Privacy Policy
The data controller responsible for your personal data is:
Rózsaszín Elefánt Ügynökség Korlátolt Felelősségű Társaság.
8230 Balatonfüred, Tamási Áron utca 15. B épület
19-09-524146
32416095-2-19
Representative: Péter Bárány, Managing Director
E-mail: info@rozsaszinelefant.com Home Page: www.rozsaszinelefant.com
THE PURPOSE OF THIS NOTICE
This data protection notice (hereinafter: Notice) has been prepared taking into account the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council (hereinafter: "GDPR") on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). In this Notice, the Company briefly presents how it collects personal data, how it uses them, and informs you, as the data subject, about your choices regarding the use of the information and the proper protection of your data.
The Company does not collect personal data through its website, except insofar as the visitor of the website voluntarily provides them or they are necessary for the conclusion of a contract or the execution of the desired activity. By using the Company’s website and other services, you accept the Privacy Notice and thereby consent to the Company processing your personal data in accordance with this and the supplementary Statements.
The consent statement is one of the most important factors of data processing. You have the right to decide not to provide the Company with any personal data about yourself; however, in this case, it is possible that you will not be able to access the Company’s services or certain parts of its website. The consent statement is given by using the appropriate function of the website and clicking the corresponding button. The consent statement can be withdrawn in accordance with the provisions of this notice, but this does not necessarily mean the termination of data processing, taking into account the legal bases for data processing set out below.
TERMS USED IN THE NOTICE
Unless otherwise stated, the terms used in the Notice correspond to the terms and their interpretations defined in the Infotv. and the GDPR.
PRINCIPLES REGARDING THE PROCESSING OF PERSONAL DATA
At the Company, the processing of personal data is carried out based on the following principles:
- The Company processes data lawfully and fairly, as well as in a transparent manner for the data subject. To this end, the Company communicates to its clients and employees the data protection rules it applies in its business and internal processes through the Privacy Notice and case-specific data protection notices attached to various documents. ("principle of lawfulness, fairness, and transparency")
- The collection of personal data may only take place for clear and lawful purposes, and further processing may only be carried out in accordance with these purposes. ("principle of purpose limitation")
- Data processing must always be appropriate and relevant to the intended purposes and limited to what is necessary. ("principle of data minimization")
- The processed data must be accurate and up-to-date throughout the entire workflow; therefore, the Company takes all reasonable measures to correct or, if necessary, delete inaccurate personal data as soon as possible. ("principle of accuracy")
- The Company processes personal data only until the achievement of the purposes or the existence of the legal basis, except in cases where further processing is required by law. ("limited storage principle")
- The Company ensures, by appropriate technical and organizational measures, the security of the processed personal data against data protection incidents. ("principle of integrity and confidentiality")
- The Company is responsible for ensuring that its data security rules and data processing practices based on them comply with the provisions of the Infotv. (Hungarian Data Protection Act) and the GDPR and that it can demonstrate compliance. ("principle of accountability")
The Company’s website, as a service provider, is intended for persons who have reached the age of 18 due to the nature of the events.
THE PURPOSE OF THE COMPANY’S DATA PROCESSING
The fundamental purpose of the Company’s data processing is to carry out and facilitate the Company’s commercial activities, send newsletters, provide information about commercial promotions, sell products and offer services related to the products, fulfill contracts, enforce rights arising from contracts, and fulfill obligations in accordance with the applicable laws.
LEGAL BASES FOR THE COMPANY’S DATA PROCESSING
The legal bases for the Company's personal data processing are as follows:
- The voluntary and explicit consent of the data subject.
- The data processing is based on legal regulations.
- Data processing is necessary for the performance of a contract to which the data subject is a party, or for taking steps at the request of the data subject prior to entering into a contract.
- Data processing is necessary for the legitimate interests pursued by the data controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data. In such cases, the Company always conducts the necessary risk assessment and decides on data processing based on the results.
DATA PROCESSING ACTIVITIES CARRIED OUT BY THE COMPANY
Customers and other partners who contact the Company provide the following data:
- In the case of a legal entity or an entity without legal personality: the partner’s name, registered office, company registration number, tax number, phone number, email address, and the name of the natural person contact.
- In the case of a natural person: the partner’s name, address, phone number, email address (and other personal data).
- In the case of purchasing goods or services: data required by the relevant tax and accounting regulations.
Depending on the service, the range of provided data may vary.
The Provider’s websites use cookies during visits, about which the website informs visitors in detail through this privacy policy. The cookies store the web connection’s Session ID, the contents of the shopping cart during orders, as well as customizable display settings of the web interface. The Provider uses these cookies solely to ensure the provision of IT services and the proper functioning and display of the website. Detailed terms related to cookies are outlined in the Data Management and Data Security Policy. Further characteristics and types of data processing carried out by the Company, as well as the duration of data processing and the persons authorized to access the data, are detailed in the Data Management and Data Security Policy.
DATA SECURITY
The Company has designed and carries out its data processing operations in a manner that ensures the protection of the data subjects' privacy, fundamental rights, and freedoms in accordance with the Info Act, the GDPR, and other data protection regulations. Within this framework, the Company ensures the security of stored and otherwise processed data, protecting them from unauthorized access, alteration, transmission, disclosure, deletion, accidental or unauthorized destruction, loss, damage, or becoming inaccessible.
The Company, during its data processing and related organizational activities, takes into account the current state and development of science and technology, striving to ensure and maintain data security by applying the most secure and risk-appropriate technology to protect the rights and freedoms of natural persons. The Company conducts electronic data processing. Data recorded electronically is stored on computer servers; the objectives and efforts described regarding data security are applied and taken into consideration in all methods of data processing.
LIMITATION OF THE DATA CONTROLLER’S LIABILITY
In addition to the above, the Company does not accept responsibility for any actions committed by any domestic or foreign legal entity, natural person, or organization without legal personality, whether directly or indirectly, based on the data or information available on or accessed through the website, regardless of whether such data or information is provided by the Company or others. The Company is not liable for unauthorized data use resulting from the unlawful breach of its database or system by an unauthorized user, who thereby gained access to data through such illegal activity.
DATA TRANSFER
The Company, upon an official request and to the extent defined therein, provides data services to the court, prosecutor’s office, investigative authority, administrative offense authority, administrative authority, or other authorities and bodies specified by law, to the necessary extent for fulfilling the request. The data controller maintains a data transfer register for the purpose of verifying the legality of data transfers and informing the data subject, which includes the date of the data transfer, the legal basis and recipient of the data transfer, the scope of the personal data transferred, and other data specified by the legislation governing data processing.
ENSURING THE RIGHTS OF THE DATA SUBJECTS
The Company places special emphasis, including through the issuance of this Notice, on ensuring that the data subject receives thorough and clear information about all essential circumstances related to the processing of their personal data, as well as the procedural rules, which are elaborated in more detail in the Data Management and Data Security Policy. If the Company collects the data directly from the data subject, it provides this information at the start of the collection. If the data collection originates from another source, the Company informs the data subject within a reasonable time, no later than one month from the acquisition of the data, or at the first contact with the data subject. (“the data subject’s right to be informed”)
The Company ensures that the data subject receives feedback about whether the processing of their personal data is ongoing, and what the purpose of the processing is at any given stage. Furthermore, the data subject is entitled to receive information about all matters disclosed to them by the Company at the start of the data processing. (“the data subject’s right of access”)
The Company is obliged, upon request by the data subject or upon its own observation, to promptly rectify any inaccurate personal data concerning the data subject. The data subject also has the right to request the completion of their personal data, taking into account the purpose of the data processing. (“the data subject’s right to rectification”)
If any personal data is subject to restriction at the Company, it may only be processed, other than for storage, with the data subject’s consent or for the purpose of exercising legal claims, or to protect the rights of another natural or legal person. (“the data subject’s right to restriction of processing”)
The Company, in every case where rectification, deletion, or restriction of data processing occurs regarding the personal data it manages, informs all recipients to whom the personal data has been disclosed, so that the recipients can also take the necessary measures concerning the data.
Upon the data subject’s request, the Company ensures that the personal data relating to them and provided to the Company are provided to them in a structured, commonly used, machine-readable format, and upon the data subject's request, the Company also transfers this data to another data controller designated by the data subject. (“the data subject's right to data portability”)
The Company ensures, if applicable, that the data subject can object to the processing of their personal data for direct marketing purposes. In such cases, the personal data can no longer be processed for this purpose. (“the data subject's right to object”)
LEGAL REMEDIES
Withdrawal of Consent
The data subject has the right to withdraw their consent, provided that they acknowledge that the Service will cease or will no longer continue in the same quality as before, according to the Company's notification.
Request for Information
Upon the data subject's request, the Company provides information about the personal data it processes concerning them, the purpose, legal basis, and duration of the data processing, as well as who has received or will receive their data and for what purpose. The data controller shall provide the requested information in writing within fifteen (15) days from the submission of the request.
Correction, Deletion, Restriction
The data subject has the right to request the correction or deletion of incorrectly recorded data at any time. Deletion does not apply to data processing required by law (e.g., accounting regulations), which the Company retains for the necessary period.
Personal data must be deleted if:
- a) its processing is unlawful;
- b) the data subject requests it (except if data processing is based on a mandatory legal provision);
- c) the data is incomplete or incorrect, and this condition cannot be lawfully remedied, provided that deletion is not excluded by law;
- d) the purpose of the data processing has ceased, or the statutory retention period of the data has expired (except for data that must be transferred to archival custody under laws protecting archival materials);
- e) it is ordered by a court or the National Authority for Data Protection and Freedom of Information (NAIH).
Instead of deletion, the Company shall block (restrict) the personal data if the data subject requests it, or if based on the available information it can be assumed that deletion would infringe the legitimate interests of the data subject. Such blocked personal data may only be processed as long as the purpose of data processing that excludes the deletion of the personal data continues to exist.
The Company shall mark the personal data it processes if the data subject disputes its correctness or accuracy, but the incorrectness or inaccuracy of the disputed personal data cannot be clearly established.
The data subject, as well as all parties to whom the data was previously transferred for data processing purposes, must be informed about the correction, restriction, or deletion of the data. Notification may be omitted if, considering the purpose of the data processing, it does not violate the legitimate interests of the data subject.
If the Company does not comply with the data subject’s request for correction, restriction, or deletion, it shall provide the factual and legal reasons for rejecting the request in writing within 25 (twenty-five) days of receiving the request. In the event of rejection, the Company shall inform the data subject of the possibility of judicial remedy and the right to lodge a complaint with the National Authority for Data Protection and Freedom of Information (NAIH).
Objection
The data subject may object to the processing of their personal data,
- a) if the processing or transfer of personal data is necessary solely for the fulfillment of the Company’s legal obligation or for the enforcement of the legitimate interests of the data recipient or a third party, except in the case of mandatory data processing;
- b) if the use or transfer of personal data is for the purposes of direct marketing, public opinion polling, or scientific research; and
- c) in other cases specified by law.
The Company shall examine the objection within the shortest possible time from the submission of the request, but no later than within fifteen (15) days, make a decision regarding its merits, and inform the applicant of its decision in writing.
If the Company finds the data subject’s objection to be well-founded, it shall terminate the data processing — including any further data collection and transmission — and shall block the data. Furthermore, the Company shall notify all parties to whom it previously transmitted the Subscriber’s personal data about the objection and the measures taken based on it, so that those parties may also act to enforce the data subject’s right to object.
Compensation
The Company is obliged to compensate for any damage caused to another party by the unlawful processing of the data subject’s personal data or by the breach of data security requirements. The Company shall be exempt from liability if it proves that the damage was caused by an unavoidable reason outside the scope of the data processing. If the data subject provided the data of a third party during registration for the purpose of using the Service, or caused damage in any way while using the Service, the Company is entitled to claim compensation from the Subscriber. In such cases, the Company shall provide all reasonable assistance to the competent authorities in order to identify the infringing person.
The data subject may exercise their rights via the following contact details: hello@rozsaszinelefant.com.
If the data subject does not agree with the decision of the Company, or if the Company fails to meet the deadline set out in the Info. Act, the data subject may turn to a court within 30 (thirty) days from the date of notification of the decision or from the last day of the deadline.
The data subject may enforce their rights before a court in accordance with the Info. Act and the Civil Code (Act V of 2013), and may also contact the National Authority for Data Protection and Freedom of Information (NAIH) (1125 Budapest, Szilágyi Erzsébet fasor 22/C, http://www.naih.hu/uegyfelszolgalat,-kapcsolat.html) in the event of any complaint regarding the data processing practices of the data controller.
Data Processing Register
The Company, as data controller, keeps a record of data processing activities, which includes the following:
- the name and contact details of the Data Controller; the designation and purpose of the data processing; description of the categories of data subjects; description of the categories of personal data; in case of data transfers, the categories of recipients; the intended time limits for data retention; the method of data storage.
DATA PROTECTION INCIDENT
A data protection incident is defined as a security breach that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, transmitted, stored, or otherwise processed personal data. The Company shall report the occurrence of the data protection incident to the Authority within 72 hours of becoming aware of the incident, in accordance with data protection laws, including Article 32(3) of the GDPR, and in the manner, content, and form required by the Authority. If the data protection incident is likely to result in a high risk to the rights and freedoms of natural persons, Rózsaszín Elefánt Ügynökség Kft. shall promptly inform the data subject concerned. If the data protection incident does not pose a risk to the rights and freedoms of natural persons, the Company may refrain from notifying the Authority. The Company maintains a record of data protection incidents, including the date of occurrence, other relevant facts related to the incident, its effects, and the measures taken to remedy the incident.
Amendment of the Privacy Policy
The Company, as the data controller, reserves the right to review this Privacy Notice from time to time and to amend it at any time by unilateral decision. By using the Website, the user acknowledges this.