Kulcspatikák Zártkörűen Működő Részvénytársaság
General Data Protection Notice

This document also available as pdf download by clicking here

1. Introduction

This general data protection notice (hereinafter the “Notice”) contains the information provided by

Kulcspatikák Zártkörűen Működő Részvénytársaság

Registered Office: 1117 Budapest, Alíz street 3. 1^st floor

Telephone: +36 1 444 9090

Email address: dpo@kulcspatika.hu

Website: www.kulcspatikak.hu

Represented by: dr. Kőhalmi Ákos and Kiss-Leizer György members of the Board

(hereinafter the “Data Controller”) regarding its processing of personal data, in accordance with Act CXII of 2011 on the Right of Informational Self-Determination and on the Freedom of Information, as well as Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation, hereinafter: the “GDPR”).

The purpose of this Notice is to set out the data protection and data processing policy applied by the Data Controller and to provide the information specified in Sections 16 (1)–(2) of Act CXII of 2011 and in Article 13 of the GDPR to the data subjects at the latest at the time their personal data are obtained. The Notice aims to ensure that data subjects are adequately informed - prior to any processing - about the Data Controller’s data processing practices, purposes, legal bases, and principles, thereby safeguarding their right to prior information.

The Data Controller is committed to ensuring full compliance with all legal requirements applicable to the processing of personal data in the course of its activities. In this spirit, the Data Controller acknowledges the data processing rules set out in this Notice as binding upon itself and carries out all data processing activities in accordance with these rules.

All persons whose personal data are processed by the Data Controller—including, in particular, visitors to the website www.kulcspatikak.hu, loyalty program members, users of any other services, and contractual partners (hereinafter collectively: the “Data Subject”)—are required to familiarise themselves with this Notice and to acknowledge its provisions.

Where personal data are provided to the Data Controller by the Data Subject, or where personal data are transferred to the Data Controller by any other party (i.e., the personal data are not provided directly by the Data Subject), the responsibility for the authenticity and accuracy of such personal data lies solely with the Data Subject or with the person supplying the personal data. The Data Subject and/or the person providing the personal data shall be responsible for ensuring that the data are kept up to date. Where the personal data do not originate from the Data Subject, the person supplying the personal data warrants that they are duly authorised and entitled to provide the personal data to the Data Controller. The Data Controller shall not be liable for any deficiencies, inaccuracies, or consequences arising from the data supplied, and expressly excludes all liability in this regard.

This Notice is continuously available for review on the website www.kulcspatikak.hu and in hard copy at the registered seat of the Data Controller.

As the circumstances of data processing may change from time to time, and as the Data Controller may decide at any time to supplement its ongoing data processing activities with new processing purposes, the Data Controller reserves the right to amend this Notice at any time. The Data Controller shall inform Data Subjects of any amendments to this Notice primarily through its website.

When establishing its data processing practices, the Data Controller has taken into account, in addition to the above-mentioned legislation, particular regard to

• the Fundamental Law of Hungary;
• Act V of 2013 on the Civil Code (Civil Code);
• Act No VI of 1998 on the promulgation of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, done at Strasbourg on 28 January 1981;

2. Data Protection Officer

The Data Protection Officer (DPO) provides the Data Controller with professional advice regarding data protection, monitors data processing activities, and assists the Data Controller in its dealings with the competent authority and with Data Subjects.

Name and contact details of the Data Protection Officer:

Name: Török Gyula Law Firm

Registered seat: 1081 Budapest, II. János Pál pápa square 3., 3rd floor

Telephone: +36 1 631 1417

Email: dpo@kulcspatikak.hu

Data Subjects may contact the Data Protection Officer regarding any questions related to the processing of their personal data and the exercise of their rights. The Data Protection Officer is bound by confidentiality obligations regarding the secure handling of data in connection with the performance of their duties.

3. Definitions used in the Notice

Data processing: the performance of technical tasks related to data processing operations.

Processing of data: any operation or set of operations which is performed upon data, regardless of the procedure used, in particular collection, recording, recording, organisation, storage, alteration, use, consultation, disclosure, transmission, alignment or combination, blocking, erasure and destruction, as well as prevention of further use of the data, taking of photographs, audio or video recordings. 

Data Controller: a natural or legal person or a company with legal personality who, alone or jointly with others, determines the purposes for which the data are to be processed, takes and implements decisions regarding the processing (including the means used) or implements them through a processor on whose behalf the data are processed.

Transfer of data: making data available to a specified third party.

Data erasure: the rendering of data unrecognisable in such a way that it cannot be recovered.

Personal Data breach: a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Pseudonymisation: processing of personal data in such a way that it is no longer possible to identify the natural person to whom the personal data relate without further information, provided that such further information is kept separately and technical and organisational measures are taken to ensure that no association with an identified or identifiable natural person is possible.

eDM (electronic Direct Mail): a direct marketing tool, letter advertising, marketing message. Following the Data Subject's prior consent, the Data Controller sends advertising and marketing messages by e-mail to the Data Subject's e-mail inbox. The Data Controller's offer is received by the Data Subject in a personalised form.

Health data: personal data relating to the physical or mental health of a natural person, including data relating to health services provided to a natural person which contain information about the health of the natural person.

Data subject: the natural person whose personal data are affected by the processing.

Third party: a natural or legal person or any other body other than the Data Subject, the Data Controller, the data processor or the persons who, under the direct authority of the Data Controller or the Data Processor, are authorised to process personal data.

Consent: a voluntary and explicit expression of the data subject's wishes, based on appropriate information, by which he or she gives his or her unambiguous consent to the processing of personal data concerning him or her, either in full or in relation to specific operations.

Joint processing: where the purposes and means of processing are jointly determined by two or more data controllers, they are considered joint controllers.

Personal data: data that can be associated with a specific natural person, in particular his or her name, identification mark and one or more factors specific to his or her physical, physiological, mental, economic, cultural or social identity, and any inference that can be drawn from the data concerning that person, which is not in the public interest or in the public domain. Personal data include, among others, name, address and e-mail address.

Objection: a statement by the Data Subject objecting to the processing of his or her personal data and requesting the cessation of processing or the erasure of the processed data.

Trade secret: According to the Act V of 2013 on the Civil Code, a trade secret is any fact, information, other data and any compilation thereof relating to an economic activity which is not publicly known or not easily accessible to the persons performing the economic activity concerned, the acquisition, use, disclosure or disclosure of which by unauthorised persons would harm or jeopardise the legitimate financial, economic or market interests of the rightholder, provided that the rightholder who is lawfully entitled to it is not culpable for the protection of the secret.

Terms used in this Notice that are not defined in this section shall, in the absence of a specific definition to the contrary, be interpreted in accordance with the definitions set out in the GDPR.

4. Data Processing Principles and Lawfulness of Data Processing

The processing carried out by the Data Controller complies with the data processing principles of the GDPR, which are:

The principles of lawfulness, fairness and transparency: Personal data shall be processed lawfully and fairly and in a transparent manner for the data subject.

Purpose limitation principle: Personal data shall be collected only for specified, explicit and legitimate purposes and not processed in a way incompatible with those purposes.

Data minimisation principle: Personal data shall be adequate, relevant and limited to what is necessary for the purposes for which they are processed.

Principle of accuracy: Personal data shall be accurate and, where necessary, kept up to date; all reasonable steps shall be taken to ensure that personal data which are inaccurate for the purposes of the processing are erased or rectified without undue delay.

Principle of storage limitation: Personal data shall be kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the personal data are processed.

Principle of integrity and confidentiality: Personal data shall be processed in a way that ensures adequate security of personal data, including protection against unauthorised or unlawful processing, accidental loss, destruction or damage, by using appropriate technical or organisational measures.

Principle of accountability: The Data Controller is responsible for compliance with the principles and shall be able to demonstrate such compliance.

In addition to the principles of data processing, the requirement of adequate information can be identified as a common requirement, as the Data Controller shall inform Data Subjects of the processing in the case of any legal basis for processing.

The Data Controller may process the personal data of a Data Subject only on the basis of one of the following legal grounds:

a) Consent – pursuant to Article 6(1)(a) of the GDPR, the Data Subject has given their freely given, specific, informed, and unambiguous consent to the processing of their personal data;

b) Performance of a Contract – pursuant to Article 6(1)(b) of the GDPR, the processing is necessary for the performance of a contract to which the Data Subject is a party;

c) Legal Obligation – pursuant to Article 6(1)(c) of the GDPR, the processing is necessary for compliance with a legal obligation to which the Data Controller is subject (e.g., accounting or bookkeeping obligations);

d) Vital Interests – pursuant to Article 6(1)(d) of the GDPR, the processing is necessary to protect the vital interests of the Data Subject or of another natural person;

e) Public Task – pursuant to Article 6(1)(e) of the GDPR, the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller;

f) Legitimate Interests – pursuant to Article 6(1)(f) of the GDPR, the processing is necessary for the purposes of the legitimate interests pursued by the Data Controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the Data Subject.

5. Processing Activities, Categories of Personal Data Processed, Legal Basis, Purpose and Retention Period

The Data Controller hereby states that it does not collect or process special categories of personal data under any circumstances. In particular, the Data Controller does not process data revealing racial or ethnic origin, membership of national or ethnic minorities, political opinions or party affiliation, religious or philosophical beliefs, trade-union membership, health data, data concerning pathological addictions, data concerning a natural person’s sex life or sexual orientation, or data relating to criminal convictions and offences.

5.1. Getting in contact

The Data Controller provides various central contact points on its website through which the Data Subject may initiate communication by email or telephone. When the Data Subject contacts the Data Controller, the Data Controller may acquire certain personal data depending on the specific method and content of the communication.

Scope of data processed	the full name, telephone number and email address of the Data Subject and any other personal data voluntarily provided by the Data Subject
Purpose of data processing	establishing contact between the Data Subject and the Data Controller
Legal basis for processing	Consent
Duration of data processing	until the withdrawal of the Data Subject’s consent

 

5.2. Newletter services

The Data Subject has the possibility to subscribe to the Data Controller’s newsletter through the website operated by the Data Controller at www.kulcspatikak.hu. The purpose of the newsletter subscription is to provide the Data Subjects with regular information regarding the activities and events of the Data Controller, as well as current promotions, offers and sweepstakes, while simultaneously promoting the Data Controller’s services and activities. For newsletter subscribers, the Data Controller may provide special birthday promotions or coupons; therefore, it is necessary for the Data Subject to provide their month and day of birth.

Scope of data processed	the full name, email address, birth month and day of the Data Subject
Purpose of data processing	to inform the Data Subject about current promotions and offers and about the prize draws
Legal basis for processing	Consent
Duration of data processing	until the withdrawal of the Data Subject’s consent   If the Data Subject no longer wishes to receive the newsletter, they may unsubscribe at any time and may also request the erasure of their personal data. In the event of an unsubscribe request or a request for erasure, the processing of the relevant personal data shall be terminated.

 

5.3. Prize draws

Data Subjects have the opportunity to participate in various prize draws organised by the Data Controller on social media platforms, the website, or in promotional leaflets. Participation in the prize draws organised by the Data Controller is entirely voluntary. The processing of personal data is necessary, on the one hand, for the identification of the participant and, on the other hand, where applicable, for notifying the winner and delivering the prize. The names of the winners (typically until the announcement of the next prize draw) may be published by the Data Controller on its website. By registering to participate in the prize draw, the participant expressly acknowledges this and gives their consent to such publication.

Scope of data processed	the full name, address, telephone number and email address of the Data Subject
Purpose of data processing	the Data Subject’s participation in the prize draw, the notification of winners, and the delivery of their prizes
Legal basis for processing	Consent
Duration of data processing	The personal data provided shall be processed until the successful delivery of the prizes, as in the event that the Data Controller is unable to contact the winner or the prize cannot be delivered, an alternate winner is generally selected. For the purpose of selecting such alternate winners, the personal data of all participants must remain available. If the Data Subject is the winner of the prize draw, their full name shall continue to be processed until the end of the period during which the winners’ names are published on the website, typically until the announcement of the next prize draw.

 

5.4. Participation in loyalty programs

The loyalty program announced by the Data Controller is a system in which participants may receive immediate percentage-based discounts on certain products when making purchases at the Kulcspatikák member pharmacies or at the Data Controller’s partner entities. The Data Controller hereby declares that it does not obtain any information regarding the specific products purchased by the Data Subject at the member pharmacies; therefore, it does not process any health data relating to the Data Subject.

The loyalty program currently operates through the use of so-called Key Cards (basic / gold tiers). Participation in the loyalty program is governed by a separate set of terms and conditions, the acknowledgement and acceptance of which is a prerequisite for participating in the program.

Registration for the loyalty program may be completed either via the Data Controller’s website or in person at the participating pharmacies; however, the categories of personal data to be provided are the same in both cases.

Scope of data processed	Mandatory data: the Data Subject’s full name, email address, date of birth, gender and postal code Optional data: the Data Subject’s telephone number, place of birth, and address details beyond the postal code.
Purpose of data processing	ensuring the Data Subject’s participation in the loyalty programs
Legal basis for processing	Consent
Duration of data processing	until the withdrawal of the Data Subject’s consent

 

5.5. Data Processing Related to the Mobile Application

By using the “KULCS” mobile application, the Data Subject can obtain information about promotions announced by the Data Controller, as well as the Kulcspatika location nearest to their current location. The Data Controller may also provide additional coupons through the mobile application that are not otherwise available to the Data Subject. Use of the mobile application requires participation in the loyalty program; therefore, the categories of personal data processed are largely identical to those processed for the loyalty program.

Scope of data processed	Mandatory data: the Data Subject’s full name, email address, date of birth, gender and postal code, current location Optional data: the Data Subject’s telephone number, place of birth, and address details beyond the postal code.
Purpose of data processing	ensuring the Data Subject’s participation in the loyalty programs
Legal basis for processing	Consent
Duration of data processing	until the withdrawal of the Data Subject’s consent

 

5.6. Social Media presence

The Data Controller also seeks to establish contact with Data Subjects through various social media platforms, while simultaneously promoting its activities and informing Data Subjects about current promotions, offers, and prize draws. During certain events or occasions organised by the Data Controller (e.g., opening ceremonies), photographs of the Data Subjects may be taken, primarily in the form of group photos, which the Data Controller may, at its discretion, upload to its social media platforms.

The Data Controller operates the following social media pages:

• the Kulcs Pharmacies page on Facebook;
• the Kulcs Pharmacies page on Instagram;
• the Kulcs Pharmacies page on LinkedIn

Scope of data processed	the full name and image of the Data Subject
Purpose of data processing	providing information on current updates and news related to the Data Controller, including certain events or occasions organised by the Data Controller
Legal basis for processing	Consent
Duration of data processing	until the withdrawal of the Data Subject’s consent   The Data Subject may voluntarily unfollow the social media pages or, using the settings available on the respective platform, remove unwanted posts or updates appearing on their news feed.

 

5.7. Data processing during concluding and performing a contract

The Data Controller notes that its contractual partners are primarily legal entities, in respect of which the processing of personal data does not occur. Accordingly, this Notice only refers to natural persons listed as contact persons in contracts with the partners, and their contact details, which constitute personal data.

Scope of data processed	the full name, position, telephone number and email address of the Data Subject
Purpose of data processing	communication with contractual partners and the fulfilment of obligations stipulated in contracts
Legal basis for processing	Performance of a Contract
Duration of data processing	Since the processing is carried out for the purpose of performing a contract, personal data shall be retained until the expiry of the statutory limitation period for rights and obligations arising from the underlying contractual relationship, or until the end of the retention period prescribed by applicable legislation.

 

5.8. Data Processing Related to Payment Transactions

In order to ensure proper accounting for the services provided to the Data Subject (specifically, the issuance of invoices by the Data Controller), the Data Controller processes the personal data specified below.

Scope of data processed	billing name, billing address, telephone number, email address
Purpose of data processing	to execute payment transactions under the contract and to enable proper accounting
Legal basis for processing	Legal obligation
Duration of data processing	The Data Controller shall retain the relevant personal data for 8 years as accounting records in accordance with Section 169 of Act C of 2000 on Accounting.

 

5.9. Processing of Complaints and Legal Disputes

If a complaint or inquiry is submitted to the Data Controller, it is obliged to handle and respond to it, which requires the processing of certain personal data. Similarly, if a legal dispute arises between the Data Controller and the Data Subject, the processing of certain personal data becomes necessary to resolve the dispute.

Scope of data processed	full name and address of the complainant/inquirer; contact details provided by the complainant, typically email address and telephone number; other data provided during the complaint/inquiry; personal data obtained during the investigation	full name, address, telephone number, email address, place and date of birth, mother’s name of the Data Subject
Purpose of data processing	investigation, response, and resolution of the complaint/inquiry; fulfilment of complaint-handling obligations	resolution of a legal dispute, including identification of the Data Subject and communication with them
Legal basis for processing	Legal obligation	Legitimate Interest
Duration of data processing	until the complaint/inquiry has been reviewed and resolved	until the legal dispute is finally resolved and closed

 

5.10. Processing of employee’s personal data

Pre-employment data processing (recruitment) and storage of unsuccessful applications

The Data Controller reserves the right to periodically announce various positions for which anyone may freely apply. One of the prerequisites for applying for these positions is the acknowledgement and acceptance of this Notice. Prospective applicants are therefore kindly requested to carefully review the content of this Notice. By submitting an application for a position announced by the Data Controller, the applicant is deemed to have accepted the terms set out in this Notice.

Applicants are requested to provide only the personal data necessary for the evaluation of their application. If an applicant provides personal data that is not required for the assessment of the application, the Data Controller shall, to the extent reasonably possible, promptly delete such data.

The Data Controller processes the application materials received solely in relation to the specific position applied for.

If an applicant is unsuccessful but wishes the Data Controller to retain their application for potential future positions, they must notify the Data Controller of this no later than after receiving feedback regarding the outcome of their application.

Applications submitted in the absence of an advertised position are, as a general rule, promptly deleted by the Data Controller.

Scope of data processed	full name, address, telephone number, email address, languages spoken, educational background and qualifications, previous employment of the Data Subject as well as any personal data voluntarily provided in the CV
Purpose of data processing	submission of an application for a position announced by the Data Controller and the evaluation of such application by the Data Controller; and, at the explicit request of the applicant, the storage of the application after an unsuccessful application and its use for applying to any potential future positions.
Legal basis for processing	Consent
Duration of data processing	Until the evaluation of applications for the position announced by the Data Controller; in the case of an unsuccessful application, with the applicant’s consent, until the withdrawal of the Data Subject’s consent.

 

The processing of personal data related to the employment of individuals employed by the Data Controller is governed by a separate data protection notice.

5.11. Personal and Property Security

The processing of personal data arising from potential video surveillance carried out by the Data Controller is governed by a separate data protection notice, with the underlying rules of such processing set out in this Notice.

5.12. Data Processing Related to the Franchise System

The processing of personal data within the franchise system operated by the Data Controller is governed by a separate data protection notice.

6. Data Processors and Data Transfers

As a general rule, the Data Controller does not transfer personal data in its possession to any third party without the prior consent of the Data Subject. However, the Data Controller may transfer data, in particular, to data processors or authorities.

In the context of data transfers to authorities, the Data Controller is entitled and obliged to provide all properly stored data to the competent authorities. Such data transfers are based on statutory requirements or final binding decisions of the authorities, and the Data Controller shall not be held liable for any consequences arising from such transfers.

Where the Data Controller engages a data processor in the course of data processing, personal data relating to Data Subjects may be transferred to the data processor solely for the purpose of achieving the objectives of processing, and the Data Controller ensures that the data processor processes such personal data only for the purposes described in Section 5. The activities of data processors related to data processing are limited to providing technical support. Data processors are not authorised to make substantive decisions regarding data processing; they may process personal data only in accordance with the instructions of the Data Controller, may not process personal data for their own purposes, and must store and retain personal data in accordance with the instructions of the Data Controller.

The Data Controller engages the following data processors in the course of personal data processing:

 

The Data Controller also draws attention to the fact that certain data it processes may be transferred to third countries for data processing purposes. The data processors listed below are exclusively companies based in the United States whose standard contractual clauses guarantee compliance with the data protection requirements set forth in the GDPR within the European Union.

Data processors in third countries:

Microsoft (Redmond, Washington, United States)

In addition, access to personal data may be granted to the following persons:

• Persons engaged by or employed by the Data Controller;
• The legal representative of the Data Controller.

Data processors identified in this section may, in the event of fulfilling statutory obligations, act as independent data controllers to the extent and in the manner specified by law.

The Data Controller also draws the attention of Data Subjects to the fact that, when using various social media platforms, personal data transmitted may be processed by the respective platform in accordance with applicable laws and the platform’s own privacy policies.

Furthermore, the Data Controller’s website may, in certain cases, contain links to websites operated by third parties or to services provided by third parties. In such cases, the data protection rules established by the third party apply. Data Subjects are encouraged to carefully read both the relevant terms of service and the applicable privacy policies before using such services or providing personal data to the third party. Since the conditions, operation, and content of such third-party websites are beyond the control of the Data Controller, the Data Controller assumes no responsibility for them.

The Data Controller’s member pharmacies have access exclusively to the data collected by that particular member pharmacy, which typically consists of personal data provided during customer registration and as defined in Section 5.4 of this Notice. The contact details of the member pharmacies, as data processors, can be found at www.kulcspatikak.hu/patikakereso.

5.  

6.          

7. Data Security

The Data Controller undertakes to ensure the security of personal data in accordance with the GDPR and Act CXII of 2011., taking into account the rights of the Data Subjects. As part of this commitment, the Data Controller shall take all necessary measures to ensure the secure and intact handling of personal data and to establish and operate the required data management systems. The Data Controller shall ensure that unauthorized persons cannot access, disclose, transmit, modify, or delete the data.

The personal data referred to above are stored at the Data Controller’s registered office, within its own IT system, and on the servers of data processors responsible for hosting services.

Access to personal data shall be granted only to those persons acting under the authority of the Data Controller—particularly contractors and employees—who require such access to perform their duties and who are aware of and understand their obligations regarding data processing.

Furthermore, the Data Controller undertakes to use the most advanced and appropriate equipment and security rules to ensure the security of personal data, with particular attention to preventing unauthorized access, unlawful disclosure, deletion, or destruction of the data. The Data Controller shall take all reasonable measures to prevent accidental damage or loss of personal data. The above obligations shall also apply to all employees involved in the Data Controller’s data processing activities.

Any event in which personal data is accessed, modified, lost, or disclosed without authorization—whether accidentally or intentionally—shall be considered a data protection breach.

The Data Controller shall investigate all data protection breach and maintain records thereof in accordance with legal requirements. If a data protection breach is likely to pose a risk to the rights and freedoms of data subjects, the Data Controller shall notify the supervisory authority within 72 hours of becoming aware of the breach, and in cases of higher risk, shall also inform the affected data subjects.

8. Rights of the Data Subject in Relation to Data Processing

The rights of the Data Subject regarding their personal data constitute fundamental rights that must be upheld throughout the entire data processing activity.

The Data Controller draws the attention of Data Subjects to the fact that, unless restricted by law, the exercise of their rights can be carried out by submitting a statement to the following email address: dpo@kulcspatikak.hu. The Data Controller shall examine and respond to the statement as soon as possible, but no later than 30 days from receipt, and shall take the necessary measures in accordance with the statement, this Notice, and applicable legal provisions.

The Data Controller may charge a reasonable fee for providing information on Data Subject requests only if the request is clearly unfounded or excessive, particularly due to its repetitive nature. In such cases, the Data Controller may refuse to act on the request.

If a Data Subject wishes to exercise their rights, the Data Controller must verify their identity. If there is reasonable doubt regarding the legitimacy of the request, including the identity of the Data Subject, the Data Controller may request additional information to confirm the Data Subject’s identity. The Data Controller may refuse to act on the request if it is unable to reliably verify the identity of the Data Subject.

If the Data Controller refuses to fulfill the Data Subject’s request, it shall provide information on the reasons for the refusal and on the available remedies for the Data Subject.

During the period of data processing, the Data Subject is entitled to the following rights:

Right to Information

The Data Controller shall provide appropriate, easily understandable, and accessible information (online or offline) regarding the essential aspects of data processing. This information shall be provided at the time of data collection or, upon request, subsequently. The Data Subject is entitled to receive the Notice.

In addition, the Data Subject may at any time request information about whether their personal data is being processed, and if so, the categories of personal data processed, their source, the purposes and legal basis of processing, the duration of processing, the names and addresses of any data processors, related processing activities, and in the case of data transfers, the recipients and purposes of such transfers.

Right of Access

Upon request, the Data Controller shall provide access to the personal data being processed and related information as detailed in this Notice. The Data Controller shall provide a copy of the personal data upon request. Additional copies may be subject to a reasonable administrative fee. If the request is made electronically, the information shall be provided in a commonly used electronic format unless otherwise requested by the Data Subject. 

Right to Erasure (“Right to be Forgotten”)

The Data Subject has the right to request the deletion of their personal data without undue delay, and the Data Controller shall comply without undue delay. If the Data Controller has granted third parties access to the data to be erased, it shall inform them to delete all references and copies of the personal data, unless prevented by legal or legitimate grounds.

The right to erasure does not apply if data processing is necessary for:

• exercising the right of freedom of expression and information;
• compliance with a legal obligation or the establishment, exercise, or defense of legal claims;
• public interest archiving, scientific, historical research, or statistical purposes, where erasure would make the processing impossible or seriously impair its purpose.

The Data Controller shall also delete personal data in its documentation when the purpose of processing ceases. For paper-based records, destruction shall be documented for verification purposes by the competent authority.

Right to Rectification

The Data Subject may request correction of inaccurate personal data. The Data Controller is responsible for ensuring the accuracy of personal data and shall review it periodically.

Right to Restriction of Processing

The Data Subject may request the restriction of the processing of their personal data. Restricted data may only be processed—except for storage—with the Data Subject’s consent, for the establishment, exercise, or defense of legal claims, for the protection of the rights of another natural or legal person, or for important public interest of the EU or a Member State. 

Right to Data Portability

The Data Subject may request their personal data in a structured, commonly used, and machine-readable format (e.g., .doc, .pdf) and has the right to transmit such data to another Data Controller without hindrance.

Right to Object

If the Data Subject has not given consent to data processing, they may object at any time to the processing of their personal data for specific reasons. In such cases, the Data Controller shall cease processing unless it can demonstrate compelling legitimate grounds that override the Data Subject’s interests, rights, and freedoms, or for the establishment, exercise, or defense of legal claims.

9. Remedies and Legal Recourse

The Data Subject has the right to lodge a complaint with the Hungarian National Authority for Data Protection and Freedom of Information (NAIH). The NAIH can be contacted as follows:

Mailing address: 1055 Budapest, Falk Miksa street 9-11, Hungary

Phone: +36 (1) 391-1400

Email: ugyfelszolgalat@naih.hu

Website: www.naih.hu

In addition to submitting a complaint to the supervisory authority, the Data Subject has the right to seek judicial remedy to enforce their rights. According to the relevant provisions of the GDPR, legal proceedings against the Data Controller must be initiated before the court of the Member State where the Data Controller is established—in this case, a Hungarian court.

Regarding complaints, the competent Hungarian court is the court of first instance (törvényszék). At the Data Subject’s discretion, proceedings may be initiated before the court competent based on either their place of residence or habitual residence. A list of courts and their contact details can be found at the following link: www.birosag.hu/torvenyszekek

10. Cookie notice

A cookie is a small text file that is stored on the hard drive of the Data Subject’s computer or mobile device for the duration set in the cookie and is reactivated upon subsequent visits. Its purpose is to record information related to visits and personal settings, which cannot be linked to the individual visitor. Cookies also help create a user-friendly website and mobile application experience and enhance the Data Subject’s online experience.

By consenting to the storage of statistical and marketing cookies displayed on online interfaces, and by accessing or using the Data Controller’s online platforms, the Data Subject consents to the storage and collection of other local storage technologies, data collectors, and additional data on their devices.

Cookies used on the websites can be categorized as follows:

• Necessary cookies: These cookies are essential for the website’s functionality, enabling the use of basic functions necessary for proper operation.
• Analytical cookies: These cookies help optimize the website’s performance and improve user experience. By enabling more detailed analysis, they also contribute to displaying advertisements and personalized content to users.

It is important to note that the Data Subject can delete cookies from their device and generally configure their browser to accept or reject all cookies. Most browsers provide guidance in the “Help” section on how to manage cookie settings. However, some online functionalities require cookies to operate properly; therefore, disabling them may affect the use of certain parts of the online platforms and diminish the user experience.

11. Final provisions

If the Data Controller intends to process personal data for purposes other than those specified in this Notice, the Data Controller shall inform the Data Subject of the new purpose prior to such further processing. Processing for the new purpose may only commence thereafter—if the legal basis for processing is consent—provided that the Data Subject also gives their consent in addition to the information provided.

This Notice is valid until revoked and applies to the entire organizational structure of the Data Controller, including data processors, employees, officers, staff, and contractors.

This Notice shall be reviewed annually and whenever there are changes to domestic or EU legislation. Only the Data Controller is authorized to amend this Notice.

This Notice is effective as of December 8, 2025.

_________________________________

Kulcspatikák Zrt.

dr. Kőhalmi Ákos and Kiss-Leizer György board members