DATA PROCESSING INFORMATION
(hereinafter also “Information”)
1 Basic provisions
1.1 Antecedents
In addition to domestic legislation, the new data protection regulation of the European Union No. 2016/679 (General Data Protection Regulation, GDPR, hereinafter “Regulation” or “GDPR”) will also become directly applicable in Hungary. Pursuant to the Regulation, the Company qualifies as a controller, i.e. the Regulation also applies to data managed by the Company, so the Company performs its data processing activity in accordance with this Information.
1.2 The purpose of this Information
The purpose of this Information is to establish the data protection and data management provisions and principles followed and applied by Wallis British Motors Korlátolt Felelősségű Társaság (seat: 1044 Budapest, Váci út 76-80.; registration number: 01-09-356841, registered by Company Registry Court of the Budapest-Capital Regional Court) (hereinafter also “Controller” or “Company”), as well as the Company’s data protection and data management policy.
1.3 Legislation
When compiling the contents of this Information, in addition to the Regulation, the Company took special account of the provisions of Act CXII of 2011 on the right of informational self-determination and freedom of information (“Infotv.”) and Act V of 2013 on the Civil Code (“Ptk.”), as well as Act XLVIII of 2008 on essential conditions of and certain limitations to business advertising (“Grtv.”).
1.4 Scope
This Information applies to data management activities related to the commercial activities of the Company (including the website operating under the domains https://britishmotors.hu/,https://britishmotors.jaguar.hu/ and https://britishmotors.landrover.hu/ hereinafter the “Websites”).
The Website is owned by Wallis British Motors Korlátolt Felelősségű Társaság and is operated through the server of WAE Autóforgalmazási és Szolgáltató Korlátolt Felelősségű Társaság and Ingressius Ltd.
This Information does not apply to services and data management activities related to promotions, sweepstakes, services, other campaigns of third parties advertising on the Website or appearing on it in any other way or the content published by them.
Furthermore, this Information does not apply to services and data management activities of legal entities and websites referred to on the Website(s) operated by the Company or data management activities of legal entities from whose information, newsletter or advertising letter the Data Subject first heard about the existence of the Website.
1.5 Amendments to this Information
1.5.1 The Company reserves the right to amend this Information unilaterally. The Company makes the current version of this Information available on the Website.
1.5.2 By accessing the Website, the Data Subject accepts the currently valid provisions of this Information, without any further consent of the Data Subject.
2 Definitions
The terms used in this Information have the following meanings:
2.1 Processing: any operation or set of operations that is performed on Personal Data or on files of Personal Data, whether or not by automated means, especially collection, recording, organisation,
structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
2.2 Controller: the Company;
2.3 Personal Data or data: any information relating to the Data Subject, making the Data Subject identifiable, whether directly or indirectly, in particular by reference to an identifier, especially a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the Data Subject;
2.4 Processor: a natural or legal person, public authority, agency or service provider that processes Personal Data on behalf of the Controller by agency.
2.5 Data Subject: a natural person who provides his or her Personal Data, or whose Personal Data is provided, to the Company.
2.6 Manufacturer: The manufacturers of the parts and vehicles sold by the Company, including, in particular, Jaguar Land Rover Limited (registered address: Abbey Road, Whitley, Coventry, CV3 4LF).
2.7 External Service Provider: third party service partners used by the Controller or the Website operator in connection with the provision of certain services, either directly or indirectly, to whom personal data is or may be transferred to facilitate the provision of their services, or who may transfer Personal Data to the Company. External service providers also include service providers who do not cooperate with the Company or the operators of the services but, by accessing the Website, they collect information on Data Subjects which may be suitable for their identification, either independently or in combination with other data. When providing the hosting service, the Company also considers the Data Subject to be an External Service Provider with respect to the data management activities performed on the hosting area used by it.
2.8 Information: this data processing information of the Company.
3 Identity of the Controller
Name: Wallis British Motors Korlátolt Felelősségű Társaság
Registered address: 1044 Budapest, Váci út 76-80
Registration authority: Company Registry Court of Budapest Capital Regional Court
Company registration number: 01-09-356841
Phone: +36 (1) 380-1350
E-mail: info@britishmotors.hu
4 Basic data processing principles
4.1 Lawfulness, fairness
Data must be processed lawfully and fairly, in a way that is transparent to the Data Subject. The Company only processes the data specified by law or provided by the Data Subjects for the purposes specified below. The scope of the Personal Data processed is commensurate with the purpose of processing and may not extend beyond it.
4.2 Accuracy
The data must be necessary and relevant for the purposes of Processing, and it must be accurate and, where necessary, up-to-date.
4.3 Purpose limitation
In all cases where the Company wishes to use the Personal Data for a purpose other than the original purpose of data collection, it shall inform the Data Subject thereof and obtain prior express consentfrom him or her, or allow him or her to prohibit the use of such data.
4.4 Compliance
The Company does not verify the content or genuineness of the Personal Data provided to it. The responsibility for the adequacy of the Personal Data provided is borne solely by the person who
provided it.
4.5 Limited storability:
Storage must be in a form that makes the identification of Data Subjects only possible for a period that is necessary for the purposes of Personal Data processing.
4.6 Protection of the data of persons under 16
The data of Data Subjects under 16 may only be processed with the consent of an adult exercising parental responsibility for him or her. The Company is not able to verify the entitlement of the person giving consent or the content of his or her statement, so the Data Subject or the person exercising parental responsibility for him or her guarantees that the approval complies with the applicable regulations. If the statement of consent according to this Section is missing, the Company will not collect Personal Data relating to a person under 16.
4.7 The Company will not transfer the Personal Data processed by it to third parties, except for the Processors and External Service Providers specified in this Information. The data must be processed in such a way that the appropriate security of the Personal Data is ensured by means of adequate technical and/or organisational measures.
The provision in this Section does not apply to the use of the data in a statistically aggregated form, which may not contain in any form any other information suitable for the identification of the Data Subject.
In certain cases, the Company will make the available Personal Data of the Data Subject accessible to third parties, e.g. in the case of a formal request by a court or the police, legal proceedings due to copyright, property or other infringements or a reasonable suspicion thereof, violation of the Company’s interests, endangering the provision of the Services, etc.
4.8 The Company will notify the Data Subject, as well as those to whom the Personal Data has previously been transferred for processing, of the correction, restriction or deletion of the Personal Data managed by it. Such notification may be omitted if this does not violate the legitimate interests of the Data Subject regarding the purpose of processing.
4.9 Based on the Regulation, the Company is not obliged to appoint a data protection officer, because the Company does not qualify as a public authority or body, the Company’s main activities do not include operations that require regular and systematic monitoring of Data Subjects on a large scale, and the Company does not process special data or Personal Data on criminal offences or decisions relating to criminal convictions.
5 Legal basis for Processing
5.1 Article 6 of the GDPR defines the cases in which the Personal Data of the Data Subjects may be processed:
“(a) the Data Subject has given consent to the processing of his or her Personal Data for one or more specific purposes;
(b) processing is necessary for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract;
(c) processing is necessary for compliance with a legal obligation to which the controller is subject;
(d) processing is necessary in order to protect the vital interests of the Data Subject or of another natural person;
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller;
(f) processing is necessary for the purposes of the legitimate interests pursued by the Data Controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of Personal Data, in particular where the data subject is a child.”
5.2 Taking into consideration the nature of the Company’s activities, the legal basis for Processing is primarily the freely given, informed express consent of the Data Subject (Section 5(1)(b) of the Infotv.) and, during the preparation and after the establishment of any contractual obligation between the Company and the Data Subject, Article 5(1)(b) and/or Article 5(1)(c) of the Regulation. The Data Subject contacts the Company voluntarily, registers voluntarily, and uses the services of the Company or wishes to purchase its products voluntarily. Without consent from the Data Subjects, the Company processes data only if authorised to do so by law.
5.3 If data processing is based on consent, the Data Controller must be able to prove that the Data Subject has given consent to the processing of his or her Personal Data.
5.4 The Data Subject is entitled to withdraw his or her consent at any time with respect to all processing, the legal basis of which is provided by Article 5.1(a) of the Regulation. The withdrawal of consent does not affect the lawfulness of processing based on consent, before the date of withdrawal, or pursuant to Articles 5.1(b) and/or (c).
5.5 Data transfer to the Processors specified in this Information is permissible without specific consent from the Data Subject. Unless otherwise provided by law, the release of Personal Data to third parties or authorities is only allowed on the basis of a final official decision or prior express consent from the Data Subject.
5.6 When the Data Subject accesses the Website, the Data Controller will store the IP address of the Data Subject without specific consent from him or her for the purposes of providing the service,
taking into consideration the legitimate interest of the Controller and for the lawful provision of the service (e.g. to filter out illegal use or illegal content).
5.7 By providing his or her e-mail address or any other data entered during registration (registration means filling in an electronic form published on the Website), the Data Subject guarantees that the e-mail address and other data provided by him or her will only be used to facilitate the use of the services by him or her.
6 Purpose of Processing
Data must be processed in accordance with the principles set forth in Section 4, in a way that is transparent to the Data Subject. The Company makes its best efforts to process only such Personal Data that is essential for the purpose of processing and suitable for the achievement of that purpose. Personal Data may only be managed to the extent and as long as necessary to achieve the purpose.
Based on the above, the purpose of processing is
• identification of and communication with the Data Subject;
• providing concise, transparent, easy to understand and easily accessible information to the Data Subject;
• establishing and performing legal transactions between the Company and the Data Subject within the Company’s scope of activities (in particular quotations, test drives, purchase of parts, purchase of vehicles, vehicle repair);
• collection of fees and invoicing in the case of services subject to a charge;
• performing the obligations and exercising the rights of the Controller;
• preparing analyses and statistics, improving the services - for this purpose, the Controller will
only use anonymised data and aggregated information unsuitable for personal identification;
• advertising, research, subject to specific consent from the Data Subject;
• protection of the Company’s assets;
• protection of the Data Subject’s rights;
7 Source of data
The Company will only process Personal Data provided by the Data Subjects and will not collect data from other sources.
8 Scope of processed data
The Company will only process Personal Data provided by the Data Subjects according to the following rules.
The data processed by the Company can be classified into the following groups based on the purpose of Processing:
• Data necessary for registration: the name, first name, e-mail address and telephone number of the Data Subject. The legal basis of the processing is the consent of the Data Subject, the primary purpose of the processing is registration, identification of the user contacting, processing of inquiries, orders on the Website and the provision of other services.
• Data necessary for purchases and the use of services: the name, surname, first name, e-mail address, telephone number and address of the Data Subject. The legal basis for data processing is the consent of the Data Subject, the primary purpose of data processing is the processing of enquiries, orders and the provision of other services.
• Processing for marketing purposes: the first name, surname, e-mail adress, phone number and adress of the Data Subject. The legal basis for processing is consent from the Data Subject, while the primary purpose of processing is keeping contact and providing information for marketing purposes, providing services, or sending newsletters or direct inquiries according to Section 6(1) of Act XLVIII of 2008. Furthermore, the Company may forward the names, phone numbers and e-mail addresses of the Data Subjects using any of the Company’s services to the Manufacturer based on the contractual obligations of the Company towards such parties.
• Data necessary for guarantee reports: the first name, surname, phone number and e-mail adress of the Data Subject. The Company will forward the name, phone number and e-mail address of the Data Subject to the Manufacturer. The primary purpose of processing is the performance of the Company’s contractual obligations and the provision of information and services.
• Invoicing data: If the Data Subject is supposed to pay a consideration to the Company, the Company will process data related to payment and invoicing: method of payment, details of device used for payment, or, in the case of invoicing, name, address and tax number of the customer. The legal basis for Processing is partly consent from the Data Subject and partly legal regulations on taxation and accounting. The purpose of Processing is invoicing and the collection of fees.
• Data, documents provided for authentication: The Data Subjects are entitled and, in the cases specified by the Company, obliged to authenticate themselves according to Section 11 below. The data is processed according to Section 11. The purpose of processing is the verification of the identity of the Data Subject.
• Protection of the Company’s assets: the Company may operate or install surveillance cameras at its registered seat for the reasons specified in Articles 6(d) and (f) of the Regulation, i.e. the security of the Data Subject’s database(s) and property protection. The cameras may only record images. The Company may view the recorded images and use them for property protection purposes, even without any further permission from the Data Subject.
In addition to the above, the Company manages the technical data required for the use of the Website, including IP addresses, as described in Section 13.
9 Description of the Processing procedure
The source of the data is the Data Subject, who provides the data during registration on the Website. It is mandatory to provide the information included in the registration form, unless explicitly indicated otherwise.
The Data Subject provides the data independently, without any mandatory guidelines or content expectations from the Company in this regard. The Data Subject expressly consents to the Processing of the data provided by him or her. In addition to the data requested by the Company, the Data Subject is entitled to provide further data in his or her profile, in which case the legal basis for the processing of data is also voluntary consent from the Data Subject.
If the Data Subject registers for a promotion organised by the Company (e.g. on Facebook) and provides the data requested there, he or she accepts the data processing information related to the relevant promotion. In this case, the provision of data does not result in registration on the Website, but the Data Subject consents to the processing of his or her data provided in the way specified in the promotional information.
10 Authentication
The purpose of the authentication process is to allow the Company to verify the authenticity of the Data Subject. The Company checks whether the Data Subject indicating the declared intention to enter into a contract is really a natural person and/or is really entitled to represent the given legal entity. After the verification, the Company will store the photos and data until the legal basis for processing ceases to exist. The purpose of processing is the verification of the identity of the Data Subject, as well as the establishment of the legal transaction and, subsequently, the facilitation of its lawful performance.
11 Data processing for advertising, sending newsletters
If approved by the Data Subject, the Company will contact the Data Subject using the provided contact details and send him or her an advertisement using the method of direct inquiry. The advertisement may be sent by regular mail, telephone (including SMS) or e-mail (including Messenger), in each case subject to prior consent from the Data Subject. The Data Subject may withdraw his or her consent at any time without giving reasons.
12 Cookies
The Company’s system may automatically store the IP address of the Data Subject’s computer, the start time of the visit and, in certain cases, depending on the settings of the computer, the type of the browser and the operating system. The data recorded in this way may not be combined with other Personal Data. The processing of such data may only serve statistical purposes.
Cookies allow the Website to recognise, identify and keep a record of previous visitors. With the help of cookies, the Company, as the operator of the Website, is able to optimise the Website and to develop the services of the Website in line with the usage patterns of the Data Subjects. Furthermore, cookies are capable of
• remembering settings so that Data Subjects do not need to enter them again when visiting a new page,
• remembering previously entered data so that it does not need to be typed in again,
• analysing the use of the Website to ensure that, as a result of the improvements carried out using the information acquired in this way, it operates, as far as possible, in accordance with the expectations of the Data Subject and the Data Subject can easily find the requiredinformation, and
• monitoring the effectiveness of the advertisements placed on the Website.
If the Company displays various content on the Website with the help of external web services, this may result in the storage of certain cookies beyond the Company’s control, meaning that the Company cannot influence what data is collected by such websites or external domains. These cookies are described in the regulations related to the relevant service.
The Company uses cookies to display advertisements for Data Subjects via Google and Facebook. Data processing takes place without human intervention. Data Subjects have the option to delete cookies in their browser (depending on the browser, usually under the privacy settings). By disabling the use of cookies, the Data Subject acknowledges that the operation of the Website is incomplete without cookies.
13 Data transfer
The Company will transfer Personal Data to a third party only if the Data Subject has expressly consented to such transfer - knowing the scope and recipient of the data transferred - or the data transfer is permitted by a legal regulation.
The Company is entitled and obliged to transfer all Personal Data available to it and properly stored by it to the competent authorities if it is obliged by law or a final official decision to transfer such Personal Data. The Company cannot be held liable for such data transfer and the consequences arising from it.
The Data Subject acknowledges and expressly agrees that the Company may transfer the Data Subject’s Personal Data to the Manufacturer based on their obligations set forth in the contracts between the Company and the Manufacturer. The Company ensures the security of the Personal Data transferred in this way by means of data processing agreements between the Company and the Manufacturer.
The Company will document the data transfers in all cases and keep a record of data transfers.
The Company shall forward data only to those third parties who are established in the European Union, and who are within the territorial and material scope of the Regulation. To those third parties, who are not established in the European Union or otherwise are not within the territorial or material scope of the Regulation, the Company shall not forward data.
14 Processing
The Company is entitled to use a processor to perform its activities. Processors do not make independent decisions, they are only entitled to act according to the contract concluded with and the instructions received from the Company. The Company supervises the work of processors. Processors are entitled to use further data processors only with the consent of the Company. The Company may only use processors who provide adequate guarantees for the implementation of appropriate technical and organisational measures to ensure the compliance of processing and the protection of the rights of Data Subjects.
The processor may not use an additional data processor without prior written individual or general authorisation from the Company. In the case of general written authorisation, the processor will inform the Company of any planned changes that affect the use or replacement of further data processors, thereby providing an opportunity to the Company to object to these changes.
The Company will name the processors used in the Information. Processors used by the Company:
• Klikkrám Kft. ( 1098 Budapest, Távíró utca 11/3.)
• WAE Kft. (2040 Budaörs, Szabadság utca 117.)
15 External Service Providers
The Company uses External Service Providers, with which the Company cooperates.
The External Service Providers’ own data protection regulations are applicable with respect to Personal Data managed in the systems of External Service Providers. The Company will make its best efforts to ensure that the External Service Provider manages the Personal Data transmitted to it in accordance with the applicable regulations and uses them only for the purpose specified by the Data Subject or designated in the Information.
The Company informs the Data Subjects about data transfer to External Service Providers by means of the Information as follows.
External Service Providers:
• Magyar Posta Zrt. (1138 Budapest, Dunavirág utca 2-6.)
• Facebook (Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland)
• Google LLC (1600 Amphitheatre Parkway, Mountain View, CA 94043, United States of America)
• Microsoft Corporation (One Microsoft Way, Redmond, WA 98052-7329, USA)
• R & R Software (1038 Budapest, Ráby Mátyás utca 7.)
16 Tasks related to data security
The Company ensures the security of data and implements all technical and organisational measures and establishes all procedural rules necessary to enforce compliance with the applicable legislation and data protection and confidentiality regulations. The Company protects the data through appropriate measures against unauthorised access, modification, transfer, publication, deletion or destruction, accidental destruction or damage, as well as becoming inaccessible due to changes in the technology used.
The Company and the processors will implement appropriate technical and organisational measures to guarantee a level of data security commensurate with the extent of risk, taking into account the state of science and technology and the costs of implementation, as well as the nature, scope, circumstances and purposes of processing and the risks of varying likelihood and severity to the rights and freedoms of natural persons.
Considering the above, the Company will:
• implement measures ensuring protection against unauthorised access, including protection of software and hardware devices and physical protection (access protection, network protection);
• implement measures ensuring the possibility of data restoration and regular backups;
• make arrangements for virus protection.
The Company does not perform automated data management and data processing, therefore the Data
Subjects shall not be entitled to the right of data portability.
17 Period of Processing
The Company processes the Personal Data until the legal basis set out in the paragraph 5.2. ceases to exist, i.e. until the account created by the Data Subject by registration is deleted or terminated, but for a maximum period of 8 (Eight) years.
The Company will delete Personal Data
a) if the data turns out to be processed unlawfully, the Company will carry out the deletion immediately;
b) if requested by the Data Subject (except for processing on the basis of legal regulations);
The Data Subject may at any time request the deletion of data processed on the basis of voluntary consent from the Data Subject. In this case, the Company will delete the data. Deletion may only be refused if data processing is authorised by legal regulations. The Company will in each case provide information on the refusal of the request for cancellation and on the legal regulation allowing the processing of data.
The Data Subject acknowledges that in the event of deleting data upon request, the Company may refuse to provide certain services until the Personal Data required for such services is made available again by the Data Subject.
c) if the data turns out to be incomplete or incorrect, and this condition cannot be lawfully remedied, provided that deletion is not precluded by legal regulations;
d) if the purpose of processing has ceased to apply, or the data storage period specified by law has expired;
Deletion may be refused (i) if the processing of Personal Data is permitted by a legal regulation; and (ii) the Personal Data is necessary for legal protection or enforcement.
e) it has been ordered by a court or the National Authority for Data Protection and Freedom of Information.
If a court or the National Authority for Data Protection and Freedom of Information issues a binding order requiring the deletion of data, the Processor will carry out the deletion.
Instead of deletion, the Company will, subject to informing the Data Subject, block the Personal Data if requested by the Data Subject or if, based on available information, it can be assumed that deletion would violate the Data Subject’s legitimate interests. Personal data blocked in this way may only be processed as long as the data processing purpose preventing the deletion of Personal Data applies.
The Company will mark the Personal Data processed by it if the Data Subject disputes its correctness or accuracy, but the incorrectness or inaccuracy of the disputed Personal Data cannot be clearly established.
In the case of processing required by legal regulations, the provisions of the relevant law are applicable to the deletion of data.
In the event of deletion, the Company will make the data incapable of personal identification. Where required by law, the Company will destroy the data carrier containing the Personal Data. The Company will in each case inform the Data Subject of the refusal of the request for cancellation, stating a reason for such refusal. Once a request for the deletion of Personal Data has been fulfilled, previous (deleted) data can no longer be recovered.
Newsletters sent by the Company may be unsubscribed via the unsubscribe link contained in them. In the event of unsubscription, the Company will delete the Data Subject’s Personal Data in the newsletter database.
18 Data Subjects’ rights in connection with Processing
18.1 Simultaneously with establishing contact, the Company informs the Data Subject about the processing of data. Furthermore, the Data Subject is entitled to request information on processing at any time.
The Data Subject is entitled to receive feedback from the Company on whether his/her Personal Data is being processed, and if such processing is in progress, he/she is entitled to obtain access to his/her Personal Data and receive information on the purpose of processing, the categories of Personal Data concerned, the recipients or categories of recipients to whom the Personal Data have been or will be disclosed, the intended storage period of the Personal Data or, if that is not possible, the criteria for determining that period. The Data Subject is entitled to request the Controller to rectify, delete or restrict the processing of Personal Data concerning him or her and to object to the processing of such Personal Data. Furthermore, he or she is entitled to lodge a complaint with a supervisory authority and, where the Personal Data is not collected from the data subject, to obtain any available information regarding its source.
18.2 The Data Subject is entitled to request the Controller to rectify any inaccurate Personal Data pertaining to him or her without undue delay. Taking into consideration the purpose of processing, the Data Subject is entitled to have incomplete Personal Data completed, including by means of providing a supplementary statement.
18.3 The Data Subject is entitled to request the Controller to cancel any Personal Data pertaining to him or her without undue delay, except for processing based on legal regulations. The Company informs the Data Subject about the cancellation.
18.4 The Data Subject may object to the processing of his or her Personal Data as specified in the Infotv.
18.5 The Data Subject may submit his or her request for information, rectification or cancellation in writing, in a letter addressed to the registered address or premises of the Company or in an email sent to the Company’s address info@britishmotors.hu.
18.6 The Data Subject may request the Company to restrict the processing of his or her Personal Data if he or she disputes the accuracy of the processed Personal Data. In this case, the restriction applies to a period of time allowing the Company to verify the accuracy of the Personal Data in question. The Company will mark the Personal Data processed by it if the Data Subject disputes its correctness or accuracy, but the incorrectness or inaccuracy of the disputed Personal Data cannot be clearly established.
The Data Subject may also request the Company to restrict the processing of his or her Personal Data if processing is unlawful, but the Data Subject objects to the deletion of the processed Personal Data and requests restricted use instead.
The Data Subject may also request the Company to restrict the processing of his or her Personal Data if the purpose of processing has been achieved, but the Data Subject requires further Processing by the Company in order to submit, enforce or protect legal claims.
18.7 The Data Subject is entitled to receive the Personal Data pertaining to him or her, which he or she has provided to a Controller, in a structured, commonly used and machine-readable format, as well as to transmit such data to another Controller without hindrance from the Controller to which the Personal Data has been provided.
18.8 If the Company does not fulfil the Data Subject’s request for rectification, blocking or deletion, it will, within 30 days of receiving the request, specify in writing the reasons for rejecting the request for rectification, blocking or deletion. If a request for rectification, deletion or blocking has been rejected, the Controller will inform the Data Subject of the possibility of legal remedy and recourse to the National Authority for Data Protection and Freedom of Information.
18.9 The Data Subject may make the above-mentioned statements regarding the exercise of his or her rights via the contact details of the Controller specified in Section 2.
18.10 The Data Subject may also lodge his or her complaint directly to the National Authority for Data Protection and Freedom of Information (address: 1055 Budapest, Falk Miksa utca 9-11., phone: +36-1-391-1400; e-mail: ugyfelszolgalat@naih.hu; website: www.naih.hu). If the rights of the Data Subject have been violated, he or she may apply to a court pursuant to Section 22(1) of the Infotv. The lawsuit falls within the jurisdiction of the court. At the Data Subject’s option, the lawsuit may also be launched before the court competent at the Data Subject’s place of residence or stay.
Upon request, the Controller will provide detailed information to the Data Subject about the possibilities and methods of legal remedy.