SOLUTION MOVEMENT

Privacy Notice

Version 1.5.

Effective from 27 November 2023.

The Solution Movement provides the following information regarding the processing of personal data in connection with its membership, communication, and website activities based on Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation or GDPR).

1. Data of the Controller

Name of data controller: Solution Movement
Abbreviated name of data controller: MEMO
Organization type: Association
Association form: Party
Registration Number: 01-02-0017750
Headquarters: 1061 Budapest, Székely Mihály Street 16.

Represented by:

Dr. Viktor Dénes Huszár, President, independently
Dr. Krisztina Ilona Bajusz, Vice-President, independently Dr. Dániel Bogó, Vice-President, independently


Mailing address: 1101 Budapest, Expo tér 5-7.
E-mail: info@memo.hu

Data controller accepts inquiries related to data protection at the following contact information:

Data Protection Officer:
Name: dr. Ádám Németh (lawyer at dr. Németh Ádám Law Office)
E-mail: bejelentes@drnemethadam.hu

2. Applicable Legal Framework

The personal data processing carried out by the Data Controller based on this Privacy Notice is subject to the following regulations:

  • 1. Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons regarding the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR);
  • 2. Act CXII of 2011 on the right to informational self-determination and freedom of information (hereinafter: Infotv.);
  • 3. Act V of 2013 on the Civil Code (hereinafter: Civil Code);
  • 4. Act CLXXV of 2011 on the right of association, the status of public benefit organizations, and the operation and support of civil organizations (hereinafter: Ectv.);
  • 5. Act XXXIII of 1989 on the Operation and Finances of political parties (hereinafter: PartyTv.);
  • 6. Act XXXVI of 2013 on the Electoral Procedures (hereinafter: Ve.);
  • 7. Decree 1/2018 (I. 3.) of the Ministry of Justice on the detailed rules for the implementation of tasks within the competence of election offices in the parliamentary elections, the determination of the nationwide aggregated data of the election results, the forms to be used in the electoral procedure, and the amendment of certain regulations related to elections;
  • 8. Act CL of 2017 on the Rules of Taxation;
  • 9. Act C of 2000 on Accounting; and
  • 10. Act CXXVII of 2007 on Value-added tax.

3. Characteristics of data processing carried out by the Controller on the basis of this notice

3.1. Data Processing Related to Voters

3.1.1. Coordination Regarding the Signing of Recommendation Sheets

Purpose of data processing: Upon the request of the data subject, and based on prior appointment scheduling, visiting the data subject's residence for the purpose of the data subject's personal signature on the endorsement sheet of a candidate running in the parliamentary elections, local government representative and mayor elections, as well as elections for members of the European Parliament, including repeated and by-elections.

Upon the request of the data subject, the Data Controller organizes for the candidate or activist representing the Data Controller in the electoral district corresponding to the data subject's residence to visit the data subject's place of residence. This provides the data subject with the opportunity to fill out and sign the endorsement sheet. This also involves the transmission of data to the candidate or activist.

Data Controller's Identity: The data subject may independently contact both the Data Controller and the candidate, seeking the signature on the endorsement sheet, without mutual dependence. Given that these activities share the same purpose (collecting endorsements), the Data Controller and the candidate jointly carry out data processing. The agreement between the Data Controller and the candidate regulates issues of responsibility related to data processing. The candidate is also obliged to act in accordance with this privacy notice and the regulations determined by the Data Controller during data processing.

The activist is considered to be a data processor during this data processing.

Legal basis for data processing: Consent of the data subject (Article 6(1)(a) of the GDPR, Article 9(2)(a)).

Given that the Data Controller operates as a party, the fact that the data subject signs or intends to sign the recommendation sheet of the candidate running on behalf of the Controller constitutes special data referring to the political opinion of the data subject. The processing of the special data is subject to the explicit consent of the data subject (Article 9(2)(a) of the GDPR).

Definition of data subjects: Persons who have contacted the Controller with a request to sign a recommendation sheet.

Scope of personal data processed: The data provided by the data subject includes the name, e-mail address, telephone number and address. Based on the address provided by the data subject to the Controller, the Data Controller determines the given constituency and the person of the candidate running in the given constituency, as well as the date of the visit.

Duration of storage of personal data: until the last day of the deadline for the candidate's notification, i.e. in the case of the election of members of parliament and the election of members of the European Parliament, until the 37th day preceding the election day (Articles 124 and 252 of Ve), in the case of the election of local government representatives and mayors, until the 34th day preceding the election day (Article 307/G of Ve).

3.1.2. Collection of recommendations

Purpose of data management: Collection of recommendations in the election of members of parliament, the election of local government representatives and mayors, and the election of members of the European Parliament - including repeated and interim elections

The voter recommends the candidate by providing and signing his personal data on the recommendation sheet of the candidate running on behalf of the Data Controller in the election of members of parliament, the election of local government representatives and mayors, and the election of members of the European Parliament - including repeated and interim elections. On the recommendation sheet, the person collecting the recommendation also indicates his personal data and signature. When the candidate is announced, the signature sheet is handed over to the electoral commission responsible for registering the candidate.

In view of the fact that the withdrawal of the recommendation is subject to a legal prohibition (Ve. Section 122 (5) the right of the data subject to erasure or withdrawal of consent may be exercised considering this limitation.

Data Controller: The Data Controller and the Candidate can contact directly with the data subject. Entering contact serve the common purpose (collecting the recommendation) of the Data Controller and the Candidate, therefore the Data Controller and the Candidate are joint controller. The contract between the Data Controller and the Candidate is regulate the responsibilities of the parties and the Candidate must handle the data of the data subject according to this privacy policy.

The activist is considered to be a data processor during this data processing.

Legal basis for data processing: Consent of the data subject (Article 6(1)(a) of the GDPR, Article 9(2)(a)).

Due to the fact that the Data Controller operates as a party, the fact that the data subject signs the recommendation sheet of the candidate running on behalf of the Controller or collects recommendations for the candidate constitutes special data referring to the political opinion of the data subject. The processing of the special data is subject to the explicit consent of the data subject (Article 9(2)(a) of the GDPR).

Definition of stakeholders: voter giving recommendations, person collecting recommendations.

Scope of personal data processed:

  • • voter giving recommendations: name, personal identification, Address in Hungary, signature.
  • • person collecting recommendations: name, personal identification number or official identity card number, signature.

Duration of storage of personal data: until the last day of the deadline for the candidate's notification, i.e. in the case of the election of members of parliament and the election of members of the European Parliament, until the 37th day preceding the election day (Articles 124 and 252 of Ve), in the case of the election of local government representatives and mayors, until the 34th day preceding the election day (Article 307/G of Ve). If the person collecting the recommendation has also indicated their personal data on a signature sheet without a recommendation, the period of storage of the personal data may be extended until the day following the above deadline (26 February 2022).

3.1.3. Processing of additional data when collecting recommendations

Purpose of data management: Handling of additional data necessary for the collection of recommendations in the election of members of parliament, the election of local government representatives and mayors, and the election of members of the European Parliament - including repeated and interim elections

Data Controller: The Data Controller and the Candidate can contact directly with the data subject. Entering contact serve the common purpose (collecting the recommendation) of the Data Controller and the Candidate, therefore the Data Controller and the Candidate are joint controller. The contract between the Data Controller and the Candidate is regulate the responsibilities of the parties and the Candidate must manage the data of the data subject according to this privacy policy.

The activist is considered to be a data processor during this data processing.

Legal basis for data processing: The legitimate interest of the Controller in conducting the collection of recommendations and ensuring data accuracy (Article 6(1)(f) of the GDPR).

Due to the fact that the Data Controller does not process personal data relating to the political opinion of the data subject for the purpose of data processing and the data relating to the political opinion of the data subject cannot be deducted on the basis of the personal data processed, the data processed do not fall within the special category of the GDPR as defined in Article 9(1).

Definition of stakeholders: voters contacted by the referral collector.

Scope of personal data processed: whether the person visited by the collector was at home at the time or not, the address of the data subject has changed and has since died.

Duration of storage of personal data: until the last day of the deadline for the candidate's notification, i.e. in the case of the election of members of parliament and the election of members of the European Parliament, until the 37th day preceding the election day (Articles 124 and 252 of Ve), in the case of the election of local government representatives and mayors, until the 34th day preceding the election day (Article 307/G of Ve).

3.2. Data processing related to supporters, supporting members and members

3.2.1. Data processing related to supporters

Purpose of data management: Cooperation and contact with supporters.

Legal basis for data processing: Consent of the data subject (Article 6(1)(a) of the GDPR, Article 9(2)(a)).

Given that the Controller operates as a party, the fact that the data subject provides or intends to provide support to the Data Controller constitutes a special data referring to the political opinion of the data subject. The processing of the special data is subject to the explicit consent of the data subject (Article 9(2)(a) of the GDPR).

Definition of data subjects: persons providing support to the Controller.

The scope of personal data processed: name, address (or temporary address), mailing address (if differs from the address or temporary address), place and date of birth, mother’s birth name, phone number, e-mail address, website URL, category of support.

Duration of storage of personal data: until the withdrawal of the consent of the data subject.

If the support involves the issue of an invoice, the provisions of the section entitled “Registration of membership fees and payment of grants” shall be applied with an appropriate derogation.

3.2.2. Conducting a membership procedure for candidates and candidates for membership

Purpose of data management: Conducting a membership procedure

Legal basis for data processing: Consent of the data subject (Article 6(1)(a) of the GDPR, Article 9(2)(a)).

Given that the Controller operates as a party, the fact that the data subject has submitted a request for membership to the Controller constitutes special data referring to the political opinion of the data subject. The processing of the special data is subject to the explicit consent of the data subject (Article 9(2)(a) of the GDPR).

Definition of data subjects: persons applying for membership procedures at the Data Controller, members supporting the application for membership with their recommendation.

Scope of personal data processed:

  • • name, birth name, nationality, place and time of birth, permanent address, notification address, telephone number, e-mail address, other contact details, declaration by the data subject that he or she meets the conditions of membership;
  • • cv data, id card picture, personal data included in the summary of the interview;
  • • only for candidates: the name of the member who supported the application for membership and other personal data (address and contact details) contained in the statement of recommendation.

Duration of storage of personal data: For this purpose, the Controller handles the above categories of personal data until the conclusion of the membership procedure. If a membership relationship is established, the personal data processed will be transferred to the members' register and supporting members’ register, respectively. If the application for membership is rejected, the name, place of birth and date of birth of the data subject and the date of refusal shall be entered in the register of rejected applications for admission based on the consent of the data subject, the rest of the data will be deleted.

3.2.3. Register of members and supporting members

Purpose of data management: Registration of a member, supporting member

Legal basis for data processing: maintenance of the membership relationship between the data subject and the Controller (Article 6(1)(b) GDPR).

Given that the Controller operates as a party, the fact that the data subject is registered in the Data Controller's member register constitutes a special data referring to the political opinion of the data subject. The processing of the special data is subject to the fact that the data processing takes place within the framework of the legal activity of the association for political purposes under appropriate guarantees, on condition that the data processing is carried out exclusively on the current or former members of the Data Controller, or refers to persons who are in regular contact with the organisation in relation to the organisation's objectives and that personal data are not made available to persons outside the organisation without the consent of the data subjects (Article 9(2)(d) of the GDPR).

Definition of data subjects: members of the Data Controller, supporting members, members supporting the application for membership with their recommendation.

Scope of personal data processed:

  • • name, birth name, nationality, place and time of birth, permanent address, notification address, telephone number, e-mail address, other contact details, declaration by the data subject that he or she meets the conditions of membership;
  • • cv data, id card picture, personal data included in the summary of the interview;
  • • only for members: the name of the member who supported the application for membership and other personal data included in the statement of recommendation (address and contact details);
  • • the start date of membership, in the case of members only: the fact that the membership has been suspended, the start and end dates;
  • • data generated during the procedure of the Ethics Committee, sanction applied.

Duration of storage of personal data: until the termination of the membership relationship.

3.2.4. Registration of membership fees and payment of grants

Purpose of data management: registration of the payment of membership fees. The Controller makes card payment available via the Simple system, during which data is forwarded to OTP Mobil Kft., the provider of the Simple system, as set out below.

Legal basis for data processing: compliance with the legal obligation (billing and tax liability) imposed on the Controller (Article 6 (1) c) of the GDPR, Section 159 (1) of VAT Tv.

Due to the fact that the Controller operates as a party, the fact that the data subject is registered in the Data Controller's register concerning the payment of membership fees and subsidies constitutes special data referring to the political opinion of the data subject. The processing of the special data is subject to the fact that the data processing takes place within the framework of the legal activity of the association for political purposes under appropriate guarantees, on condition that the data processing is carried out exclusively on the current or former members of the Data Controller, or refers to persons who are in regular contact with the organisation in relation to the organisation's objectives and that personal data are not made available to persons outside the organisation without the consent of the data subjects (Article 9(2)(d) of the GDPR).

Definition of stakeholders: member, support member, supporter.

The scope of personal data processed: name, address/billing address, e-mail, phone number, amount and date of payment.

Duration of storage of personal data: 8 years (Section 169 (1) of Accounting Act)

Based on the consent of the data subject, the Controller shall forward the following categories of the personal data concerning the data subject, as submitted on the website www.memo.hu, to OTP Mobil Kft. (1093 Budapest, Közraktár u. 30-32.), as independent controller. Categories of personal data forwarded: family name, given name, country, phone number, e-mail address. Purpose of data forwarding: customer service assistance for users, confirmation of transactions and fraud monitoring for the protection of users.

3.2.5. Register of rejected applications for admission

Purpose of data processing: Register of rejected admission requests (to reduce the volume of admission requests in bad faith)

Legal basis for data processing: Consent of the data subject (Article 6(1)(a) of the GDPR, Article 9(2)(a)).

Due to the fact that the Controller operates as a party, the fact that the data subject is registered in the Register of Rejected Recruitment Requests constitutes special data referring to the political opinion of the data subject. The processing of the special data is subject to the explicit consent of the data subject (Article 9(2)(a) of the GDPR).

Definition of data subjects: persons applying for membership whose application for admission has been rejected by the Presidency.

Scope of personal data processed: name, place and time of birth, date of rejection

Duration of storage of personal data: 12 months

3.2.6. Register of former members

Purpose of data processing: Register of former members

Legal basis for data processing: the Controller has a legitimate interest in reducing the volume of bad faith recruitment requests during the recruitment of members, supporters, and support members (Article 6(1)(f) of the GDPR).

Due to the fact that the Controller operates as a party, the fact that the data subject is registered in the register of former members of the Data Controller constitutes special data referring to the political opinion of the data subject. The processing of the special data is subject to the fact that the data processing takes place within the framework of the legal activity of the association for political purposes under appropriate guarantees, on condition that the data processing is carried out exclusively on the current or former members of the Data Controller, or refers to persons who are in regular contact with the organisation in relation to the organisation's objectives and that personal data are not made available to persons outside the organisation without the consent of the data subjects (Article 9(2)(d) of the GDPR).

Definition of data subjects: former members whose membership has been terminated as a result of withdrawal, termination or exclusion resulting from a suspension. This processing does not cover the termination of the membership due to death.

The scope of the personal data processed: name, date of termination of legal relationship, reason for termination of legal relationship, the fact that the member has fulfilled his or her accounting obligations or has been postponed, acquitted or is being prosecuted.

Duration of storage of personal data:

  • • 6 months in the event of withdrawal or termination due to suspension
  • • 12 months in case of exclusion

3.3. Management of the data of inquirers, joiners, and newsletter subscribers

The purpose of data processing: The Data Controller provides the opportunity for anyone to join the community of the Solution Movement and request information from the Data Controller about its activities without becoming a member.

The intention to join can be expressed by filling out the designated forms such as "Join as a Volunteer," "Join with Your Ideas/Proposals," "Subscribe to Our Newsletter," or "Join Our Youth Section," or by subscribing to the newsletter, filling out a questionnaire, and sending consent for newsletter-related data processing.

After joining, the Data Controller keep in connection with the data subject via electronic communication (via email and telephone) and send information about the activity of the MEMO.

Legal basis for data processing: Consent of the data subject (Article 6(1)(a) GDPR).

Given that the Controller operates as a party, the fact that the data subject is registered in the Data Controller's regular contact register constitutes special data referring to the political opinion of the data subject. The processing of the special data is subject to the explicit consent of the data subject (Article 9(2)(a) of the GDPR).

Definition of data subjects:

  • • Persons who have send the joining form.

The scope of personal data processed: name, postal code, e-mail, phone number.

Additional information that we are managing if you are joining to our youth department (’Csatlakozz ifjúsági tagozatunkhoz’) is the data of birth (based on this information the Data Controller can check the age of the data subject).

Additional information that we are managing if you are joining to us with an idea (’Csatlakozz ötleteddel/javaslatoddal’) is the idea of the data subject.

Duration of storage of personal data: Until the data subject's consent is withdrawn.

3.4. Responding to Inquiries

The purpose of data processing: Responding to unofficial inquiries received from outside the organization.

Legal basis for data processing: Consent of the data subject (Article 6(1)(a) of the GDPR).

Definition of data subjects: Individuals who approach the Data Controller with inquiries.

Scope of processed personal data: Name, email address, phone number.

Storage duration of personal data: 3 years.

3.5. Survey-related Data Processing

The purpose of data processing: The Data Controller aims to understand the opinions of sympathizers and Hungarian citizens on issues that concern them. For this purpose, the Data Controller contacts individuals electronically and in paper form to solicit their opinions. The data subject can express their opinions to the Data Controller by completing the survey. The Data Controller processes the overall responses and keeps the answers provided by the individual confidential.

Legal basis for data processing: Consent of the data subject (Article 6(1)(a) of the GDPR).

Definition of data subjects: Individuals who fill out the membership form on the Data Controller's website or other platforms.

Scope of processed personal data: Name, address, answers to the questions.

Storage duration of personal data: Until the withdrawal of consent by the data subject.

3.6. Processing related to the exercise of the rights of the data subject and the complaint concerning the processing of personal data

Purpose of data management: Enforcement of data subject rights, handling of complaints.

Legal basis for data processing:

Legal basis for data processing: Compliance with the legal obligation imposed on the Controller (Article 6(1)(c) GDPR, Articles 15-18, 21 of the GDPR, Article XXVIII (7) of the Fundamental Law).

Definition of data subjects: Persons who have complained about the processing of their personal data validating their rights as data subjects.

The scope of personal data processed: name, place and time of birth, mother's name, e-mail address, other data provided in the submission on the enforcement of her rights or in the complaint concerning data processing (e.g., subject of a complaint).

Duration of storage of personal data: 5 years from the end of the enforcement of the rights of the data subject or the settlement of the complaint related to the processing of personal data (general limitation period according to the Civil Code).

3.7. Processing related to the execution of contracts

Purpose of data management: Execution and performance of contract on services used or provided by the Controller, request for, or providing quotation prior to the execution of the contract.

Legal basis for data processing:

  • • In case the data subject is a party to the contract, then processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering a contract (Article 6(1)b of GDPR).
  • • In case the data subject is not a party to the contract, then processing is based on the legitimate interest pursued by the controller to the performance of the contract (Article 6(1)f of GDPR)
  • Definition of data subjects: contracting party (if the contracting party is a natural person), or the representative, contact person of the contracting party (if the contracting party is an entity).

    The scope of personal data processed: name of the contracting party, (billing) address, e-mail, telephone, data pertaining to the service ordered.

    Duration of storage of personal data: 5 years of the performance of the contract (Article 6:22. of the Civil Code), or 8 years of the performance of the contract (Article 169(2) of the Act on Accounting), if the contract is qualified as an accounting record.

3.8. Data processing on the Data Controller's website

3.8.1. Data relating to the Website and its operator

The website available at www.megoldasmozgalom.hu and www.memo.hu address (hereinafter: Website) is operated by the Data Controller. The contents placed on the Website are protected by copyright, their use is only possible with the prior written consent of the Data Controller. The Data Controller accepts requests for the use of the contents placed on the Website at the contact details specified in section 1 above. Hyperlinks placed on the Website may point to websites operated by third parties on which further data processing may take place. The visitor can find out about the data processing on the given website.

3.8.2. Data security measures applied on the Website

During the operation of the Website, the Data Controller strives to use technological solutions for data security. When designing the development and development of the Website, it considers data protection and data security aspects, tests the security of the Website, and in the course of the further development of the Website, in case of changes of data protection relevance, it amends this Privacy Notice, as necessary. The Data Controller uses https on the Website. This Privacy Notice is available from the main page of the Website, so data subjects can be informed in advance about the circumstances of the processing of their personal data before providing their personal data (subscription to the newsletter, registration, contacting the Data Controller, etc.).

3.8.3. Cookie Policy

The Controller's cookie policy can be found at the following address:https://memo.hu/cookie

3.8.4. Privacy Policy of the MEMO Application

The Controller’s privacy policy applicable to the MEMO application can be found at the following address: https://memo.hu/adatvedelem

Links to the privacy policy can be found on the login page of the MEMO application, and on the information page of the MEMO application in App Store and Google Play store.

4. Data Processors

In the personal data processing activities outlined in this Privacy Notice, the Data Controller engages the following data processors:

  • • The web hosting provider for the website is CloudFlare, Inc. (101 Townsend St, San Francisco, CA 94107, United States). The provider is a company registered in the United States. The agreement with the provider includes the standard contractual clauses for data transfer between the European Union and the United States, as accepted by the European Commission. However, the storage of personal data transmitted to the Data Controller via email or web form during the operation of the website does not occur on the hosting provided by CloudFlare, Inc., but on a server located within the European Union. Accordingly, the Data Controller does not transmit special category data to CloudFlare, Inc.
  • • In the processing of data related to voters (section 3.1), the activist qualifies as a data processor.
  • • For sending newsletters, the Data Controller uses the Listamester service operated by Bithuszárok Számítástechnikai és Szolgáltató Betéti Társaság (registered office: 2051 Biatorbágy, Damjanich utca 8.; company registration number: 13-06-065996; website: https://www.listamester.hu/).
  • • For membership sign-ups, newsletter subscriptions, and contact form submissions, the Data Controller utilizes the Jotform, Inc. service (4 Embarcadero Center, Suite 780, San Francisco CA 94111, United States). The provider is a company registered in the United States. The agreement with the provider includes the standard contractual clauses for data transfer between the European Union and the United States, as accepted by the European Commission. However, the server selected for providing the Jotform, Inc. service is located within the European Union. Beyond the data processing carried out by Jotform, Inc. for the Data Controller, Jotform, Inc. voluntarily adheres to the now-defunct Privacy Shield data transfer agreement. In this regard, they have designated a European Union representative and a privacy dispute resolution forum to ensure the data subjects' privacy enforcement possibilities. In addition to the data processing performed for the Data Controller by Jotform, Inc., the company also conducts data processing for its own purposes, for which information is available in their privacy policy on their website: https://www.jotform.com/privacy/.

5. Data transmission, other common features of data processing

The Data Controller does not transfer the processed data to a third country or to an international organization, nor does it carry out automated decision-making and profiling.

The Data Controller transfers the personal data it manages to an authority, court, or other public body only based on legislation and in a documented way.

6. Rights of the Data Subject and Remedies

6.1. Right to Withdraw Consent

In the case of data processing based on consent, the data subject is entitled to withdraw his consent at any time. The withdrawal of consent does not affect the legality of consent-based data processing prior to withdrawal.

6.2. Right to Request Information

The data subject is entitled to request information in writing from the Data Controller regarding the processing of their personal data. Within one month, the Data Controller will provide written information to the data subject about the purpose, legal basis, scope, duration, source of the data, possible data transfers, etc., related to each data processing.

6.3. Right to Rectification

The data subject is entitled to request in writing that the Data Controller correct, complete, or modify their personal data if it is inaccurate or has changed (e.g., in the case of incorrect data collection or subsequent data changes). The Data Controller will inform the data subject in writing within one month about the completion, supplementation, or modification of the data.

6.4. Right to Erasure

The data subject is entitled to request in writing that the Data Controller delete their personal data. If there is no legal obligation for the Data Controller to retain the data, the Data Controller will delete the specified personal data within 5 business days and inform the data subject in writing.

6.5. Right to Restriction of Data Processing

The data subject is entitled to request in writing that the Data Controller restrict the processing of their personal data. Restriction (blocking) of data processing may occur, for example, if the data subject wishes to use the blocked personal data for the purpose of enforcing their rights before a court or authority. The Data Controller may only process the blocked personal data with the explicit consent of the data subject or for the purpose of asserting, enforcing, or defending legal claims or protecting the rights of natural or legal persons. The Data Controller is also obliged to clearly indicate the fact of blocking and manage the blocked personal data separately.

6.6. Right to Data Portability

The data subject is entitled to request in writing the Controller to send the personal data relating to him in a delimited, widely used, machine-readable format, and he is entitled to transfer this data to another data controller without being hindered by the Controller.

The right to data portability may be exercised in the following cases:

  • • the processing is based on the consent of the data subject or
  • • data processing is necessary for the performance of a contract in which the data subject is also a contracting party (including where, at the request of the data subject, steps are taken prior to the conclusion of the contract); and
  • • data processing is carried out in an automated manner.

The data subject may request the Controller to transfer his personal data directly between data controllers if this is technically feasible.

6.7. Right to protest

The data subject is entitled to object to the processing of his personal data based on the legitimate interest of the Controller or a third party, including profiling based on those provisions, for reasons related to his or her situation. In this case, the Controller may no longer process the personal data unless the Controller proves that the processing is justified by compelling legitimate reasons that take precedence over the interests, rights, and freedoms of the data subject or which relate to the submission, enforcement, or protection of legal claims.

6.8. Enforcement of data processing

The data subject is entitled to contact the Data Controller directly if he has questions about the processing of his personal data or wishes to exercise his data protection rights. The name and contact details of the Data Protection Officer can be found in section 1 of this Privacy Policy.

In case of violation of data protection rights, the data subject can apply for redress to the National Authority for Data Protection and Freedom of Information (registered office: 1055 Budapest, Falk Miksa Street 9-11, postal address: 1363 Budapest, Pf.: 9., phone: +36 (1) 391-1400, e-mail: ugyfelszolgalat@naih.hu).

If the processing of the data subject's personal data is carried out unlawfully, the data subject is entitled to file a civil action against the Data Controller. The person concerned may also bring the case before the court of his place of residence (https://birosag.hu/torvenyszekek).

7. The scope and amendment of this Privacy Notice

This Privacy Notice shall enter into force on the date specified in the subheading of this document and shall remain in force until the Controller replaces it with an updated version of the Privacy Policy. The Controller reserves the right to unilaterally amend this Data Protection Notice at any time if the review of the Data Protection Notice, the change affecting the Data Controller's data management activities, a change in the law, data protection authority practice, business need, authority or court decision necessitate the amendment. The revised Data Protection Notice is published on the Website or sent to the data subject on request.