DATA PROCESSING STATEMENT AND INFORMATION
1. Introduction
ROCK OIL Trading and Service Limited Liability Company (registered office: 3530 Miskolc, Erzsébet tér 4., tax number: 12639294-2-05, registered before the Miskolc Court of First Instance as the Commercial Court under company registration number Cg.05-09-008876, represented by: Gábor Mohácsi, managing director), as data controller, (hereinafter referred to as Data Controller), based on the provisions of Act CXII of 2011 on the right to information self-determination and freedom of information (Information Act), hereby publishes its data protection principles, which it recognizes as binding on itself and at the same time undertakes to ensure that its data management activities comply in all respects with the provisions of the applicable laws.
This data management statement and information also qualify as a data management policy.
The data controller respects the personal data and personal rights of all visitors to the www.erzsebetfurdo.hu website (hereinafter: website). In the event of registration, the data under its control will be processed exclusively in the manner and to the extent to which the express consent of the data subject has been received.
Based on the relevant provisions of the effective Hungarian legislation set out in point 2, by registering on the Rock Oil Kft. website and subscribing to the newsletter, the User consents to Rock Oil Kft. processing and using the User’s data for editing work, market research, direct business acquisition or sending advertisements as necessary, in compliance with the referenced legal provisions.
We draw the User’s attention to the fact that the provision of data is voluntary, the User has the right to request information about data management at any time, as well as to request the correction or deletion of data. By accepting this Data Management Statement and Information, the User (data subject) consents to the Data Manager’s data management as specified therein.
2. Laws applied during data processing
The laws applied during data processing are as follows:
The right to the protection of personal data as set out in Chapter VI, Sections 2 and 3 of the Constitution of Hungary (Constitution)
Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information (Information Act)
Act LXIII of 1992 on the Protection of Personal Data and the Disclosure of Data of Public Interest (Data Protection Act)
Act CVIII of 2001 on certain issues of electronic commerce services and information society services (Electronic Commerce Act)
Act V of 2013 on the Civil Code (Civil Code)
Act C of 2012 on the Criminal Code (Criminal Code)
3. Explanation of basic terms according to the Information Act:
Data subject:
Any natural person identified or identifiable, directly or indirectly, based on specific personal data, in this case the user of the website.
Personal data:
Data relating to the data subject – in particular the name, identification number of the data subject and one or more specific physical, physiological, mental, economic, cultural or social characteristics of the data subject – and any inferences that can be drawn from the data concerning the data subject.
Special data:
Personal data relating to racial origin, nationality, political opinion or party affiliation, religious or other ideological beliefs, membership in an interest-representative organization, sexual life, personal data relating to health status, pathological passion, and criminal personal data.
Consent:
The voluntary and definite declaration of the data subject’s will, based on adequate information, by which he gives his unambiguous consent to the processing of personal data concerning him, in full or in relation to certain operations.
Objection:
A statement by the data subject objecting to the processing of their personal data and requesting the termination of data processing or the deletion of the processed data.
Data Controller:
the natural or legal person or organisation without legal personality who, alone or jointly with others, determines the purposes of the processing of data, makes and carries out decisions relating to the processing of data (including the means used), or has them carried out by the data processor.
Data management:
Any operation or set of operations performed on data, regardless of the method used, including in particular collection, recording, recording, organisation, storage, alteration, use, consultation, transmission, disclosure, alignment or combination, blocking, erasure and destruction, as well as preventing further use of the data, taking photographs, audio or video recordings and recording physical characteristics suitable for identifying a person (e.g. fingerprints or palm prints, DNA samples, iris images).
Data transmission:
Making the data available to a specific third party.
Disclosure:
Making data accessible to anyone.
Data deletion:
Making data unrecognizable in such a way that its recovery is no longer possible.
Data marking:
providing the data with an identification mark in order to distinguish it.
Data blocking:
Providing the data with an identification mark in order to limit its further processing permanently or for a specific period of time.
Data destruction:
Complete physical destruction of the data medium containing the data.
Data processing:
Performing technical tasks related to data processing operations, regardless of the method and means used to perform the operations, and the place of application, provided that the technical task is performed on the data.
Data set:
The set of data managed in a register.
4. Protection of personal data
4.1. According to the Information Act, personal data may only be processed for specific purposes, in order to exercise rights and fulfill obligations. All stages of data processing must comply with the purpose of data processing, and the collection and processing of data must be fair and lawful. Only personal data that is indispensable for the achievement of the purpose of data processing and suitable for achieving the purpose may be processed. Personal data may only be processed to the extent and for the period necessary to achieve the purpose. Personal data shall retain this quality during data processing until the relationship with the data subject can be restored. The contact with the data subject may be restored if the data controller has the technical conditions necessary for the restoration. During data processing, the accuracy, completeness and – if necessary in view of the purpose of the data processing – up-to-dateness of the data must be ensured, and the data subject must be identified only for the period necessary for the purpose of the data processing. The processing of personal data shall be considered fair and lawful if, in order to ensure the freedom of expression of the data subject, a person wishing to obtain the data subject’s opinion visits the data subject at his or her place of residence or residence, provided that the data subject’s personal data are processed in accordance with the provisions of this Act and the personal inquiry is not for commercial purposes. Personal inquiries may not be made on a holiday as defined by the Labor Code.
Pursuant to §5 paragraph 1 of the Information Act, personal data may be processed if
a) the data subject consents to it, or
b) it is ordered by law or – based on the authorization of law, within the scope specified therein – by a local government decree for purposes based on public interest (hereinafter: mandatory data processing).
4.2. Personal data may only be processed with informed consent. The data subject must be informed – clearly, intelligibly and in detail – of all facts related to the processing of his or her data, in particular the purpose and legal basis of the data processing, the person authorised to process and manage the data, the duration of the data processing and who may have access to the data. The information must also cover the rights and remedies of the data subject in relation to data processing. The data controller shall plan and implement data processing operations in such a way as to ensure the protection of the privacy of the data subjects in the application of this Act and other rules relating to data processing. The data controller and, within the scope of its activities, the data processor shall ensure the security of the data and shall take the technical and organisational measures and establish the procedural rules necessary for the enforcement of this Act and other data protection and confidentiality rules. The data shall be protected by appropriate measures, in particular against unauthorised access, alteration, transmission, disclosure, erasure or destruction, as well as against accidental destruction and damage, and against inaccessibility resulting from changes in the technology used. In order to protect the data files managed electronically in various registers, it must be ensured by means of an appropriate technical solution that the data stored in the registers – unless permitted by law – cannot be directly linked and assigned to the data subject. During the automated processing of personal data, the data controller and the data processor shall ensure additional measures.
4.3. A data controller or data processor subject to the Information Act may transfer personal data to a data controller carrying out data processing in a third country, or to a data processor carrying out data processing in a third country, if the data subject has expressly consented to this, or if it is permitted by law, and an adequate level of protection of personal data is ensured in the third country during the handling and processing of the transferred data. An adequate level of protection of personal data is ensured if a binding legal act of the European Union establishes this or an international agreement is in force between the third country and Hungary containing guarantee rules on the enforcement of the rights of data subjects, the right to legal remedy, and the independent control of data processing and data processing. Data transfer to an EEA state shall be considered as if data transfer were taking place within the territory of Hungary.
5. Process, legal title, and duration of data processing
All data recording, processing and transmission on this website is based solely on voluntary consent.
When downloading the website, the Data Controller records the data subject’s data in order to improve the service and prevent abuse, which includes the data subject’s IP address and the name of the downloaded page.
The legal basis for data processing is § 13/A, paragraphs 1-4, of Act CVIII of 2001 on electronic commerce services and certain issues of information society services (Electronic Communications Act), and the duration of data processing is determined in accordance with the provisions of paragraph 7.
If you do not wish to provide personal information, please do not register on the website.
The external service providers involved in the operation of the website are the following:
Hosting provider details: Tárhelypark LLC 1119 Budapest Mohai köz 4. 4/1. www.tarhelypark.hu
Domain registrar: Tárhelypark LLC
Mailing service provider: Tárhelypark LLC
All external service providers act in accordance with this and their own data protection regulations, as well as with applicable legal requirements.
The Data Controller reserves the right to terminate the contract(s) concluded with external service providers and to involve new service providers.
5.1. Anonymous user ID (cookie) placement
In order to provide customized service, the service provider and the designated external service providers place and read back a small data package, called a cookie, on the user’s computer.
If the browser sends back a previously saved cookie, the cookie management service provider has the opportunity to link the user’s data saved during current visits with previous ones, but only with regard to its own content.
Cookies are small programs or files that are saved and stored by the data subject’s internet browser from our website, solely to facilitate user identification and to personalize the page visited.
Most internet browsers accept cookies by default, but it is also possible for the user to disable or reject them. Please note that disabling cookies by the user does not prevent you from browsing or visiting the website, however, you may not be able to visit certain parts of the website or receive customized information.
The user can delete the cookie from their computer or disable its use in their browser. Cookies can usually be managed in the Tools/Settings menu of browsers under Privacy settings, under the name cookie.
5.2. Purpose of data processing
The purpose of the automatically recorded data is to prepare statistics, develop IT systems, and protect users’ rights.
The data controller does not and may not use the personal data provided for purposes other than those described in these points. The disclosure of personal data to third parties or authorities – unless otherwise required by law – is only possible with the prior, express consent of the user.
The data controller does not verify the personal data provided to it. The person providing the data is solely responsible for the accuracy of the data provided. When providing an email address, any User assumes responsibility for ensuring that the service is used exclusively by the User from the provided email address. In view of this responsibility, any liability related to logins made using a given email address lies solely with the user who registered the email address.
5.3. The user database
The purpose of the automatically recorded data is to prepare statistics, develop the IT system, and protect the rights of users.
The data controller does not and may not use the personal data provided for purposes other than those described in these points.
The disclosure of personal data to third parties or authorities – unless otherwise required by law – is only possible with the prior, express consent of the user.
The data controller does not verify the personal data provided to it. The person providing the data is solely responsible for the accuracy of the data provided. When providing an email address, any User assumes responsibility for ensuring that the service is used exclusively by the User from the provided email address. In view of this responsibility, any liability related to logins made using a given email address lies solely with the user who registered the email address.
5.4. The user database
The website’s health treatment-related services are available to both registered and unregistered users.
Registration is required for the regular newsletter service, which is only possible electronically, online.
The purpose of data management is to ensure the provision of services available on the website.
The Service Provider stores the data provided by the Data Subject for a specific purpose, exclusively for the purpose of sending newsletters.
The legal basis for data processing is the consent of the data subject and sections 13/A and 14 of the Electronic Communications Act.
Scope of managed data: The processed data includes all data that is necessary for the conclusion and fulfillment of the purchase contract. These are:
name,
username,
password,
e-mail address,
telephone number
Duration of data management: 18 months from the last login, 8 days for unconfirmed registrations.
Data transfer: based on the express consent and authorization of the data subject, for the purpose of sending a newsletter.
Upon registration, the user consents to being contacted electronically by Rock Oil LLC for the purpose of direct business acquisition. The data subject may withdraw their consent at any time in the Profile menu.
The data subject can also modify their personal data in the Profile menu. The data subject can delete their registration at any time.
Changing data or deleting registration takes up to 3 business days, depending on the service and server load.
The name of the data processor of the newsletter used by Erzsébet Bath: Shoprenter LLC Address: 4028 Debrecen, Kassai út 129.
5.5. Data processing during the service
By registering on the website and uploading your personal data, you expressly consent to the processing of your data.
In case of questions, difficulties or complaints related to the service, the data subject may contact the Data Controller’s customer service by telephone or electronically, where they will receive appropriate information.
Use of email addresses
The Data Controller pays special attention to the legality of the use of the electronic mail addresses it manages, so it only uses them for sending newsletters in the manner specified below.
The Data Controller will only send letters containing advertisements or commercials (newsletters) to the e-mail addresses provided during registration with the express consent of the User, in cases and in a manner that complies with legal requirements. The User can unsubscribe from the newsletter at any time using the link at the bottom of the newsletter.
5.6. Other data management
The data subject will receive the necessary information regarding any data processing not mentioned in this Statement upon collection of data.
Authorities (court, prosecutor’s office, investigative authority, misdemeanor authority, administrative authority, etc.) or other bodies authorized by law may contact the Data Controller for the purpose of providing information, communicating or transferring data, or making documents available.
The data controller will only disclose personal data to the authorities – if the legal conditions are met – to the extent and scope that is proportionate to the purpose of the request and is essential for the conduct of the official procedure.
6. Data security
The data controller’s IT systems and other data storage locations are located at its headquarters and in the server room specified by the hosting provider.
Within the framework of data security, the Data Controller guarantees, in relation to the operation of electronic communication tools used to process personal data during the provision of services, that the processed data is accessible only to those authorized to do so (availability), that the authenticity and authentication of the data are ensured (authenticity of data processing), that the data are unchangeable (data integrity), and that the data are protected against unauthorized access (data confidentiality).
The data controller ensures the security of data processing by taking appropriate technical and organizational measures, within the framework of which the protection level established represents the level of protection necessary at all times to minimize and eliminate the risks associated with data processing.
The data controller ensures the security of data management processes with server-level and application-level protection procedures.
The data controller protects the processed personal data against unauthorized access and misuse with appropriate organizational and technical (IT) measures. Within the framework of data security, only persons with the appropriate level of access rights may operate IT systems that process personal data. An appropriate level of access rights can be considered access whose scope is aligned with the so-called “need to know” principle, the essence of which is that only such scope of access may be granted as is absolutely necessary for the performance of the work and only to such persons whose job responsibilities include the management/processing of the data. The Data Controller reviews access rights and their use at specified intervals.
7. Data controller’s company details
Name: Rock Oil LLC
Registered office: 3530 Miskolc, Erzsébet tér 4.
Represented by: Gábor Mohácsi, managing director
Company registration number: 05-09-008876
Tax number: 12639294-2-05
8.1. Rights of data subjects and their enforcement
The data subject may request the Data Controller to inform them about the processing of their personal data, to correct their personal data, and to delete or block their personal data – with the exception of mandatory data processing.
At the request of the data subject, the Data Controller shall provide information about the data subject’s data processed by it or by a data processor commissioned by it or at its request, their source, the purpose of the data processing, legal basis, duration, the name, address and activity of the data processor related to the data processing, and – in the case of the transfer of the data subject’s personal data – the legal basis and recipient of the data transfer. The Data Controller shall provide the information in writing and in a plain language as soon as possible after the request is submitted, but no later than 30 days. This information is free of charge if the person requesting the information has not yet submitted a request for information to the data controller in the current year regarding the same area. In other cases, the Data Controller may determine reimbursement of costs.
If the personal data does not correspond to the reality, and the personal data corresponding to the reality is available to the Data Controller, the personal data will be corrected by the Data Controller.
The Data Controller deletes personal data if
– its processing is unlawful,
– the data subject requests it,
– the data is incomplete or incorrect – and this condition cannot be legally remedied – provided that deletion is not precluded by law,
– the purpose of data processing has ceased to exist or the statutory period for storing the data has expired,
– it was ordered by the court or the National Data Protection and Freedom of Information Authority (hereinafter: Authority).
The Data Controller shall notify the data subject and all those to whom the data was previously transmitted for data processing purposes of the rectification, blocking, marking and deletion. If the Data Controller does not comply with the data subject’s request for rectification, blocking or deletion, it shall provide the factual and legal reasons for rejecting the request for rectification, blocking or deletion in writing within 30 days of receipt of the request. If the request for correction, deletion or blocking is rejected, the Data Controller will inform the data subject about the possibility of legal recourse in court and of contacting the Authority.
8.2. Requirement for prior information of the data subject
Before commencing data processing, the data controller informs the data subject that the data processing is based on consent.
Before commencing data processing, the Data Controller shall clearly and in detail inform the Data Subject of all facts related to the processing of his/her data, in particular the purpose and legal basis of data processing, the person authorized to manage and process the data, the duration of data processing, and who may access the data. The information also covers the data subject’s rights and legal remedies related to data processing.
8.3. Objection to the processing of personal data
The data subject may object to the processing of his or her personal data if the processing or transmission of the personal data is necessary solely for the fulfillment of a legal obligation to which the controller is subject or for the purposes of the legitimate interests of the controller, the data recipient or a third party, except in the case of mandatory data processing, if the personal data are used or transmitted for the purpose of direct marketing, public opinion polling or scientific research, and if permitted by law.
The data controller shall examine the objection within the shortest possible time from the submission of the application, and at the latest within 15 days, and shall make a decision on its validity and shall inform the applicant of its decision in writing.
If the Data Controller determines that the data subject’s objection is well-founded, it will terminate the data processing – including further data collection and transmission – and block the data, and will notify all those to whom it previously forwarded the personal data affected by the objection, and who are obliged to take measures to enforce the right to object, of the objection and the measures taken based on it.
If the data subject disagrees with the decision made by the Data Controller as above, or if the Data Controller fails to meet the 15-day deadline, the data subject may apply to court within 30 days of the notification of the decision or the last day of the deadline.
8.4. Enforcement before the court
The data subject may take legal action against the Data Controller in the event of a violation of their rights. The court shall hear the case out of turn.
The Data Controller is obliged to prove the lawfulness of data processing.
The adjudication of the lawsuit falls within the jurisdiction of the court with jurisdiction. The lawsuit may also be initiated – at the choice of the person concerned – before the court of the data subject’s place of residence. A person who otherwise does not have legal capacity can be a party to the lawsuit. The Authority may intervene in the case in order to ensure the success of the data subject.
If the court grants the request, it obliges the data controller to provide information, correct, block, delete the data, annul the decision made through automated data processing, and take into account the data subject’s right to object. The court may order the publication of its judgment – by publishing the data controller’s identification data – if this is required by the interests of data protection and the rights of a larger number of data subjects protected by this Act.
The data controller compensates for damage caused to others by unlawful processing of the data subject’s data or by breaching data security requirements. The Data Controller is also liable to the data subject for any damage caused by the data processor. The data controller is exempt from liability if it proves that the damage was caused by an unavoidable cause outside the scope of data processing. Damage does not have to be compensated to the extent that it resulted from the intentional or grossly negligent conduct of the injured party.
You can file a complaint with the Authority through:
Name: National Authority for Data Protection and Freedom of Information
Registered office: 1055 Budapest, Falk Miksa u. 9-11.
Mailing address: 1363 Budapest Pf 9.
Telephone: 06-1-391-1400
Telefax: 06-1-391-1410
E-mail: ugyfelszolgalat@naih.hu
Effective date of data processing: 05.25.2018.
9. Other
9.1. By registering on the website, the data subject expressly consents to the Data Controller processing and using his/her personal and other data to improve and develop the quality of the service, as well as to monitor and enforce user interests and to implement information activities related to the provision and use of the service.
9.2. Upon expiry of the data processing period, the Data Controller will delete the data subject’s personal data in a manner that makes it impossible to identify the data subject in the future.
9.3. The data controller undertakes to ensure the security of the data, and furthermore takes technical measures to ensure that the data recorded, stored and processed are fully protected, and does everything possible to prevent their destruction, unauthorized use and unauthorized alteration. It also undertakes to call on all third parties to whom it may transmit or transfer the data to fulfill their obligations in this regard.
9.4. The Data Controller reserves the right to unilaterally amend this Statement and the Regulations without prior notice to the Users. After the amendment enters into force, the User accepts the amended Regulations by using the service.
Effective date of the Data Protection Statement: May 9, 2016

ERZSÉBET FÜRDŐ
EGYNAPOS SEBÉSZETI KÖZPONT
Address: Fém utca 8, 3532 Miskolc.
Phone number: 06 46 999 401
E-mail: info@erzsebetfurdoegynapos.hu
Opening hours:
Monday-Friday: 07:30-20:30