Privacy Policy

1. Controller’s data

Name: LIGHT STUDIÓ Lakberendezési Kereskedelmi és Szolgáltató Korlátolt Felelősségű Társaság (abbreviated name: LIGHT STÚDIÓ Kft.)
Registered office: 5600 Békéscsaba, Zsíros utca 14.
Tax number: 22690290-2-04
Phone number: +36 20 256 0675
Email: info@lightstudio.hu

2. Purpose of the Policy

The Controller acknowledges that it is bound by the contents of this Policy. 

The Controller’s processing principles are in line with the applicable data protection legislation, in particular:

  • Act CXII of 2011 on Informational Self-Determination and Freedom of Information (hereinafter: “Privacy Act”);
  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Regulation (EC) No 95/46/EC (General Data Protection Regulation, GDPR);
  • Act V of 2013 on the Civil Code (Civil Code Act);
  • Act C of 2000 on Accounting (Accounting Act);
  • Government Decree 45/2014 (II.26.) on the detailed rules of contracts between consumers and businesses.

By publishing this Policy, the Controller intends to comply with its obligation under the GDPR to provide prior data protection information to data subjects in a concise, transparent, intelligible and easily accessible form, in clear and plain language.

The Controller shall process personal data only in accordance with the provisions of the applicable law and in strict compliance with the provisions of processing and data protection regulations, taking into account the principles of lawfulness, fair procedure and transparency, purpose limitation, data minimisation, accuracy and limited storage. The Controller shall process personal data confidentially and shall take all technical and organisational measures necessary to ensure the secure processing of the personal data as required by the GDPR. 

3. Security of processing

Among the technical and organisational measures used to ensure the security of processing, the technical protection of personal data is ensured by password access, which guarantees that personal data can only be accessed by authorised persons.  The Controller also uses firewall protection for the security of personal data to protect the computers used by the Controller from external attacks.

The Controller undertakes to ensure the security of the data, to take those technical and organisational measures and to maintain those procedural rules that ensure the protection of the data recorded, stored or processed and prevent the destruction, unauthorised use or unauthorised alteration of such data. Furthermore, the Controller undertakes to require any third party to whom it transfers or discloses the data to comply with the data security requirements.

The Controller shall ensure that the processed data cannot be accessed, disclosed, transmitted, modified or deleted by unauthorised persons. Only the Controller and processor(s) employed by the Controller may access the processed data, and shall not disclose those to third parties who are not authorised to access the data.

The Controller shall take great care to ensure the security of the personal data of the data subjects. The Controller shall act in full compliance with the law and shall require all data subjects to do the same. Personal data protection also includes physical data protection (storing documents in a lockable room) as well as IT protection.

The Controller stores the personal data provided by the data subject primarily on the servers of the processor(s) specified in this Policy equipped with the usual protection systems, and partly on its own IT equipment, in the case of paper media, at its registered office, appropriately locked away.
 
The data subjects acknowledge and accept that the protection of the personal data they provide cannot be fully guaranteed on the Internet and in the computer system. In the event of unauthorised access or disclosure, despite the efforts of the Controller, the procedure set out in this Policy shall apply.
 
The Controller reserves the right to unilaterally amend this Policy at any time. The Controller shall notify its customers, business partners and all data subjects in advance of any amendments by publishing the amended Policy on the website it operates. Amendments to this Privacy Policy shall become effective upon its publication on the website. 

This Policy is available at all times at the Controller’s registered office at 5600 Békéscsaba, Zsíros utca 14, and on its website at https://lightstudio.hu/. 

4. Personal, material and temporal scope of the Policy

This Policy applies to the Controller and to natural persons whose personal data, rights or legitimate interests are affected by processing activities under this Policy.
 
The material scope of the Policy covers the following: 

1. Processing relating to employment
2. Processing relating to potential customers, clients
3. Processing relating to the conclusion and performance of contracts, to contacts and invoicing
4. Activities related to marketing messages sent by the Controller
5. The Controller’s activities on the website https://lightstudio.hu/
6. The Controller’s activities on social media
7. Handling of complaints about the Controller’s business activities or data processing

This Policy shall enter into force on the date of its approval and shall remain in force until revoked. 

5. Data Protection Officer

Pursuant to the provisions of the Privacy Act and the GDPR, the Controller shall not appoint a Data Protection Officer. 

6. Specific processing activities

1. Processing in relation to job advertising activities  
The purpose of processing in this context is the conclusion of employment contracts and the employment of new employees.

The data processed include the data subject’s name, address, e-mail address, telephone number, previous jobs, studies, qualifications, skills, languages spoken and, where applicable, personal data communicated by means of a motivation letter.

Legal basis for processing: voluntary consent of the data subject (Article 6(1)(a) GDPR). 

Period of processing: until the data subject’s consent is withdrawn. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
Unless the consent is withdrawn, the period of processing lasts until the last day of the calendar quarter following the calendar quarter in which the application is sent, unless the employment relationship is established (Section 2).

2. Processing relating to employees, workers
The purpose of processing in this context is the conclusion of employment contracts and the fulfilment of the provisions thereof.

Data processed: name of the data subject, e-mail address, telephone number, place and date of birth, mother’s name, social security number, address, personal identity card number, personal identification number, tax identification number.  In relation to the occupational health examination, the Controller shall process only the certificate of fitness with the data referred to in this section.

Legal basis for processing: processing is necessary for the performance of a contract to which the data subject is a party or for the purposes of taking steps at the request of the data subject prior to entering into a contract (Article 6(1)(b) GDPR).

Period of processing: during the employment contract and for 5 years after its termination, or during the legally required retention period of certain data.

3. Processing in the context of medical examination for fitness for employment
The purpose of processing in this context is to verify the medical fitness of employees and to provide occupational health services.

Data processed: occupational health certificate of the person concerned, name, place and date of birth, address, social security number, job/occupation.

Legal basis for data processing: processing based on legal obligations - Decree 33/1998 (VI.24.) NM; Government Decree 89/1995 (VII.14.); Act XCIII of 1993.

Duration of processing: 5 years after the retirement age applicable to the data subject.

4. Processing related to the control of company mobile phone use
The purpose of processing in this context is to monitor the work-related use of the company telephone by the employee concerned.

Data processed: name of the data subject, telephone number, time of the call, duration of the call.

Legal basis for processing: processing based on legitimate interests (Article 6(1)(f) GDPR).

Period of processing: during the employment contract and for 5 years after its termination.

5. Processing related to the control of company computer/laptop use
The purpose of processing in this context is to monitor the work-related use of the company computer/laptop by the employee concerned.

Data processed: name of the data subject, unique identification number and IP address of the computer/laptop.

Legal basis for processing: processing based on legitimate interests (Article 6(1)(f) GDPR).

Period of processing: during the employment contract and for 5 years after its termination.

6. Processing activities related to marketing messages communicated by the Controller; contact

The purpose of processing in this context is for the Controller to carry out verbal or electronic marketing activities, communicate information; contact interested parties (potential customers) and maintain contacts in order to conclude a contract.

Data processed: name, telephone number and email address of the data subject.

Legal basis for processing: (I.) the data subject’s voluntary consent (Article 6(1)(a) GDPR), provided to the Controller via https://lightstudio.hu/kapcsolat/ or by email, social media, other digital media channels or in person by the data subject filling in and voluntarily sending his or her personal data to the Controller in order to receive further information about products and services; (II) processing is necessary for the purposes of taking steps at the request of the data subject prior to entering into a contract (Article 6(1)(b) GDPR).

Period of processing: until the data subject’s consent is withdrawn. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. In the absence of withdrawal, for 8 years after the termination of the business relationship.

7. Other processing activities on the https://lightstudio.hu/ website operated by the Controller
While the user is browsing the website, technical information is also recorded (for example, in the form of log files containing the user’s IP address, the date and time of visiting the page, the URL of the page(s) visited), which cannot be used for personal identification but only for statistical purposes.

Data processed: see Section VIII.

Legal basis for processing: voluntary consent of the data subject (Article 6(1)(a) GDPR). If the data subject does not accept the use of cookies, certain functions of the website will not be available to him or her.

Period of processing: see Section VIII.

8. Processing in connection with the establishment of business relationships, conclusion of contracts and performance of contracts
The purpose of processing in this context is to establish a business relationship and to conclude and perform contracts tailored to the individual needs of the partner. 

Data processed: the name, e-mail address, telephone number, place and date of birth, mother’s name and address of the partner concerned; personal identity card number, tax identification number.

Legal basis for processing: (I.) processing is necessary for the performance of a contract to which the data subject is a party, or processing is necessary for the purposes of taking steps at the request of the data subject prior to entering into a contract (Article 6 (1) (b) GDPR); (II.) processing based on a legal obligation - Act LIII of 2017, Sections 7-10 and 27.

Period of processing: while the contract is in effect and 8 years after the termination of the business relationship (contractual relationship). The personal data contained in the contract shall be stored for 20 years.

9. Billing-related processing
The purpose of processing in this context is the issuing of an invoice for the sale of goods or provision of services by the Controller.

Data processed: name, address and tax identification number of the data subject.

Legal basis for processing: processing based on a legal obligation - Act C of 2000.  

Processing period: 8 years.


10. Processing related to complaints
The purpose of processing in this context is to offer the option to lodge a complaint, to identify the complainant concerned, to record the verbal complaint, to investigate the complaint and to keep track of its settlement.

Data processed: name and address of the complainant concerned.

Legal basis for processing: processing based on a legal obligation - Section 17/A (5) of Act CLV of 1997.

Processing period: 3 years.

In any event, the legal basis for further processing may be that:


1. the data subject has given consent to the processing of his or her personal data for one or more specific purposes (Article 6(1)(a) GDPR);
2. processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (Article 6(1)(b) GDPR);
3. processing is necessary for compliance with a legal obligation to which the Controller is subject (Article 6(1)(c) GDPR);
4. processing is necessary in order to protect the vital interests of the data subject or of another natural person (Article 6(1)(d) GDPR);
5. processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller (Article 6(1)(e) GDPR);
6. processing is necessary for the purposes of the legitimate interests pursued by the Controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child (Article 6(1)(f) GDPR);

For processing based on consent (Article 6(1)(a) GDPR), the data subject may withdraw his or her consent at any stage of the processing. In certain cases, the further processing, storage and transmission of part of the data provided with consent is required by law, of which the Controller shall separately notify the data subjects.
If the person disclosing the data does not provide his or her own personal data in the course of the disclosure, the Controller is obliged to obtain the consent of the data subject and to ensure the lawfulness of the disclosure.
The Controller examines the lawfulness of processing at all stages of its activities, and only processes data for which it can justify the purpose and legal basis. In the event of the termination of a legal basis, processing may only be resumed if the controller can demonstrate an adequate alternative legal basis.

As a general rule, the Controller will consider the written form as a way of establishing the legal basis; in the case of consent expressed by implied conduct (as a legal basis), it must be examined whether it can be clearly demonstrated ex post. In case of doubt, written confirmation of the processing based on proactive behaviour should be sought, having regard to considerations of reasonableness and economy.

In the case of consent-based processing, the data subject shall give his or her written consent to the processing of personal data. Although such consent has no formal requirements, subsequent evidence requires written consent on paper or in electronic form.

In the case of processing based on the legal basis of fulfilment of a legal obligation (Article 6(1)(c) GDPR), the processing is independent of the data subject’s consent, as the processing is determined by law.

Irrespective of the mandatory nature of the processing, the private individual data subject must be informed before the processing starts that the processing is mandatory and cannot be avoided, and must be provided with clear and detailed information on all relevant facts concerning the processing of his or her data before the processing starts.

7. Transmission of data to processors

The Controller shall only use a processor that provides adequate guarantees of compliance with the requirements of the GDPR and implements appropriate technical and organisational measures to ensure the protection of the rights of data subjects. The Processor shall process the personal data transferred to it on behalf of the Controller and in accordance with the Controller’s instructions, the applicable law and this Privacy Policy.


Contracted processor and controller partners shall process the personal data of data subjects only on the basis of instructions given by the Controller (except where required by law) and under an obligation of confidentiality.

Processors:

1. Accounting, payroll services: 
Name: Varga Judit Fruzsina e.v.
Registered office: 4225 Debrecen, Gönczy Pál utca 104.
The role and tasks of the Processor include the handling, verification and accounting of the accounting records and financial activities of the Controller

2. Server hosting provider: 
Name: Tárhely.Eu Kft.
Registered office: 1144 Budapest, Ormánság utca 4. X. em. 241.
The role and responsibilities of the Processor shall include providing and hosting the website of the Controller and the processing of data related thereto, in particular with regard to the activities of the Controller at https://lightstudio.hu.

 
3. Electronic mail system provider:
Name: Tárhely.Eu Kft.
Registered office: 1144 Budapest, Ormánság utca 4. X. em. 241.
The role and function of the Processor shall be limited to the servicing of the Controller’s mail system and the processing and storage of electronic mail sent by the Controller. 

4. Provider of electronic invoicing and accounting services: 
Name: Arendszergazda Informatikai Kft.
Registered office: 1024 Budapest, Kisrókus utca 21. 2. em 1.
The role and function of the Processor is limited to the processing of names, addresses and tax identifiers transmitted by the Controller and the archiving of invoices during the billing process.

5. Occupational health service provider:
Name: Dr. Ágnes Hursán Fazekasné
Registered office: 5600 Békéscsaba Justh Gyula u. 2.
The role and function of the Processor is limited to the processing of personal data of the Controller’s employees necessary for the performance of medical examinations in the context of their work activities.

6. Mail delivery service provider:
Name: Magyar Posta Zrt.
Registered office: 1138 Budapest, Dunavirág utca 2-6.
The role and function of the Processor is limited to the processing of personal data necessary for the delivery of postal items sent by the Controller.

Name: DPD Hungary Kft.
Registered office: 1134 Budapest, Váci út 33. 2. emelet.
The role and function of the Processor is limited to the processing of personal data necessary for the delivery of items sent by the Controller.

8. Cookies used by the https://lightstudio.hu/ website operated by the Controller

The Controller uses a small data package, a so-called cookie, for the operation of the website, to ensure the functioning and basic functions of the website and for the security of the computer system. The cookie will be read by the Controller and the service provider hosting the Controller’s website during the data subject’s repeated visits to the website until each specific session is closed. If the web browser of the data subject sends the previously saved cookie back to the Controller and the service provider hosting the Controller’s website as described above, the Controller and the service provider hosting the Controller’s website have the option to link the current visit of the data subject to previous visits, but only with regard to the data subject’s own content.

Legal basis for processing: consent of the data subject (Article 6(1)(a) GDPR).
If the data subject does not accept the use of cookies, certain functions will not be available to him or her.

While the user is browsing the website, technical information is also recorded (for example, in the form of log files containing the user’s IP address, the date and time of visiting the page, the URL of the page(s) visited), which cannot be used for personal identification but only for statistical purposes.

Cookies used by the website at https://lightstudio.hu/:    

Cookie name: XSRF-TOKEN
Domain: lightstudio.hu
Description: Ensures the security of the website against so-called Cross-Site Request Forgery attacks.
Period: 2 hours 
Type: Essential        

Cookie name: _ga_*
Domain: lightstudio.hu
Description: Google Analytics uses this cookie to store and count page views and to keep track of session status. 
Period: 1 year and 1 month 
Type: Analytical

Cookie name: _ga
Domain: lightstudio.hu 
Description: Google Analytics is Google’s analytics tool that helps website owners to get a more accurate picture of their visitors’ activities. The service may use cookies to collect information and compile reports on website usage statistics without individually identifying visitors to Google. 
This is to distinguish users visiting the https://lightstudio.hu/ website without identifying the actual website visitor.  
Period: 1 year and 1 month
Type: Analytical

Cookie name: _fbp
Domain: lightstudio.hu
Description: Facebook Meta configures this cookie to display ads, real-time offers from third parties on Facebook or on the digital platform operated by Facebook Ads after you visit the website. 
Period: 3 months
Type: Analytical

Cookie name: _hjSessionUser_* 
Domain: lightstudio.hu
Description: The website uses the analytics software of Hotjar Ltd (“Hotjar”). Hotjar configures this cookie to ensure that information from subsequent visits to the same website is associated with the same user ID that is retained in the unique Hotjar user ID for that website. With Hotjar, it is possible to measure and evaluate user behaviour (clicks, mouse actions, scrolling, etc.) on the website. The information that is generated by the “Tracking Code” and cookies when you visit the website is transmitted to the Hotjar server in Ireland where it is stored. The following (anonymous) information is collected by the Tracking Code: screen size and type of the visitor’s device, browser information, geographic location (country only), preferred language, user interactions to view websites, mouse actions (movement, position and clicks), keyboard activities and the Log data.
Period: 1 year
Type: Analytical

Cookie name: _hjSession_*
Domain: lightstudio.hu
Description: The website uses the analytics software of Hotjar Ltd (“Hotjar”). Hotjar configures this cookie to ensure that information from subsequent visits to the same website is associated with the same user ID that is retained in the unique Hotjar user ID for that website. With Hotjar, it is possible to measure and evaluate user behaviour (clicks, mouse actions, scrolling, etc.) on the website. The information that is generated by the “Tracking Code” and cookies when you visit the website is transmitted to the Hotjar server in Ireland where it is stored. The following (anonymous) information is collected by the Tracking Code: screen size and type of the visitor’s device, browser information, geographic location (country only), preferred language, user interactions to view websites, mouse actions (movement, position and clicks), keyboard activities and the Log data.
Period: 30 minutes
Type: Analytical

Cookie name: laraweb_session
Domain: lightstudio.hu
Description: This cookie identifies the user’s session instance on the website. 
Period: 2 hours
Type: Other

The data subject can delete cookies from his or her computer or disable the use of cookies in his or her web browser at any time. You can usually manage cookies by going to your browser’s Tools/Preferences menu and selecting Privacy/Preferences/Custom Settings under the menu item Cookies or Tracking.

Possible consequences of not providing data: the https://lightstudio.hu/ website cannot be browsed without issues, certain functions and services of the website do not work as intended or do not work at all and analytical measurements are inaccurate.

More precise guidance can be found at the website on safe online communication at https://www.youronlinechoices.com/hu/ (European Interactive Digital Advertising Alliance).

9. Processing of personal data while using cloud-based applications

The Controller uses cloud-based services primarily to store and backup any electronic invoices and other documents. A common feature of such services is that they are not provided by the user’s computer, but by a remote server, a server centre that can be located anywhere in the world. Such services are also provided by online hosting. The key advantage of cloud applications is that they provide a highly secure, flexible and scalable IT storage and processing capacity that is essentially independent of geographic location.

In these cases, the cloud service provider can be considered as a processor that processes personal data on behalf of the Controller. Cloud service providers are obliged to keep personal data confidential and may only process personal data if instructed by the Controller. The Controller shall choose its cloud service partners with the utmost care and shall take all measures that may be reasonably expected to ensure that they are contracted in a manner that takes into account the data security interests of subscribers, advertisers, persons attending and/or exhibiting or selling products at the event, other partners or other data subjects, and that their processing principles are transparent to the Controller. The Controller regularly examines who has access to the data and what data protection procedures and technical solutions can be employed to protect such data. Cloud storage is password protected and only the Controller has access to the data stored there. 

The data subjects acknowledge the transfer of data necessary for the use of cloud-based applications by becoming familiar with this Policy.

10. Rights of data subjects

1. Transparent information:

The purpose of this Policy is also to provide clear, concise, transparent and understandable information about the processing activities carried out by the Controller.
 
2. Right of access:

The data subject shall have the right to obtain from the Controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:

1. the purpose of the processing,
2. the categories of the personal data concerned,
3. the recipients to whom the personal data have been disclosed,
4. the intended period of the storage of the personal data.

You can request information about the above data from the Controller at the following mailing and email addresses:

Name: LIGHT STUDIÓ Kft.
Registered office: 5600 Békéscsaba, Zsíros utca 14.
Email: info@lightstudio.hu

3. Right to rectification:

The data subject shall have the right to obtain from the Controller the rectification of inaccurate personal data concerning him or her. 

You can request information about the above data from the Controller at the following mailing and email addresses:

Name: LIGHT STUDIÓ Kft.
Registered office: 5600 Békéscsaba, Zsíros utca 14.
Email: info@lightstudio.hu

4. Right to erasure:

The data subject shall have the right to obtain from the Controller the erasure of personal data concerning him or her. On the basis of this request, the Controller is obliged to delete the personal data if one of the following grounds applies:

1. the personal data are no longer necessary in relation to the purposes for which they were collected,
2. the data subject withdraws his or her prior consent and there is no other legal basis for the processing,
3. the data subject objects to the processing and there are no overriding legitimate grounds for the processing,
4. the personal data have been unlawfully processed,
5. erasure of the data is required to comply with a legal obligation under EU or national law.

You can request information about the above data from the Controller at the following mailing and email addresses:

Name: LIGHT STUDIÓ Kft.
Registered office: 5600 Békéscsaba, Zsíros utca 14. 
Email: info@lightstudio.hu

5. Right to restriction of processing:

The data subject has the right to request the Controller to restrict processing, in particular if the data subject: 

1. disputes the accuracy of the data,
2. considers the processing to be unlawful, but for some reason does not request the erasure of the data.

You can request information about the above data from the Controller at the following mailing and email addresses:

Name: LIGHT STUDIÓ Kft.
Registered office: 5600 Békéscsaba, Zsíros utca 14.
Email: info@lightstudio.hu

6. Right to data portability:

The data subject has the right to receive personal data concerning him or her in a structured, commonly used, machine-readable format and the right to transmit such data to another Controller.

You can request information about the above data from the Controller at the following mailing and email addresses:

Name: LIGHT STUDIÓ Kft.
Registered office: 5600 Békéscsaba, Zsíros utca 14. 
Email: info@lightstudio.hu

7. Right to object:

The data subject has the right to object to the processing of his or her personal data at any time on grounds relating to his or her particular situation, as provided for in Article 21 of Regulation (EU) 2016/679 of the European Parliament and of the Council.

You can request information about the above data from the Controller at the following mailing and email addresses:

Name: LIGHT STUDIÓ Kft.
Registered office: 5600 Békéscsaba, Zsíros utca 14.
Email: info@lightstudio.hu

The Controller shall inform the data subject that it will respond to the above requests within 30 days. The Controller shall reply to requests sent by mail via mail, and to requests sent by e-mail via e-mail, unless the data subject has explicitly requested otherwise.

The request, complaint or inquiry may also be submitted in person to the person responsible for personnel matters.

The information and measures listed in this Policy shall be provided by the Company free of charge. However, if the data subject’s request is manifestly unfounded or excessive, in particular because of its repetitive nature, the Company may charge a reasonable fee or refuse to act on the request.

If the Company has reasonable doubts about the identity of the person making the request, it may request additional information to confirm the identity of the person concerned.

The Controller undertakes to inform all recipients to whom it has disclosed personal data of any requests sent to it in connection with the above rights, unless it proves impossible to do so. The Controller also undertakes to notify the data subject (the applicant) of its decision on the processing of the above requests within 30 days at the latest.

11. Personal data breach

Personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. 

In the event of a personal data breach, the level of data breach must be at a serious risk level, i.e. the breach must be of a degree that may result in the personal data’s
1. destruction,
2. loss,
3. alteration,
4. unauthorised disclosure,
5. unauthorised access.

A breach is considered to occur if any one of the above occurs, but this does not exclude that more than one of the above may occur at the same time. This includes not only deliberate, malicious behaviour, but also damage caused by negligence. A breach, therefore, occurs when it is caused by an accidental or unlawful act.

A personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned.

In the event of a personal data breach (unless it is unlikely to pose a risk to the rights and freedoms of natural persons), the Controller shall immediately notify the National Authority for Data Protection and Freedom of Information. The Controller shall report the breach without undue delay and, if possible, no later than 72 hours after becoming aware of the breach. Where such notification cannot be achieved within 72 hours, the reasons for the delay should accompany the notification and information must be provided in phases without undue further delay.

The National Authority for Data Protection and Freedom of Information operates a dedicated system on its website for the notification of personal data breaches, through which notifications can be made electronically.

The Controller shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken. The Controller shall keep records of the data relating to the breaches, including the causes, the events and the personal data affected. The records should also include the effects and consequences of the breaches and the actions taken to remedy them, as well as the conclusions of the Controller (for example, why it thinks the breach is not subject to the reporting obligation, or if the notification is late, the reason for the delay).

An incident that is unlikely to pose a risk to the rights and freedoms of natural persons does not need to be notified to the supervisory authority.

If the data breach is likely to result in a high risk to the rights and freedoms of the Controller’s partners, it shall inform the relevant partner without delay. The information provided to the data subject shall clearly and plainly describe the nature of the personal data breach and communicate the key information and the measures taken.

The data subject does not need to be informed as described above if any of the following conditions are met:
1.    The Controller has implemented appropriate technical and organisational protection measures and these measures have been applied to the data affected by the personal data breach, in particular measures to render the data unintelligible to persons who are not authorised to access the personal data;
2.    The Controller has taken additional measures following the personal data breach to ensure that the high risk to the rights and freedoms of the data subject is no longer likely to materialise;
3.    Such information would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.

12. Keeping records

The Controller shall keep records of its processing of personal data, the personal data breaches and measures relating to the data subject’s right of access, in accordance with its legal obligations.


The records of the Controller shall contain:
a) the name and contact details of the Controller, including any joint controller,
b) the purpose or purposes of the processing,
c) where personal data are transferred or intended to be transferred, the recipients of the transfer, including recipients in third countries and international organisations,
d) the data subjects and the data processed,
e) where profiling is used, the fact that it is used,
f) in the case of international transfers, the scope of the data transferred,
g) the legal basis for the processing operations, including transfers,
h) the date of erasure of the personal data processed, if available,
i) a general description of the technical and organisational security measures implemented pursuant to this Act,
j) the circumstances in which personal data breaches have occurred in relation to the data it processes, their effects and the measures taken to address them,
k) the legal and factual grounds for the measure restricting or rejecting the data subject’s exercising his or her right of access under this Act.

13. Data protection authority procedure

If you believe that the Company’s processing of your personal data is unlawful or you wish to make a comment or observation, please submit your request or complaint primarily to the Company.

You may also lodge a complaint or objection about data processing with the National Authority for Data Protection and Freedom of Information:

Name: Nemzeti Adatvédelmi és Információszabadság Hatóság (National Authority for Data Protection and Freedom of Information)
Registered office: 1055 Budapest, Falk Miksa utca 9-11
Mailing address: 1363 Budapest, Pf.: 9.
Telephone: +36 (30) 683-5969; +36 (30) 549-6838; +36 (1) 391 1400
Email: ugyfelszolgalat@naih.hu
Website: http://www.naih.hu

14. Right to judicial remedy

The data subject may take the Controller to court in the event of a breach of his or her personal data or in the event of irregular processing. The court shall try the case with priority.

15. Miscellaneous provisions

The Controller shall provide information about any processing not listed in this Policy at the time of recording the personal data. In such cases, the provisions of the legislation in force shall prevail.

The data subject should have the right not to be subject to a decision, which may include a measure, evaluating personal aspects relating to him or her which is based solely on automated processing and which produces legal effects concerning him or her or similarly significantly affects him or her (e.g. e-recruiting practices or profiling without any human intervention).

The Controller hereby informs the data subjects that the court, the prosecutor, the investigating authority, the administrative authority, the National Authority for Data Protection and Freedom of Information, the National Bank of Hungary, or other bodies authorized by law may contact the Controller to provide information, to disclose or transfer data, or to provide documents. The Controller shall disclose personal data to public authorities only in the amount and to the extent that is strictly necessary for the purpose of the request, provided that the public authority has indicated the precise purpose and scope of the data.

The present content of the Policy shall enter into force on 12 April 2024. 
 
LIGHT STUDIÓ Kft.