PRIVACY POLICY REGARDING THE RIGHTS OF NATURAL PERSONS IN RELATION TO THE PROCESSING OF PERSONAL DATA

INTRODUCTION

Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (hereinafter: the Regulation), mandates that the Data Controller take appropriate measures to provide the data subject with all information regarding the processing of personal data in a concise, transparent, intelligible, and easily accessible form, using clear and plain language, and that the Data Controller facilitate the exercise of the data subject's rights.

The obligation to provide prior information to the data subject is also stipulated by Act CXII of 2011 on Informational Self-Determination and Freedom of Information. With the following information, we fulfill this statutory obligation. The information must be published on the company's website or sent to the data subject upon request.

CHAPTER I

IDENTIFICATION OF THE DATA CONTROLLER

This privacy policy is issued by the Controller:

(hereinafter: the Company)

CHAPTER II

IDENTIFICATION OF DATA PROCESSORS

Data Processor: any natural or legal person, public authority, agency, or other body that processes personal data on behalf of the Data Controller (Article 4(8) of the Regulation). The use of a data processor does not require the prior consent of the data subject, but the data subject must be informed. Accordingly, the following information is provided:

  1. IT Service Provider

    Our company engages a data processor for maintaining and managing its servers, who provides hardware operation and system administration services. Within the term of our contract, this processor may process personal data stored on the servers as part of storage and maintenance operations. Additionally, our company uses a data processor for domain registration and maintenance.

    Service Provider Name

    • Company Name: László Szalma Individual Entrepreneur
    • Headquarters: 6726 Szeged, Bal fasor 36. ground floor 5.
    • Tax Number: 60349095-2-26
    • Representative: László Szalma
    • Phone Number: +36 70 594 4281
    • Email Address: hosting@f6.hu
  2. Accounting and Payroll Service Provider

    To fulfill its tax and accounting obligations, our company contracts an external service provider for accounting services. This provider also handles the personal data of natural persons who are in a contractual or payment relationship with our company for fulfilling these obligations, as well as the personal data of employees for complying with tax, contribution, and social security obligations arising from employment relationships.

    Service Provider Name

    • Company Name: TOP-TAX Ltd.
    • Headquarters: 6727 Szeged, Fürst Sándor Street 50.
    • Company Registration Number: 06 09 012269
    • Tax Number: 14254532-2-06
    • Representative: Katalin Jámborné Miklós, Managing Director
    • Phone Number: +36 70 213 7742
    • Email Address: topadokft@gmail.com
  3. Postal Services, Delivery, Parcel Dispatch

    These data processors receive the personal data necessary for the delivery of postal items (data subject's name, address, phone number) from our company and use them to deliver the postal items.

    These Service Providers:

    Hungarian Post

  4. Occupational Health Service Provider

    This data processor handles the personal data of employees in connection with occupational health examinations on behalf of our company.

    Service Provider Name

    • Company Name: MEDISTAR Health Limited Liability Company
    • Headquarters: 6721 Szeged, Juhász Gyula Street 16.
    • Company Registration Number: 06 09 019176
    • Tax Number: 24077358-2-06
    • Representative: Dr. Andrea Ónodiné Papp, Managing Director
    • Phone Number: +36 62 425 499
    • Email Address: medistarkft@gmail.com
    • Website: http://www.medistar.hu/
  5. Legal Advisor Service Provider

    This data processor handles the personal data of individuals involved in legal matters on behalf of our company.

    Service Provider Name

    • Company Name: Dr. Anna Jelenfi Individual Attorney
    • Headquarters: 6600 Szentes, Vásárhelyi Street 3.
    • Tax Number: 45808058-3-26
    • Representative: Dr. Anna Jelenfi
    • Phone Number: +36 63 316 600
    • Email Address: jelenfiiroda@invitel.hu

CHAPTER III

DATA PROCESSING RELATED TO EMPLOYMENT

  1. Employment and Personnel Records
    1. Only such data may be requested and recorded from employees, and only such occupational medical fitness examinations may be conducted, which are necessary for establishing, maintaining, or terminating employment, or for providing social and welfare benefits, and do not infringe on the personal rights of employees.
    2. Based on the Company’s Legitimate Interest (Article 6(1)(f) of the Regulation), the Company processes the following personal data of employees for establishing, fulfilling, or terminating an employment relationship:
      1. name,
      2. birth name,
      3. date of birth,
      4. mother's name,
      5. address,
      6. citizenship,
      7. tax identification number,
      8. social security number (TAJ),
      9. pension registration number (for retired employees),
      10. phone number,
      11. email address,
      12. personal identification number,
      13. residence card number,
      14. bank account number,
      15. online identifier (if applicable),
      16. start and end date of employment,
      17. job title,
      18. copy of documents certifying educational qualifications and professional training,
      19. photo,
      20. resume,
      21. salary details, including payment and other benefits,
      22. debts to be deducted from salary by enforceable decision, law, or written consent,
      23. performance evaluations,
      24. reasons and manner of termination of employment,
      25. certificate of good conduct (depending on the job),
      26. summary of occupational fitness examinations,
      27. documents related to private pension fund and voluntary mutual insurance fund membership,
      28. passport number for foreign employees; details of documents proving work eligibility,
      29. data recorded in reports of workplace accidents involving the employee,
      30. results and evaluations of personality, ability, and skill assessments,
      31. all documents related to the rights of employees with reduced working capacity.
    3. The employer may process data concerning illness and trade union membership only for the purpose of fulfilling rights or obligations defined by the Labor Code.
    4. Recipients of personal data: the employer’s manager, the exercising authority of the employer's rights, employees handling personnel tasks, and data processors.
    5. Personal data of employees in executive positions may be forwarded to the owners of the Company.
    6. Retention period of personal data: 3 years after the termination of employment, except for documents necessary for calculating service time and pension.
    7. Before starting data processing, the employee must be informed that processing is based on the Labor Code and the employer’s legitimate interest.
  2. Data Processing Related to Fitness Examinations
    1. Only fitness examinations prescribed by employment-related regulations or necessary for exercising rights or fulfilling obligations specified by such regulations may be applied to employees. Before the examination, employees must be informed in detail about the purpose, tools, and methods of the examination. If the examination is prescribed by law, employees must also be informed of the law and the specific provision.
    2. Employers may require employees to complete test forms related to job fitness and preparedness both before and during the employment relationship.
    3. Psychological or personality trait assessments that involve a larger group of employees for improving work efficiency or organization may only be conducted anonymously unless the data can be linked to specific individuals.
    4. Scope of processable personal data: the fact of job fitness and conditions necessary for it.
    5. Legal basis for data processing: the employer’s legitimate interest.
    6. Purpose of data processing: establishing, maintaining, and fulfilling employment.
    7. Recipients or categories of recipients of personal data: the employee examined, the examining professional, the person exercising employer rights, and the supervisor of the employee.
    8. Retention period of personal data: 3 years after the termination of employment.
  3. Processing of Job Applicants' Data, Applications, and Resumes
    1. Scope of processable personal data: name, date and place of birth, mother’s name, address, qualifications, photo, phone number, email address, resume, cover letter, results and evaluations of personality, ability, and skill assessments, notes prepared by the employer.
    2. Purpose of data processing: evaluating applications and concluding employment contracts with selected candidates. Applicants must be informed if they are not selected.
    3. Legal basis for data processing: the applicant’s consent.
    4. Recipients or categories of recipients: individuals authorized to exercise employer rights, personnel employees, data processors, and those evaluating completed assessments.
    5. Retention period of personal data: until the evaluation of the application. Personal data of unselected applicants must be deleted, as well as data of those who withdraw their application.
    6. Applications may only be retained with the applicant’s explicit, clear, and voluntary consent, provided retention is necessary to achieve a lawful data processing purpose consistent with legal requirements. This consent must be requested after the recruitment process ends.

CHAPTER IV

DATA PROCESSING RELATED TO CONTRACTS

  1. Data Processing of Contract Partners – Record Keeping of Clients, Buyers, Suppliers
    1. On the legal basis of contract performance, the Company processes the following personal data of natural persons contracted as clients, buyers, or suppliers for the purpose of contract conclusion, performance, termination, or granting contract benefits:
      1. name
      2. birth name
      3. date of birth
      4. mother's name
      5. address
      6. tax identification number
      7. tax number
      8. entrepreneurial license number
      9. primary producer certificate number
      10. personal identification number
      11. address card number
      12. registered office, business site address
      13. phone number
      14. fax number
      15. email address
      16. website URL
      17. bank account number
      18. position
      19. client number (customer or order number)
      20. online identifier (e.g., lists of clients, suppliers, or loyalty program members).

      This data processing is considered lawful even if it is necessary to take steps at the request of the data subject prior to entering into a contract. Recipients of personal data: employees performing customer service, accounting, and tax-related tasks, as well as data processors. Data retention period: 8 years after the termination of the contract.

    2. Before starting data processing, the data subject must be informed that the legal basis for processing is contract performance, which can also be stated in the contract.
    3. The data subject must be informed if their personal data is shared with a data processor.
  2. Contact Information of Natural Person Representatives of Legal Entities (Clients, Buyers, Suppliers)
    1. Scope of processable personal data: name, address, phone number, email address, online identifier.
    2. Purpose of data processing: performance of the contract between the Company and its legal entity partner, business communication. Legal basis: consent of the data subject.
    3. Recipients of personal data: employees performing customer service tasks.
    4. Data retention period: 8 years after the end of the business relationship or of the representative's role.
  3. The customer service does not record telephone conversations.
  4. Visitor Data Processing on the Company's Website
    1. Cookies are small data files placed on the user's computer by the website visited. Cookies aim to facilitate and make the use of a given online service more convenient. There are several types, but they are generally categorized into two groups: temporary cookies, which are stored only during a specific session (e.g., security identification during online banking), and permanent cookies (e.g., website language settings) that remain on the computer until the user deletes them. According to the European Commission’s guidelines, cookies may only be placed on the user's device with their permission, except where they are strictly necessary for the use of a specific service.
    2. For cookies that do not require user consent, information must be provided during the user's first visit to the website. It is sufficient to display a brief summary of the cookie policy on the website, with a link to the full policy.
    3. For cookies requiring user consent, information should also be provided during the user's first visit if data processing related to cookie use begins immediately upon visiting the site. If cookie use is linked to a feature explicitly requested by the user, information may be provided alongside the use of that feature. In this case, a brief summary of the cookie policy with a link to the full policy suffices.
  5. Social Media Policy / Data Processing on the Company’s Facebook/LinkedIn Page
    1. The Company maintains Facebook/LinkedIn pages to promote and introduce its products and services.
    2. Questions posted on the Company’s Facebook/LinkedIn page do not qualify as officially submitted complaints.
    3. The Company does not process personal data published by visitors on its Facebook/LinkedIn page.
    4. Visitors are subject to the Facebook/LinkedIn Privacy and Service Terms.
    5. In cases of unlawful or offensive content, the Company reserves the right to exclude the person from its community or delete their comments without prior notice.
    6. The Company is not responsible for unlawful data content or comments posted by Facebook/LinkedIn users or for any operational errors, disruptions, or issues arising from changes in the Facebook/LinkedIn system.

CHAPTER V

DATA PROCESSING BASED ON LEGAL OBLIGATIONS

  1. Data Processing for Tax and Accounting Obligations
    1. The Company processes the legally specified personal data of natural persons who engage in business relationships with it as customers or suppliers, on the legal basis of fulfilling tax and accounting obligations (bookkeeping, taxation). The processed data, as defined by the relevant laws, include tax number, name, address, tax status, and other data stipulated by applicable tax and accounting laws.
    2. Personal data is retained for 8 years following the termination of the legal relationship providing the legal basis.
    3. Recipients of personal data: employees and data processors of the Company responsible for tax, accounting, payroll, and social security tasks.
  2. Data Processing for Payer Obligations
    1. The Company processes personal data as required by law for fulfilling tax, social security, and payroll obligations of individuals with whom it has a payer relationship (employees, family members, other beneficiaries). Processed data include personal identification information, tax identification number, social security number, and data related to health and union membership if legally required.
    2. Personal data is retained for 8 years following the termination of the legal relationship providing the legal basis.
    3. Recipients of personal data: employees and data processors of the Company responsible for taxation, payroll, and social security tasks.
  3. Data Processing for Archival Records
    1. The Company processes archival records deemed of permanent value under the Archival Law for the preservation and future use of the Company's archival materials.
    2. The duration of data retention is governed by the Archival Law until the transfer to the public archive.
  4. Data Processing for Anti-Money Laundering Obligations
    1. The Company processes personal data of clients, representatives, and ultimate beneficial owners to prevent money laundering and terrorist financing, as required by the Anti-Money Laundering Act. Processed data include name, citizenship, date and place of birth, address, ID document type and number, and a copy of the presented documents.
    2. Recipients of personal data: employees responsible for client services, the Company’s management, and the designated officer under the Anti-Money Laundering Act.
    3. Personal data is retained for 8 years following the end of the business relationship or the execution of the business transaction.

CHAPTER VI

INFORMATION ON DATA SUBJECT RIGHTS

I. Summary of Data Subject Rights

  1. Right to transparent information, communication, and facilitation of rights exercise
  2. Right to information when data is collected from the data subject
  3. Right to information when data is not collected from the data subject
  4. Right of access
  5. Right to rectification
  6. Right to erasure ('Right to be Forgotten')
  7. Right to restriction of processing
  8. Notification obligation regarding rectification or erasure of personal data or restriction of processing
  9. Right to data portability
  10. Right to object
  11. Rights related to automated individual decision-making, including profiling
  12. Restrictions
  13. Right to be informed about a personal data breach
  14. Right to lodge a complaint with a supervisory authority
  15. Right to effective judicial remedy against a supervisory authority
  16. Right to effective judicial remedy against a data controller or processor

II. Detailed Explanation of Data Subject Rights

  1. Transparent Information, Communication, and Facilitation of Rights Exercise
    1. The data controller must provide all information and communication relating to data processing in a concise, transparent, intelligible, and easily accessible form, using clear and plain language, especially for children. The information may be provided in writing, electronically, or orally, provided the identity of the data subject is verified by other means.
    2. The data controller must facilitate the exercise of data subject rights.
    3. The data controller must inform the data subject without undue delay and within one month of receiving a request about the action taken. This period may be extended by two months if necessary, with notification to the data subject.
    4. If no action is taken, the data controller must inform the data subject within one month of the reasons and the possibility to lodge a complaint with a supervisory authority or seek judicial remedy.
    5. Information and actions regarding the rights of the data subject are provided free of charge, except where fees are permitted under the Regulation.

    The detailed rules can be found under Article 12 of the Regulation.

  2. Right to prior information – if personal data is collected from the data subject
    1. The data subject has the right to be informed about facts and information related to data processing before it begins. In this context, the data subject must be informed about:
      1. the identity and contact details of the data controller and its representative
      2. the contact details of the data protection officer (if applicable)
      3. the purpose of the intended processing of personal data and the legal basis for processing
      4. in the case of processing based on legitimate interest, the legitimate interests of the data controller or a third party
      5. the recipients of the personal data – with whom the personal data will be shared – or the categories of recipients, if applicable;
      6. if applicable, the fact that the data controller intends to transfer personal data to a third country or an international organization.

    2. To ensure fair and transparent data processing, the data controller must provide the data subject with the following additional information:
      1. the duration of personal data storage, or if this is not possible, the criteria used to determine this duration;
      2. the data subject’s right to request access, rectification, erasure, or restriction of processing of personal data concerning them, and to object to such processing, as well as the right to data portability;
      3. in the case of data processing based on the data subject’s consent, the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
      4. the right to lodge a complaint with a supervisory authority;
      5. whether the provision of personal data is a statutory or contractual requirement or a prerequisite for entering into a contract, as well as whether the data subject is obliged to provide personal data and the possible consequences of failure to provide such data;
      6. the existence of automated decision-making, including profiling, and, at least in such cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
    3. If the data controller intends to process personal data for a purpose other than that for which it was collected, the data subject must be informed of this other purpose and any relevant additional information before further processing.

    The detailed rules of the right to prior information are included in Article 13 of the Regulation.

  3. Right to information when data is not collected from the data subject
    1. If the data controller did not obtain personal data from the data subject, the data subject must be informed within one month of obtaining the personal data at the latest; if the data is used for communication with the data subject, at least at the time of the first communication with the data subject; or, if disclosure to another recipient is envisaged, at the latest at the time the personal data is first disclosed.
    2. Further rules are governed by the provisions set out in the previous point (Right to prior information).

    The detailed rules of this information are included in Article 14 of the Regulation.

  4. The right of access by the data subject
    1. The data subject has the right to obtain confirmation from the data controller as to whether or not personal data concerning them is being processed, and, where that is the case, access to the personal data and the related information mentioned in the previous points (Article 15 of the Regulation).
    2. If personal data is transferred to a third country or an international organization, the data subject has the right to be informed of the appropriate safeguards pursuant to Article 46 of the Regulation.
    3. The data controller must provide the data subject with a copy of the personal data undergoing processing. For any further copies requested by the data subject, the data controller may charge a reasonable fee based on administrative costs.

    The detailed rules for the right of access of the data subject are included in Article 15 of the Regulation.

  5. The right to rectification
    1. The data subject has the right to obtain from the data controller without undue delay the rectification of inaccurate personal data concerning them.
    2. Taking into account the purposes of the processing, the data subject has the right to have incomplete personal data completed, including by means of providing a supplementary statement.

    These rules are included in Article 16 of the Regulation.

  6. Right to erasure (‘right to be forgotten’)
    1. The data subject has the right to obtain from the controller the erasure of personal data concerning them without undue delay, and the controller has the obligation to erase personal data without undue delay where one of the following applies:
      1. the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
      2. the data subject withdraws consent on which the processing is based, and there is no other legal ground for the processing;
      3. the data subject objects to the processing and there are no overriding legitimate grounds for the processing;
      4. the personal data have been unlawfully processed;
      5. the personal data have to be erased for compliance with a legal obligation under Union or Member State law to which the controller is subject;
      6. the personal data have been collected in relation to the offer of information society services directly to a child.
    2. The right to erasure does not apply to the extent that processing is necessary:
      1. for exercising the right of freedom of expression and information;
      2. for compliance with a legal obligation which requires processing by Union or Member State law or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
      3. for reasons of public interest in the area of public health;
      4. for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes insofar as the right to erasure is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
      5. for the establishment, exercise, or defense of legal claims.

    The detailed rules for the right to erasure are included in Article 17 of the Regulation.

  7. Right to restriction of processing
    1. Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with the data subject’s consent or for the establishment, exercise, or defense of legal claims, or for the protection of the rights of another natural or legal person, or for reasons of important public interest of the Union or of a Member State.
    2. The data subject has the right to obtain from the controller restriction of processing where one of the following applies:
      1. the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
      2. the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
      3. the controller no longer needs the personal data for the purposes of processing, but they are required by the data subject for the establishment, exercise, or defense of legal claims; or
      4. the data subject has objected to processing pending the verification of whether the legitimate grounds of the controller override those of the data subject.
    3. The data subject shall be informed before the restriction of processing is lifted.

    The relevant rules are included in Article 18 of the Regulation.

  8. Notification obligation regarding rectification or erasure of personal data or restriction of processing
    The controller shall communicate any rectification or erasure of personal data or restriction of processing carried out in accordance with this Regulation to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The controller shall inform the data subject about those recipients if the data subject requests it.

    These rules can be found under Article 19 of the Regulation.

  9. Right to data portability
    1. Under the conditions laid down in the Regulation, the data subject shall have the right to receive the personal data concerning them, which they have provided to a controller, in a structured, commonly used, and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:
      1. the processing is based on consent or on a contract; and
      2. the processing is carried out by automated means.
    2. The data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.
    3. The exercise of the right to data portability shall be without prejudice to Article 17 of the Regulation (right to erasure). This right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. This right shall not adversely affect the rights and freedoms of others.

    The detailed rules are included in Article 20 of the Regulation.

  10. Right to object
    1. The data subject shall have the right to object, on grounds relating to their particular situation, at any time to processing of personal data concerning them which is based on public interest, official authority (Article 6(1)(e)) or legitimate interest (Article 6(1)(f)), including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the data subject or for the establishment, exercise, or defense of legal claims.
    2. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning them for such marketing, which includes profiling to the extent that it is related to such direct marketing. If the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
    3. The right referred to in this section shall be explicitly brought to the attention of the data subject at the latest at the time of the first communication with the data subject, and shall be presented clearly and separately from any other information.
    4. The data subject may exercise their right to object by automated means using technical specifications.
    5. Where personal data are processed for scientific or historical research purposes or statistical purposes, the data subject shall have the right, on grounds relating to their particular situation, to object to processing of personal data concerning them, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

    The relevant rules are included in the Regulation's article.

  11. Automated individual decision-making, including profiling
    1. The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them.
    2. This right shall not apply where the decision:
      1. is necessary for entering into, or performance of, a contract between the data subject and a data controller;
      2. is authorized by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or
      3. is based on the data subject’s explicit consent.
    3. In the cases referred to in points 1 and 3 of the preceding list, the controller shall implement suitable measures to safeguard the data subject’s rights, freedoms, and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express their point of view, and to contest the decision.

    Further rules are included in Article 22 of the Regulation.

  12. Restrictions
    1. Union or Member State law to which the controller or processor is subject may restrict, by way of a legislative measure, the scope of the rights and obligations (Articles 12-22, 34, Article 5) when such a restriction respects the essence of the fundamental rights and freedoms.

    The conditions of this restriction are included in Article 23 of the Regulation.

  13. Communication of a personal data breach to the data subject
    1. Where a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay. The communication to the data subject shall describe in clear and plain language the nature of the personal data breach and shall, at least:
      1. include the name and contact details of the data protection officer or other contact point where more information can be obtained;
      2. describe the likely consequences of the personal data breach;
      3. describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
    2. The communication to the data subject shall not be required if any of the following conditions are met:
      1. the controller has implemented appropriate technical and organizational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorized to access it, such as encryption;
      2. the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects referred to in paragraph 1 is no longer likely to materialize;
      3. the communication would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.

    Further rules are included in Article 34 of the Regulation.

  14. Right to lodge a complaint with a supervisory authority
    The data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of their habitual residence, place of work, or place of the alleged infringement, if the data subject considers that the processing of personal data relating to them infringes this Regulation. The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint, including the possibility of a judicial remedy.

    The detailed rules of the right to prior information are included in Article 13 of the Regulation.

    Supervisory Authority:

    Hungarian National Authority for Data Protection and Freedom of Information

  15. Right to an effective judicial remedy against a supervisory authority
    1. Without prejudice to any other administrative or non-judicial remedy, every natural or legal person shall have the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning them.
    2. Without prejudice to any other administrative or non-judicial remedy, every data subject shall have the right to an effective judicial remedy where the competent supervisory authority does not handle a complaint or does not inform the data subject within three months on the progress or outcome of the complaint lodged.
    3. Proceedings against a supervisory authority shall be brought before the courts of the Member State where the supervisory authority is established.
    4. Where proceedings are brought against a decision of a supervisory authority which was preceded by an opinion or a decision of the Board in the consistency mechanism, the supervisory authority shall forward that opinion or decision to the court.

    These rules are included in Article 78 of the Regulation.

  16. Right to an effective judicial remedy against a controller or processor
    1. Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority, every data subject shall have the right to an effective judicial remedy where they consider that their rights under this Regulation have been infringed as a result of the processing of their personal data in non-compliance with this Regulation.
    2. Proceedings against a controller or processor shall be brought before the courts of the Member State where the controller or processor has an establishment. Alternatively, such proceedings may be brought before the courts of the Member State where the data subject has their habitual residence, unless the controller or processor is a public authority of a Member State acting in the exercise of its public powers.

    These rules are included in Article 79 of the Regulation.


Dated: Szeged, on April 9, 2021

Aventail Service and IT Consulting Limited Liability Company

represented by: László Szalma, managing director