Website Privacy Notice 

Effective: from 01.09.
2023 until revoked

which (hereinafter referred to as the “Prospectus”) is published in

hereinafter referred to as the “Data Controller”, as www.vvpekseg.hu website and its sub-pages (hereinafter referred to as the “Website”) in order to provide appropriate and detailed information to users and visitors of the Website (hereinafter referred to as: “Data Subjects” or “Data Subjects”) about the scope of their data processed by the Data Controller, the method, purpose and legal basis of data processing, as well as about ensuring the constitutional principles of data protection, the requirements of data security, the prevention of unauthorized access to, alteration of, and unauthorized disclosure or use of Data Subjects’ data.

Among the foregoing, the Data Controller declares that the Website Notice has been prepared on the basis of and in accordance with its valid and applicable General Data Protection Notice (hereinafter: “General Data Protection Notice”); accordingly, in connection with the operation of the Website, it processes personal data solely on the basis of the provisions of this Website Notice.

Possibility to amend the Website Notice and the General Data Protection Notice

The Data Controller reserves the right to unilaterally amend the General Data Protection Notice and this Website Notice in the future. The new provisions will be published on the Website.

Definitions:

Data subject: any natural person who is identified or can be identified, directly or indirectly, on the basis of personal data.

Consent: a voluntary and explicit expression of the Data Subject’s wishes, based on appropriate information, by which he or she gives his or her unambiguous consent to the processing of personal data concerning him or her, whether in full or in relation to specific operations.

Personal Data: data that can be associated with the Data Subject, in particular the name, the identification mark and one or more factors specific to his or her physical, physiological, mental, economic, cultural or social identity, and the inference that can be drawn from the data concerning the Data Subject.

Data controller: the natural or legal person or unincorporated body which, alone or jointly with others, determines the purposes for which the data are to be processed, takes and implements decisions regarding the processing (including the means used) or has the data processed by a processor.

Data processing: any operation or set of operations which is performed upon data, regardless of the procedure used, in particular any collection, recording, recording, organisation, storage, alteration, use, retrieval, disclosure, transmission, alignment or combination, blocking, erasure or destruction of data, prevention of their further use, taking of photographs, sound recordings or images and physical features which can be used to identify a person (e.g. fingerprints, palm prints, DNA samples, iris scans).

Transfer: making data available to a specified third party.

Data processor: a natural or legal person or unincorporated body that processes personal data on behalf of the controller.

Data processing: the performance of data processing operations, technical tasks, regardless of the method and means used to perform the operations and the place of application.

Disclosure: making the data available to anyone.

Data erasure: making data unrecognisable in such a way that it is no longer possible to recover it.

Machine processing: includes the following operations when they are carried out wholly or partly by automated means: storage of data, logical or arithmetical operations on data, alteration, deletion, retrieval and dissemination of data.

System: the totality of the technical solutions that operate the Data Controller’s computer processing and, if any, the pages and services of its partners accessible via the Internet (hereinafter “System”).

Cookie: a cookie is a small text file that is stored on the hard drive of your computer or mobile device and is activated on subsequent visits. The websites use cookies to record information about your visit (pages visited, time spent on our sites, browsing data, exits, etc.) and personal preferences, but this is not data that can be linked to the Data Subject. This tool helps us to design a user-friendly website to enhance the online experience of our Data Subjects. Most web browsers automatically accept cookies, but Data Subjects have the option to delete or refuse them. As each browser is different, Data Subjects can set their cookie preferences individually using the browser toolbar. If the Data Subject does not wish to allow any cookies from the websites they visit, they can change their web browser settings to receive notifications of cookies sent, or simply refuse all cookies or only cookies sent by certain websites. You can also delete cookies stored on your computer, notebook or mobile device at any time. For more information on settings, see your browser’s Help. If the Data Subject chooses to disable cookies, he or she will have to opt out of certain features of the websites (for example, the website will not remember that the Data Subject has remained logged in). We distinguish between two types of cookies: ‘session cookies’ and ‘persistent cookies’.

“Session cookies”: stored temporarily by the computer, notebook or mobile device until the Data Subject leaves the website; these cookies help the system to remember information while the Data Subject is visiting from one page to another, so that the Data Subject does not have to re-enter or fill in the information. 

“Persistent cookies”: are stored on your computer, notebook or mobile device even after you leave the website. These cookies allow the website to recognise you as a returning visitor, even though they do not personally identify you.

The purposes of data processing

The purpose of this Notice is to ensure that the Data Controller informs the Data Subject of the purpose of the processing, the legal basis for the processing and all relevant information concerning the processing before the data are collected.

Principles of Data Processing

Personal data must be obtained and processed fairly and lawfully.

Personal data should only be stored for a specific and legitimate purpose and should not be used in any other way.

The scope of the personal data processed must be proportionate to, and compatible with, the purpose for which they are stored and not excessive in relation to that purpose.

Adequate security measures must be taken to protect personal data stored in automated data files against accidental or unlawful destruction or accidental loss, and against unlawful access, alteration or dissemination
.  

Data transmission

The Data Controller is entitled and obliged to transmit to the competent authorities any personal data at its disposal and stored by it in accordance with the law, which it is obliged to transmit by law or by a final decision of a public authority or where it is suspected of having committed a crime or an offence. The Data Controller shall not be held liable for such transfers and the consequences thereof.

In addition to the foregoing, the Data Controller shall transfer data only to its contractually related co-controllers and/or processors, including only to those who are contractually bound to the Data Subject; accordingly, the Data Controller shall transfer data to third parties only for the purposes and to the extent necessary to fulfil the purposes set out in this Notice. Such transfers shall not place the Data Subject in a less favourable position than the data processing and data security rules set out in the current version of this Policy.

Security of data processing

The Data Controller shall, in accordance with its obligation under Article 32 of the GDPR, do its utmost to ensure the security of the Data Subjects’ data, and shall take the necessary technical and organisational measures and establish the procedural rules necessary to enforce the GDPR and other data protection and confidentiality rules, taking into account the reasonable expectations of the Data Subject in its relationship with the Data Controller, as well as the state of science and technology and the costs associated with the implementation risks and the nature of the personal data to be protected.

The Data Controller processes data on paper and by automated means. Where processing is carried out by automated means, the processing of any data by a human operator shall only take place in exceptional and duly justified cases.

In particular, the Data Controller shall protect the data against unauthorised access, alteration, disclosure, disclosure, erasure or destruction and against accidental destruction or accidental damage. Data which are automatically and technically recorded during the operation of the system(s) of the Data Controller shall be stored for a period of time from the moment they are generated which is reasonable for the purposes of ensuring the functioning of the system. The Data Controller shall ensure that these automatically recorded data cannot be linked to other personal data, except in cases required by law.

If this is the case, the employees of the Data Controller’s departments who handle personal data are obliged to keep the personal data they have obtained as business secrets. For this purpose, the employees of the Data Controller shall also be under a specific obligation and in the course of their work shall ensure that no unauthorised persons have access to personal data. Personal data are stored and stored in such a way that they cannot be accessed, accessed, altered or destroyed by unauthorised persons.

The controller’s chief executive officer, who has decision-making powers at any given time, shall determine the organisation of data protection, the tasks and powers relating to data protection and related activities, and shall designate the person responsible for supervising data processing, taking into account the specific characteristics of the controller.

How the data is collected

The Data Controller receives and obtains the Data Subjects’ data under this Notice directly from the Data Subject in person, in each case on the basis of the Data Subjects’ voluntary consent. 

In all cases, the Data Subject is responsible for the accuracy of the personal data provided. The Data Controller does not verify the personal data provided to it.
 Unless otherwise stated, the Data Subject has consented to the processing of his or her personal data in accordance with the Privacy Notice and this Policy.

Data processors

The Data Controller does not use a Data Processor in connection with these activities.

Records of processing activities

The controller and, where applicable, its representative, shall keep records of the processing activities carried out under its responsibility. These records shall contain the following information:

• the name and contact details of the controller and the name and contact details of the Data Protection Officer;
• the purposes of the processing
• a description of the categories of data subjects and the categories of personal data;
• the categories of recipients to whom the personal data are or will be disclosed, including recipients in third countries or international organisations;
• where applicable, information on the transfer of personal data to a third country or an international organisation, including the identification of the third country or international organisation and, in the case of a transfer pursuant to the second subparagraph of Article 49(1) of the GDPR Regulation, a description of the appropriate safeguards;
• if possible, the time limits foreseen for the deletion of the different categories of data;
• where possible, a general description of the technical and organisational measures referred to in Article 32(1).

The controller shall make the register available to the supervisory authority upon request.
  

Data Protection Officer

Taking into account that none of the mandatory cases set out in Article 37 of the GDPR Regulation – processing of sensitive data, systematic and systematic large-scale monitoring of data subjects, performance of a public task – apply, no DPO has been appointed.

Rights of the Data Subject

Right to information

The Data Subject must be informed clearly and in detail of all the facts relating to the processing of his or her data before the processing starts.

The person concerned

• request information about the processing of your personal data,
• request the rectification of your personal data,
• request the erasure or restriction of your personal data,
• may exercise their right to data portability,
• object to the processing of your personal data,
• may withdraw their consent to the processing,
• may have recourse to the Data Controller, the data protection authority and the courts in the event of a breach of their rights.

Right of access

At the request of the Data Subject, where the information cannot be refused by law, the Data Controller shall provide the Data Subject with information concerning.

• the purpose of the processing,
• the legal basis for processing
• the categories of personal data concerned,
• the names and addresses of any data processors and their data processing activities,
• the duration of the processing,
• the circumstances and effects of a possible data breach and the measures taken to deal with it,
• the right to obtain from the Controller the rectification, erasure or restriction of the processing of personal data concerning him or her and to object to the processing of such personal data,
• the right to lodge a complaint with a supervisory authority,
• where the personal data have not been collected from the data subject, any available information about their source,
• the fact of automated decision-making, including profiling, and, at least in these cases, the logic used and clear information on the significance of such processing and its consequences for the Data Subject,
• where applicable, the transfer of the Data Subject’s personal data to a third country.

The data controller shall provide the information in writing in an intelligible form within the shortest possible time from the submission of the request, but not later than thirty (30) days.

Right to rectification

At the request of the data subject, the Data Controller shall correct inaccurate or inaccurate personal data concerning him or her. Taking into account the purpose of the processing, the Data Subject may request the completion of incomplete personal data, including by means of a supplementary declaration. As long as the data cannot be corrected or completed, the Controller shall restrict the processing of personal data and temporarily suspend the processing operations, except for storage.

Right to erasure

The Data Subject shall have the right to obtain from the Data Controller, upon his or her request, the erasure of personal data relating to him or her without undue delay if.

• the personal data are no longer necessary for the purposes for which they were collected or otherwise processed,
• the data subject has withdrawn his or her consent and there is no other legal basis for the processing,
• the data subject objects to the processing of his or her personal data and the Data Controller has no overriding legitimate grounds for the processing, or the data subject objects to processing for direct marketing purposes,
• the personal data have been unlawfully processed,
• the personal data must be erased in order to comply with a legal obligation under Union or Member State law applicable to the Data Controller,
• the personal data were collected directly in connection with the information society services offered to children, without the consent of the person exercising parental authority.

If the controller determines that there is an obligation to erase the personal data it has processed, it shall cease processing and destroy the personal data previously processed.

If the Controller has disclosed the personal data and is obliged to delete it, it shall take reasonable steps and technical measures, taking into account the available technology and the cost of implementation, to inform the controllers about the deletion of the links to or copies or duplicates of the personal data in question.

The controller may not erase personal data where the processing is necessary

• to exercise the right to freedom of expression and information,
• fulfil an obligation under EU or national law or exercise official authority,
• in the public interest in the field of public health,
• is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, and deletion would make the processing impossible or seriously jeopardise it,
• to bring, enforce and defend legal claims.

Right to restriction

The Data Controller shall, at the request of the Data Subject, restrict the processing of personal data if.

• the Data Subject contests the accuracy of the personal data,
• the processing is unlawful and the Data Subject opposes the erasure of the data and requests the restriction of their use,
• The controller no longer needs the personal data, but the Data Subject requires them for the establishment, exercise or defence of legal claims,
• the Data Subject has objected to the processing and the Controller is still investigating.

Personal data subject to the restriction may be processed, except for storage, only in the following cases:

• with the consent of the data subject,
• to bring, maintain or defend legal claims or defend the rights of another natural or legal person,
• important public interest of the Union or of a Member State.

The controller must inform the data subject requesting the restriction before lifting it.

Right to data portability

In the event of consent, performance of a contract or automated decision-making, the Data Subject is entitled to use the data he or she has provided to the Data Controller.

• receive it in a structured, widely used, machine-readable format,
• to another controller
• directly to another controller, if technically feasible.

Data subjects may not exercise their right to data portability if the processing is in the public interest or in the exercise of official authority.

Right to object

The Data Subject has the right to object at any time to the processing of his or her personal data by the Data Controller on the basis of legitimate interest and profiling, in particular if the personal data is used for direct marketing, public opinion polling or scientific research.

The Data Controller shall examine the objection within a maximum of thirty (30) days from the date of the request and inform the Data Subject in writing of its decision. The Controller shall suspend processing for the duration of the investigation, but for a maximum of five (5) days.

If the Data Subject’s objection is deemed justified, the Data Controller shall terminate the processing, including further recording and transmission of data, block the data and notify the objection and its consequences to all persons to whom the data have been transmitted and who are obliged to take action to enforce the right to object. 

If the Data Subject does not agree with the decision of the Data Controller, he or she has the right to take legal action within thirty (30) days of the decision or the last day of the deadline.

General notification obligation

The Controller shall inform each recipient of any rectification, erasure, objection or restriction of processing to whom or with which the personal data have been disclosed, unless this proves impossible or involves a disproportionate effort. The Data Subject shall, upon request, be informed by the Controller of such recipients.

Enforcement options

In the event of questions, comments, requests and complaints, the Data Subjects may contact the Data Controller in order to assert their rights, in particular at the following contact details:

Vál-Völgye Bakery Ltd
8087 Alcsútdoboz, Hrsz 0121/4 
+36 708844922 info@vvpekseg.hu

Remedies:

National Authority for Data Protection and Freedom of Information 
Headquarters: 1125 Budapest, Szilágyi Erzsébet fasor 22/c. 
Phone: +36 1 391 1400 
Fax: +36 1 391 1410 
E-mail: ugyfelszolgalat@naih.hu 
Website: ugyfelszolgalat@naih.hu Website: http://www.naih.hu 
Online case start: http://www.naih.hu/online-uegyinditas.html

Judicial enforcement

You also have the right to take legal action against the Data Controller’s actions, in addition to the administrative remedies. The GDPR, the Infotv. and the rules of the Civil Code and the Civil Code apply to the lawsuit. The court of law has jurisdiction to decide on the lawsuit. The lawsuit may also be brought, at the option of the data subject, before the court of the place of residence of the data subject (for a list of courts and their contact details, please consult the following link: http://birosag.hu/torvenyszekek).

I hereby accept and enter into force this Prospectus.

Dated: 2023.09.01.2023

Vál-Völgye Bakery Ltd

Kenéz-Hanyecz Kinga 
Data
 Controller