Privacy Policy

INTRODUCTION
YM Design Ltd. (1037 Budapest Nyereg út 23., tax ID: 32404214-2-41, company registration number: 01-09-422365) (hereinafter referred to as the "Service Provider," data controller) adheres to the following policy. We provide the following information in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). This privacy policy regulates the processing of data on the following pages: www.yellowmelone.com. The privacy policy is available at the following link: https://yellowmelone.com/pages/privacy-policy. Any amendments to the policy will become effective upon publication at the above address.
 
DATA CONTROLLER AND CONTACT DETAILS:
Name: YM Design Ltd.
Registered Office: 1037 Budapest, Nyereg út 23.
Email: hello@yellowmelone.com
 
DEFINITIONS 
  1. "Personal data": any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
  2. "Data processing": any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
  3. "Data controller": a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
  4. "Data processor": a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
  5. "Recipient": a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. Public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.
  6. "Consent of the data subject": any freely given, specific, informed, and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
  7. "Data breach": a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
 
PRINCIPLES REGARDING THE PROCESSING OF PERSONAL DATA
The processing of personal data should adhere to the following principles:
  1. It must be carried out lawfully, fairly, and in a transparent manner for the data subject ("lawfulness, fairness, and transparency").
  2. Personal data should only be collected for specified, explicit, and legitimate purposes, and should not be processed in a way that is incompatible with these purposes. Processing for further purposes such as public archiving, scientific and historical research, or statistical purposes, in accordance with Article 89(1), shall not be considered incompatible with the original purposes ("purpose limitation").
  3. Personal data must be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed ("data minimization").
  4. Data must be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that inaccurate personal data are promptly deleted or corrected in view of the purposes for which they are processed ("accuracy").
  5. Data should be stored in a form that permits identification of data subjects only for the time necessary for the purposes for which the personal data are processed. Personal data may be stored for a longer period only if processed for archiving purposes in the public interest, scientific and historical research purposes, or statistical purposes, subject to the implementation of appropriate technical and organizational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject ("limited storage").
  6. Processing must be carried out in a manner that ensures appropriate security of personal data, including protection against unauthorized or unlawful processing, accidental loss, destruction, or damage, by implementing suitable technical or organizational measures ("integrity and confidentiality").
The data controller is responsible for ensuring compliance with the above, and must be able to demonstrate this compliance ("accountability").
 
DATA PROCESSING - DATA PROCESSING RELATED TO E-COMMERCE OPERATIONS
  1. The Fact of Data Collection, Scope of Processed Data, and Purpose of Data Processing:

Personal Data: Purpose of Data Processing
  • User Name: Identification, enabling registration.
  • Password: Ensuring secure access to the user account.
  • First and Last Name: Necessary for contact, purchase, and proper invoice issuance.
  • Email Address: Communication purposes.
  • Phone Number: Contact purposes, efficient coordination of billing or delivery-related queries.
  • Billing Name and Address: Issuing proper invoices, creating, defining, and monitoring contracts, billing for associated fees, and enforcing related claims.
  • Shipping Name and Address: Facilitating home delivery.
  • Date/Time of Purchase/Registration: Execution of technical operations.
  • IP Address at the time of Purchase/Registration: Execution of technical operations.

 
Note: Neither the username nor the email address needs to contain personal data. These data processing activities are conducted to fulfill the necessary functions related to the operation of the online store. The information collected is used for identification, communication, and the efficient execution of transactions, ensuring a secure and personalized experience for users.
  2. Scope of Data Subjects: All registered/purchasing individuals on the webshop website.
  3. Duration of Data Processing, Deadline for Data Deletion: Immediate upon deletion of registration, except for accounting documents, as according to Section 169(2) of Act C of 2000 on Accounting, such data must be preserved for 8 years.
Accounting documents, directly and indirectly supporting accounting reconciliation (including general ledger accounts, analytical, or detailed records), must be kept legible for a minimum of 8 years in a retrievable form based on references in accounting entries.
  4. Identity of Possible Data Processors Authorized to Access the Data, Recipients of Personal Data: Personal data may be processed by the sales and marketing staff of the data controller, while respecting the above principles.
  5. Explanation of Data Subject's Rights Regarding Data Processing:
  • The data subject may request access, correction, deletion, or restriction of processing related to their personal data, and may object to the processing of such personal data, as well as
  • has the right to data portability and the right to withdraw consent at any time.
  6. The data subject can initiate access to personal data, their deletion, modification, or processing restriction, data portability, and objections to data processing through the following means:
  7. Legal Basis for Data Processing:
    • Consent of the data subject, Article 6(1)(a), Section 5(1) of the Information Act.
    • Act CVIII of 2001 on Certain Issues of Electronic Commerce Services and Information Society Services (hereinafter: Elker Act) Section 13/A(3): The service provider may process personal data that is technically essential for providing the service. The service provider must choose and operate tools used in providing information society services in a manner that personal data processing only occurs if absolutely necessary for providing the service and fulfilling other purposes specified in this law, and even then, only to the necessary extent and duration.
    • Issuing invoices in accordance with accounting regulations, Article 6(1)(c).
  8. We inform you that:
  • Data processing is based on your consent.
  • It is mandatory to provide personal data for order fulfillment.
  • Failure to provide data will result in the inability to process your order.
 
DATA PROCESSORS USED
Shipping
  1. Activity provided by the data processor: Delivery of products, transportation.
  2. Name and contact information of the data processor:
GLS General Logistics Systems Hungary Package Logistics Ltd.
2351 Alsónémedi, Európa u. 2.
Email: info@gls-hungary.com
Phone: +36 1 802 0265
https://gls-group.eu/HU/hu/adatvedelmi-szabalyzat
DHL Express Hungary Ltd.
3200 Gyöngyös, Batsányi János utca 9.
Phone: 06-1-245-245
https://www.dhl.com/hu-hu/home/kapcsolatfelvetel.h...
  3. The fact of data processing, the scope of processed data: Shipping name, shipping address, phone number, email address.
  4. Scope of data subjects: All individuals requesting home delivery.
  5. Purpose of data processing: Delivery of the ordered product.
  6. Duration of data processing, deadline for data deletion: Until the completion of home delivery.
  7. Legal basis for data processing: User consent, Article 6(1)(a), Section 5(1) of the Information Act.
Online Payment
  1. Activity provided by the data processors: Online payment.
  2. Name and contact information of the data processors:
Stripe Payments UK, Ltd
Headquarters: 7th Floor, The Bower Warehouse, 211 Old Street, London EC1V 9NR, United Kingdom
Email: info@stripe.com
PayPal Holdings Inc.
Headquarters: PayPal (Europe) S.à r.l. et Cie, S.C.A. Société en Commandite par Actions Registered Office: 22–24 Boulevard Royal, L-2449 Luxembourg RCS Luxembourg B 118 349
Email: service@intl.paypal.com
SimplePay – OTP Mobil Kft - https://simplepay.hu/vasarlo-aff/
  3. The fact of data processing, the scope of processed data: Billing name, billing address, email address.
  4. Scope of data subjects: All individuals requesting online purchases.
  5. Purpose of data processing: Processing online payments, confirming transactions, and conducting fraud monitoring to protect users against abuse.
  6. Duration of data processing, deadline for data deletion: Until the completion of online payment.
  7. Legal basis for data processing: User consent, Section 5(1) of the Information Act, Article 6(1)(a), and Section 13/A(3) of Act CVIII of 2001 on Certain Issues of Electronic Commerce Services and Information Society Services.
Web hosting service provider
  1. Activity provided by the data processor: Web hosting service.
  2. Name and contact information of the data processor:
Shopify Inc. - 150 Elgin Street, 8th Floor. Ottawa, ON K2P 1L4, Canada
  3. The fact of data processing, the scope of processed data: All personal data provided by the data subject.
  4. Scope of data subjects: All individuals using the website.
  5. Purpose of data processing: Making the website accessible and ensuring its proper operation.
  6. Duration of data processing, deadline for data deletion: Data processing continues until the termination of the agreement between the data controller and the web hosting service provider or until the data subject submits a deletion request to the hosting service provider.
  7. Legal basis for data processing: User consent, Section 5(1) of the Information Act, Article 6(1)(a), and Section 13/A(3) of Act CVIII of 2001 on Certain Issues of Electronic Commerce Services and Information Society Services.
Other data processors (accounting, invoicing):
NKSZ Adó Tanácsadó és Szolgáltató Korlátolt Felelősségű Társaság. Headquarters: 1145 Budapest, Korong utca 15, Basement 1.
Company providing online invoicing services: Billingo Technologies Zártkörűen Működő Részvénytársaság. Headquarters and central administration: 1133 Budapest, Árbóc utca 6. Company Registration Number: 01-10-140802. Tax Identification Number: 27926309-2-41
 
COOKIE MANAGEMENT
  1. Cookies typically used for online stores include the "password-protected session cookies," "shopping cart necessary cookies," and "security cookies," for which prior consent is not required from the data subjects.
  2. The fact of data processing, the scope of processed data: Unique identifier, dates, timestamps.
  3. Scope of data subjects: All visitors to the website.
  4. Purpose of data processing: Identification of users, tracking the "shopping cart," and monitoring visitors.
  5. Duration of data processing, deadline for data deletion:
    • Cookie type: Session cookies.
    • Legal basis for data processing: Section 13/A (3) of Act CVIII of 2001 on certain issues of electronic commerce services and information society services (Elkertv.).
    • Duration of data processing: Until the respective visitor's session is closed.
  6. Possible data processors authorized to access the data: The data controller does not process personal data through the use of cookies.
  7. Explanation of the data subjects' rights related to data processing: Data subjects have the option to delete cookies in the browser's Tools/Settings menu, generally under the Privacy settings.
  8. Legal basis for data processing: Prior consent from the data subject is not required if the sole purpose of using cookies is the transmission of communications over an electronic communications network or if it is strictly necessary for providing a service expressly requested by the subscriber or user related to information society services.
  9. Additional information about cookies: https://www.shopify.com/legal/cookies
 
GOOGLE ADWORDS CONVERSION TRACKING USAGE
  1. The data controller uses the online advertising program called "Google AdWords" and, within its framework, utilizes the Google Conversion Tracking service. Google Conversion Tracking is an analytical service provided by Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; "Google").
  2. When a user accesses a website through a Google advertisement, a conversion tracking cookie is placed on their computer. The validity of these cookies is limited, and they do not contain any personal data, making the user non-identifiable.
  3. If the user browses certain pages of the website while the cookie is still valid, both Google and the data controller can see that the user clicked on the ad.
  4. Each Google AdWords customer receives a different cookie, making it impossible to track them through the websites of other AdWords customers.
  5. The information obtained through conversion tracking cookies is used to create conversion statistics for customers who have opted for AdWords conversion tracking. This allows customers to learn about the number of users who clicked on their ad and were redirected to a page with a conversion tracking tag. However, no information that could identify any individual user is accessible.
  6. If you do not want to participate in conversion tracking, you can refuse it by disabling the installation of cookies in your browser. In that case, you will not be included in the conversion tracking statistics.
  7. Further information and Google's privacy policy can be found on the following page: www.google.de/policies/privacy/
 
GOOGLE ANALYTICS APPLICATION
  1. This website uses the Google Analytics application, a web analytics service provided by Google Inc. ("Google"). Google Analytics uses so-called "cookies," text files stored on your computer, to help analyze your use of the website.
  2. The information created by cookies related to the use of the website by the user is usually transferred to and stored on a Google server in the USA. By activating IP anonymization on the website, Google shortens the user's IP address within EU member states or other countries that are party to the agreement on the European Economic Area.
  3. Full IP addresses are only transmitted to and shortened on Google servers in exceptional cases. On behalf of the operator of this website, Google will use this information to evaluate how users use the website, generate reports for the website operator regarding website activity, and provide other services related to website and internet use.
  4. The IP address transmitted by the user's browser within the framework of Google Analytics will not be associated with other Google data. Users can prevent cookies from being stored by adjusting their browser settings; however, please note that, in this case, not all features of this website may be fully usable. Users can also prevent Google from collecting and processing data related to their website usage (including the IP address) through cookies by downloading and installing the browser plugin available at the following link: https://tools.google.com/dlpage/gaoptout?hl=hu
 
NEWSLETTER, DIRECT MARKETING ACTIVITY
  1. Pursuant to Section 6 of Act XLVIII of 2008 on the essential conditions and certain limitations of economic advertising activities, the User can expressly and in advance consent to the Service Provider contacting them with advertising offers and other communications at the contact details provided during registration.
  2. Additionally, keeping the provisions of this information in mind, the Customer can consent to the Service Provider processing their personal data necessary for sending advertising offers.
  3. The Service Provider does not send unsolicited advertising messages, and the User can freely unsubscribe from receiving offers without restriction or justification. In this case, the Service Provider deletes all personal data necessary for sending advertising messages from its records and does not contact the User with further advertising offers. The User can unsubscribe from ads by clicking the link in the message.
  4. The fact of data collection, the scope of processed data, and the purpose of data processing: Personal data: Name, email address. Purpose of data processing: Identification, enabling subscription to the newsletter. Date of subscription: Execution of technical operations. IP address at the time of subscription: Execution of technical operations.
  5. The scope of data subjects: All individuals subscribing to the newsletter.
  6. Purpose of data processing: Sending electronic messages containing advertisements (email, SMS, push messages) to the data subject, providing information about current news, products, promotions, new features, etc.
  7. Duration of data processing, deadline for data deletion: Data processing lasts until the withdrawal of consent, i.e., until unsubscribing.
  8. Data processor used in data processing: MailChimp, The Rocket Science Group, LLC, 675 Ponce de Leon Ave NE, Suite 5000, Atlanta, GA 30308 USA
  9. Possible data controllers authorized to access the data, recipients of personal data: The personal data may be processed by the sales and marketing employees of the data controller, respecting the above principles.
  10. Description of the rights of data subjects regarding data processing:
  • The data subject may request access to their personal data, correction, deletion, or restriction of processing from the data controller.
  • The data subject has the right to object to the processing of such personal data.
  • The data subject has the right to data portability and the right to withdraw consent at any time.
  11. Data subjects can initiate access to personal data, its deletion, modification, or restriction of processing, data portability, and objections to data processing in the following ways:
  • By mail at 1037 Budapest, Nyereg út 23.
  • By email at hello@yellowmelone.com
  12. The data subject can unsubscribe from the newsletter at any time, free of charge.
  13. The legal basis for data processing: the consent of the data subject, Article 6(1)(a), Section 5(1) of Act CXII of 2011 on Informational Self-Determination and Freedom of Information (Infotv.), and Section 6(5) of Act XLVIII of 2008 on the essential conditions and certain limitations of economic advertising activities: Advertisers, advertising service providers, or publishers – within the scope determined by the consent – keep a register of personal data of persons making a consenting statement. Data recorded in this register related to the recipient of the advertisement can only be processed in accordance with the content of the consenting statement until its withdrawal, and can only be transferred to a third party with the prior consent of the person concerned.
  14. Please note that:
  • Data processing is based on your consent.
  • You are obliged to provide personal data if you want to receive newsletters from us.
  • Failure to provide data will result in the consequence that we cannot send you a newsletter.
 
COMPLAINT HANDLING
  1. The fact of data collection, the scope of processed data, and the purpose of data processing:

Personal Data: Purpose of Data Processing
  • First and Last Name: Identification, maintaining contact.
  • Email Address: Maintaining contact.
  • Phone Number: Maintaining contact.
  • Billing Name and Address: Identification, handling quality issues, questions, and problems related to ordered products.

 
  2. Scope of Individuals: All individuals who make a purchase on the webshop website and those raising quality concerns or filing complaints.
  3. Duration of Data Processing, Deadline for Data Deletion: Records of complaints, transcripts, and copies of responses, based on the Consumer Protection Act CLV of 1997, must be retained for 5 years.
  4. Possible Data Processors and Recipients Authorized to Access the Data: Personal data may be handled by sales and marketing staff of the data controller, adhering to the principles mentioned above.
  5. Explanation of the Rights of Individuals Regarding Data Processing: Individuals have the right to request access, correction, deletion, or restriction of their personal data.
  • They have the right to object to the processing of personal data and the right to data portability.
  • Requests for access, deletion, modification, or restriction of data, as well as objections to data processing, can be initiated through postal mail to Nyereg út 23, 1037 Budapest, or via email to hello@yellowmelone.com.
  6. Legal Basis of Data Processing: The legal basis is the consent of the individual, Article 6(1)(c) of the GDPR, Article 5(1) of the Information Act, and Section 17/A(7) of Act CLV of 1997 on consumer protection.
  7. Additional Information: Providing personal data is based on a contractual obligation. The processing of personal data is a prerequisite for entering into a contract. It is mandatory to provide personal data for the processing of complaints; failure to do so will result in the inability to address the received complaint.
 
SOCIAL MEDIA
  1. The fact of data collection, the scope of processed data: Name and publicly available profile picture of individuals registered on social media platforms such as Facebook, Google+, Twitter, Pinterest, YouTube, Instagram, etc.
  2. Scope of Individuals: All individuals registered on Facebook, Google+, Twitter, Pinterest, YouTube, Instagram, etc., who have "liked" the website.
  3. Purpose of Data Collection: Sharing and promoting certain elements, products, promotions, or the website itself on social media platforms.
  4. Duration of Data Processing, Deadline for Data Deletion, Possible Data Processors, and Recipients Authorized to Access the Data: The regulations of each social media platform determine the duration, method, and possibilities for deletion and modification of data. The processing is carried out on social media platforms, and their regulations apply.
  5. Legal Basis of Data Processing: Data processing is based on the voluntary consent of individuals for handling their personal data on social media platforms. 
 
CUSTOMER RELATIONS AND OTHER DATA PROCESSING
  1. Contacting the Data Controller: Individuals can contact the data controller through various means (phone, email, social media) with questions or issues related to the use of services.
  2. Handling of Emails, Messages, and Other Contact Information: The data controller deletes emails, messages, and contact information provided via phone, Facebook, etc., along with the inquirer's name and email address, within 2 years of receipt.
  3. Unspecified Data Processing: Information about unspecified data processing will be provided at the time of data collection.
  4. Exceptional Requests or Authorities: In case of exceptional requests or authorities' requests based on legal provisions, the Service Provider is obligated to provide information, disclose data, or release documents.
  5. Rights of Data Subjects: Individuals have various rights, including the right to access, rectify, delete, or restrict their personal data, as well as the right to data portability and the right to object to processing.
 
RIGHTS OF THE INDIVIDUALS
  1. Right of Access: You are entitled to receive feedback from the data controller regarding whether the processing of your personal data is in progress. If such processing is ongoing, you have the right to access your personal data and the information listed in the regulation.
  2. Right to Rectification: You have the right to request the data controller to rectify inaccurate personal data concerning you without undue delay. Considering the purpose of data processing, you have the right to request the completion of incomplete personal data through, among other things, a supplementary statement.
  3. Right to Erasure: You are entitled to request the data controller to erase your personal data without undue delay, and the data controller is obliged to erase your personal data without undue delay under certain conditions.
  4. Right to Be Forgotten: If the data controller has made your personal data public and is obliged to erase it, they will take reasonable steps, including technical measures, to inform data processors managing the data that you have requested the deletion of links to, or copies or duplicates of, the personal data.
  5. Right to Restriction of Processing: You have the right to request the data controller to restrict processing if one of the following conditions is met:
  • You contest the accuracy of the personal data; in this case, the restriction applies for the period allowing the controller to verify the accuracy of the personal data.
  • The processing is unlawful, and you oppose the erasure of the data, requesting the restriction of their use instead.
  • The data controller no longer needs the personal data for the purposes of processing, but you require them for the establishment, exercise, or defense of legal claims.
  • You have objected to processing; in this case, the restriction applies for the period until it is verified whether the controller's legitimate grounds override yours.
  6. Right to Data Portability: You have the right to receive your personal data provided to a data controller in a structured, commonly used, and machine-readable format and have the right to transmit those data to another controller without hindrance from the initial controller (...).
  7. Right to Object: You have the right to object to the processing of your personal data for reasons related to your particular situation at any time, including profiling based on the mentioned provisions.
  8. Right to Object to Direct Marketing: If the processing of personal data is carried out for direct marketing purposes, you have the right to object at any time to the processing of your personal data for such marketing, including profiling related to direct marketing. If you object to the processing for direct marketing purposes, the personal data will no longer be processed for such purposes.
  9. Automated Decision-Making, Including Profiling, in Individual Cases: You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. The previous paragraph does not apply if the decision:
  • Is necessary for the conclusion or performance of a contract between you and the data controller.
  • Is authorized by Union or Member State law applicable to the controller and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests; or
  • Is based on your explicit consent.
 
DEADLINE FOR ACTION
The data controller will promptly, but in any case within one month from the receipt of the request, inform you about the measures taken following the above requests.
If necessary, this period can be extended by two months. The data controller will inform you of the extension of the deadline, indicating the reasons for the delay, within one month from the receipt of the request.
If the data controller does not take measures following your request, without delay but no later than one month from the receipt of the request, they will inform you of the reasons for the lack of action and that you have the right to lodge a complaint with a supervisory authority and to seek judicial remedies.
 
DATA SECURITY
The data controller and the data processor shall implement appropriate technical and organizational measures, taking into account the state of the art, the costs of implementation, the nature, scope, context, and purposes of processing, as well as the varying likelihood and severity of risks to the rights and freedoms of natural persons, to ensure a level of data security appropriate to the risk, including, where applicable:
  1. Pseudonymization and encryption of personal data;
  2. Ensuring the ongoing confidentiality, integrity, availability, and resilience of processing systems and services for personal data;
  3. The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
  4. A procedure for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of processing.
 
NOTIFICATION OF THE DATA SUBJECT ABOUT THE DATA BREACH
If a data breach is likely to result in a high risk to the rights and freedoms of natural persons, the data controller shall inform the data subject about the data breach without undue delay.
The information provided to the data subject must be clear and easily understandable, including a description of the nature of the data breach. It should also include the name and contact details of the data protection officer or other contact person providing further information, an outline of the likely consequences of the data breach, and a description of the measures taken or planned by the data controller to address the data breach, including, if applicable, measures to mitigate any potential adverse consequences of the breach.
The data subject does not need to be informed if any of the following conditions are met:
  • The data controller has implemented appropriate technical and organizational measures, such as encryption, making the data unintelligible to unauthorized persons, which have been applied to the data affected by the data breach.
  • The data controller has taken subsequent measures that ensure that the high risk to the data subject's rights and freedoms is likely not to materialize.
  • Informing the data subject would involve disproportionate effort. In such cases, data subjects shall be informed through publicly available information or similar measures ensuring effective information.
If the data controller has not yet notified the data subject of the data breach, the supervisory authority may order the data subject to be informed after considering whether the data breach is likely to result in a high risk.
 
REPORTING A DATA BREACH TO THE AUTHORITY
The data controller shall report a data breach to the supervisory authority without undue delay, and where feasible, no later than 72 hours after becoming aware of the data breach, in accordance with Article 55. This is unless the data breach is unlikely to result in a risk to the rights and freedoms of natural persons. If the notification cannot be made within 72 hours, the reasons for the delay must be provided along with the notification.
 
COMPLAINT OPPORTUNITY
If there is a possible infringement by the data controller, a complaint can be lodged with the National Authority for Data Protection and Freedom of Information:
National Authority for Data Protection and Freedom of Information
1125 Budapest, Szilágyi Erzsébet fasor 22/C.
Mailing address: 1530 Budapest, P.O. Box: 5.
Phone: +36-1-391-1400
Fax: +36-1-391-1410
Email: ugyfelszolgalat@naih.hu
 
CLOSING REMARKS
During the preparation of this information, compliance with the following legal regulations was taken into account:
  • General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
  • Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information (hereinafter: Infotv.)
  • Act C of 2001 on Certain Issues of Electronic Commerce Services and Information Society Services (particularly Section 13/A)
  • Act XLVII of 2008 on the Prohibition of Unfair Commercial Practices against Consumers
  • Act XLVIII of 2008 on the Basic Conditions and Certain Limitations of Business Advertising (especially Section 6)
  • Act XC of 2005 on Electronic Information Freedom
  • Act C of 2003 on Electronic Communications (specifically Section 155)
  • Opinion 16/2011 on EASA/IAB Recommendations for Online Behavioral Advertising
  • Recommendation of the National Authority for Data Protection and Freedom of Information on the data protection requirements of prior information