Privacy Policy

the Bravo Group Ltd.

(Head office: 1075 Budapest, Kazinczy utca 9. B. lház. 3. floor. Door 6.

Company registration number: 01-09-409542)

NAOMI BAR (hereinafter referred to as Naomi Bar or Bar, address: 1077 Budapest, Wesselényi utca 43.)

Last update: 13 March 2024.

Dear Guests/Visitors!

As the operator of the NAOMI BAR, Bravo Group Ltd., we would like to share our privacy and data management principles in a clear and understandable way through this notice, so that it is transparent and clear to everyone where, how and to what extent we interact with your personal data.

The following information is provided pursuant to REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Regulation (EC) No 95/46/EC (General Data Protection Regulation) (hereinafter referred to as “GDPR”).

This Privacy Policy describes how Bravo Group Kft. (hereinafter referred to as Bravo Group Kft. as Data Controller), which operates the Bar and the related website, processes the personal data of its guests and visitors to www.naomibudapest.com. Bravo Group Ltd. declares that it is committed to protecting the personal data of its guests, partners and visitors to the website and attaches the utmost importance to respecting their right to information self-determination.

The current version of the Privacy Policy (the “Policy”), which contains information about the data management activities of the Naomi Bar, is available on the website www.naomibudapest.com and in printed form at the Bar’s central customer service desk.

The Data Controller reserves the right to unilaterally change this information at any time. If this notice is amended, we will inform the data subjects/customers by posting the amendment on the website and on the premises.

Amendments to the Prospectus will enter into force on the date and publication on the above website.

I. Name and contact details of the Data Controller:

Name of data controller:	Bravo Group Ltd.
Headquarters:	1075 Budapest, Kazinczy utca 9. B. lház. 3. floor. door 6.
Your mailing address:	1075 Budapest, Kazinczy utca 9. B. lház. 3. floor. door 6.
Your email address:	naomi@naomibudapest.com

Definitions of terms

‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

‘processing’ means any operation or set of operations which is performed upon personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

“controller” means a natural or legal person, public authority, agency or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of the processing are determined by Union or Member State law, the controller or the specific criteria for the designation of the controller may also be determined by Union or Member State law;

“data processor” means a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the Controller;

“recipient” means a natural or legal person, public authority, agency or any other body to whom or with which personal data are disclosed, whether or not a third party. Public authorities which may have access to personal data in the context of an individual investigation in accordance with Union or Member State law are not recipients; the processing of those data by those public authorities must comply with the applicable data protection rules in accordance with the purposes of the processing;

“the data subject’s consent” means a freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject signifies, by a statement or by an act expressing his or her unambiguous consent, that he or she signifies his or her agreement to the processing of personal data concerning him or her;

“data breach” means a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;

“transfer” means the making available of data to a specified third party;

“erasure”: rendering data unrecognisable in such a way that it is no longer possible to recover it;

“data marking”: the marking of data with an identification mark to distinguish it; restriction of processing: the marking of stored personal data for the purpose of restricting their future processing;

“data destruction” means the complete physical destruction of a data medium containing data;

“cookie”: a small packet of data (text file) sent by the web server and placed on the user’s computer for a specified period of time, which, depending on its signal, may be supplemented by the server on subsequent visits, i.e. when the browser returns a previously

saved cookie, the cookie management service provider has the option to link the user’s current visit to previous visits, but only for its own content;

“third party” means a natural or legal person, public authority, agency or any other body other than the data subject, the controller, the processor or the persons who, under the direct authority of the controller or processor, are authorised to process personal data;

“IP address”: in all networks in which communication takes place according to the TCP/IP protocol, server machines have an IP address, i.e. an identification number, which allows them to be identified over the network. It is well known that every computer connected to the network has an IP address, through which it can be identified.

“objection”: a statement by the data subject objecting to the processing of his or her personal data and requesting the cessation of the processing or the erasure of the processed data.

The data processing activities of the controller are based on voluntary consent, contract, legitimate interest or legal obligation. In the case of processing based on voluntary consent, data subjects may withdraw their consent at any stage of the processing.

In certain cases, the processing, storage and transmission of the scope of the data provided is required by law, of which the Data Controller shall separately inform its customers and guests.

Please note that if you do not provide your own personal data, it is your obligation and responsibility to obtain the consent of the data subject!

The data subject (hereinafter: data subject or guest) warrants that the consent of the natural person concerned has been obtained lawfully for the processing of personal data provided or made available by him or her in the course of using our services.

By providing his/her email address and data, any data subject is also responsible for ensuring that only he/she uses the email address and data provided by him/her to use the service. In view of this assumption of responsibility, any liability in connection with an email address and/or data provided shall be borne solely by the data subject who provided the email address and data.

III. Data processing and its duration

We will only ever store data subjects’ data for as long as we are required to do so by our legal/accounting/data reporting obligations or for as long as it is necessary for the operation of the service. When deciding on the duration of storage, we take into account the volume, nature and sensitivity of the data and the potential impact of a data leakage in the event of a data breach.

For tax purposes, we need to keep visitors’ billing and purchase information for at least 8 years to comply with our legal obligations.

In certain circumstances, we may use the data in an anonymised form for statistical purposes, in which case we will store the data for an unlimited period without any information.

1. Data processing related to your membership of the Naomi Bar Club

Bravo Group Ltd. will in the future offer the opportunity to guests who meet the criteria for club membership and wish to become a club member. Club membership conditions can be found at naomibudapest.com.

Data processed: name, club card number, address, e-mail address, date of issue, signature

Purpose of data processing: to provide discounts, to inform you about the latest opportunities.

Stakeholders: those involved in the Club membership.

Duration of data processing, deadline for deletion of data: the Company will process the personal data provided until the consent is withdrawn, the membership of the Club is terminated or the Company is dissolved, but for a maximum of 5 years.

Recipient of the personal data: none.

Legal basis for processing: voluntary consent of the data subject, Article 6(1)(a) GDPR.

Failure to provide the data will result in the data not being processed and the data subject will not be able to use the Club membership, receive discounts and be informed of current opportunities and news.

2. Data processing related to online requests for proposals

Visitors to www.naomibudapest.com have the possibility to book online under the booking menu.

Data processed: name, expected date of arrival and departure, number of adults, type of care, e-mail address, telephone number, text of message.

Purpose of processing: sending a personalised offer.

Stakeholders: persons requesting an offer.

Duration of data processing, deadline for deletion of data: personal data are processed in accordance with the rules applicable to the reservation in case of a successful offer, and in case of rejection of the offer, the Data Controller deletes the data on the date of rejection. If the offer is rejected, the data will be deleted by the Data Controller on the day following the expiry of the offer period.

Recipients of personal data: none.

Legal basis for processing: voluntary consent of the data subject, Article 6(1)(a) GDPR.

The consequence of not providing the data is that the data subject will not be able to use the Club membership, to benefit from discounts and to be informed about current opportunities and news.

3. Processing of data relating to bookings by e-mail

The Data Controller also provides the possibility to make reservations by e-mail.

Data processed: name, personal data provided in the e-mail.

Thepurpose of data processing is to enable requesting/booking by e-mail .

Stakeholders: persons requesting a quote by e-mail.

Recipients of personal data: none.

Legal basis for processing: voluntary consent of the data subject, Article 6(1)(a) GDPR.

Failure to provide the data will result in the Data Controller being unable to make an individual offer.

4. Camera surveillance system data management

The Company uses a camera surveillance system in the Bar. For more information about the data management related to the camera system, please visit the Data Controller’s website and consult the Camera Policy and the document printed in the Bar, where you can find a paper copy of the Privacy Policy and the Privacy Policy for the camera system, which will be sent to the e-mail address provided by the data subject upon request.

The data processed are natural persons entering and leaving the monitored area. Some of the natural persons entering are the Data Controller’s own employees, but in the case of the Bar’s guests, their personal data voluntarily provided and recorded by the camera system are concerned

Purpose of processing: protection of persons and property.

Target population: the guest entering the monitored area.

Duration of processing, time limit for erasure of data: maximum 72 hours from the date of recording, except where the use of the recording is necessary in the course of a notified or otherwise known official procedure.

Recipients of the personal data: the Data Controller uses the services of a partner entrusted with the maintenance of the camera system.

Legal basis for processing: legitimate interest of the Data Controller, based on Article 6(1)(f) GDPR.

5. Billing-related data processing

The Data Controller will invoice the guest for the service used.

The data processed include name, address.

Purpose of data processing: settlement of the consideration for the service used for consideration, fulfilment of the invoicing obligation.

Stakeholders: guests using the service.

Duration of data processing, deadline for deletion of data: 8 years pursuant to Section 169 (2) of Act C of 2000 on Accounting.

Recipient of the personal data: a contracted partner of the Data Controller performing accounting tasks.

Legal basis for processing: to comply with the legal obligation under Article 6(1)(c) of Act C of 2000 on Accounting, Article 169(2).

Failure to provide the data will result in the guest not being able to use the service because the Data Controller is unable to fulfil its legal obligation.

6. Data processing related to payment by bank transfer, credit card

The Data Controller offers its guests the possibility to pay by bank transfer and credit card.

Scope of data processed Name of the bank account holder, bank account number, amount of the final account and advance payment, date of transfer

Purpose of the processing: to enable the payment of the price of the service used for consideration by debit card or bank transfer.

Stakeholders: guests using the service.

Duration of data processing, deadline for deletion of data: 8 years pursuant to Section 169 (2) of Act C of 2000 on Accounting.

Recipients of personal data: in the case of payment by bank card and transfer, the bank card and payment transaction data are processed by Erste Bank Zrt., 1138 Budapest, Népfürdő u. 24-26. (www.erstebank.hu).

Legal basis for processing: to comply with the legal obligation under Article 6(1)(c) of Act C of 2000 on Accounting, Article 169(2).

Failure to provide the data will result in the guest not being able to use the service because the Data Controller is unable to fulfil its legal obligation.

7. Social media (instagram, Facebook)

We keep in touch with our guests and those interested in our services through our social pages on Facebook and Instagram. On the social networking sites, people can comment and write posts on the content we share.

The fact of data collection, the scope of data processed: the name registered on Facebook and Instagram, and the user’s public profile picture.

Data subjects: all data subjects who have registered on Facebook and Instagram and have “liked” the Facebook profile of Balaton Hotel & Restaurant.

Purpose of data collection: to share on social networking sites, certain content, products, package offers or the website itself, or

“liking”, promoting.

Duration of data processing, time limit for deletion of data, possible controllers entitled to access the data and description of data subjects’ rights in relation to data processing: the data subject can find out about the source of the data, the processing of the data and the method and legal basis of the transfer on the relevant Community site. The data are processed on the social networking sites, so the duration of the processing, the way in which the data are processed and the possibilities for deleting and modifying the data are governed by the rules of the social networking site concerned.

Legal basis for processing: the data subject’s voluntary consent to the processing of his or her personal data on social networking sites.

8. Processing of data collected by cookies

Formoreinformation about cookies usedon please visit https://balatonhotelsiofok.hu/cookie-tajekoztato.

On the website, the Data Controller uses the services and cookies of Google Analytics.

Google Analytics is a web analytics service provided by Google LLC. (hereinafter referred to as “Google”) to help the Data Controller learn more about the visitor behaviour of its website. The information obtained from Google Analytics is used by the Data Controller to improve the functioning of the website. The cookies collect anonymous information about the number of visitors to the website, the pages from which visitors come to the website and the pages they view.

Google Analytics tracking can be turned off at the following link: https://tools.google.com/dlpage/gaoptout.

The most commonly used browsers’ menus for deleting and managing cookies:

Internet Explorer: https://support.microsoft.com/hu-hu/help/17442
MozillaFirefox: https://support.mozilla.org/hu/kb/sutik-informacio-amelyet- websites-tarolnak-sami#w_sakti-beaallagtaasok
Google

Crome: https://support.google.com/chrome/answer/95647?co=GENIE.Platform%3D Desktop&hl=hu

Microsoft Edge: https://support.microsoft.com/hu-hu/help/4468242/microsoft-edge- browsing-data-and-privacy

9. Management of data collected during marketing communications

To carry out marketing communication, which is essential for the operation and activities of the Company and the Bar. The legal basis for the processing of data in this context is the expression of interest in our services or the express consent of users. Under the European Union’s Privacy and Electronic Communications Regulations (PECR), we send marketing messages to our users if they have made a purchase from us or have expressly consented to receive marketing messages.

In all cases, we will provide a prominent means of opting out and unsubscribing from messages. You will find an unsubscribe link at the bottom of each email, or you can request to be removed from the database by emailing naomi@naomibudapest.com.

10. Automated decision-making and profiling

None of the above data processing takes place in the course of.

11. Data processors:

The Data Controller uses data processors, with whom it has a written contract, in order to serve the needs of its guests and to improve the service.

The Bravo Group Ltd. software performs data processing tasks in order to record reservations, their status and the consumption of guests.

Name of data processor:	Bravo Group Ltd.
Seat:	1075 Budapest, Kazinczy utca 9. B. lház. 3. floor. door 6.
Website:	naomibudapest.com

The email account provider of the Data Controller:

Name of data processor:	Bravo Group Ltd.
Seat:	1075 Budapest, Kazinczy utca 9. B. lház. 3. floor. door 6.
Website:	naomibudapest.com

12. Data transmission

The Data Controller may be contacted by the courts, investigative authorities, law enforcement authorities, administrative authorities, the data protection authority or other bodies authorised by law to provide information, documents, data or data.

The Data Controller shall disclose personal data to the authorities only to the extent and to the extent strictly necessary for the purpose of the request.

13. Rights of data subjects

With regard to the processing of the data subject’s sensitive data, the Data Controller shall.

be informed of the circumstances surrounding the processing;
request the rectification or, in the cases specified under the GDPR, the erasure of personal data;
request the restriction of processing;
to be informed of the recipients to whom personal data concerning him or her have been disclosed subject to rectification, erasure or restriction of processing;
access your personal data;
exercise your right to data portability (in the cases specified under the GDPR)
object to processing based on legitimate interest.

1. Right to information of the data subject

By publishing this information, the Data Controller shall take measures to ensure that the data subject has at his or her disposal all the information on the processing of personal data as provided for in Articles 13 and 14 of the GDPR.

Where the data provided have not been obtained by the Data Controller from the data subject, the obtaining of the data is in any case required by the Union or Member State law applicable to the Data Controller.

2. Right of access of the data subject

The data subject has the right to receive feedback from the Data Controller on the processing of his or her personal data after proof of his or her identity. Right of access

the Data Controller shall provide the information related to the exercise of the rights of the Data Controller in writing, by post or electronically. The right to be informed may be exercised in writing through the contact details indicated in the section “Name and contact details of the Data Controller”.

The data subject has the right to access personal data and the following information:

the purposes of the processing;
categories of personal data processed;
the recipients or categories of recipients to whom your data have been or will be disclosed;
the envisaged storage period of personal data;
the right to rectification, erasure or restriction of processing and the right to object;
the right to lodge a complaint with a supervisory authority;
if the data have not been collected from the data subject, any information on the source of the data;
the fact of automated decision-making, including profiling, and the logic used and available information on the significance of such processing and the likely consequences for the data subject.

In the event of a transfer of personal data to a third country or an international organisation, the data subject is entitled to be informed of the appropriate safeguards for the transfer.

3. The right to rectification

The data subject may request, through the contact details provided in the “Name and contact details of the controller” section, that the controller rectify inaccurate data relating to him or her (e.g. in the case of a change of address).Taking into account the purpose of the processing, the data subject has the right to request the completion of incomplete personal data processed by the controller.

4. The right to erasure

The data subject shall have the right to obtain, upon reasoned request, the erasure of personal data concerning him or her without delay. The Controller shall delete personal data where:

the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
the data subject withdraws his or her consent and there is no other legal basis for the processing;
the data subject objects to the processing and there are no overriding legitimate grounds for the processing;
the personal data have been unlawfully processed;
the personal data must be erased in order to comply with a legal obligation under Union or Member State law applicable to the Data Controller;
personal data are collected in connection with the provision of information society services.

The data subject may not exercise his or her right to erasure, inter alia, where the processing is necessary:

to exercise the right to freedom of expression and information;
for the purposes of complying with an obligation under Union or Member State law that requires the controller to process personal data or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
for archiving, scientific and historical research purposes or statistical purposes in the field of public health, or on grounds of public interest;
necessary for the establishment, exercise or defence of legal claims.

5. Right to restriction of processing

The data subject shall have the right to obtain, upon a reasoned request, restriction of processing by the Controller if:

the data subject contests the accuracy of the personal data (as long as the Data Controller verifies the accuracy of the data);
the processing is unlawful and the data subject opposes the erasure of the data;

the Controller no longer needs the personal data for the purposes of processing, but the data subject requires them for the establishment, exercise or defence of legal claims;
the data subject has objected to the processing (until the Data Controller rejects the objection).

During the period of restriction, personal data may continue to be processed, except for storage, inter alia, only with the consent of the data subject or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

6. The right to protest

The data subject may object to processing where the legal basis for the processing is the legitimate interests of the controller or the processing necessary for the performance of a task carried out in the exercise of official authority vested in the controller. In such a case, the Controller may continue to process the data only if it can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subjects or for the establishment, exercise or defence of legal claims.

7. Right to data portability

The data subject shall have the right to receive personal data relating to him or her which he or she has provided to the Controller in a structured, commonly used, machine-readable format and the right to transmit such data to another Controller without hindrance from the Controller to whom the personal data have been provided, if.

the processing is based on consent or a contract; and
the processing is carried out by automated means.

8. Consent-based processing

Where the legal basis for a processing operation is the data subject’s consent pursuant to Article 6(1)(a) of the GDPR, the data subject shall have the right to withdraw the consent previously given to the processing operation at any time. It is important to note, however, that the withdrawal of consent only applies to data for which there is no other legal basis for processing. If there is no other legal basis for the processing of the personal data concerned, in that case, the personal data will be permanently and irrevocably deleted following the withdrawal of consent. The withdrawal of consent shall not affect the lawfulness of the processing carried out on the basis of the consent prior to its withdrawal.

IV. Deadline for action

The data subject may make a request concerning the above rights in writing or by electronic means addressed to the Data Controller using any of the contact details in point 1 of this notice.

The Data Controller shall decide on the request without undue delay, at the latest within one month of its receipt, and shall inform the data subject of the action taken on the request or, if no action is taken, of the reasons for the lack of action, of the possibility of lodging a complaint with the supervisory authority or of seeking judicial redress.

The deadline for action may be extended by a further two months if necessary, taking into account the complexity of the application and the number of requests. The Data Controller shall inform the applicant of the extension, stating the reasons, within one month of receipt of the request.

If the data subject has made his or her request by electronic means, the information will be provided by electronic means unless the data subject requests otherwise.

If the data subject’s request is manifestly unfounded or excessive, the Data Controller may charge a fee or refuse to take action.

If the controller does not act on the data subject’s request, the controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for the failure to act and of the right to lodge a complaint with the supervisory authority and to seek judicial remedy.

The Data Controller shall inform each recipient to whom or with which the personal data have been disclosed of any rectification, erasure or restriction of processing that it has carried out, unless this proves impossible or involves a disproportionate effort. Upon request, the Controller shall inform the data subject of these recipients.

V. Security of data processing

The protection of data subjects’ privacy and compliance with applicable legislation are of utmost importance to the Company and the Bar. Therefore, after conducting a privacy impact assessment on this site, we have compiled a list of the data collected, its necessity and legal basis, and its legal compliance.

To protect the data you provide through the site and the data generated by the site, we use SSL certification (Let’s Encrypt Authority X3 certification) throughout the website.

To protect the site from attack, we use premium security software (iThemes Security Pro) to protect your data from. “brute force” and virus attacks against the stored data.

User data is stored in the site’s databases in encrypted form (pseudonymised) and cannot be read by third parties.

From time to time, it is necessary for our business to provide data to our service partners (e.g. hosting provider, courier company, mailing software). In such cases, we always choose to comply with the GDPR regulation and, in the case of a US-based partner, to participate in the EU-US Privacy Shield initiative and sign a data management contract with them, ensuring responsible data handling.

We will ensure the security of data processing and will take the necessary and appropriate technical and organisational measures to ensure this. We will ensure the confidentiality (e.g. prevention of disclosure, unauthorised access), integrity (alteration, modification), availability (accessibility, recoverability) of your personal data:

The above requirements are met as follows:

we ensure, by means of hardware and software tools, that the tools used for data management (hereinafter referred to as the “Data Management System”) cannot be accessed by unauthorised persons;
electronic data is stored in a locked, password-protected IT system;
prevent the unauthorised reading, copying, modification or removal of data media;
we process personal data only for the time necessary
the IT compliance level is regularly reviewed and, where necessary, improved.

VI. Procedural rules

The Data Controller shall inform the data subject of the action taken on the request pursuant to Articles 15 to 22 of the GDPR without undue delay and in any event within one month of receipt of the request. If necessary, taking into account the complexity of the request and the number of requests, this period may be extended by a further two months.

The data controller shall inform the data subject of the extension of the time limit within one month of receipt of the request, stating the reasons for the delay. Where the data subject has made the request by electronic means, the information shall be provided by electronic means, unless the data subject requests otherwise.

If the controller fails to act on the data subject’s request, the controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for the failure to act and of the possibility for the data subject to lodge a complaint with a supervisory authority and to exercise his or her right of judicial remedy.

The Data Controller shall provide the requested information and data free of charge. Where the data subject’s request is manifestly unfounded or excessive, in particular because of its repetitive nature, the Controller may, taking into account the administrative costs of providing the information or information requested or of taking the action requested, charge a reasonable fee or refuse to act on the request.

The controller shall inform any recipient to whom or with whom the personal data have been disclosed of any rectification, erasure or restriction of processing that it has carried out, unless this proves impossible or involves a disproportionate effort. At the request of the data subject, the controller shall inform him or her of those recipients.

The data controller shall provide the data subject with a copy of the personal data processed. For additional copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. If the data subject has made the request by electronic means, the information shall be provided in electronic form, unless the data subject requests otherwise.

VII. Informing the data subject about the personal data breach

If the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the Data Controller shall inform the data subject of the personal data breach without undue delay.

VIII. Reporting a data protection incident to the authority

The Data Controller shall notify the data protection incident to the supervisory authority competent under Article 55 without undue delay and, where possible, no later than 72 hours after the data protection incident has come to its attention, unless the data protection incident is unlikely to pose a risk to the rights and freedoms of natural persons. If the notification is not made within 72 hours, it shall be accompanied by the reasons justifying the delay.

IX: Possibility to complain

If you have a complaint regarding the processing of your personal data, please contact the Data Controller at the following contact details:

Name of data controller:	Bravo Group Ltd.
Headquarters:	1075 Budapest, Kazinczy utca 9. B. lház. 3. floor. door 6.
Your mailing address:	1075 Budapest, Kazinczy utca 9. B. lház. 3. floor. door 6.

Your email address:

bravogroupkft@gmail.com

If you suffer a breach in connection with the exercise of your rights or the processing of your personal data, you may bring a civil action against the Data Controller. A court of law shall have jurisdiction to rule on the action. Proceedings may be brought before the courts for the place of residence or domicile of the data subject. The court shall rule on the case out of turn. In the event of a finding of infringement, you may claim damages and compensation and the court may order the Data Controller to exercise the rights of the data subject.

For more information and contact details of the courts, please visit: http://birosag.hu/torvenyszekek

Complaintsagainstpossible infringements of the Data Controller may be lodged with the National Authority for Data Protection and Freedom of Information:

National Authority for Data Protection and Freedom of Information

Contact details of the authority:

E-mail: ugyfelszolgalat@naih.hu Phone: +36-1-391-1400

Postal address: 1363 Budapest, PO Box 9 Website: www.naih.hu

E-mail: ugyfelszolgalat@naih.hu

Annex 1

The relevant legislation

In drafting this Notice, the Data Controller has taken into account the applicable laws in force and the main international recommendations, in particular:

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR);
Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information Act CXII of 2011 (Infotv.);
Act C of 2003 on electronic communications;
Act V of 2013 on the Civil Code (Civil Code Act);
Act CXXX of 2016 on the Code of Civil Procedure (Pp).