DATA PROCESSING POLICY
(GENERAL DATA PROTECTION REGULATION)
Organization name:
FLORICULTOR Ltd.
Headquarters:
2310 Szigetszentmiklós, Leshegy utca 1/c
Tax number: 26307297-2-13
Name of person(s) entitled to represent the company: Szilágyi Csaba
Review and maintenance of this policy: annually, depending on legislative changes.
Entry into force: 01.07.2018
Applicable from: 01.07.2018
TABLE OF CONTENTS
I. PURPOSE OF THE CODE
II. SCOPE OF THE RULES
1. Personal scope
2. Temporal scope
III. DEFINITIONS
IV. BASIC PRINCIPLES
V. LEGAL BASIS FOR PROCESSING
1. Consent of the data subject
2. Performance of the contract
3. To comply with a legal obligation to which the controller is subject or to protect the vital interests of the data subject or of another natural person
4. To carry out a task carried out in the public interest or in the exercise of official authority vested in the controller, or to pursue the legitimate interests of the controller or of a third party
VI. WHO IS ENTITLED TO ACCESS THE DATA
VII. RIGHTS OF THE DATA SUBJECT
1. Right to information
2. Right of access of the data subject
3. The data subject's right to rectification and erasure
3.1. Right to rectification
3.2 Right to erasure ("right to be forgotten")
4. Right to restriction of processing
5. Obligation to notify the rectification or erasure of personal data or restriction of processing
6. The right to data portability
7. The right to object
8. Right to exemption from automated decision-making
9. Right of the data subject to lodge a complaint and seek redress
9.1 Right to lodge a complaint with a supervisory authority.
9.2 Right to an effective judicial remedy against the supervisory authority
9.3 Right to an effective judicial remedy against the controller or processor
10. Restrictions
11. Information about the data breach
VIII. THE PROCEDURE TO BE FOLLOWED IN THE EVENT OF A REQUEST BY THE DATA SUBJECT
IX. PROCEDURE IN THE EVENT OF A PERSONAL DATA BREACH
X. THE DATA PROCESSING ACTIVITIES OF THE UNDERTAKING IN RELATION TO THE EMPLOYMENT RELATIONSHIP
1. Pre-employment processing
1.1. Processing of data in the context of the recruitment process
1.2. Processing of data during the assessment of suitability for the job
2. Data processing during the employment relationship
2.1. Data processing in the framework of the employment register
2.2 Monitoring the employee's conduct in the employment relationship
2.2.1. Processing of data related to the electronic surveillance system
2.2.2. Processing of data related to the use of an e-mail account provided by the Company to the employee
2.2.3. Control of the use of laptops, tablets and telephones provided to the employee
2.2.4. Monitoring employee internet use at work
2.2.5. Processing of employees on an ad hoc basis
2.2.6. Data processing in connection with the use of a navigation device (GPS)
XI. OTHER ACTIVITIES AND DATA SUBJECTS CONCERNED BY THE PROCESSING
1. Processing based on a legal obligation
1.1 Data processing related to the fulfilment of anti-money laundering obligations
1.2. Processing of data to fulfil accounting obligations
1.3. Data processing related to the fulfilment of tax and contribution obligations
1.4. Data processing obligations in relation to the establishment of an insurance relationship
1.5. Complaint handling data processing
1.6. Data processing during roadworthiness tests and authenticity checks of road vehicles
2. Processing of data in the course of requests for information, requests for proposals
3. Data processing in relation to the website operated by the Company
3.1. Information about visitors to the Company's website
3.2. Registration, newsletter subscription
3.3. Data processing in relation to direct marketing activities
3.4. Data management in connection with the webshop operated by the Company
3.5. Rules for presence on social networking sites
4. Data processing activities related to the performance of the contract
5. Data processing in connection with the prize draw
6. Data processing in connection with electronic access control
XII. RULES ON DATA PROCESSING
1. General rules on data processing
2. Data processing activities performed by the Company
XIII. PROVISIONS ON DATA SECURITY
Principles for the implementation of data security
Protection of the Company's IT records
Protection of the Company's paper records
XIV. OTHER PROVISIONS
ANNEXES
(the annexes will be made available with the assistance of the data processor)
THE REGISTER OF DATA PROCESSORS
DECLARATION OF CONSENT TO THE PROCESSING OF PERSONAL DATA
CONSENT TO DATA PROCESSING FOR DIRECT MARKETING PURPOSES
INFORMATION NOTICE FOR CONTRACTUAL DATA PROCESSING (IN THE CASE OF AN INDIVIDUAL CONTRACTING PARTNER)
INFORMATION ON THE USE OF AN ELECTRONIC MONITORING SYSTEM
DATA PROCESSING CONTRACT
WEBSITE PRIVACY POLICY
WORKPLACE PRIVACY POLICY
CONFIDENTIALITY STATEMENT FOR EMPLOYEES OF A DATA PROCESSOR
RECORDS OF EMPLOYMENT-RELATED DATA PROCESSING
RECORDS OF DATA PROCESSING FOR DIRECT MARKETING PURPOSES
RECORDS OF DATA MANAGEMENT RELATED TO REGISTRATION, NEWSLETTER SUBSCRIPTION
RECORDS OF CUSTOMER DATA MANAGEMENT
DATA PROCESSING REGISTER
DATA PROTECTION CLAUSE (EMPLOYMENT CONTRACT)
DATA PROTECTION INCIDENT REGISTER
DATA PROTECTION INCIDENT NOTIFICATION
A RECORD OF THE MEASURES TAKEN IN RELATION TO THE RIGHT OF ACCESS OF THE DATA SUBJECT
I. PURPOSE OF THE CODE
The purpose of this Policy is to set out the internal rules governing the data protection and data management policy of our Company, to ensure respect for the privacy of natural persons, and to comply with Act CXII of 2011 on the right to information self-determination and freedom of information and with Regulation (EU) 2016/679 of the European Parliament and of the Council of 20 December 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Regulation (EC) 95/46/EC. The Company shall ensure that the data subjects' right to the protection of their personal data is respected in all its activities and services, whenever it manages or processes their personal data.
By adopting this Policy, the Company declares its compliance with the principles of personal data processing set out in Article 5 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter "the Regulation").
II. SCOPE OF THE RULES
1. Personal scope
This Policy applies to the Company and to the natural persons to whom its processing activities relate. The processing activities set out in this Policy are directed at the personal data of natural persons. This Policy does not cover the processing of data relating to legal persons, in particular undertakings established as legal persons, including the name and form of the legal person and the contact details of the legal person. Legal persons include associations, partnerships, cooperatives and foundations.
2. Temporal scope
These Rules shall remain in force from the date of their adoption until further notice or until the date of their withdrawal.
III. DEFINITIONS
1. data subject: a natural person identified or identifiable on the basis of any information;
1a. identifiable natural person: a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the natural person;
2. personal data: any information relating to the data subject;
3. special categories of personal data: any data that fall within special categories of personal data, namely personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data for the purpose of uniquely identifying natural persons, health data and personal data concerning the sex life or sexual orientation of natural persons;
3a. genetic data: any personal data relating to the inherited or acquired genetic characteristics of a natural person which contains specific information about the physiology or state of health of that person and which results primarily from the analysis of a biological sample taken from that natural person;
3b. biometric data: personal data relating to the physical, physiological or behavioural characteristics of a natural person obtained by means of specific technical procedures which allow or confirm the unique identification of the natural person, such as facial image or dactyloscopic data;
3c. health data: personal data relating to the physical or mental health of a natural person, including data relating to health services provided to a natural person which contain information about the health of the natural person;
4. consent: a freely given, explicit and properly informed indication of the data subject's wishes by which he or she signifies, by means of a statement or other conduct unambiguously expressing his or her wishes, his or her agreement to the processing of personal data relating to him or her;
5. controller: the natural or legal person or unincorporated body which, alone or jointly with others, determines the purposes for which the data are to be processed, takes and implements the decisions concerning the processing (including the means used) or implements them with the processor, within the limits set by law or by a legally binding act of the European Union;
5a. joint controller: a controller who, within the limits set by law or by a legally binding act of the European Union, determines the purposes and means of processing jointly with one or more other controllers, takes and implements or has implemented decisions on processing (including the means used) jointly with one or more other controllers and with the processor;
6. data processing: any operation or set of operations which is performed upon data, regardless of the procedure used, in particular any collection, recording, organisation, storage, alteration, use, retrieval, disclosure, transmission, alignment or combination, blocking, erasure or destruction of data, prevention of further use, taking of photographs, sound recordings or images, and the recording of physical features which can be used to identify a person (e.g. fingerprints, palm prints, DNA samples, iris scans);
7. transfer: making data available to a specified third party;
7a. indirect transfer: the transfer of personal data to a controller or processor in a third country or in an international organisation, carried out by way of transferring the data to a controller or processor in another third country or international organisation;
8. disclosure: making the data available to anyone;
9. erasure: rendering data unrecognisable in such a way that it is no longer possible to recover it;
10. restriction of processing: blocking of stored data by marking it for the purpose of restricting its further processing;
11. data destruction: the complete physical destruction of the data medium containing the data;
12. processing: the totality of processing operations carried out by a processor acting on behalf of or under the instructions of the controller;
13. data processor: a natural or legal person or unincorporated body which processes personal data on behalf of or under the instructions of the controller, within the limits and under the conditions laid down by law or by a legally binding act of the European Union;
14. dataset: the set of data managed in a single register;
15. third party: a natural or legal person or unincorporated body other than the data subject, the controller, the processor or the persons who, under the direct authority of the controller or processor, are carrying out operations relating to the processing of personal data;
16. data breach: a breach of data security that results in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure or transmission of, or access to, personal data transmitted, stored or otherwise processed;
17. profiling: any processing of personal data by automated means intended to evaluate, analyse or predict personal aspects relating to the data subject, in particular his or her performance at work, economic situation, state of health, personal preferences or interests, reliability, behaviour, location or movements;
18. recipient: the natural or legal person or unincorporated body to whom or to which personal data are disclosed by the controller or processor;
19. pseudonymisation: the processing of personal data in a way that makes it impossible to identify the data subject without further information, stored separately from the personal data, and ensures, by technical and organisational measures, that the personal data cannot be linked to an identified or identifiable natural person;
20. enterprise: any natural or legal person, regardless of its legal form, engaged in an economic activity, including partnerships and associations engaged in a regular economic activity.
21. Regulation: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016;
22. data management system: the means used for data management.
IV. BASIC PRINCIPLES
Personal data may only be processed for specified purposes, for the exercise of rights and the performance of obligations.
At all stages of processing, the purpose of the processing must be fulfilled and the collection and processing of data must be fair and lawful. Only personal data that is necessary for the purpose of the processing and is adequate for the purpose shall be processed.
Personal data may only be processed to the extent and for the duration necessary for the purpose.
The Company records that the personal data it processes is stored at its headquarters in the form of electronic files and paper documents, while respecting the legal requirements on data security. This provision shall apply to all processing and data processing activities carried out by the Company.
V. LEGAL BASIS FOR PROCESSING
1. Consent of the data subject
(1) The lawfulness of the processing of personal data must be based on the consent of the data subject or on some other lawful basis laid down by law.
(2) In the case of processing based on the data subject's consent, the data subject may give his or her consent to the processing of his or her personal data in the following form:
a) in writing, in the form of a declaration of consent to personal data processing,
b) electronically, by express conduct on the Company's website, by ticking a box or by making technical settings when using information society services, or by any other statement or action which, in the relevant context, clearly indicates the data subject's consent to the intended processing of his or her personal data.
(3) Silence, a pre-ticked box or inaction shall therefore not constitute consent.
(4) Consent shall cover all processing activities carried out for the same purpose or purposes.
(5) Where the processing is intended for more than one purpose, consent must be given for all the purposes for which the processing is intended. Where the data subject gives his or her consent following an electronic request, the request shall be clear and concise and shall not unnecessarily impede the use of the service for which consent is sought.
(6) The data subject shall have the right to withdraw his or her consent at any time. Withdrawal of consent shall not affect the lawfulness of processing based on consent prior to its withdrawal. The data subject shall be informed of this before consent is given. The withdrawal of consent shall be made possible in the same simple manner as the giving of consent. In the case of processing based on the consent of the data subject, the duration of the processing should be limited to the time until the purpose of the processing is fulfilled, until the consent is withdrawn, or until a judicial or administrative decision ordering the erasure of the data is enforced.
2. Performance of the contract
Processing is lawful where it is necessary for the performance of a contract to which the data subject is a party or for the purposes of taking steps at the request of the data subject prior to entering into the contract.
The consent of the data subject to the processing of personal data not necessary for the performance of the contract shall not be a condition for the conclusion of the contract.
3. To comply with a legal obligation to which the controller is subject or to protect the vital interests of the data subject or of another natural person
The legal basis for processing is determined by law in the case of the performance of a legal obligation, so the data subject's consent is not required for the processing of their personal data.
The controller shall inform the data subject of the purposes, legal basis, duration, identity of the controller, the data subject's rights and remedies.
The controller is entitled to process the data necessary for compliance with a legal obligation to which the data subject is subject, after the withdrawal of the data subject's consent.
4. To carry out a task carried out in the public interest or in the exercise of official authority vested in the controller, or to pursue the legitimate interests of the controller or of a third party
The legitimate interests of the controller, including a controller with whom the personal data may be shared, or of a third party may constitute a legal ground for processing, provided that the interests, fundamental rights and freedoms of the data subject do not override those legitimate interests, taking into account the data subject's reasonable expectations on the basis of his or her relationship with the controller. Such a legitimate interest may, for example, exist where there is a relevant and appropriate relationship between the data subject and the controller, such as where the data subject is a client of the controller or is employed by the controller.
In order to establish the existence of a legitimate interest, it is necessary to carefully assess, inter alia, whether the data subject could reasonably expect, at the time and in the context of the collection of personal data, that processing for the purposes in question would take place.
The interests and fundamental rights of the data subject may prevail over the interests of the controller if the personal data are processed in circumstances in which the data subjects do not expect further processing.
VI. WHO IS ENTITLED TO ACCESS THE DATA
The personal data may be accessed by employees of the Company with access rights related to the relevant data management purpose, and by persons and organisations performing data processing activities for the Company on the basis of service contracts, to the extent necessary for the performance of their activities.
The list of data processors is set out in Annex 1 to these rules.
VII. RIGHTS OF THE DATA SUBJECT
1. Right to information
(1) The data subject shall have the right to be informed of the information relating to the processing of his or her data before the processing of the data is started.
(2) Information to be made available where personal data are collected from the data subject: the identity and contact details of the controller and, where applicable, of the controller's representative; the contact details of the Data Protection Officer, where applicable;
the purposes for which the personal data are intended to be processed and the legal basis for the processing;
in the case of processing based on Article 6(1)(f) of the Regulation, the legitimate interests of the controller or a third party;
where applicable, the recipients of the personal data and the categories of recipients, if any;
where applicable, the fact that the controller intends to transfer the personal data to a third country or an international organisation and the existence or absence of an adequacy decision by the Commission or, in the case of a transfer referred to in Article 46, Article 47 or the second subparagraph of Article 49(1) of the Regulation, an indication of the appropriate and adequate safeguards and a reference to the means of obtaining a copy or the availability of a copy.
(3) In addition to the information referred to in paragraph 1, the controller shall, at the time of obtaining the personal data, in order to ensure fair and transparent processing, provide the data subject with the following additional information:
the duration of the storage of personal data or, where this is not possible, the criteria for determining that duration;
the right of the data subject to request the controller to access, rectify, erase or restrict the processing of personal data concerning him or her and to object to the processing of such personal data, and the right to data portability;
in the case of processing based on Article 6(1)(a) or Article 9(2)(a) of the Regulation, the right to withdraw consent at any time, without prejudice to the lawfulness of the processing carried out on the basis of consent prior to its withdrawal;
the right to lodge a complaint with a supervisory authority;
whether the provision of the personal data is based on a legal or contractual obligation or is a precondition for the conclusion of a contract, whether the data subject is under an obligation to provide the personal data and the possible consequences of not providing the data;
the fact of automated decision-making, including profiling, as referred to in Article 22(1) and (4) of the Regulation, and, at least in those cases, clear information on the logic used and the significance of such processing and its likely consequences for the data subject.
(4) Where the personal data have not been obtained from the data subject, the controller shall provide the data subject with the following information:
the identity and contact details of the controller and, if any, the controller's representative; the contact details of the Data Protection Officer, if any;
the purposes for which the personal data are intended to be processed and the legal basis for the processing; the categories of personal data concerned;
the recipients of the personal data or categories of recipients, if any;
where applicable, the fact that the controller intends to transfer the personal data to a recipient in a third country or to an international organisation and the existence or absence of an adequacy decision by the Commission or, in the case of a transfer referred to in Article 46, Article 47 or the second subparagraph of Article 49(1) of the Regulation, an indication of the appropriate and suitable safeguards and a reference to the means of obtaining a copy or their availability.
(5) In addition to the information referred to in paragraph 1, the controller shall provide the data subject with the following additional information necessary to ensure fair and transparent processing for the data subject:
the duration of the storage of personal data or, where this is not possible, the criteria for determining that duration;
where the processing is based on Article 6(1)(f) of the Regulation, the legitimate interests of the controller or a third party;
the data subject's right to request the controller to access, rectify, erase or restrict the processing of personal data concerning him or her and to object to the processing of personal data, and the data subject's right to data portability;
in the case of processing based on Article 6(1)(a) or Article 9(2)(a) of the Regulation, the right to withdraw consent at any time, without prejudice to the lawfulness of the processing carried out on the basis of consent prior to its withdrawal;
the right to lodge a complaint with a supervisory authority;
the source of the personal data and, where applicable, whether the data originate from publicly available sources; and
the fact of automated decision-making, including profiling, as referred to in Article 22(1) and (4) of the Regulation and, at least in those cases, the logic used and clear information on the significance of such processing and its likely consequences for the data subject.
(6) Where the controller intends to further process personal data for a purpose other than that for which they were obtained, the controller shall inform the data subject of that other purpose and of any relevant additional information referred to in paragraph 2 before further processing.
(7) Paragraphs (1) to (3) do not apply if and to the extent that:
the data subject already has the information;
the provision of the information in question proves impossible or would involve a disproportionate effort, in particular in the case of processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, taking into account the conditions and guarantees referred to in Article 89(1), or where the obligation referred to in paragraph 1 of this Article would be likely to render impossible or seriously impair the achievement of the purposes of such processing. In such cases, the controller shall take appropriate measures, including making the information publicly available, to protect the rights, freedoms and legitimate interests of the data subject;
the acquisition or disclosure of the data is expressly required by Union or Member State law applicable to the controller, which provides for appropriate measures to protect the data subject's legitimate interests; or
the personal data must remain confidential under an obligation of professional secrecy imposed by EU or Member State law, including a legal obligation of secrecy.
2. Right of access of the data subject
(1) The data subject shall have the right to obtain from the controller feedback as to whether or not his or her personal data are being processed and, if such processing is taking place, the right to access the personal data and the following information:
the purposes of the processing;
the categories of personal data concerned;
the recipients or categories of recipients to whom or with whom the personal data have been or will be disclosed, including in particular recipients in third countries or international organisations;
where applicable, the envisaged period of storage of the personal data or, if this is not possible, the criteria for determining that period;
the right of the data subject to obtain from the controller the rectification, erasure or restriction of the processing of personal data concerning him or her and to object to the processing of such personal data;
the right to lodge a complaint with a supervisory authority;
where the data have not been collected from the data subject, any available information concerning their source;
the fact of automated decision-making referred to in Article 22(1) and (4) of the Regulation, including profiling, and, at least in these cases, the logic used and clear information on the significance of such processing and its likely consequences for the data subject.
(2) Where personal data are transferred to a third country or an international organisation, the data subject shall have the right to be informed of the appropriate safeguards for the transfer in accordance with Article 46.
(3) The data controller shall provide the data subject with a copy of the personal data processed. For additional copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject has made the request by electronic means, the information shall be provided in a commonly used electronic format, unless the data subject requests otherwise.
3. The data subject's right to rectification and erasure
3.1. Right to rectification
(1) The data subject shall have the right to obtain, upon his or her request and without undue delay, the rectification of inaccurate personal data relating to him or her. Taking into account the purposes of the processing, the data subject shall have the right to obtain the rectification of incomplete personal data, including by means of a supplementary declaration.
(2) In order to exercise the right of rectification, the controller shall, where personal data processed by the controller or by a processor acting on its behalf or at its instructions are inaccurate, incorrect or incomplete, without undue delay, in particular at the request of the data subject, rectify or correct them or, where compatible with the purposes of the processing, supplement them with additional personal data provided by the data subject or with a declaration by the data subject on the personal data processed.
(3) A controller shall be exempted from the obligation set out in paragraph (2) if:
a) the accurate, correct or complete personal data are not available to it and are not provided by the data subject; or
b) the authenticity of the personal data provided by the data subject cannot be established beyond reasonable doubt.
3.2 Right to erasure ("right to be forgotten")
(1) The data subject shall have the right to obtain from the controller the erasure of personal data relating to him or her without undue delay at his or her request and the controller shall be obliged to erase personal data relating to him or her without undue delay where one of the following grounds applies:
the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
the data subject withdraws his or her consent pursuant to Article 6(1)(a) of the Regulation (consent to the processing of personal data) or Article 9(2)(a) of the Regulation (explicit consent) and there is no other legal basis for the processing;
the data subject objects to the processing on the basis of Article 21(1) of the Regulation (right to object) and there is no overriding legitimate ground for the processing, or the data subject objects to the processing on the basis of Article 21(2) of the Regulation (objection to processing for commercial purposes);
the personal data have been unlawfully processed;
the personal data must be erased in order to comply with a legal obligation under Union or Member State law to which the controller is subject;
personal data have been collected in connection with the provision of information society services referred to in Article 8(1).
(2) Where a controller has disclosed personal data and is required to erase it at the request of the data subject, it shall take reasonable steps, including technical measures, taking into account the available technology and the cost of implementation, to inform the controllers that process the data that the data subject has requested the deletion of the links to or copies or replicas of the personal data in question.
(3) Paragraphs 1 and 2 shall not apply where the processing is necessary:
for the exercise of the right to freedom of expression and information;
for the purposes of complying with an obligation under Union or Member State law to which the controller is subject and which requires the processing of personal data, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
on grounds of public interest in the field of public health pursuant to Article 9(2)(h) and (i) of the Regulation and Article 9(3) of the Regulation;
for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) of the Regulation, where the right referred to in paragraph 1 would be likely to render such processing impossible or seriously impair it; or
to bring, enforce or defend legal claims.
4. Right to restriction of processing
(1) The data subject shall have the right to obtain, at his or her request, restriction of processing by the controller if one of the following conditions is met:
the data subject contests the accuracy of the personal data, in which case the restriction applies for the period of time necessary to allow the controller to verify the accuracy of the personal data;
the data processing is unlawful and the data subject opposes the erasure of the data and requests instead the restriction of their use;
the controller no longer needs the personal data for the purposes of processing, but the data subject requires them for the establishment, exercise or defence of legal claims; or
the data subject has objected to the processing pursuant to Article 21(1) of the Regulation; in this case, the restriction shall apply for the period until it is established whether the legitimate grounds of the controller override those of the data subject.
(2) Where processing is restricted pursuant to paragraph 1, such personal data may be processed, except for storage, only with the consent of the data subject or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or of an important public interest of the Union or of a Member State.
(3) The controller shall inform the data subject at whose request the processing has been restricted pursuant to paragraph (1) in advance of the lifting of the restriction.
5. Obligation to notify the rectification or erasure of personal data or restriction of processing
(1) The controller shall inform each recipient to whom or with which the personal data have been disclosed of the rectification, erasure or restriction of processing, unless this proves impossible or involves a disproportionate effort.
(2) At the request of the data subject, the controller shall inform the data subject of these recipients.
6. The right to data portability
(1) The data subject shall have the right to receive personal data relating to him or her which he or she has provided to a controller in a structured, commonly used, machine-readable format and the right to transmit those data to another controller without hindrance from the controller to whom the personal data have been provided, if:
the processing is based on consent pursuant to Article 6(1)(a) of the Regulation (consent to the processing of personal data) or Article 9(2)(a) of the Regulation (explicit consent to processing) or on a contract pursuant to Article 6(1)(b); and
the processing is carried out by automated means.
(2) In exercising the right to data portability pursuant to paragraph (1), the data subject shall have the right to request, where technically feasible, the direct transfer of personal data between controllers.
(3) The exercise of the right referred to in paragraph (1) of this Article shall be without prejudice to Article 17 of the Regulation. That right shall not apply where the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
(4) The right referred to in paragraph 1 shall not adversely affect the rights and freedoms of others.
7. The right to object
(1) The data subject shall have the right to object at any time, on grounds relating to his or her particular situation, to processing of his or her personal data carried out in the exercise of official authority vested in the controller or in the public interest, or to processing necessary for the purposes of the legitimate interests pursued by the controller or by a third party (processing based on Article 6(1)(e) or (f) of the Regulation), including profiling based on those provisions. In such a case, the controller may no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or the processing is necessary for the establishment, exercise or defence of legal claims.
(2) Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to the processing of personal data concerning him or her for such purposes, including profiling, where it is related to direct marketing.
(3) Where the data subject objects to the processing of personal data for direct marketing purposes, the personal data shall no longer be processed for those purposes.
(4) The right referred to in paragraphs (1) and (2) shall be explicitly brought to the attention of the data subject at the latest at the time of the first contact with the data subject and the information shall be clearly displayed separately from any other information.
(5) In the context of the use of information society services and by way of derogation from Directive 2002/58/EC, the data subject may exercise the right to object by automated means based on technical specifications.
(6) Where personal data are processed for scientific or historical research purposes or statistical purposes in accordance with Article 89(1) of the Regulation, the data subject shall have the right to object, on grounds relating to his or her particular situation, to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
8. Right to exemption from automated decision-making
(1) The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
(2) Paragraph (1) shall not apply where the decision:
is necessary for the conclusion or performance of a contract between the data subject and the controller;
is permitted by Union or Member State law applicable to the controller which also lays down appropriate measures to protect the rights and freedoms and legitimate interests of the data subject; or
is based on the explicit consent of the data subject.
(3) In the cases referred to in points (a) and (c) of paragraph 2, the controller shall take appropriate measures to safeguard the rights, freedoms and legitimate interests of the data subject, including at least the right to obtain human intervention by the controller, to express his or her point of view and to object to the decision.
(4) The decisions referred to in paragraph (2) shall not be based on the special categories of personal data referred to in Article 9(1) of the Regulation, unless Article 9(2)(a) or (g) of the Regulation applies and appropriate measures have been taken to safeguard the rights, freedoms and legitimate interests of the data subject.
9. Right of the data subject to lodge a complaint and seek redress
9.1 Right to lodge a complaint with a supervisory authority.
(1) The data subject shall have the right to lodge a complaint with the supervisory authority pursuant to Article 77 of the Regulation if the data subject considers that the processing of personal data relating to him or her infringes this Regulation.
(2) The data subject may exercise his or her right to lodge a complaint by contacting:
Hungarian National Authority for Data Protection and Freedom of Information (Nemzeti Adatvédelmi és Információszabadság Hatóság), address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c.; phone: +36 (1) 391-1400; fax: +36 (1) 391-1410; web: http://www.naih.hu; e-mail: ugyfelszolgalat@naih.hu
(3) The supervisory authority with which the complaint has been lodged shall inform the complainant of the procedural developments concerning the complaint and of its outcome, including the complainant's right to seek a judicial remedy pursuant to Article 78 of the Regulation.
9.2 Right to an effective judicial remedy against the supervisory authority
(1) Without prejudice to any other administrative or non-judicial remedy, any natural or legal person shall have the right to an effective judicial remedy against a legally binding decision of the supervisory authority concerning that person.
(2) Without prejudice to other administrative or non-judicial remedies, any person concerned shall have the right to an effective judicial remedy if the competent supervisory authority does not deal with the complaint or does not inform the person concerned within three months of the procedural developments concerning the complaint lodged pursuant to Article 77 of the Regulation or of the outcome of the complaint.
(3) Proceedings against a supervisory authority shall be brought before the courts of the Member State in which the supervisory authority is established.
(4) If proceedings are brought against a decision of a supervisory authority on which the Board has previously issued an opinion or taken a decision under the consistency mechanism, the supervisory authority shall send that opinion or decision to the court.
9.3 Right to an effective judicial remedy against the controller or processor
(1) Without prejudice to the administrative or non-judicial remedies available, including the right to lodge a complaint with a supervisory authority under Article 77, any data subject shall have an effective judicial remedy if he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data not in accordance with this Regulation.
(2) Proceedings against a controller or processor shall be brought before the courts of the Member State in which the controller or processor is established. Such proceedings may also be brought before the courts of the Member State in which the data subject has his or her habitual residence, unless the controller or processor is a public authority of a Member State acting in its exercise of official authority.
10. Restrictions
(1) Union or Member State law applicable to a controller or processor may, by way of a legislative measure, restrict the scope of the rights and obligations set out in Articles 12 to 22 and Article 34 of the Regulation, as well as Article 5 in so far as its provisions correspond to the rights and obligations set out in Articles 12 to 22, provided that the restriction respects the essence of fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard:
national security;
defence; public security;
the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the protection against and prevention of threats to public security;
other important objectives of general interest of the Union or of a Member State, in particular important economic or financial interests of the Union or of a Member State, including monetary, budgetary and taxation matters, public health and social security;
the independence of the judiciary and the protection of judicial procedures;
the prevention, investigation, detection and prosecution of breaches of ethics in regulated professions;
a monitoring, inspection or regulatory function connected, even occasionally, with the exercise of official authority in the cases referred to in points (a) to (e) and (g);
the protection of the data subject or of the rights and freedoms of others;
the enforcement of civil law claims.
(2) The legislative measures referred to in paragraph 1 shall contain, where relevant, specific provisions at least as to:
the purposes or categories of processing, categories of personal data,
the scope of the restrictions imposed,
safeguards to prevent misuse or unauthorised access or disclosure,
the specification of the controller or of the categories of controllers,
the duration of storage and the applicable safeguards, taking into account the nature, scope and purposes of the processing or categories of processing,
the risks to the rights and freedoms of data subjects, and
the data subjects' right to be informed of the restriction, unless this might undermine the purpose of the restriction.
11. Information about the data breach
(1) Where a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall inform the data subject of the personal data breach without undue delay.
(2) The information referred to in paragraph 1 provided to the data subject shall describe, in clear and plain language, the nature of the personal data breach and shall include at least the name and contact details of the data protection officer or other contact person who will provide further information, the likely consequences of the personal data breach, and the measures taken or envisaged by the controller to remedy the personal data breach, including, where appropriate, measures to mitigate its possible adverse consequences.
(3) The data subject need not be informed as referred to in paragraph 1 if any of the following conditions are met:
the data controller has implemented appropriate technical and organisational protection measures and these measures have been applied to the data affected by the personal data breach, in particular measures, such as the use of encryption, which render the data unintelligible to persons not authorised to access the personal data;
the controller has taken additional measures following the personal data breach to ensure that the high risk to the rights and freedoms of the data subject referred to in paragraph 1 is no longer likely to materialise;
informing the data subjects individually would require a disproportionate effort. In such cases, the data subjects shall be informed by means of publicly disclosed information or by a similar measure which ensures that they are informed in an equally effective manner.
(4) Where the controller has not yet notified the data subject of the personal data breach, the supervisory authority may, after having considered whether the personal data breach is likely to present a high risk, order the data subject to be informed or determine that one of the conditions referred to in paragraph 3 is met.
VIII. THE PROCEDURE TO BE FOLLOWED IN THE EVENT OF A REQUEST BY THE DATA SUBJECT
(1) The Company shall facilitate the exercise of the data subject's rights and shall not refuse to comply with a request to exercise the data subject's rights set out in this Policy, unless it proves that it is not possible to identify the data subject.
(2) The Company shall inform the person concerned of the measures taken in response to the request without undue delay and in any event within a maximum of 25 days of receipt of the request.
(3) If the data subject has submitted the request by electronic means, the information shall be provided by electronic means, where possible, unless the data subject requests otherwise.
(4) If the Company fails to take action on the request of the data subject, it shall inform the data subject without delay, but at the latest within 25 days of receipt of the request, of the reasons for the failure to take action and of the possibility for the data subject to lodge a complaint with the supervisory authority and to exercise his or her right of judicial remedy.
(5) The Company shall provide the data subject free of charge with the information pursuant to Articles 13 and 14 of the Regulation, as detailed in Chapter VI, point 1 of these Rules, and with the information and measures pursuant to Articles 15 to 22 and 34 of the Regulation (feedback on the processing of personal data, access to processed data, rectification, completion, erasure, restriction of processing, portability, objection to processing, notification of a personal data breach).
(6) Where the request of the data subject is manifestly unfounded or excessive, in particular because of its repetitive nature, the controller shall, taking into account the administrative costs of providing the information requested or of taking the requested action, either charge a fee of HUF 5,000 or refuse to act on the request.
(7) The burden of proving that the request is manifestly unfounded or excessive shall lie with the controller.
(8) Without prejudice to Article 11 of the Regulation, where the controller has reasonable doubts as to the identity of the natural person making a request pursuant to Articles 15 to 21 of the Regulation, it may request the provision of further information necessary to confirm the identity of the data subject.
(9) If the data subject's request for rectification, erasure or restriction of the processing of personal data processed by the controller or by a processor acting on his or her behalf or at his or her instructions is rejected by the controller, the controller shall inform the data subject in writing without delay.
(a) the fact of the refusal, the legal and factual grounds for the refusal, and
(b) the rights of the data subject under this Act and the means of exercising them, in particular the right to rectification, erasure or restriction of the processing of personal data processed by the controller or by a processor acting on his or her behalf or under his or her instructions, with the assistance of the Authority.
(10) Where the controller rectifies, erases or restricts the processing of personal data processed by it or by a processor acting on its behalf or at its instructions, the controller shall notify the fact and the content of that measure to the controllers and processors to which the data were transmitted before that measure was taken, in order to enable them to implement the rectification, erasure or restriction of processing in respect of their own processing.
(11) In order to enforce the right to erasure, the controller shall promptly erase the personal data of the data subject where:
(a) the processing is unlawful, in particular where
- the processing is contrary to the principles set out in these Rules,
- the purpose of the processing has ceased or the further processing of the data is no longer necessary for the purpose of the processing,
- the period laid down by law, an international treaty or a legally binding act of the European Union has expired, or
- the legal basis for processing the data has ceased and there is no other legal basis for processing the data;
(b) the data subject withdraws his or her consent to the processing or requests the erasure of his or her personal data, unless the processing is based on a legal authorisation or on the protection of the vital interests of the data subject or of others;
(c) the erasure of the data has been ordered by law, an EU act, the Authority or a court; or
(d) the period of the data subject's legitimate interest not to have his or her data erased has expired or the period of retention required to comply with the documentation obligation in case of international data flows has expired.
IX. PROCEDURE IN THE EVENT OF A PERSONAL DATA BREACH
(1) A personal data breach is a breach of security within the meaning of the Regulation that results in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
(2) The following shall in particular be considered a personal data breach: the loss or theft of a device (laptop, mobile phone) containing personal data; the loss of the decryption key used by the controller to decrypt encrypted files, or the loss of access to such data; infection by ransomware which renders the data processed by the controller inaccessible until a ransom is paid; an attack on the IT system; the erroneous disclosure of an e-mail or address list containing personal data; etc.
(3) In case of detection of a data breach, the Company's representative shall promptly conduct an investigation to identify the data breach and its possible consequences. The necessary measures shall be taken to remedy the damage.
(4) The data protection incident shall be notified to the competent supervisory authority without undue delay and, if possible, no later than 72 hours after the data protection incident has come to its attention, unless the data protection incident is unlikely to pose a risk to the rights and freedoms of natural persons. If the notification is not made within 72 hours, it must be accompanied by the reasons justifying the delay.
(5) The processor shall notify the controller of the personal data breach without undue delay after becoming aware of it.
(6) The notification referred to in paragraph 3 shall include at least:
the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
the name and contact details of the Data Protection Officer or other contact person who can provide further information;
the likely consequences of the personal data breach;
the measures taken or envisaged by the controller to remedy the personal data breach, including, where appropriate, measures to mitigate its possible adverse consequences.
(7) If and to the extent that it is not possible to communicate the information at the same time, it may be communicated in instalments at a later date without further undue delay.
(8) The controller shall keep a record of the personal data breaches, indicating the facts relating to the personal data breach, its effects and the measures taken to remedy it. This record shall enable the supervisory authority to verify compliance with the requirements of Article 33 of the Regulation.
X. THE DATA PROCESSING ACTIVITIES OF THE UNDERTAKING IN RELATION TO THE EMPLOYMENT RELATIONSHIP
The Company does not currently have any employees; this section will be completed when the Code is reviewed, if an employment relationship is established.
XI. OTHER ACTIVITIES AND DATA SUBJECTS CONCERNED BY THE PROCESSING
1. Processing based on a legal obligation
1.1 Data processing related to the fulfilment of anti-money laundering obligations
(1) Pursuant to Article 6 (1) of Act LIII of 2017 on the Prevention and Combating of Money Laundering and Terrorist Financing, the Company shall be obliged to identify and verify the identity of the natural person acting in the name of or on behalf of the customer upon the establishment of a business relationship; in the event of the emergence of data, facts or circumstances indicating money laundering or terrorist financing, if customer due diligence has not yet been carried out; and if there is doubt as to the authenticity or adequacy of the customer identification data previously recorded.
(2) For the purpose of identification, the Company shall record the following data of the natural person acting in the name of or on behalf of the customer: surname and forename; surname and forename at birth; nationality; place and date of birth; mother's maiden name; address or, failing that, place of residence; type and number of identity document.
(3) Data subjects: natural persons acting in the name of or on behalf of the customer.
(4) The manager or employee of the Company designated for customer due diligence is entitled to access the personal data. The Company shall be entitled to process personal data recorded during the customer due diligence for a period of 8 years from the termination of the contract (business relationship).
1.2. Processing of data to fulfil accounting obligations
(1) The legal basis for the processing of the data of the Company's natural person customers, buyers, suppliers is the fulfilment of legal obligations (Act CXXVII of 2007, § 159 (1)), the purpose of the use of the data is to determine the mandatory data content of invoices, issue invoices, and perform related accounting tasks.
(2) Data subjects: the Company's natural person clients, customers, suppliers.
(3) Data processed: the names, addresses and tax numbers of the Company's natural person clients, customers and suppliers.
(4) The managers and employees who issue invoices as part of their job duties and the managers and employees who perform accounting activities shall be entitled to access personal data. The Company shall be entitled to process personal data recorded in the course of the performance of the legal obligation referred to above for a period of 8 years from the termination of the contract (business relationship).
1.3. Data processing related to the fulfilment of tax and contribution obligations
(1) Pursuant to Article 50 (1) of Act CL of 2017 on the Rules of Taxation, the Company shall submit monthly, by the twelfth day of the month following the month concerned, an electronic return of all taxes, contributions and/or data specified in paragraph (2) related to payments and benefits made to natural persons resulting in tax and/or social security obligations.
(2) Data subjects: the Company's manager, employees and their family members.
(3) Data processed: the data of the Company's manager, its employees and their family members specified in Article 50 (2) of the Act, in particular the natural person's identification data (including previous name and title), gender, nationality, tax identification number and social security number.
(4) Recipients: employees of the Company performing accounting and payroll activities as their job duties, data processors.
(5) The Company shall be entitled to process personal data recorded in the course of the performance of the legal obligation referred to above for a period of 8 years from the termination of the legal relationship. Employment records containing data on the insurance and contributions of employees may not be discarded.
1.4. Data processing obligations in relation to the establishment of an insurance relationship
(1) Pursuant to point 3 of Annex 1 to Act CL of 2017, the employer shall, upon the establishment of an insurance relationship, notify the State Tax and Customs Authority of the data of the person concerned as detailed below.
(2) Data subjects: natural persons who have an insurance relationship (employment relationship, agency relationship) with the Company.
(3) The following data are processed: the surname and forename, tax identification number and date of birth of the insured person; the start date, code and termination date of the insurance relationship; the duration of any interruption of the insurance; weekly working hours; FEOR number; social security number; education, vocational training and vocational qualification of the insured person, as well as the name of the institution issuing the certificate and the number of the certificate. If the insured person does not have a tax identification number, the surname and forename at birth, the place of birth, the mother's surname and forename at birth and the nationality of the insured person must also be provided.
(4) Recipients: employees of the Company performing accounting and payroll activities as their job duties, data processors.
(5) Purpose of processing: to comply with a legal obligation.
(6) Duration of data processing: 5 years after the termination of the legal relationship, except for employment records containing data on the insurance and contributions of employees, which may not be discarded.
1.5. Complaint handling data processing
(1) In order to facilitate the enforcement of consumer rights, the Company shall inform the data subject of its registered office, the place and method of complaint handling and the mailing address of its customer service pursuant to Article 17/A (1) of Act CLV of 1997.
(2) Data subjects: any natural person who asserts a consumer right against the Company.
(3) Data processed: name, address, place, time, manner of complaint, description of the complaint, complaint identifier.
(4) Recipients: the employees of the Company performing customer service tasks on the basis of their job function, the head of the Company.
(5) Purpose of processing: to comply with a legal obligation.
(6) The Company shall keep the record of the complaint and a copy of the reply for five years and shall submit them to the supervisory authorities upon request.
2. Processing of data in the course of requests for information, requests for proposals
(1) In connection with the services provided or products sold by the Company, the Company shall provide third parties with the opportunity to request information or to request a quotation.
(2) The legal basis for data processing is the consent of the data subject in the case of a request for information or a request for a proposal.
(3) In the case of a request for information or a request for a quotation, the group of data subjects is: any natural person who requests information or a quotation in connection with the Company's services or products and provides personal data.
(4) Data processed: name, address, telephone number, e-mail address.
(5) Purpose of processing in the case of a request for information: identification, contact.
(6) The purpose of data processing in the case of a request for a proposal: to make a proposal, to maintain contact.
(7) The recipients of the data (who may have access to the data) in case of a request for information or a request for a proposal are the head of the Company, the employee performing customer relationship tasks.
(8) Duration of data processing in the case of a request for information or a request for an offer: the Company shall delete the personal data 30 days after the information has been provided or the offer has been made.
3. Data processing in relation to the website operated by the Company
3.1. Information about visitors to the Company's website
(1) During the visits to the Company's website, one or more cookies - small packets of information sent by the server to the browser and returned by the browser to the server for each request directed to the server - are sent to the computer of the person visiting the website, through which his/her browser(s) will be uniquely identified, provided that the person visiting the website has given his/her explicit (active) consent to this by continuing to browse the website after being clearly and unambiguously informed.
(2) Cookies are used solely to improve the user experience and to automate the login process. The cookies used on the website do not store personally identifiable information and the Company does not process personal data in this context.
3.2. Registration, newsletter subscription
(1) The legal basis for data processing is the data subject's consent in the case of registration or newsletter subscription, which the data subject gives on the Company's website by ticking the box next to the words "registration" or "newsletter subscription" after being informed about the processing of his/her data.
(2) The data subject in case of registration, newsletter subscription: any natural person who subscribes to the Company's newsletter or registers on the website and gives consent to the processing of his/her personal data.
(3) Data processed in the case of newsletter subscriptions: name, e-mail address.
(4) The data processed in case of registration: name, address, e-mail address, telephone number, password.
(5) The purpose of data processing in the case of newsletter subscription: to inform the data subject about the Company's services, products, changes in them, news and events.
(6) The purpose of data processing in the case of registration: contacting for the purpose of preparing a contract, providing the data subject with services available free of charge on the website, access to non-public content of the website.
(7) The recipients of the data (who may know the data) in case of newsletter subscription, registration: the Company's manager, customer contact staff, data processor's staff responsible for the operation of the Company's website.
(8) Duration of data processing in case of newsletter subscription, registration: until the consent is withdrawn. In the case of newsletter subscription: until unsubscription, in the case of registration: until cancellation at the request of the data subject.
(9) The data subject may unsubscribe from the newsletter at any time or request the deletion of his/her registration (personal data). The unsubscription can be done by clicking on the unsubscribe link in the footer of the e-mails sent to the data subject or by postal letter sent to the registered office of the Company.
3.3. Data processing in relation to direct marketing activities
(1) The legal basis for the Company's processing of data for direct marketing purposes is the data subject's clear and explicit consent. The data subject gives his or her unambiguous, explicit prior consent by ticking the box next to the text "Consent to direct marketing request" on the Company's website, after being informed about the processing of his or her data.
(2) The data subject may also give his or her consent on paper by filling in the form in Annex 2 to these Rules.
(3) The data subject is any natural person who gives his or her unambiguous and explicit consent to the processing of his or her personal data by the Company for direct marketing purposes.
(4) The purposes of data processing are: to contact the data subject in connection with the provision of services and the sale of products, and to send the data subject advertisements, offers and notifications of promotions, by electronic means or by post.
(5) Recipients of personal data: the head of the Company, employees performing customer service and marketing tasks based on their job function.
(6) Personal data processed: name, address, telephone number, e-mail address.
(7) Duration of processing: until the data subject withdraws consent to the processing of personal data for direct marketing purposes (objection).
3.4. Data processing in connection with the webshop operated by the Company
(1) The provisions of sections 3.1, 3.2 and 3.3 apply to the data processing activities related to registration in the webshop, newsletter subscription and the information provided to visitors.
(2) Online, electronic contracting (purchases) on the Company's website are subject to Act CVIII of 2001 (Eker tv.), therefore the purpose of data processing is, in addition to the above, to prove the fulfilment of the service provider's obligation to provide information to consumers as required by law, to prove the conclusion of the contract, to establish the contract, to determine its content, to modify it, to monitor its performance, to invoice the resulting fee(s) and to enforce the claims related thereto.
(3) In the case of purchases in the online store, the legal basis for data processing is the performance of the contract and the fulfilment of a legal obligation.
(4) The categories of data concerned by the processing: customers' name, address, telephone number, access password, bank account number.
(5) Categories of persons concerned by the processing: any natural person who registers in the Company's webshop, subscribes to newsletters, purchases.
(6) The categories of data addressees are: the head of the Company, employees performing customer relations and sales-related tasks, employees of the data processor performing the operation of the Company's website, employees performing accounting tasks for the Company, employees of the data processor performing these tasks.
(7) The place of processing of data shall be the registered office of the Company in accordance with the provisions of point IV.
(8) Duration of processing: 5 years from the termination of the contract.
3.5. Rules for presence on social networking sites
(1) The Company is present on the following social networking sites: Facebook, Twitter.
(2) Categories of data subjects: natural persons who follow the Company's social networking site.
(3) The legal basis for data processing is the voluntary consent of the data subject when following the Company's social networking site.
(4) The categories of data concerned by the processing: the Company processes only the names of its followers. It does not process the other data posted on the social networking site by visitors, followers and persons sharing its content; such data are subject to the data processing policy of the social networking site. The purpose of the social presence is to share and promote content related to the Company's products and services and to communicate with followers on that subject.
(5) The categories of recipients of the data: the employee who manages the Company's social networking site on the basis of his/her job title, the Company's manager.
(6) Duration of processing: until the withdrawal of the data subject's consent.
4. Data processing activities related to the performance of the contract
(1) The Company shall process the personal data of natural persons contracting with it - customers, buyers, suppliers - in connection with the contractual relationship. The data subject shall be informed of the processing of personal data.
(2) Data subjects: all natural persons who enter into a contractual relationship with the Company, the contact persons of legal persons who have a contractual relationship with the Company.
(3) The legal basis for data processing is the performance of a contract, the purpose of data processing is to maintain contact, enforce claims arising from the contract, and ensure compliance with contractual obligations.
(4) Recipients of personal data: the head of the Company, employees of the Company performing customer service and accounting tasks on the basis of their job function, data processors.
(5) The personal data processed include: name, address, telephone number, e-mail address, bank account number, entrepreneur's identity card number, farmer's identity card number; and, for contact persons of contracting legal persons: name, e-mail address, telephone number.
(6) Duration of processing: 5 years from the termination of the contract.
5. Data processing in connection with the prize draw
(1) In the event of the organisation of an ad hoc prize draw, the Company is entitled to process the personal data of the participants, subject to their consent, for the purposes of contacting the winner and delivering the prize.
(2) The legal basis for processing is the consent of the data subject.
(3) Data subjects: all natural persons who participate in a prize draw organised by the Company and who consent to the processing of their personal data for the purposes set out above.
(4) Personal data processed: name, date of birth, address, e-mail, telephone number.
(5) Recipients of personal data: employees of the Company performing customer service tasks, and couriers acting as data processors for the delivery of the prize.
(6) Duration of data processing: 30 days after the result of the competition is established.
XII. RULES ON DATA PROCESSING
1. General rules on data processing
(1) The Company shall use an external data processor entrusted with the processing of personal data processed by the Company for the following tasks:
- operation and maintenance of an internet website,
- meeting tax and accounting obligations,
- delivery of ordered products to customers.
The list of the data processor(s) is set out in Annex 1 to this Policy.
(2) The rights and obligations of the processor in relation to the processing of personal data shall be determined by the controller within the limits of the law and the specific laws applicable to the processing.
(3) The Company declares that in the course of its activities the data processor is not entitled to make any substantive decision on the processing of personal data, may process personal data that come to its knowledge only in accordance with the instructions of the controller, may not process personal data for its own purposes, and shall store and retain personal data in accordance with the instructions of the controller.
(4) The Company shall be responsible for the lawfulness of the instructions given to the processor in relation to the processing operations.
(5) The Company shall be obliged to inform the data subjects about the identity of the data processor and the place of processing.
(6) The Company shall not authorise the data processor to use any other data processor.
(7) The contract for the processing of data must be in writing. Processing shall not be entrusted to an entity that has an interest in the business activity that makes use of the personal data to be processed.
2. Data processing activities performed by the Company as a data processor
(1) The Company shall undertake or provide appropriate guarantees to ensure that the processing activities it carries out as a data processor comply with the requirements of the Regulation and that appropriate technical and organisational measures are implemented to ensure the protection of the rights of data subjects.
(2) The Company, as a processor, shall inform the controller without undue delay if it considers that any of its instructions is in breach of the Regulation or of national or Union data protection provisions.
(3) The Company shall process the data on the instructions of the Data Controller in accordance with the data protection rules and principles and shall take into account the contractual obligations of the Data Controller known to the Data Processor.
(4) The Company shall not modify, delete, copy or link the data to other databases, use the data provided by the data controller for any purpose other than the present Contract or for its own purposes, or disclose the data to third parties, except to the extent expressly required by the controller and necessary for the purposes of the processing.
(5) The Company shall not be entitled to represent the controller or to make any legal declaration on behalf of the controller, unless expressly authorised to do so by an agreement with the controller or other instrument.
(6) The Company acknowledges that the controller has the exclusive right to determine the purposes and means of the processing of the data made available to the processor.
(7) The Company, as a data processor, shall ensure the security of the data, shall take all technical and organisational measures necessary to enforce the data protection rules, and shall take appropriate measures against unauthorised access to the data, unauthorised alteration, transmission, disclosure, deletion, destruction of the data. It must also take appropriate measures against accidental destruction or damage and against inaccessibility resulting from technical changes.
(8) The Company undertakes to comply fully with the provisions of this Policy on data security in its data processing activities, and the provisions of this Policy shall also apply to its data processing activities.
(9) The Company, as a data processor, shall provide access to the data only to those employees who need it in order to carry out the processing activity and shall inform those employees who have access of the obligation to comply with security requirements and confidentiality.
(10) The Company, as a data processor, undertakes to cooperate with the data controller in order to enable the data controller to comply with its legal obligations. Such cooperation shall cover in particular the following areas:
(11) The Company as a data processor undertakes to modify, supplement, correct, block or delete the data processed by it in accordance with the instructions of the data controller.
(12) The Company shall promptly notify the data controller of any event or risk affecting the security of the data, take measures in relation thereto and cooperate fully with the data controller.
(13) The Company undertakes to cooperate fully with the data controller and its agents in the course of any audit or inspection of its systems, records, data, information and procedures relating to data processing, including by ensuring that the person entitled to carry out the audit has full access to the records relating to data processing, the data files stored therein and the procedures used in the course of data processing.
(14) Data processing activities carried out by the Company: 6920 Accounting, auditing and tax consultancy activities.
(15) The Company as a data processor may use an additional data processor only if the data controller has given prior authorisation to use an additional data processor in a public or private document with full probative value, on a case-by-case or general basis.
(16) Where the processor uses an additional processor on the basis of a general authorisation by the controller, the processor shall inform the controller of the identity of the additional processor and of the tasks it is envisaged to carry out before using it. If, on the basis of that information, the controller objects to the use of the additional processor, the processor shall be entitled to use the additional processor only if the conditions specified in the objection are met.
XIII. PROVISIONS ON DATA SECURITY
1. Principles for implementing data security
(1) The Company may process personal data only in accordance with the activities set out in this Policy and for the purposes for which they are processed.
(2) The Company shall ensure the security of the data, and in this context undertakes to take all technical and organisational measures that are indispensable to enforce the legal provisions on data security, data protection and confidentiality rules, and to establish the procedural rules necessary for the enforcement of the above-mentioned legal provisions.
(3) The technical and organisational measures to be implemented by the Company shall be aimed at:
- pseudonymisation and encryption of personal data;
- ensuring the continued confidentiality, integrity, availability and resilience of the systems and services used to process personal data;
- in the event of a physical or technical incident, the ability to restore access to and availability of personal data in a timely manner;
- the use of a procedure to regularly test, assess and evaluate the effectiveness of the technical and organisational measures taken to ensure the security of processing.
(4) In determining the appropriate level of security, explicit account should be taken of the risks arising from the processing, in particular from accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure of or access to personal data transmitted, stored or otherwise processed.
(5) The Company shall take appropriate measures to protect the data against unauthorised access, alteration, disclosure, transmission, publication, deletion or destruction, accidental destruction or damage, and against inaccessibility due to changes in the technology used. The Company shall ensure that:
- unauthorised persons are denied access to the means used for data processing (the data processing system),
- the unauthorised reading, copying, modification or removal of data media is prevented,
- the unauthorised input of personal data into the processing system and the unauthorised access to, modification or deletion of personal data stored in the processing system are prevented,
- unauthorised access to, copying, modification or deletion of personal data during transmission or during transport of the data carrier is prevented.
(6) The Company shall keep records of the data processed by it in accordance with the applicable laws, ensuring that the data may only be accessed by employees and other persons acting in the interest of the Company who need to know it in order to perform their job or task.
(7) The Company shall store personal data provided in the course of each processing activity separately from other data, with the understanding that, in accordance with the above provision, the separate data files may only be accessed by employees with appropriate access rights.
(8) The Company's managers and employees shall not disclose personal data to third parties, and shall take the necessary measures to prevent unauthorised access.
(9) The Company shall grant access to personal data to those employees of the Company who have agreed to the obligation to comply with data security rules by signing a confidentiality statement in relation to the personal data processed. (The confidentiality statement is part of the data protection employment contract clause in Annex 14 to these Regulations.)
The Company warrants that:
- persons authorised to use the system have access only to the personal data specified in their access authorisation,
- it is possible to verify and establish after the fact which personal data were entered into the system, by whom and at what time,
- it is possible to verify and establish to which recipient the personal data have been or may be transmitted or made available by means of a data transmission facility.
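As an added example (not code from this policy or from FLORICULTOR Ltd.'s systems), the following Python sketch shows one way to satisfy the three warranties above in a single store: per-role, field-level access authorisations; a hash-chained audit trail recording who entered which field and when; and a logged, named recipient for every transmission. The roles, field names and sample records are constructed for illustration.

```python
"""Added example: a small personal-data store that enforces field-level access
authorisations and keeps a tamper-evident audit trail of inputs, reads and
transmissions.  Roles, fields and sample data below are constructed for
illustration, not taken from any real system."""
import hashlib
import json
from datetime import datetime, timezone

# Constructed access authorisations: the personal-data fields each role may see.
# A courier only needs delivery data, not e-mail or bank account numbers.
AUTHORISATIONS = {
    "manager":      {"name", "address", "email", "phone", "bank_account"},
    "customer_svc": {"name", "address", "email", "phone"},
    "courier":      {"name", "address", "phone"},
}

GENESIS = "0" * 64  # previous-hash value of the first audit entry


class AuditedStore:
    """In-memory personal-data store with role-based field access and a
    hash-chained audit log (each entry commits to the previous entry's hash,
    so deleting or editing an earlier entry breaks verification)."""

    def __init__(self):
        self._records = {}
        self._log = []
        self._prev_hash = GENESIS

    def _append(self, actor, action, **details):
        entry = {
            "seq": len(self._log),
            "at": datetime.now(timezone.utc).isoformat(),
            "actor": actor,
            "action": action,
            "prev": self._prev_hash,
            **details,
        }
        entry["hash"] = self._digest(entry)
        self._prev_hash = entry["hash"]
        self._log.append(entry)
        return entry

    @staticmethod
    def _digest(entry):
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def put(self, actor, role, record_id, **fields):
        """Enter or modify fields. Refused (and the refusal logged) unless the
        role's authorisation covers every field being written."""
        denied = set(fields) - AUTHORISATIONS.get(role, set())
        if denied:
            self._append(actor, "put_denied", record=record_id, fields=sorted(denied))
            raise PermissionError(f"role {role!r} may not write {sorted(denied)}")
        self._records.setdefault(record_id, {}).update(fields)
        self._append(actor, "put", record=record_id, fields=sorted(fields))

    def get(self, actor, role, record_id):
        """Return only the fields the actor's authorisation permits; every read is logged."""
        allowed = AUTHORISATIONS.get(role, set())
        view = {k: v for k, v in self._records.get(record_id, {}).items() if k in allowed}
        self._append(actor, "read", record=record_id, fields=sorted(view))
        return view

    def transmit(self, actor, role, record_id, recipient, fields):
        """Hand selected fields to a named recipient; the recipient is recorded
        so it can be established later to whom data were transmitted."""
        view = self.get(actor, role, record_id)
        missing = set(fields) - set(view)
        if missing:
            raise PermissionError(f"role {role!r} may not transmit {sorted(missing)}")
        self._append(actor, "transmit", record=record_id,
                     recipient=recipient, fields=sorted(fields))
        return {k: view[k] for k in fields}

    def who_entered(self, record_id, field):
        """Answer 'which data were entered by whom and when' for one field."""
        return [(e["actor"], e["at"]) for e in self._log
                if e["action"] == "put" and e["record"] == record_id
                and field in e["fields"]]

    def recipients_of(self, record_id):
        """Answer 'to which recipients were data from this record transmitted'."""
        return [(e["recipient"], e["fields"]) for e in self._log
                if e["action"] == "transmit" and e["record"] == record_id]

    def verify_log(self):
        """Recompute the chain; False if any entry was altered, removed or reordered."""
        prev = GENESIS
        for e in self._log:
            if e["prev"] != prev or self._digest(e) != e["hash"]:
                return False
            prev = e["hash"]
        return True
```

The chain only makes tampering detectable, not impossible: whoever can rewrite the whole log can re-chain it, so in practice the entries would be shipped to append-only storage that the application's own service account cannot modify, and the verification would run from there.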
(10) When determining and applying measures for data security, the Company shall take into account the state of the art and, in the event of several possible data processing solutions, shall choose the solution that ensures a higher level of protection of personal data, unless this would imply a disproportionate level of difficulty.
2. Protection of the Company's IT records
(1) The Company shall take the following measures necessary to ensure the security of its IT records:
- provide the data files it manages with permanent protection against computer viruses (using real-time virus protection software);
- ensure the physical protection of the IT system hardware, including protection against damage from natural hazards (fire, water and similar);
- ensure that the IT system is protected against unauthorised access, both in terms of software and hardware;
- take all measures necessary for the recovery of the data files, perform regular backups and keep the backups separately and securely.
(2) The Company shall ensure that:
- the data management system can be restored in the event of a breakdown, and
- the data management system is operational, any errors in its operation are reported and the personal data stored cannot be altered by the system's malfunction.
3. Protecting the Company's paper records
(1) The Company shall take the necessary measures to protect paper records, in particular with regard to physical security and fire protection.
(2) The Company's managers, employees and other persons acting in the interest of the Company shall keep secure all data media containing personal data which they use or have in their possession, regardless of the way in which the data are recorded, and shall protect them against unauthorised access, alteration, disclosure, publication, deletion or destruction, as well as against accidental destruction or damage.
XIV. OTHER PROVISIONS
(1) The Managing Director of the Company shall inform all employees of the Company of the provisions of this Code.
(2) The Company is not obliged to appoint a Data Protection Officer.
(3) The Managing Director of the Company shall ensure that all employees of the Company comply with the provisions of this Code. For the purpose of implementing this obligation, the Company's manager shall require that the employment contracts with the Company's employees be amended to include a declaration of the employee's commitment to comply with and enforce these Regulations.
(4) The Company, as the data controller, shall transmit data to the authorities in the case of requests from public authorities for information and disclosure of data, indicating the purpose of use and precisely corresponding to it, to the extent necessary to achieve the purpose of the request.
(5) At least every three years from the start of the processing, the Company shall review whether the processing of personal data processed by it, or by a processor acting on its behalf or under its instructions, is still necessary for the purposes of the processing. The controller shall document the circumstances and the results of this review, retain the documentation for ten years after the review is completed, and make it available to the Authority upon request.
(6) The establishment and amendment of these Rules shall be the responsibility of the Head of the Company.
Done at Szigetszentmiklós, 30 June 2018.