The accuracy and completeness, and - if deemed necessary in the light of the aim of processing - the up-to-dateness of the data must be provided for throughout the processing operation, and shall be kept in a way to permit identification of the data subject for no longer than is necessary for the purposes for which the data were recorded.

Functional data processing

  1. Pursuant to Section 20 (1) of Act CXII of 2011 on Informational Self-Determination and Freedom of Information the following aspects shall be defined in the context of the functionality and operation of the webshop:
    1. an indication of the fact that data is being collected
    2. the data subjects targeted
    3. the purpose of data collection
    4. the duration of the proposed processing operation
    5. the potential data controllers with the right of access
    6. information of data subjects in terms of their rights related to data processing
  2. The fact that data is being collected and the data targeted: Password, first name and surname, gender, e-mail address, phone number, delivery address, delivery name, billing address, billing name, company name, tax number, amount payable, time of registration/purchase, IP address at the time of registration/purchase.
  3. The data subjects targeted: All registered users/shoppers of the webshop are data subjects.
  4. The purpose of data collection: The purpose of Service Provider's data collection and processing of Users' personal data is to allow for the full usage of website functionality, create a service contract, define and modify its content, monitor its fulfillment, bill the fees and enforce the claims arising from it as well as to send newsletters.
  5. The duration of data management, deadline for deletion of data: Immediately as of the deletion of registration. Except for accounting documents because, pursuant to Section 169 (2) of Act C of 2000 on Accounting, such data must be retained for 8 years.

  6. The accounting documents for direct or indirect support of bookkeeping records (including ledger accounts, analytical records and registers) shall be retained for minimum 8 years, shall be readable and accessible by code of reference indicated in the bookkeeping records.

  7. The potential data controllers with the right of access: Personal data may be controlled by the sales and marketing associates of the data controller with respect to the principles specified above.
  8. Information of data subjects in terms of their rights related to data processing: Data subject may initiate the deletion or modification of personal in the following manners:
    • by mail addressed 2310 Szigetszentmiklós, Ipar utca 10-12., Hungary
    • by e-mail at by e-mail at shop@julius-k9.com
  9. The data of the data processor (data storage provider) used in the course of the data controlling activity:

  10. Sigmanet Kft.
    1132 Budapest, Victor Hugo utca 18-22.
    Tel: +36 20 388 7038, +36 20 553 2217
    Fax: +36 1 700 1605
    info@sigmanet.hu

  11. Registration number for data processing: ...
  12. Legal basis of data processing: The consent of the User, Section 5 (1) of the Info Act and Section 13/A (3) of Act CVIII of 2001 on certain issues of electronic commerce services and information society services (hereinafter: El-Com Act):

  13. The service provider may – for the purpose of providing the service – process personal data indispensable for providing the service for technical reasons. Should other conditions be identical, the service provider shall select and operate the means applied in the course of providing information society service at all times, so that personal data be processed only if it is absolutely indispensable for providing the service or achieving other objectives stipulated in this Act, and only to the required extent and duration.

Our principles related to functional data processing (Section 13/A of the El-Com Act)

  1. For the purpose of billing the charges arising under the contract for the information society service, the service provider may process personal data related to the use of such service, provided that such data are indispensable for establishing and billing the charge, thus, especially, the data regarding the time, duration and place of using the service.
  2. The service provider may – for the purpose of providing the service – process personal data indispensable for providing the service for technical reasons. Should other conditions be identical, the service provider shall select and operate the means applied in the course of providing information society service at all times, so that personal data be processed only if it is absolutely indispensable for providing the service or achieving other objectives stipulated in the El-Com Act, and only to the required extent and duration.
  3. The service provider may process data related to the use of the service for other purposes, thus, in particular, for the purposes of enhancing the efficiency of the service, forwarding of electronic advertisements or other direct communications addressed to the recipient of the service, or market surveys – only with the prior specification of the objective thereof and subject to the consent of the recipient of the service.
  4. Recipient of the services shall be allowed, at all times, prior to and during the course of using the information society service to prohibit the data processing.
  5. Data processed shall be deleted if the contract is not concluded, is terminated and after the billing. Data processed shall be deleted if the objective of data processing has ceased or upon the instruction of the recipient of the service to this effect. Unless provided otherwise by the Act on Accounting or other legal regulations, deletion of the data shall take place without delay.
  6. The service provider shall ensure that the recipient of the service of the information society service may, at any time prior to and in the course of using the service, get acquainted with the types of data processed by the service provider and the objective of processing such data, including the processing of data directly not associated with the recipient of the service.
The management of cookies

  1. Pursuant to Section 20 (1) of Act CXII of 2011 on Informational Self-Determination and Freedom of Information the following aspects shall be defined in the context of the functionality and operation of cookies of the webshop:
    1. an indication of the fact that data is being collected
    2. the data subjects targeted
    3. the purpose of data collection
    4. the duration of the proposed processing operation
    5. the potential data controllers with the right of access
    6. information of data subjects in terms of their rights related to data processing
  2. The cookies typically applied by webshops are the so-called password-protected session cookies, shopping cart cookies, and security cookies, the use of which does not require the prior consent of the data subjects.
  3. The fact that data is being processed and the data targeted: individual identification number, dates, times
  4. The data subjects targeted: All website visitors are data subjects.
  5. The purpose of data processing: to identify users, keep records of the "shopping cart" and to monitor visitors.
  6. The duration of data management, deadline for deletion of data: In the case of session cookies, the duration of data management is over when the visit of the websites is finished.
  7. The potential data controllers with the right of access: Data controllers do not process personal data by using cookies.
  8. Information of data subjects in terms of their rights related to data processing: Data subjects have the option to delete the cookies in the Tools/Setting menu option in their browsers, typically under the Data Protection option
  9. The legal basis of the processing operation: The consent of data subjects is not required provided that the exclusive purpose of the use of cookies is to transfer information via the electronic communication system or if such use is essential for the service provider to provide the service related to the information society and explicitly requested by the subscriber or user.
  10. Service Provider measures website traffic by using Google Analytics service. Data are transferred in the course of service. The transferred data are not suitable for the identification of the data subject. More information on Google's data protection and privacy policy: https://www.google.com/policies/technologies/ads/
Newsletters, DM activity

  1. Pursuant to Act XLVIII of 2008 on the Basic Requirements and Certain Restrictions of Commercial Advertising Activities, Users can give prior and express consent for Service Provider to contact Users with advertising offers or other messages at the contacts specified upon registration (e.g. electronic mail address or phone number).
  2. Furthermore, with respect to the provisions of this statement, Customers may give consent for Service Provider to process their personal data necessary for sending the advertising offers.
  3. Service Provider shall not send unsolicited advertising messages and Users may unsubscribe the direct mail service without limitation or explanation and free of charge, In such cases, Service Provider shall delete all of the User's personal data - necessary for sending advertising messages- from its database and shall discontinue contacting User with further advertising messages. Users may unsubscribe the advertisements by clicking on the link in the message.
  4. Pursuant to Section 20 (1) of Act CXII of 2011 on Informational Self-Determination and Freedom of Information the following aspects shall be defined in the context of the functionality and operation of newsletters:
    1. an indication of the fact that data is being collected
    2. the data subjects targeted
    3. the purpose of data collection
    4. the duration of the proposed processing operation
    5. the potential data controllers with the right of access
    6. information of data subjects in terms of their rights related to data processing
  5. The fact that data is being processed and the data targeted: name, e-mail address, (phone number) date, time.
  6. The data subjects targeted: All newsletter subscribers are data subjects.
  7. The purpose of data processing: Sending electronic messages with advertisement content (e-mail, sms, push message) to data subjects, providing information on current issues, products, special offers, new features, etc.
  8. The duration of data management, deadline for deletion of data: Data processing lasts until the revocation of consent, i.e. until unsubscription.
  9. The potential data controllers with the right of access: Personal data may be controlled by the associates of the data controller with respect to the principles specified above.
  10. Information of data subjects in terms of their rights related to data processing: Data subjects may, at any time, unsubscribe the newsletter free of charge.
  11. The legal basis of the processing operation: The consent of the data subject, Section 5 (1) of the Info Act and Section 6 (5) of Act XLVIII of 2008 on the Basic Requirements and Certain Restrictions of Commercial Advertising Activities.

  12. Advertisers, advertising service providers and publishers of advertising shall maintain records on the personal data of persons who provided the statement of consent to the extent specified in the statement. The data contained in the aforesaid records - relating to the person to whom the advertisement is addressed - may be processed only for the purpose defined in the statement of consent, until withdrawn, and may be disclosed to third persons subject to the express prior consent of the person affected.

Social media sites

  1. Pursuant to Section 20 (1) of Act CXII of 2011 on Informational Self-Determination and Freedom of Information the following aspects shall be defined in the context of the functionality and operation of social media sites:
    1. an indication of the fact that data is being collected
    2. the data subjects targeted
    3. the purpose of data collection
    4. the duration of the proposed processing operation
    5. the potential data controllers with the right of access
    6. information of data subjects in terms of their rights related to data processing
  2. The fact that data is being collected and the data targeted: The registered user name and public photo on Facebook/Google+/Twitter/Pinterest/Youtube/Instagram etc.
  3. The data subjects targeted: All users with registration on Facebook/Google+/Twitter/Pinterest/Youtube/Instagram etc. who "liked" the website are data subjects.
  4. The purpose of data collection is: to share, "like" and promote the content elements, products, special offers on the website or the website itself in social media sites.
  5. The duration of data processing, deadline for deletion of data, the potential data controllers with the right of access, information of data subjects in terms of their rights related to data processing: Data subjects may find information on the data sources, their processing and/or the manner and legal basis of data transfer at the particular social media sites. Data processing shall be implemented by the social media sites, therefore duration, manner of data processing and data deletion and modification options are governed by the regulations of the particular social media site.
  6. The legal basis of the processing operation: the data subject's statement of consent to process their personal data on the social media sites.
Data transfer

  1. Pursuant to Section 20 (1) of Act CXII of 2011 on Informational Self-Determination and Freedom of Information the following aspects shall be defined in the context of the functionality and operation of data transfer of the webshop:
    1. an indication of the fact that data is being collected
    2. the data subjects targeted
    3. the purpose of data collection
    4. the duration of the proposed processing operation
    5. the potential data controllers with the right of access
    6. information of data subjects in terms of their rights related to data processing
  2. The fact that data is being processed and the data targeted:
    1. Data transferred in order to facilitate delivery: Delivery name, delivery address, phone number, amount payable.
    2. Data transferred in order to facilitate online payment: Billing name, billing address, amount payable.
  3. The data subjects targeted: All buyers requesting home delivery/online shopping are data subjects.
  4. The purpose of data processing: Home delivery of the ordered product/facilitation of online shopping.
  5. The duration of data management, deadline for deletion of data: It lasts until the home delivery/online payment is facilitated.
  6. The potential data controllers with the right of access: Personal data may be controlled by the above with respect to the principles specified above:

  7. DPD Hungária Kft.
    1158 Budapest, Késmárk utca 14/B
    dpd@dpd.hu
    Phone number +36 1 501 6200
    https://www.dpd.com/hu/home/siteutilities/adatvedelmi_nyilatkozat2

    GLS General Logistics Systems Hungary Csomag-Logisztikai Kft.
    2351 Alsónémedi, Európa u. 2.
    info@gls-hungary.com
    Phone number +36 1 802 0265
    https://gls-group.eu/HU/hu/adatvedelmi-szabalyzat

    FedEx Trade Networks Transport & Brokerage (Hungary) Kft.
    2220 Vecsés, Európa u. 2.
    Phone number +36 40 980 980
    http://www.fedex.com/hu/privacypolicy.html

    PayPal
    Mother company: eBay Incorporated
    Registered head office: San Jose, California, USA
    Contacts: https://www.paypal.com/hu
    Data protection and privacy policy: https://www.paypal.com/hu/cgi-bin/helpscr?cmd=p/gen/ua/policy_privacy-outside

  8. Information of data subjects in terms of their rights related to data processing: Data subjects may request the earliest possible deletion of their personal data from the company providing the home delivery/online payment service.
  9. The legal basis of data transfer: The consent of the User, Section 5 (1) of the Info Act and Section 13/A (3) of Act CVIII of 2001 on certain issues of electronic commerce services and information society services.
Customer service and other data processing activities

  1. If data subjects have questions or perhaps concerns in the course of using our data processing services, they may contact the data processor in the manners indicated on the website (by phone, e-mail, social sites, etc.).
  2. The data processor shall, within 2 years subsequent to the provision of such data, delete the received e-mails, messages, data provided via phone, Facebook, etc., as well as all other voluntarily provided personal data.
  3. We shall inform users about any data processing activities not listed in this statement upon the submission of such data.
  4. Upon special request from the authorities and/or based on a legal regulation authorizing other organizations to request such information, Service Provider shall be obliged to provide information, hand over and communicate data and/or hand over documents.
  5. In such cases, Service Provider shall only provide personal data in the quantity and to the extent that is essential for the implementation of the objective of the request, provided that the requesting organization indicated the exact objective and the scope of data requested.
Data security (Section 7)

  1. Controllers shall make arrangements for and carry out data processing operations in a way so as to ensure full respect for the right to privacy of data subjects.
  2. Controllers must implement adequate safeguards and appropriate technical and organizational measures to protect personal data, as well as adequate procedural rules to enforce the provisions of this Act and other regulations concerning confidentiality and security of data processing.
    • unauthorized access
    • alteration
    • transmission
    • public disclosure
    • deletion or destruction
    • damage and accidental loss
    • and to ensure that stored data cannot be corrupted and rendered inaccessible due to any changes in or modification of the applied technique
  3. Data must be protected by means of suitable measures against, in particular
  4. Suitable technical solutions shall be introduced by the data controller to prevent the interconnection of data stored in filing systems and the identification of the data subjects
  5. Data controllers and processors shall implement measures designed to prevent the unauthorized access to, alteration of and unauthorized public disclosure or use of data by way of:
    • the development and operation of the appropriate information technology and technical environment
    • the controlled selection and supervision of their associates involved in providing the service
    • the issuance of detailed operation, risk management and service protocols
  6. Based on the above, the service provider that the data processed by service provider shall:
    • be available for the entitled party
    • be ensured its authenticity and authentication
    • have verifiable integrity
  7. The information technology system of the data controller and its storage space provider shall protect data from, among other things:
    • computer fraud
    • spying
    • computers viruses
    • spam
    • hacks
    • and other attacks
Rights of data subjects (Sections 14-19)

  1. The data subject may request from the data controller information on his personal data being processed, the rectification of his personal data, and the erasure or blocking of his personal data, save where processing is rendered mandatory.
  2. Upon the data subject’s request the data controller shall provide information concerning the data relating to him, including those processed by a data processor on its behalf or according to his/her notice, the sources from where they were obtained, the purpose, grounds and duration of processing, the name and address of the data processor and on its activities relating to data processing, and - if the personal data of the data subject is made available to others - the legal basis and the recipients.
  3. With a view to controlling the measures related to any data protection incidents and for the information of the data subject, the data controller shall, by way of an internal data protection commissioner provided that it has one, maintain a transmission log, showing the scope of the targeted personal data, the scope and number of data subjects targeted by the data protection incident, the date and time, the circumstances, the impact of the data protection incident and the measures taken to overcome it as well as other information prescribed by the relevant legislation on data processing.
  4. With a view to verifying legitimacy of data transfer and for the information of the data subject, the data controller shall maintain a transmission log, showing the date of time of transmission, the legal basis of transmission and the recipient, description of the personal data transmitted, and other information prescribed by the relevant legislation on data processing.
  5. Data controllers must comply with requests for information without any delay, and provide the information requested in an intelligible form, in writing at the data subject’s request, within not more than thirty days The information is free of charge.
  6. Upon User's request, Service Provider shall provide information concerning the data relating to him, including those processed by a data processor on its behalf or according to his/her notice, the sources from where they were obtained, the purpose, grounds and duration of processing, the name and address of the data processor and on its activities relating to data processing, and - if the personal data of the data subject is made available to others - the legal basis and the recipients. Service Provider shall comply with requests for information without any delay, and provide the information requested in an intelligible form, in writing within not more than thirty days. The information is free of charge.
  7. Where a personal data is deemed inaccurate, and the correct personal data is at the controller’s disposal, the data controller shall rectify the personal data in question.
  8. Personal data shall be blocked instead of erased if so requested by the data subject, or if there are reasonable grounds to believe that erasure could affect the legitimate interests of the data subject. Blocked data shall only be processed as long as the particular purpose of data processing, which prevented the erasure of the personal data, exists.
  9. Personal data shall be erased if processed unlawfully; so requested by User; incomplete or inaccurate and it cannot be lawfully rectified, provided that erasure is not disallowed by statutory provision of an act; the purpose of processing no longer exists or the legal time limit for storage has expired or it was so ordered by court or by the Hungarian Authority for Data Protection and the Freedom of Information.
  10. If the accuracy of an item of personal data is contested by the data subject and its accuracy or inaccuracy cannot be ascertained beyond doubt, the data controller shall mark that personal data for the purpose of referencing
  11. When a data is rectified, blocked, marked or erased, the data subject and all recipients to whom it was transmitted for processing shall be notified. Notification is not required if it does not violate the rightful interest of the data subject in light of the purpose of processing.
  12. If the data controller refuses to comply with the data subject’s request for rectification, blocking or erasure, the factual or legal reasons on which the decision for refusing the request for rectification, blocking or erasure is based shall be communicated in writing within thirty days of receipt of the request. Where rectification, blocking or erasure is refused, the data controller shall inform the data subject of the possibilities for seeking judicial remedy or lodging a complaint with the Authority.
Legal remedy

  1. The data subject shall have the right to object to the processing of data relating to him:
    1. if processing or disclosure of personal data is carried out solely for the purpose of discharging the controller’s legal obligation or for enforcing the rights and legitimate interests of the controller, the recipient or a third party, unless processing is mandatory
    2. if personal data is used or disclosed for the purposes of direct marketing, public opinion polling or scientific research; and
    3. in all other cases prescribed by law
  2. The controller shall investigate the cause of objection within the shortest possible time inside a fifteen-day time period, adopt a decision as to merits and shall notify the data subject in writing of its decision. If, according to the findings of the controller, the data subject’s objection is justified, the controller shall terminate all processing operations (including data collection and transmission), block the data involved and notify all recipients to whom any of these data had previously been transferred concerning the objection and the ensuing measures, upon which these recipients shall also take measures regarding the enforcement of the objection.
  3. If User disagrees with the decision taken by Service Provider, User shall have the right to turn to court within thirty days of the date of delivery of the decision. The court shall hear such cases in priority proceedings.
  4. In the event of a violation of rights committed by the data controller, you can submit your complaint to the Hungarian National Authority for Data Protection and Freedom of Information:

  5. Hungarian National Authority for Data Protection and Freedom of Information
    1125 Budapest, Szilágyi Erzsébet fasor 22/C.
    Mailing address: 1530 Budapest, PF: 5.
    Phone: +36 -1-391-1400
    Fax: +36-1-391-1410
    E-mail: ugyfelszolgalat@naih.hu

Judicial remedy (Section 22)

  1. The burden of proof to show compliance with the law lies with the data controller. The burden of proof concerning the lawfulness of transfer of data lies with the data recipient.
  2. The action shall be heard by the competent tribunal. If so requested by the data subject, the action may be brought before the tribunal in whose jurisdiction the data subject’s home address or temporary residence is located.
  3. Any person otherwise lacking legal capacity to be a party to legal proceedings may also be involved in such actions. The Authority may intervene in the action on the data subject’s behalf.
  4. When the court’s decision is in favour of the plaintiff, the court shall order the controller to provide the information, to rectify, block or erase the data in question, to annul the decision adopted by means of automated data-processing systems, to respect the data subject’s objection, or to disclose the data requested by the data recipient.
  5. If the court rejects the petition filed by the data recipient, the controller shall be required to erase the data subject’s personal data within three days of delivery of the court ruling. The controller shall erase the data even if the data recipient does not file for court action within the defined time limit.
  6. The court may order publication of its decision, indicating the identification data of the controller as well, where this is deemed necessary for reasons of data protection or in connection with the rights of large numbers of data subjects.
Damages and compensation (Section 23)

  1. In the event of data controller infringing upon the data subject's personal rights by way of unlawful processing or breaching the requirements of data security, the data subject may claim compensation from the data controller.
  2. Data controllers shall be liable for any damage caused to a data subject as a result of unlawful processing or by any infringement of personal rights. The data controller shall also be liable for any damage caused by data processor acting on its behalf. The data controller may be exempted from liability for the damage and the payment of compensation if he proves that the damage or the infringement of personal rights was caused by reasons beyond his control.
  3. No damages shall be paid and no compensation may be claimed where the damage or the infringement of the personal rights was caused by intentional or serious negligent conduct on the part of the aggrieved party.
Conclusion

In drawing up the statement, we considered the following legal regulations:

  • Act CXII of 2011 on Informational Self-Determination and Freedom of Information (hereinafter: Info Act)
  • Act CVIII of 2001 on certain issues of electronic commerce services and information society services (especially Section 13/A thereof)
  • Act XLVII of 2008 on the Prohibition of Unfair Commercial Practices against Consumers
  • Act XLVIII of 2008 on the Basic Requirements and Certain Restrictions of Commercial Advertising Activities (especially Section 6)
  • Act XC of 2005 on the freedom of electronic information
  • Act C of 2003 on electronic communication (specifically Section 155)
  • Opinion 16/2011 on EASA/IAB Best Practice Recommendation on Online Behavioural Advertising

PDF version