GEDÓ BENJÁMIN INDIVIDUAL ENTREPRENEUR

AS

 DATA PROCESSOR

 DATA PROCESSING NOTICE

on the rights of the natural person concerned with the processing of his/her personal data pursuant to the General Data Protection Regulation of the European Union 2016/679

 2025

 Data processing information

 on the rights of the natural person concerned with the processing of his/her personal data pursuant to the General Data Protection Regulation of the European Union 2016/679

1. INTRODUCTION

REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Regulation 95/46/EC (hereinafter: GDPR, or Regulation, General Data Protection Regulation) requires that the Data Controller shall take appropriate measures to provide the data subject with any information relating to the processing of personal data in a concise, transparent, intelligible and easily accessible form, in clear and plain language, and that the Data Controller shall facilitate the exercise of the data subject's rights.

The obligation of prior information of the data subject is also prescribed by Act CXII of 2011 on the right to informational self-determination and freedom of information.

We comply with this legal obligation by providing the information below.

The information publication must be made known to the Data Subjects through

The Data Controller qualifies as a data controller under the Regulation, and the regulations of the Regulation also apply to personal data processed by the Data Controller.

2. PURPOSE OF THE POLICY

Gedo Benjamin ev. as data controller for its guests, prospective guests, or other affected natural persons make it transparent the data processing procedures followed when using the services provided by it, the principles and rules related to the protection of natural persons with regard to the processing of their personal data shall apply regardless of the nationality and place of residence of the natural persons. The fundamental objective of the Data Controller is to respect the fundamental rights and freedoms of these natural persons in all cases, in particular as regards their right to the protection of their personal data.

3. APPLICABLE LEGISLATION

With regard to issues and topics not discussed in the Information, the provisions of the relevant laws shall prevail and shall be interpreted in conjunction with them.

When developing the provisions of the Notice, the Data Controller took into particular consideration:

• Regulation 2016/679 of the European Parliament and of the Council (the “General Data Protection Regulation” or “GDPR”),
• Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information (“Infotv”),
• Act V of 2013 on the Civil Code (“Civil Code”)
• Act I of 2012 on the Labor Code (“Act I”)

4. SCOPE OF THE INFORMATION

The scope of this Data Management Notice covers all data processing related to the provision of the Data Controller's service.

5. MODIFICATION OF THE INFORMATION

The Data Controller reserves the right to unilaterally amend the Information.
The current Notice is available on the Data Controller's website (https://gedocoaching.com), and the Data Controller can be requested to send it at any time.

Amendments to the Notice shall enter into force upon publication on the website.

6. DATA CONTROLLER DATA

If you would like to contact our Data Controller, you can contact the Data Controller at the following contact details:

Name of the data controller: Gedó Benjámin year.
Tax number: 57797481-1-26
Registered office: 6791 Szeged, Öreghegydűlő 7602 hrsz.
E-mail: gedo1021@gmail.com

Gedó Benjámin participates in the data management processes as the actual data controller.

7. DEFINITION OF DATA PROTECTION TERMS

1. "Affected": any specific natural person identified or identifiable – directly or indirectly – on the basis of personal data; by way of example, a natural person using the services of the Data Controller, the requester, the job applicant, the Data Controller's Employees and Partners, etc. Each data processing precisely defines the groups of data subjects.
2. “Personal data”: any information relating to an identified or identifiable natural person (i.e. the data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, a number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; such data include, for example, name, address, telephone number, etc.
3. "Contribution": the voluntary and definite expression of the data subject's will, based on adequate information, by which he or she gives his or her unambiguous consent to the processing of personal data concerning him or her, in full or in relation to certain operations; thus, consent has 3 basic elements: voluntariness, definiteness, and adequate information; in practice, this means a declaration of consent to data processing.
4. "Protest": the statement of the data subject objecting to the processing of his or her personal data and requesting the termination of the processing or the deletion of the processed data;
5. “Data Controller”: the natural or legal person or an organization without legal personality who, alone or jointly with others, determines the purposes of the processing of data, makes and implements decisions relating to the processing of data (including the means used), or has them implemented by the processor; the Data Controller is the legal person defined above.
6. “Data processing”: any operation or set of operations performed on data, regardless of the method used, including in particular collection, recording, recording, organization, storage, alteration, use, retrieval, transmission, disclosure, alignment or combination, restriction, erasure and destruction, as well as preventing further use of the data, taking photographs, audio or video recordings, and recording physical characteristics (e.g. fingerprints or palm prints, DNA samples, iris images) suitable for identifying a person; for example, data processing related to contact, cookie management of the Websites, etc.
7. “Data transfer”: making the data accessible to a specific third party;
8. "Publication": making the data accessible to anyone;
9. “Data deletion”: making the data unrecognizable in such a way that its recovery is no longer possible;
10. “Data Lock”: marking the data with an identification mark for the purpose of limiting its further processing permanently or for a specified period of time;
11. “Data designation”: providing the data with an identification mark for the purpose of distinguishing it;
12. “Data destruction”: complete physical destruction of the data medium containing the data, such as shredding the document containing the data;
13. "Data processing": the performance of technical tasks related to data processing operations, regardless of the method and means used to perform the operations and the place of application, provided that the technical task is performed on the data; for the sake of clarity, data processing is the provision of cloud services, using an illustrative list;
14. “Data Processor”: the natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller
15. "Third person": a natural or legal person or an organization without legal personality who is not the same as the data subject, the data controller or the data processor;
16. "Third country": any state that is not an EEA state;
17. “Data protection incident”: a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed; e.g., the result of hacking, ransomware, data leakage, data theft
18. “Restriction of data processing”: marking stored personal data with the aim of restricting their future processing;
19. “Third party”: a natural or legal person or an organisation without legal personality who is not the same as the data subject, the controller or the processor, or the persons who, under the direct control of the controller or processor, are authorised to process personal data;

20. “Profiling”: any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal characteristics relating to a natural person, in particular to analyse or predict characteristics relating to performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements; such processing is not carried out by the Data Controller.
21. "Partner": legal entities using the Data Controller's services on a contractual basis and/or facilitating the performance of the Data Controller's services (performance assistants), business entities without legal personality, to which the Data Controller - after the consent of the data subject - transfers or may transfer personal data, or which perform or may perform data storage, processing, related IT and other activities facilitating secure data management for the Data Controller;
22. “Coworker”: a natural person in a contractual, employment or other legal relationship with the Data Controller, who is entrusted with the task of providing and fulfilling the Data Controller's services and who comes into contact or may come into contact with personal data during his/her data management or data processing tasks and for whose activities the Data Controller assumes full responsibility towards the personal circle of the data subjects and third parties;
23. "Website": THE https://gedocoaching.com website, which is managed and maintained by the data controller.

8. PRINCIPLES FOR THE PROCESSING OF PERSONAL DATA

Article 5 of the Regulation defines the principles applicable to data processing. The Data Controller ensures that these aspects are applied during each identified data processing.

1. “Principle of purpose”: Personal data may only be collected for specified, explicit and legitimate purposes and may not be processed in a manner incompatible with those purposes; If data processing serves multiple purposes at the same time, consent must be given for all data processing purposes.
2. The principle of “legality, due process and transparency”: We always process personal data lawfully and fairly, and in a manner that is transparent to the data subject. Data subjects must be made aware of how their personal data is being collected, used, accessed or otherwise processed, and the extent to which their personal data is being or will be processed.
   In the spirit of the principle of transparency, our Data Controller ensures that information and communication related to the processing of personal data is easily accessible and understandable, and that it is formulated in clear and plain language.
3. The principle of “proportionality, necessity” or “data economy”: Only personal data that is essential for the purpose of data processing and suitable for achieving the purpose may be processed. Personal data may only be processed to the extent and for the period necessary to achieve the purpose. Accordingly, the Data Controller shall only process data that is absolutely necessary.
4. Principle of “Accuracy”: During data processing, the accuracy, completeness and – if necessary in view of the purpose of data processing – up-to-dateness of the data must be ensured, and the data subject must only be identified for the period necessary for the purpose of data processing.
5. Principle of “Limited storage capacity”: Personal data shall be stored in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for a longer period only if the personal data are processed for archiving purposes in the public interest, scientific and historical research purposes or statistical purposes in accordance with Article 89(1) of Regulation (EU) 2016/679, subject to the implementation of appropriate technical and organisational measures to safeguard the rights and freedoms of data subjects as provided for in this Regulation.
6. Principle of “Integrity and Confidentiality”: Personal data must be processed in such a way that appropriate technical or organizational measures are used to ensure the appropriate security of personal data, including protection against unauthorized or unlawful processing, accidental loss, destruction or damage to data.
7. The principle of “accountability”: The Data Controller is responsible for compliance with points af.) and those specified in the Regulations, and must be able to demonstrate this compliance.
8. The principle of “Privacy by design”: very conscious data protection mindset, which very briefly means that when determining the method of data processing and during data processing, the Data Controller implements appropriate technical and organizational measures – such as pseudonymization – with the aim of effectively implementing the above principles, fulfilling obligations, incorporating legal guarantees, etc., and does all of this in a regulated and detailed documented manner. In practice, the mindset is facilitated by the training of Employees, their data protection awareness, and the impact assessment, risk analysis, and balancing of interests test used during the introduction and/or regular review of individual data processing.
9. Personal data will retain this quality during data processing as long as the relationship with the data subject can be restored. The relationship with the data subject can be restored if the data controller has the technical conditions necessary for the restoration.

9. DATA TRANSFER, DESIGNATION OF DATA PROCESSORS

The processing of personal data is carried out by the Data Controller. If the Data Controller outsources the task, then it is carried out by data processor(s).
In this case, the Data Controller transfers data to the data processors and is responsible for the activities of the data processors.
When using a data processor, the Data Controller requires as a contractual obligation that the contracted data processor comply with the provisions of the Regulation and have the required records in place to protect personal data.

The data controller may transfer data to organizations specified in the legislation, in compliance with its obligations specified in the legislation.

We inform the data subjects that the court, the prosecutor, the investigating authority, the misdemeanor authority, the administrative authority, the National Data Protection and Freedom of Information Authority, or other bodies authorized by law may contact the data controller to provide information, communicate or transfer data, or make documents available.
The Data Controller will only provide personal data to the authorities - if the authority has specified the exact purpose and scope of the data - to the extent and insofar as this is absolutely necessary to achieve the purpose of the request.

CERTAIN DATA PROCESSING

 

1. Contract fulfillment

The data controller must process certain personal data of the customer concerned in order to establish or fulfill the contract.

The scope of the affected parties: Any natural person who has an employment contract with the data controller.

Purpose of data processing: The purpose of data processing is to establish and fulfill the contract.

Scope of processed data:

name

address

Email address

phone number

Legal basis for data processing:

GDPR Article 6 (1) (b):

 

"(b) the processing is necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the data subject's request prior to entering into a contract;”

Duration of data processing: The Data Controller will keep and process your personal data for 8 years after the termination of the contract.

Data transmission: The data controller only transfers the data to the accountant due to a legal obligation. The accountant acts as a data processor in the data management process. We transfer your data to the accountant based on a data processing agreement.

The legal basis for the data transfer is GDPR Article 6(1)(c):

"(c) the processing is necessary for compliance with a legal obligation to which the controller is subject;”

1. Marketing content / professional knowledge dissemination

 

Purpose of data processing:

Due to the data controller's activities, it acquires new clients by presenting the results achieved through its work as a reference on its website and on social media platforms (Facebook, Instagram), therefore, with the express consent of the data subject, the data controller shares photos and videos of the data subjects on these internet platforms. for marketing purposes.

Furthermore, with the express consent of the data subject, the data controller may use photos and videos taken of the data subject. for professional dissemination/consultation purposes shares with colleagues.

Legal basis for data processing:

GDPR Article 6 (1) (a):

"the)the data subject has given consent to the processing of his or her personal data for one or more specific purposes;”

Scope of processed data:

name

photo and video recording

 

Duration of data processing: The Data Controller processes personal data until the data subject withdraws their consent, or for 10 years at the latest.

Data transmission: Share on Facebook, Instagram, the data controller's website, and share with colleagues.

1. Sending informational e-mails

Purpose of data processing:

Informing clients about the progress of the cooperation.

Legal basis for data processing:

GDPR Article 6 (1) (a):

"the) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;”

Scope of processed data:

email address

name

 

Duration of data processing: The Data Controller processes personal data until the data subject withdraws their consent, or for 10 years at the latest.

Data transmission: We do not transfer your personal data. 

1. Contact us on Facebook/Instagram

Purpose of data processing:

Contacting and communicating with customers.

Legal basis for data processing:

GDPR Article 6 (1) (a):

"the) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;”

Scope of processed data:

username

profile

name

 

Duration of data processing: The Data Controller processes personal data until the data subject withdraws their consent, or for 10 years at the latest.

Data transmission: We do not transfer your personal data. 

1. Health data sheet

Purpose of data processing:

Cooperation requires whether the data controller can perform the processing and what health risks the parties must expect.

Legal basis for data processing:

GDPR Article 9(2)(a):

"the)the data subject has given his or her explicit consent to the processing of those personal data for one or more specific purposes, unless Union or Member State law provides that the prohibition referred to in paragraph 1 cannot be lifted by the data subject's consent;”

Scope of processed data:

Pursuant to Article 9(2)(a) of the GDPR:

body weight

height

diseases

Regularly taken medications

 

Duration of data processing:

Pursuant to Article 9(2)(a) of the GDPR:

The Data Controller processes personal data until the data subject withdraws their consent or until the contract is terminated.

Data transmission: We do not transfer your personal data. 

Website visit data

 

1. Using Google Adwords conversion tracking

1. The data controller uses the online advertising program “Google AdWords” and, within its framework, uses Google’s conversion tracking service. Google conversion tracking is an analytics service provided by Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; “Google”).
2. When a User reaches a website through a Google ad, a cookie required for conversion tracking is placed on their computer. These cookies have a limited validity and do not contain any personal data, so the User cannot be identified by them.
3. When the User browses certain pages of the website and the cookie has not yet expired, both Google and the data controller can see that the User clicked on the advertisement.
4. Each Google AdWords customer receives a different cookie, so they cannot be tracked across AdWords customers' websites.
5. The information – obtained using conversion tracking cookies – is used to generate conversion statistics for AdWords customers who have opted for conversion tracking. This allows customers to see the number of users who clicked on their ads and were redirected to a page with a conversion tracking tag. However, they do not receive any information that could be used to identify any individual user.
6. If you do not wish to participate in conversion tracking, you can refuse this by disabling the installation of cookies in your browser. You will then not be included in the conversion tracking statistics.
7. Further information and Google's privacy policy can be found at: www.google.de/policies/privacy/

1. Using Google Analytics

1. This website uses Google Analytics, a web analytics service provided by Google Inc. (“Google”). Google Analytics uses so-called “cookies”, text files that are saved on your computer, to help the website operator analyze how users use the website.
2. The information generated by the cookie about the website used by the User is usually transmitted to and stored on a Google server in the USA. By activating IP anonymization on the website, Google will shorten the User's IP address beforehand within member states of the European Union or in other states party to the Agreement on the European Economic Area.
3. The full IP address will only be transmitted to a Google server in the USA and shortened there in exceptional cases. On behalf of the operator of this website, Google will use this information to evaluate how the user uses the website, to compile reports on website activity for the website operator and to provide other services relating to website and internet usage.
4. Within the framework of Google Analytics, the IP address transmitted by the User's browser will not be merged with other data held by Google. The User can prevent the storage of cookies by setting their browser accordingly, but please note that in this case not all functions of this website may be fully usable. You can also prevent Google from collecting and processing the data generated by cookies and relating to your use of the website (including your IP address) by downloading and installing the browser plugin available at the following link. https://tools.google.com/dlpage/gaoptout?hl=hu

11. EXERCISE OF RIGHTS RELATED TO DATA PROCESSING

Right to information

The Data Controller shall take appropriate measures to provide data subjects with all information referred to in Articles 13 and 14 of the GDPR concerning the processing of personal data and with all information pursuant to Articles 15-22 and 34 in a concise, transparent, intelligible and easily accessible form, in clear and plain language.

Right of access

This essentially means information about what data we process about you, why and how.
You have the right to receive feedback from the Data Controller, as data controller, regarding the nature of your personal data being processed, and you have the right to access your personal data and the following information:

1. the purposes of data processing;
2. the categories of the User's personal data;
3. the recipients or categories of recipients to whom the personal data have been or will be disclosed;
4. where applicable, the planned period for which the personal data will be stored, or the criteria for determining this period.
5. the User's right to correct, erase or restrict the processing of personal data concerning him or her, as well as to object to the processing of personal data;
6. the right to lodge a complaint with the supervisory authority;
7. if the data was not collected from the User, information about its source;
8. the fact of any automated decision-making, understandable information about the logic applied, and information about the expected consequences of data processing for the User.

The Data Controller shall provide copies of the processed personal data to the affected User.

Right to rectification

You have the right to request that we rectify inaccurate personal data concerning you without undue delay. You may also request that we complete incomplete personal data, if necessary.

The right to withdraw consent / the “right to erasure”

The Regulation also calls the right to erasure “the right to be forgotten”.
If the processing in question is based on your consent, you have the right to withdraw it at any time and to have your personal data erased without undue delay upon request.
The right to erasure does not apply to mandatory data processing defined by law or internal regulations. In some cases, the Data Controller has a legal obligation to process certain data, therefore, a request for erasure of data cannot be fulfilled, in particular in the case of compliance with a legal obligation applicable to the Data Controller requiring the processing of personal data.

Right to block/restrict data processing

You have the right to request that we restrict the processing of your data. This means that we may only store restricted data, but may not otherwise use it unless you have given us your consent or in certain legal cases. You may request that we restrict the processing of your data if:

1. the User disputes the accuracy of the personal data, in which case the restriction applies for a period of time that allows the Data Controller to verify the accuracy of the personal data;
2. the data processing is unlawful and the User opposes the deletion of the data and instead requests the restriction of their use;
3. The Data Controller no longer needs the personal data for the purposes of data processing, but the User requires them for the establishment, exercise or defense of legal claims.
4. if the User has objected to the data processing; in this case, the restriction applies for the period until it is determined whether the legitimate grounds of the Data Controller override the legitimate grounds of the User.

Right to data portability

If the processing in question is based on your consent or is related to the performance of a contract, you have the right to receive the data in a structured, commonly used, machine-readable format (e.g. PDF, Excel or Word) and to transmit it to another controller. You also have the right, where technically feasible, to request the direct transmission of personal data between controllers.

The right to protest

Please read this paragraph on the right to object carefully. If the processing is necessary for the purposes of the legitimate interests pursued by the Controller or by a third party, you have the right to object to the processing at any time on grounds relating to your particular situation. In such a case, we will no longer process your data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.

Automated decision-making

The Data Controller does not engage in automated decision-making.

Rules of procedure

The data controller shall act without undue delay, but in any case within 14 days of receipt of the request. within a month inform the data subject of the action taken following a request pursuant to Articles 15 to 22 of the GDPR. If necessary, taking into account the complexity of the request and the number of requests, this deadline may be extended by a further two months.
The data controller shall inform the data subject of the extension of the deadline, indicating the reasons for the delay, within one month of receipt of the request. If the data subject submitted the request electronically, the information shall be provided electronically, unless the data subject requests otherwise.

If the controller does not take action on the data subject's request, it shall inform the data subject without delay, but no later than one month from the receipt of the request, of the reasons for the failure to take action and of the fact that the data subject may lodge a complaint with a supervisory authority and exercise his or her right to a judicial remedy.

The controller shall provide the requested information and communication free of charge. If the data subject's request is manifestly unfounded or, in particular, excessive due to its repetitive nature, the controller may charge a reasonable fee, taking into account the administrative costs of providing the requested information or communication or taking the requested action, or may refuse to act on the request.
The controller shall inform any recipient to whom the personal data have been disclosed of any rectification, erasure or restriction of processing made by the controller, unless this proves impossible or involves a disproportionate effort. The controller shall inform the data subject of these recipients upon request.
The controller shall provide the data subject with a copy of the personal data subject to processing. For additional copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. If the data subject has submitted the request electronically, the information shall be provided in electronic format, unless the data subject requests otherwise.

Informing the data subject about the data protection incident

If the data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall inform the data subject of the data breach without undue delay.

This notification must clearly and intelligibly describe the nature of the data breach and provide at least the following:

1. the name and contact details of the data protection officer or other contact person who can provide further information;
2. the likely consequences of a data protection incident must be described;
3. the measures taken or planned by the data controller to remedy the data protection incident must be described, including, where applicable, measures aimed at mitigating any adverse consequences resulting from the data protection incident.

The data subject does not need to be informed if any of the following conditions are met:

1. (a) the controller has implemented appropriate technical and organisational protection measures and these measures have been applied to the data affected by the data breach, in particular measures that render the data unintelligible to persons not authorised to access the personal data, such as the use of encryption;
2. (b) the controller has taken further measures following the personal data breach to ensure that the high risk to the rights and freedoms of the data subject referred to in paragraph (1) is no longer likely to materialise;
3. (c) the provision of information would involve a disproportionate effort. In such cases, the data subjects shall be informed by means of publicly available information or a similar measure shall be taken which ensures that the data subjects are informed in a similarly effective manner.

Additional rules are contained in the Data Controller's INCIDENT HANDLING POLICY.

12. DATA SECURITY

1. The Data Controller plans and implements data processing operations in such a way as to ensure the protection of the privacy of the data subjects.
2. The data controller ensures the security of the data (protection with a password, antivirus, SSL encryption), takes the technical and organizational measures and develops the procedural rules that are necessary for the enforcement of the Info Act and other data and privacy protection rules.
3. The data controller protects the data with appropriate measures, in particular:
   • unauthorized access,
   • the change,
   • the transmission,
   • disclosure,
   • deletion or destruction,
   • accidental destruction and damage,
   • against inaccessibility resulting from changes in the technology used.
4. The data controller ensures through appropriate technical solutions that the data stored in the registers cannot be directly linked and assigned to the data subject.
5. In order to prevent unauthorized access to personal data, alteration and unauthorized disclosure or use of data, the data controller ensures:
   • the development and operation of the appropriate IT and technical environment,
   • the controlled selection and supervision of employees participating in the provision of services,
   • on the issuance of detailed operating, risk management and service procedures.
6. Based on the above, the service provider ensures that the data it processes
   • be available to the entitled person,
   • its authenticity and authentication are ensured,
   • its immutability can be verified,
7. The IT system of the data controller and its hosting provider protects, among other things,
   • computer fraud,
   • espionage,
   • computer viruses,
   • spam,
   • the hacks
   • and against other attacks.

 

 

 

 

 

 

13. LEGAL REMEDY

Be the first to contact me

If you believe that the processing of your personal data violates the GDPR or other data protection law, we recommend that you first contact me using the contact details provided above so that I can respond to your concern as quickly and efficiently as possible.

 

Right to lodge a complaint with a supervisory authority (right to a judicial remedy)

If you do not wish to contact us, in the event of a grievance, the data subject has the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or the place of the alleged infringement, if the data subject considers that the processing of personal data concerning you infringes this Regulation.
The supervisory authority to which the complaint has been submitted is obliged to inform the client about the procedural developments related to the complaint and its outcome, including the client's right to seek judicial redress.

In Hungary, you can file a complaint with the National Data Protection and Freedom of Information Authority, which can be contacted at:

National Data Protection and Freedom of Information Authority

1055 Budapest, Falk Miksa Street 9-11.

Mailing address: 1363 Budapest, P.O. Box 9.

Phone: +36/1/391-1400 Fax: +36/1/391-1410

E-mail: ugyfelszolgalat@naih.hu

In the event of going to court, you can freely file your claim either with the court competent for your place of residence (permanent address) or place of residence (temporary address), or with the registered office of the Data Controller. You can find the court of your place of residence or place of residence at www.birosag.hu page, and the Court of Gyula acts according to the registered office of the Data Controller.

These rules are contained in Article 77 of the Regulation.

Right to an effective judicial remedy against the supervisory authority

Without prejudice to other administrative or non-judicial remedies, every natural and legal person has the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning him or her.
Without prejudice to other administrative or non-judicial remedies, every data subject has the right to an effective judicial remedy if the competent supervisory authority does not deal with the complaint or does not inform the data subject of the procedural developments or the outcome of the complaint submitted within three months.
Proceedings against a supervisory authority shall be brought before the courts of the Member State in which the supervisory authority is established.

If proceedings are brought against a decision of the supervisory authority in relation to which the Board has previously issued an opinion or taken a decision under the consistency mechanism, the supervisory authority shall be obliged to send this opinion or decision to the court.
These rules are contained in Article 78 of the Regulation.

Right to an effective judicial remedy against the controller or processor

Without prejudice to any available administrative or non-judicial remedies, including lodging a complaint with a supervisory authority, each data subject shall have the right to an effective judicial remedy if he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data not in accordance with this Regulation.
Proceedings against a controller or processor shall be brought before the courts of the Member State in which the controller or processor is established. Such proceedings may also be brought before the courts of the Member State in which the data subject has his habitual residence, unless the controller or processor is a public authority of a Member State acting in the exercise of its official authority. These rules are set out in Article 79 of the Regulation.

Compensation and damages

1. In the event that the Data Controller violates the data subject's personal rights by unlawfully processing the data subject's data or by violating data security requirements, the data subject may claim damages from the Data Controller through court proceedings.
2. The data controller shall be liable to the data subject for any damage caused by the data processor and the data controller shall also be obliged to pay the data subject any compensation due in the event of a personal rights infringement caused by the data processor. The data processor shall only be liable for damage caused by data processing if it has failed to comply with the obligations expressly imposed on data processors as set out in this Regulation, or if it has disregarded or acted contrary to the lawful instructions of the data controller.
3. The data controller or data processor is exempt from liability for the damage caused and from the obligation to pay damages if it proves that it is not responsible in any way for the event that caused the damage.
4. No compensation for damage shall be required and no compensation for injury may be claimed if the damage or the infringement of personal rights resulted from the intentional or grossly negligent conduct of the injured party or the person concerned.

14. OTHER INFORMATION

The data controller declares that

• the personal data provided will not be made public or transmitted abroad;
• reserves the right to change the Information to align it with the legal background and other internal regulations that may be amended in the meantime.
• The data controller will always name each separate data processing operation – not covered by this information – in a separate information notice and inform the data subjects thereof.

Date: Szeged, September 1, 2025.

Gedo Benjamin

data controller