General Data Protection Regulation - GDPR part 2

Rental service (rental of ski / snowboard equipment, rental of test track)

1.The fact of data collection, the scope of the data being processed and the purpose of data management:

 Our product is not available in our shop and is ordered by buyer

1.The fact of data collection, the scope of the data being processed and the purpose of data management:

 Skiing, cycling test days and other programs

1.The fact of data collection, the scope of the data being processed and the purpose of data management:

Sports equipment (bicycle, skis, snowboard, ski boots, snowboard boots)

 1.The fact of data collection, the scope of the data being processed and the purpose of data management:

 2. Data management mode: paper, service booklet

3. Method of deletion: after service, destroy the paper

Managing Warranty Matters

 1.The fact of data collection, the scope of the data being processed and the purpose of data management:

 2. Data management mode: garanciális jegyzőkönyv

3. Method of deletion: the signature of the protocol after the transaction

Customer relations and other data management

 1.If the data handler is questioned when using our services, he / she may have a problem with the person concerned, he or she may contact the data manager using the methods provided on the website (phone, email, social networking sites, etc.)

 2.Data Manager is the received email, messages, phone, Facebook, etc. the information given with the name and e-mail address of the interested party and other voluntarily entered personal data will be erased after a maximum of 2 years from the date of disclosure.

 3.Data management not listed in this information is provided when data is included.

 4.The Service Provider is obliged to provide information, communicate, transfer or provide documentation on the basis of an exceptional authority request or the authorization of the law in case of request of other bodies.

 5.In these cases, the Service Provider shall provide the Requesting Party with personal data only to the extent and to the extent that it is indispensable to achieve the purpose of the request, in so far as it indicates the exact purpose and scope of the data.

Rights of affected persons

 1.   Right of access

 You are entitled to receive feedback from the data controller about whether your personal data is being processed and, if such processing is in progress, you have the right to have access to your personal information and the information listed in the decree.

 2.   Right to rectification

 You are entitled to request the data controller to rectify any inaccurate personal information that he or she is required to do without undue delay. Taking into account the purpose of data management, you are entitled to request the supplementation of incomplete personal data, including by means of a supplementary statement

 3.   The right to cancel

 You are entitled to request that the data controller, without undue delay, disclose personal information about you, and the data controller is obliged to delete personal information about you, without undue delay, under certain conditions.

 4.   The Right to Forgive

 If the data controller has disclosed the personal data and is required to cancel it, taking reasonable steps, including technical measures, to take into account the cost of technology available and the costs of implementation, in order to inform the data controllers handling the data that you have applied for the personal data in question pointing links or deleting a duplicate or duplicate of these personal data.

 5.   Right to Restrict Data Management

 You are entitled to request that your data controller restricts your data handling if one of the following conditions is met:

 ·         You dispute the accuracy of personal data, in this case the restriction refers to the time period that allows the data controller to verify the accuracy of personal data;

 ·         data handling is illegal and you are opposed to deleting the data and instead asks for their use to be restricted;

 ·         the data controller no longer needs personal data for data processing, but you require them to submit, enforce, or protect legal claims;

 ·         You have protested against data processing; in this case, the restriction applies to the duration of determining whether the data controller's legitimate reasons prevail over your legitimate grounds.

 6.   The right to data storage

 You are entitled to receive personal data that is made available to you by a data controller in a fragmented, widely used machine-readable format and is entitled to transfer this data to another data controller without this being obstructed by the data controller whose provided personal information to you

 7.   Right to protest

 You are entitled, at any time, to object to your personal data for reasons of your own situation, including profiling based on these provisions.

 8.   Protest in case of direct business acquisition

 If your personal data is handled for direct business, you are entitled to protest at any time against the processing of any personal data relating to it, including profiling, if it is related to direct business acquisition. If you object to personal data being handled for direct business purposes, your personal information can no longer be handled for that purpose.

 9.   Automated decision-making in individual cases, including profiling

 You are entitled to exclude the scope of any decision based solely on automated data handling, including profiling, which would have a bearing on it or affect it significantly. The preceding paragraph shall not apply if the decision is made:

 ·         You need to conclude or complete a contract between you and the data controller;

 ·        is made possible by the law of the Union or of the Member States applicable to the data controller, which also lays down appropriate measures to protect your rights and freedoms and legitimate interests; or

 ·         You are based on your explicit consent.

 Deadline for action

 The data controller shall inform you, without undue delay, within 1 month of receipt of the request, of the measures taken on the above applications

 If necessary, it may be extended by 2 months. The controller will inform you about the extension of the deadline by indicating the cause of the delay within 1 month of receipt of the request.

 If the data controller fails to take measures upon your request, he or she will notify you without delay and at the latest within one month of the receipt of the request for reasons of non-action and whether you may file a complaint with a supervisory authority and exercise his or her remedy.

Security of data handling

 The data controller and the data processor shall take appropriate technical and organizational measures to take into account the state of science and technology and the costs of implementation, the nature, scope, circumstances and objectives of data management and the risk of varying probability and severity of natural persons' rights and freedoms to guarantee an adequate level of data security, including, inter alia, where appropriaten:

• a. the pseudonymization and encryption of personal data;
• b. ensuring the continued confidentiality, integrity, availability and resilience of the systems and services used to manage personal data;
• c. in the case of physical or technical incidents, the ability to restore access to personal data and the availability of data in a timely manner;
• d. a method for systematically testing, assessing and evaluating the effectiveness of technical and organizational measures to ensure the security of data processing.

Inform the person concerned about the privacy incident

 If the privacy incident is likely to pose a high risk to the rights and freedoms of natural persons, the data controller shall inform the data subject of the data protection incident without undue delay.

 Information given to the data subject should be clearly and easily understood and the nature of the privacy incident must be disclosed and the name and contact details of the Data Protection Officer or other contact person providing additional information should be disclosed; the likely consequences of a data protection incident should be described; the measures taken or planned by the data controller to remedy the data protection incident, including, where appropriate, measures to mitigate the potential adverse effects of the data protection incident.

 The person concerned shall not be informed if any of the following conditions are met:

 the data controller has implemented appropriate technical and organizational protection measures and applied those measures to the data covered by the data protection incident, in particular measures such as the use of encryption that make it impossible for persons who are unauthorized to access personal data to data

• after the data protection incident, the data controller has taken further measures to ensure that high risk for the rights and freedoms of the person concerned is no longer likely to occur
• the information would require disproportionate effort. In such cases, the data subject shall be informed by means of publicly disclosed information or a similar measure shall be taken to ensure that such information is equally effective.

 If the data controller has not yet notified the data subject of the data protection incident, the supervisory authority may, after considering whether the privacy incident is likely to pose a high risk, may inform the data subject.

Report a privacy incident to the authority

 The data protection incident shall be reported to the supervisory authority under Article 55 without undue delay and, if possible, no later than 72 hours after the data protection incident becomes known, unless the data protection incident is unlikely to pose a risk to the rights of natural persons and freedom. If the notification is not filed within 72 hours, the reasons for proving the delay must also be enclosed.

Complaint Opportunity

 You can lodge a complaint against a possible infringement of the data controller with the National Data Protection and Information Authority:

 National Data Protection and Information Authority

• H-1125 Budapest, Szilágyi Erzsébet fasor 22/C.
• Post address: 1530 Budapest, Postafiók: 5.
• Phone number: +36 -1-391-1400
• Fax: +36-1-391-1410
• E-mail: ugyfelszolgalat@naih.hu

 Closing Remarks

During the preparation of the prospectus we have been following the following legislation:

• REGULATION (EEC) No 2016/67 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL (April 2016) on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Regulation (EC) No 95/46 (General Data Protection Regulation) 27.)
• 2011 CXII. Act on Information Self-Destruction and Freedom of Information (hereinafter: Info Act).
• CVIII. Act on Electronic Commerce Services and Information Society Services (in particular Section 13 / A)
• 2008 XLVII. Act on the Prohibition of Unfair Commercial Practices against Consumers;
  
• XLVIII of 2008. of the Act on the Basic Conditions and Limitations of Commercial Advertising Activity (in particular Article 6)
• 2005 XC. Law on Electronic Freedom of Information
• Act C of 2003 on Electronic Communications (specifically Article 155)
• 16/2011. s. an opinion on the EASA / IAB Recommendation on Best Practice in Behavioral Online Advertising
• Recommendation of the National Data Protection and Information Authority on the data protection requirements for prior information
• Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Regulation (EC) No 95/46.