GDPR

Privacy Policy of

VILLBAU BIZTONSÁGTECHNIKA Kft.

The following information is provided to the visitors of our website and to application users regarding our personal data processing practices, the technical and organizational measures we take to ensure the protection of their data, their related rights, and their possibilities of exercising those rights.

Controller:

VILLBAU BIZTONSÁGTECHNIKA Kft.

(Address: 1182 Budapest, Üllői út 611., Registration Nr.: 01-09-723124, VAT ID: HU13194693, Phone: +3612975125, e-mail: mail@villbau.com) is represented individually by: the Executive Director, hereinafter referred to as Controller.

Processing the data of the visitors to the VILLBAU Website

Information on the use of cookies

Following a common Internet practice, VILLBAU uses cookies on its website. Cookies are small files containing a line of characters which are saved on the visitor’s computer when they visit a website. Should they visit the site again, the cookies enable the website to recognize the visitor’s browser. Cookies can store user settings (e.g. selected language) and other information as well. Among other things, they can collect information about the visitor and his or her device and remember the individual settings of the visitor. Cookies in general ensure that a website can be used more easily, enable users to have a true web experience, and allow the website to become an efficient source of information; furthermore, they enable the operator of the website to monitor the operation of the website, to prevent abuse and to continue providing uninterrupted services at a satisfactory level.

The VILLBAU website collects and processes the following data about the visitor and the device they use for browsing while the webpage is in use:

– the identifier of the product last viewed

From these data the system automatically generates statistical data. The operator does not link these with personal data. It is not compulsory to accept and allow the use of cookies. You may reset your browser so that it bans all cookies or warns you when the system is sending a cookie. Although most browsers automatically accept cookies by default, this setting may be changed to prevent automatic acceptance, so that the browser offers a choice every time.

You can find more information on the cookie settings of the most popular browsers in the links below:

Google Chrome: https://support.google.com/accounts/answer/61416?hl=hu

Firefox: https://support.mozilla.org/hu/kb/sutik-engedelyezese-es-tiltasa-amit-weboldak-haszn

Microsoft Internet Explorer 11: http://windows.microsoft.com/hu-hu/internet-explorer/delete-managecookies#ie=ie-11

Microsoft Internet Explorer 10: http://windows.microsoft.com/hu-hu/internet-explorer/delete-managecookies#ie=ie-10-win-7

Microsoft Internet Explorer 9: http://windows.microsoft.com/hu-hu/internet-explorer/delete-managecookies#ie=ie-9

Microsoft Internet Explorer 8: http://windows.microsoft.com/hu-hu/internet-explorer/delete-managecookies#ie=ie-8

Microsoft Edge: http://windows.microsoft.com/hu-hu/windows-10/edge-privacy-faq

Safari: https://support.apple.com/hu-hu/HT201265

However, please be advised that some of the functions of the website or some of the services offered may not function properly without cookies. The cookies used on the website are not suitable to enable the identification of the user on their own.

The cookies used on the VILLBAU website:

1. Session cookies that are technically indispensable

These cookies are necessary to enable visitors to browse the website and to use all the functions and the services accessible through the website in a fault-free manner, and therefore, among other things, especially to remember the operations carried out at the last visit on the specific webpage. These enable the VILLBAU to remember the choices the user made in connection with the website. Prior to using the service and during the use of the service users can ban this data processing at any time. These data cannot be linked to the personal data of the user and may not be transferred to third parties without the permission of the user. Data processing period of these cookies is 2 hours.

Processed data:

– Language displayed

– Information on accepted privacy policy

– Information on successful login

Legal basis of the processing is the consent of the subject.

1.1. Cookies requiring consent:

Duration of processing: 1 day

1.2. Cookies necessary to facilitate functioning:

The legal basis of the processing is the consent of the visitor. Purpose of data processing: To increase the efficiency of the service, to improve user experience, to make the use of the website more convenient.

Duration of processing: 2 hours

1.3. Performance cookies:

Google Analytics cookies – find more information here:

https://developers.google.com/analytics/devguides/collection/analyticsjs/cookie-usage

Google AdWords cookies – find more information here:

https://support.google.com/adwords/answer/2407785?hl=hu

Registration for the use of personalized functions

The person who registers on the website can provide his or her consent for the processing of his or her personal data by ticking the appropriate box.

Data provided during registration:

– name

– business name

– e-mail address

– preferred language selection

The purpose of personal data processing:

1. Fulfilling the services provided on the website, improving services

2. Keeping contact by electronic, phone, SMS and postal means.

3. Analysing the usage of the website.

4. Use for conducting own research and preparing statistics.

Results generated from these are only published in a form which does not allow the identification of individual users.

Legal basis of the processing is the consent of the data subject.

Recipient of personal data, and categories of recipients: employees of the VILLBAU performing tasks related to its customer service and its marketing activities, as data processors: IT provider of the VILLBAU and its employees dealing with hosting services. Storage period of personal data: as long as registration is valid / the service is provided, or until data subject withdraws his or her consent (requests erasure, which can be sent to mail@villbau.com e-mail address).

Data processing related to the newsletter service

The person who registers on the website for the newsletter service can provide his or her consent for the processing of his or her personal data by pressing the Subscribe button after ticking the appropriate box for providing consent for the processing of data. Data subject can unsubscribe at any time by using the “Unsubscribe” application of the newsletter, or by sending a written declaration via e-mail, which means the withdrawal of the consent. In such cases all data concerning the unsubscribing person must be deleted without delay.

Scope of personal data that can be processed: name of natural person (first and last name), e-mail address.

The purpose of processing the personal data:

1. Sending newsletters about the products and services of the VILLBAU

2. Sending advertising material

3. Communication regarding technical information (updates, new functions, patches)

Legal basis of the processing: the consent of the data subject

Recipient of personal data, and categories of recipients: employees of the VILLBAU performing tasks related to its customer service and its marketing activities, employees of the IT provider of the VILLBAU as data processors with the purpose of providing the hosting service.

Storage period of personal data: as long as the newsletter service is provided, or until data subject withdraws his or her consent (until his or her request for erasure, which can be sent to mail@villbau.com e-mail address).

Community guidelines / Data processing on the Facebook page of the VILLBAU

The VILLBAU maintains a Facebook page in order to raise awareness of and promote its products and services.

Questions submitted on the Facebook page of the VILLBAU do not constitute an official complaint.

The VILLBAU does not process the personal data that the visitors of the Facebook page of the VILLBAU reveal.

Data protection and General terms and conditions of Facebook apply to visitors.

In the event that unlawful or offensive content is posted, the VILLBAU may, without prior notification, ban data subject from the members, or delete their posts.

The VILLBAU does not accept any responsibility whatsoever for data content or posts published by Facebook users that are in breach of legislation. The VILLBAU does not accept any responsibility whatsoever for errors, malfunctions resulting from the operation of Facebook, or for issues resulting from a change in the functioning of the system.

Data processing with the purpose of direct marketing

Unless regulated otherwise by law, advertisements can only be sent to natural person recipients of an advertisement directly (direct marketing), especially by way of electronic correspondence or other, equivalent individual means of communication – with the exception set forth in Act XLVIII of 2008 – if the recipient of the advertisement has provided his or her prior, explicit and unequivocal consent.

Scope of personal data that the VILLBAU may use for direct marketing purposes: name, address, phone number, e-mail address, online identifier of the natural person.

The purpose of processing the personal data is to carry out direct marketing activities related to the operation of the VILLBAU, i.e. the sending of advertising publications, newsletters, current promotions in printed form (by post) or by an electronic means (e-mail) on a regular basis or at intervals to the contact details provided at registration.

Legal basis of the processing: the consent of the data subject

Recipients of personal data, and categories of recipients: employees of the VILLBAU performing tasks related to its customer service activities, as data processors: the employees of the IT provider of the VILLBAU providing server services and in case of postal deliveries, the employees of the Post.

Storage period of personal data: until consent is withdrawn.

Camera System

The legal basis of the data management is the voluntary consent of the data subject, given on the basis of the information the Data Controller provides in the form of warning signs / stickers. Consent may also be given in the form of implied behavior, especially when the data subject enters or stays in the units affected by the CCTV system.

Scope of data subjects: Any natural person in an area monitored by a CCTV system.

Scope and purpose of the data processed:

Image identification

Personal information, identification

The purpose of data management is the protection of property, assets, equipment in the area, the protection of persons and the identification of persons involved, the prevention of accidents in the area and the circumstances of such accidents, the reasons of quality assurance, evidence, guest complaint investigation, etc. The purpose of data management is defined separately for each camera.

Duration of data processing: pursuant to Section 31 (2) of Act CXXXIII of 2005 (3 business days after recording if not used).

Processing the data of contracting partners

Under the legal title of performing a contract, the VILLBAU processes the name, birth name, date of birth, mother’s name, address, tax identification number, tax number, residential address, address of the registered seat and premises, phone number, e-mail address, website URL, bank account number, client number (customer number, order number), online identifier (list of buyers and suppliers, customer loyalty lists) of the natural persons that enter into a contract with the VILLBAU as clients or suppliers, with the purpose of concluding, performing, terminating the contract or in order to provide contractual discounts. This data processing is lawful even if it is necessary for the implementation of the measures that data subject requested prior to entering into contract. Recipient of personal data: employees of the VILLBAU performing tasks related to serving customers, its employees performing accounting and taxation-related tasks, and its data processors. The duration of personal data processing: 5 years after the agreement terminated.

Data subject must be notified that the legal basis of the processing is the performing of the contract, this notification may be made in the agreement, as well.

Data subject must be notified that his or her personal data are forwarded to the data processor.

Contact details of natural persons who represent legal entities as clients, buyers, suppliers

Scope of the processed personal data: name, address, phone number, e-mail address of the natural person.

The purpose of processing the personal data: performing the contract the VILLBAU entered into with its partner who is a legal entity, maintaining business contact. Service Provider processes the personal data in accordance with Article 6 section (1) point f) of GDPR and the legal basis is its legitimate interest in establishing and maintaining business relations. Recipient of personal data, and categories of recipients: employees of the VILLBAU performing tasks related to its customer service.

Personal data are stored for five years after the business relation existed, or after the data subject acted as point of contact.

Data transmission

The processing of personal data is basically done by the Data Controller or, if the task is outsourced, in accordance with Annex I of the Code. provided by the data processor (s) specified in Annex II. In this case, Data Controller transfers the data to the data processors and is responsible for the data processor’s activities.

The Data Controller may forward the Data specified by the Data Subject to its Client’s Affiliates if the legal basis of the data processing is clear (e.g. the data subject has given his or her prior and voluntary consent) and the data are indispensable for judging or filling the position.

The Service Provider may use a data processor (e.g. system operator, carrier company, accountant) for the operation of the IT system, fulfillment of orders and settlement of accounts. The Service Provider shall not under any circumstances be responsible for the data management practices of such third parties.

Name of data processor:

Company Name | Address | Occupation
Koczián és Koczián Kft. | 1185 Budapest, Üllői út 668. | Bookkeeping
Magyar Telekom Nyrt. | 1047 Budapest, Váci út 19.; H-1097 Budapest, Könyves Kálmán krt. 36. | Web, email service provider
KRONOS Trade Kft. | Budapest, Alkotmány u. 20, 1054 | Accounting software provider
ITS Logistics Hungary | 2220 Vecses, Hungary Almaskert u. 4. | Delivery services
TNT Express Hungary Kft. | H-1185 Budapest International Airport Terminal 1 | Delivery services
GLS General Logistics Systems Hungary Kft. | 2351 Alsónémedi, GLS Európa utca 2. | Delivery services

INFORMATION ON THE RIGHTS OF THE DATA SUBJECT

Right to preliminary notification

Data subject has the right to receive information on the facts and information related to the processing before the processing begins.

A) Information to be provided where personal data are collected from the data subject

1. Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with all of the following information:

a) the identity and the contact details of the controller and, where applicable, of the controller’s representative;

b) the contact details of the data protection officer, where applicable;

c) the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;

d) where the processing is based on point (f) of Article 6(1) (pursuing legitimate interests), the legitimate interests pursued by the controller or by a third party;

e) the recipients or categories of recipients of the personal data, if any;

f) where applicable, the fact that the controller intends to transfer personal data to a third country or international organization and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available.

2. In addition to the information referred to in paragraph 1, the controller shall, at the time when personal data are obtained, provide the data subject with the following further information necessary to ensure fair and transparent processing:

a) the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;

b) the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability;

c) where the processing is based on point (a) of Article 6(1) of the Regulation (data subject’s consent) or point (a) of Article 9(2) of the Regulation (data subject’s consent), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;

d) the right to lodge a complaint with a supervisory authority;

e) whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data;

f) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) of the Regulation and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

3. Where the controller intends to further process the personal data for a purpose other than that for which the personal data were collected, the controller shall provide the data subject prior to that further processing with information on that other purpose and with any relevant further information as referred to in paragraph 2.

4. Paragraphs 1, 2 and 3 shall not apply where and insofar as the data subject already has the information. (Regulation Art. 13)

B) Information to be provided where personal data have not been obtained from the data subject

1. Where personal data have not been obtained from the data subject, the controller shall provide the data subject with the following information:

a) the identity and the contact details of the controller and, where applicable, of the controller’s representative;

b) the contact details of the data protection officer, where applicable;

c) the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;

d) the categories of personal data concerned;

e) the recipients or categories of recipients of the personal data, if any;

f) where applicable, that the controller intends to transfer personal data to a recipient in a third country or international organization and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means to obtain a copy of them or where they have been made available.

2. In addition to the information referred to in paragraph 1, the controller shall provide the data subject with the following information necessary to ensure fair and transparent processing in respect of the data subject:

a) the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;

b) where the processing is based on point (f) of Article 6(1) (legitimate interest), the legitimate interests pursued by the controller or by a third party;

c) the existence of the right to request from the controller access to and rectification or erasure of the personal data concerning him or her, as well as to restrict or to object to the processing of the personal data concerning the data subject, as well as the right to data portability;

d) where the processing is based on point (a) of Article 6(1) of the Regulation (data subject’s consent) or point (a) of Article 9(2) of the Regulation (data subject’s consent), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;

e) the right to lodge a complaint with a supervisory authority;

f) from which source the personal data originate, and if applicable, whether it came from publicly accessible sources; and

g) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) of the Regulation and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

3. The controller shall provide the information referred to in paragraphs 1 and 2:

a) within a reasonable period after obtaining the personal data, but at the latest within one month, having regard to the specific circumstances in which the personal data are processed;

b) if the personal data are to be used for communication with the data subject, at the latest at the time of the first communication to that data subject; or

c) if a disclosure to another recipient is envisaged, at the latest when the personal data are first disclosed.

4. Where the controller intends to further process the personal data for a purpose other than that for which the personal data were obtained, the controller shall provide the data subject prior to that further processing with information on that other purpose and with any relevant further information as referred to in paragraph 2.

5. Paragraphs 1 to 4 shall not apply where and insofar as:

a) the data subject already has the information;

b) the provision of such information proves impossible or would involve a disproportionate effort, in particular for processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to the conditions and safeguards referred to in Article 89(1) of the Regulation or in so far as the obligation referred to in paragraph 1 of this Article is likely to render impossible or seriously impair the achievement of the objectives of that processing. In such cases the controller shall take appropriate measures to protect the data subject’s rights and freedoms and legitimate interests, including making the information publicly available;

c) obtaining or disclosure is expressly laid down by Union or Member State law to which the controller is subject and which provides appropriate measures to protect the data subject’s legitimate interests; or

d) the personal data must remain confidential subject to an obligation of professional secrecy regulated by Union or Member State law, including a statutory obligation of secrecy. (Regulation Art. 14)

Data subject’s right to access

1. The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:

a) the purposes of data processing;

b) the categories of personal data concerned;

c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations;

d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;

e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;

f) the right to lodge a complaint with a supervisory authority;

g) where the personal data are not collected from the data subject, any available information as to their source;

h) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) of the Regulation, and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

2. Where personal data are transferred to a third country or to an international organization, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 of the Regulation relating to the transfer.

3. The controller shall provide the data subject with a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form. The right to obtain a copy shall not adversely affect the rights and freedoms of others. (Regulation Art. 15)

Right to erasure (“the right to be forgotten”)

1. The data subject shall have the right to obtain from the Controller the erasure of personal data or personal account concerning him or her without undue delay, and Controller shall be obliged to erase the personal data concerning the data subject without undue delay, where one of the following grounds applies:

a) personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2) of the Regulation, and where there is no other legal ground for the processing;

c) the data subject objects to the processing pursuant to Article 21(1) of the Regulation and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);

d) the personal data have been unlawfully processed;

e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;

f) the personal data have been collected in relation to the offer of information society services referred to in Article 8(1) of the Regulation;

g) the personal account (ENICOM application) is no longer needed.

2. Where the controller has made the personal data public and is obliged pursuant to paragraph 1 to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

3. Paragraphs 1 and 2 shall not apply to the extent that processing is necessary:

a) for exercising the right of freedom of expression and information;

b) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

c) for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3) of the Regulation;

d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or

e) for the establishment, exercise or defence of legal claims. (Regulation Art. 17)

4) Users can indicate their intention to delete their account at the following email address: support@villbau.com.

Right to restriction of processing

1. The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:

a) the accuracy of the personal data is contested by the data subject, in this case the restriction is for a period enabling the controller to verify the accuracy of the personal data;

b) the processing is unlawful, and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;

c) the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;

d) the data subject has objected to processing pursuant to Article 21(1); in this case the restriction is for the period until it is verified whether or not the legitimate grounds of the controller override those of the data subject.

2. Where processing has been restricted under paragraph 1, such personal data shall, with the exception of storage, only be processed with the data subject’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

3. A data subject who has obtained restriction of processing pursuant to paragraph 1 shall be informed by the controller before the restriction of processing is lifted. (Regulation Art. 18)

Right to data portability

1. The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:

a) the processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) or on a contract pursuant to point (b) of Article 6(1); and

b) the processing is carried out by automated means.

2. In exercising his or her right to data portability pursuant to paragraph 1, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.

3. The exercise of this right shall be without prejudice to Article 17 of the Regulation. That right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

4. The right referred to in paragraph 1 shall not adversely affect the rights and freedoms of others. (Regulation Art. 20)

Right to object

1. The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) of Article 6(1) of the Regulation (processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller) or point (f) (processing is necessary for pursuing the legitimate interests of controller or a third party), including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

2. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.

3. Where the data subject objects to processing of personal data for direct marketing purposes, the personal data shall no longer be processed for such purposes.

4. At the latest at the time of the first communication with the data subject, the right referred to in paragraphs 1 and 2 shall be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information.

5. In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the data subject may exercise his or her right to object by automated means using technical specifications.

6. Where personal data are processed for scientific or historical research purposes or statistical purposes pursuant to Article 89(1) of the Regulation, the data subject, on grounds relating to his or her particular situation, shall have the right to object to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest. (Regulation Art. 21)

Automated individual decision-making, including profiling

1. The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

2. Paragraph 1 shall not apply if the decision:

a) is necessary for entering into, or performance of, a contract between the data subject and a data controller;

b) is authorized by Union or Member State law to which the controller is subject, and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or

c) is based on the data subject’s explicit consent.

3. In the cases referred to in points (a) and (c) of paragraph 2, the data controller shall implement suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, including at least data subject’s right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.

4. Decisions referred to in paragraph 2 shall not be based on special categories of personal data referred to in Article 9(1) of the Regulation, unless point (a) or (g) of Article 9(2) applies and suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests are in place. (Regulation Art. 22)

Restrictions

1. Union or Member State law to which the data controller or processor is subject may restrict by way of a legislative measure the scope of the obligations and rights provided for in Articles 12 to 22 and Article 34, as well as Article 5 in so far as its provisions correspond to the rights and obligations provided for in Articles 12 to 22, when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard:

a) national security;

b) defence;

c) public security;

d) the prevention, investigation, detection or prosecution of criminal offenses or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security;

e) other important objectives of general public interest of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, including monetary, budgetary and taxation matters, public health and social security;

f) the protection of judicial independence and judicial proceedings;

g) the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions;

h) a monitoring, inspection or regulatory function connected, even occasionally, to the exercise of official authority in the cases referred to in points (a) to (e) and (g);

i) the protection of the data subject or the rights and freedoms of others;

j) the enforcement of civil law claims.

2. In particular, any legislative measure referred to in paragraph 1 shall contain specific provisions at least, where relevant, as to:

a) the purposes of the processing or categories of processing;

b) the categories of personal data;

c) the scope of the restrictions introduced;

d) the safeguards to prevent abuse or unlawful access or transfer;

e) the specification of the controller or categories of controllers;

f) the storage periods and the applicable safeguards taking into account the nature, scope and purposes of the processing or categories of processing;

g) the risks to the rights and freedoms of data subjects; and

h) the right of data subjects to be informed about the restriction, unless that may be prejudicial to the purpose of the restriction. (Regulation Art. 23)

Communication of a personal data breach to the data subject

1. When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, Controller shall communicate the personal data breach to the data subject without undue delay.

2. The communication to the data subject referred to in paragraph 1 of this Article shall describe in clear and plain language the nature of the personal data breach and contain at least the information and measures referred to in points (b), (c) and (d) of Article 33(3) of the Regulation.

3. The communication to the data subject referred to in paragraph 1 shall not be required if any of the following conditions are met:

a) the controller has implemented appropriate technical and organizational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorized to access the personal data, such as encryption;

b) the controller has taken subsequent measures after the personal data breach which ensure that the high risk to the rights and freedoms of data subjects referred to in paragraph 1 is no longer likely to materialize;

c) communication would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.

4. If the controller has not already communicated the personal data breach to the data subject, the supervisory authority, having considered the likelihood of the personal data breach resulting in a high risk, may require it to do so or may decide that any of the conditions referred to in paragraph 3 are met. (Regulation Art. 34)

Right to lodge a complaint with a supervisory authority

1. Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes this Regulation.

2. The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Article 78. (Regulation Art. 77)

The supervisory authority in Hungary is the National Authority for Data Protection and Freedom of Information. The detailed statutory regulations to be applied are included in Act CXII of 2011 on Informational Self-determination and Freedom of Information.

Right to an effective judicial remedy against a supervisory authority

1. Without prejudice to any other administrative or non-judicial remedy, each natural or legal person shall have the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning them.

2. Without prejudice to any other administrative or non-judicial remedy, each data subject shall have the right to an effective judicial remedy where the supervisory authority which is competent pursuant to Articles 55 and 56 does not handle a complaint or does not inform the data subject within three months on the progress or outcome of the complaint lodged pursuant to Article 77.

3. Proceedings against a supervisory authority shall be brought before the courts of the Member State where the supervisory authority is established.

4. Where proceedings are brought against a decision of a supervisory authority which was preceded by an opinion or a decision of the Board in the consistency mechanism, the supervisory authority shall forward that opinion or decision to the court. (Regulation Art. 78)

Right to an effective judicial remedy against a controller or a data processor

1. Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority pursuant to Article 77 of the Regulation, each data subject shall have the right to an effective judicial remedy where he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data in non-compliance with this Regulation.

2. Proceedings against a controller or a processor shall be brought before the courts of the Member State where the controller or processor has an establishment. Such proceedings may be brought before the courts of the Member State where the data subject has his or her habitual residence, unless the controller or processor is a public authority of a Member State acting in the exercise of its public powers. (Regulation Art. 79)

LODGING A REQUEST BY DATA SUBJECT, CONTROLLER’S MEASURES

1. The controller shall provide to the data subject information on the measures taken in response to his/her request for the exercising of his or her rights without undue delay but under no circumstances later than one month after the receipt of such a request.

2. That period may be extended by two further months where necessary, taking into account the complexity and the number of the requests. The controller shall inform the data subject of any such extension no later than one month after the request has been received and shall provide the reasons for the delay.

3. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information, where possible, shall be provided by electronic means.

4. If the controller does not take action on the request of the data subject, it shall inform the data subject of the reasons for not taking action without delay but not later than one month after the request has been received and shall inform the data subject of the possibility of lodging a complaint with a supervisory authority or seeking a judicial remedy.

5. The data controller shall provide the information pursuant to Articles 13 and 14 of the Regulation and the information on the rights of the data subject (Articles 15 to 22 and 34 of the Regulation) without a fee. If the request of the data subject is unquestionably unfounded or excessive, especially due to its repetitive nature, the controller may deny action in response to the request. The burden of proof for determining the unquestionably unfounded or excessive nature of the request shall be borne by the controller.

6. Where the controller has reasonable doubts concerning the identity of the natural person exercising the rights of the data subject, the controller may request the provision of additional information necessary to confirm the identity of the data subject.

DATA SECURITY

Controller ensures data security. To this end, it shall take the technical and organizational measures and procedures necessary to enforce applicable laws, data protection and confidentiality rules.

The Controller shall protect the data by appropriate measures against unauthorized access, alteration, transmission, disclosure, deletion or destruction, accidental destruction and damage, or inaccessibility due to changes in the technology used.

The Data Controller (also) ensures data security through its internal rules, instructions and procedures, which are separate from the Data Protection and Data Security Regulations and this Prospectus.

The Data Controller shall, when defining and applying data security measures, take into account the state of the art and shall choose, from among several possible data management solutions, the one that provides a higher level of protection of personal data, unless this would entail disproportionate difficulty.

In particular, in the context of its IT security responsibilities, the Data Controller shall ensure:

  • Measures to protect against unauthorized access, including protection of software and hardware devices, and physical protection (access protection, network protection);

  • Measures to ensure that data files can be restored, including regular backup and separate secure management of copies (mirroring, backup);

  • Protection of data files against viruses (virus protection);

  • Physical protection of data files and their storage media, including protection against fire, water, lightning, and other material damage, and recoverability from such events (archiving, fire protection).

The Data Controller reserves the right to change the Prospectus in order to adapt it to the legislative background, the Rules and other internal regulations as amended in the meantime.
