Briefly

We collect and control personal data only in accordance with the laws.

We only send DM letters with a separate expression of consent. System messages may be sent without such consent.

We store personal data as safely as possible.

Data are disclosed to a third party with the consent of the data subject.

Everyone is entitled to request information regarding his stored data, and the erasure of the data may be requested at any time.

Introduction

The Boook Publisher Kft. (hereinafter referred to as: Service Provider, Controller) is subject to the following information.
Subsection (1) of Section 20 of the Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information specifies that, before processing operations are carried out, the data subject (in this case: the webshop user, hereinafter referred to as: User) shall be informed whether his consent is required or processing is mandatory.
Before processing operations are carried out, the data subject shall be clearly and elaborately informed of all aspects concerning the processing of his personal data, such as the purpose for which his data is required and the legal basis, the person entitled to control the data and to carry out the processing and the duration of the proposed processing operation.

On the basis of Subsection (1) of Section 6 of the Info Act, the data subject shall also be informed that personal data may also be processed if obtaining the data subject’s consent is impossible or it would give rise to disproportionate costs, and the processing of personal data is necessary:
• for compliance with a legal obligation pertaining to the data controller, or
• for the purposes of the legitimate interests pursued by the Controller or by a third party, and enforcing these interests is considered proportionate to the limitation of the right for the protection of personal data.
Information provided shall also cover the data subject’s rights and available remedies.

If the provision of information to the data subject proves impossible or would involve disproportionate efforts (such as, in this case, on a webshop), the obligation of information may be satisfied by the public disclosure of the following:
a) an indication of the fact that data is being collected;
b) the data subjects targeted;
c) the purpose of data collection;
d) the duration of the proposed processing operation;
e) the potential data controllers with the right of access;
f) the right of data subjects and remedies available relating to data processing; and
g) where the processing operation has to be registered, the number assigned in the data protection register.
This data processing information regulates the data processing of the following websites: http://www.boook.hu, and it is based on the above specification. The information is available on the following website: http://
Amendments to this information come into force upon their publication. The legislative references are also displayed after the chapter headings of this information.

Definitions (Section 3)

  1. Data subject/User: means a natural person who has been identified by reference to specific personal data, or who can be identified, directly or indirectly;
  2. Personal data: means any information relating to the data subject, in particular by reference to his name, an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity, and any reference drawn from such information pertaining to the data subject;
  3. Sensitive data:
    a) personal data revealing racial origin or nationality, political opinions and any affiliation with political parties, religious or philosophical beliefs or trade-union membership, and personal data concerning sex life,
    b) personal data concerning health, pathological addictions, or criminal record,
  4. Data subject’s consent: means any freely and expressly given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed without limitation or with regard to specific operations;
  5. Data subject’s objection: means an indication of his wishes by which the data subject objects to the processing of his personal data and requests that the processing of data relating to him be terminated and/or the processed data be deleted;
  6. Controller: means the natural or legal person, or unincorporated body which alone or jointly with others determines the purposes of the processing of data, makes decisions regarding data processing (including the means) and implements such decisions itself or engages a data processor to execute them;
  7. Processing of data: irrespective of the applied process, means any operation or set of operations that is performed upon data, whether or not by automatic means, such as in particular collection, recording, organization, storage, adaptation or alteration, use, retrieval, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction, and blocking them from further use, photographing, sound and video recording, and the recording of physical attributes for identification purposes (such as fingerprints and palm prints, DNA samples and retinal images);
  8. Disclosure by transmission: means making data available to a specific third party;
  9. Public disclosure: means making data available to the general public;
  10. Erasure of data: means the destruction or elimination of data sufficient to make them irretrievable;
  11. Referencing: means the marking of stored data for the purpose of identification;
  12. Blocking of data: means the marking of stored data with the aim of limiting their processing in future permanently or for a predetermined period;
  13. Destruction of data: means the complete physical destruction of the medium containing data;
  14. Data processing: means the technical operations involved in data control, irrespective of the method and instruments employed for such operations and the venue where it takes place, provided that such technical operations are carried out on the data;
  15. Data processor: means a natural or legal person or unincorporated organization that is engaged under contract in the processing of personal data, including when the contract is concluded by virtue of law;
  16. Data source: means a body having public service functions, that is responsible for the inception – in the course of operations or otherwise – of any statutory public information to be published by way of electronic means;
  17. Data disseminator: means a body having public service functions, that shall publish data received from the data source on a website, unless it is published by the data source himself;
  18. Data set: means all data contained in a filing system;
  19. Third party: means any natural or legal person or unincorporated organization other than the data subject, the controller or the processor;
  20. Privacy incident: means the unlawful use or processing of personal data meaning, in particular, unauthorized access, alteration, transfer, disclosure by transmission or deletion as well as damage and accidental destruction.

Legal basis of the data processing (Section 5-6)

  1. Personal data may be processed under the following circumstances:
    • when the data subject has given his consent, or
    • when processing is necessary as decreed by law or by the decree of a local authority based on authorization conferred by law concerning specific data defined therein for the performance of a task carried out in the public interest.
  2. Personal data may be processed also if obtaining the data subject’s consent is impossible or it would give rise to disproportionate costs, and the processing of personal data is necessary:
    a) for compliance with a legal obligation pertaining to the data controller, or
    b) for the purposes of the legitimate interests pursued by the controller or by a third party, and enforcing these interests is considered proportionate to the limitation of the right for the protection of personal data.
  3. If the data subject is unable to give his consent on account of lacking legal capacity or for any other reason beyond his control, the processing of his personal data is allowed to the extent necessary and for the length of time such reasons persist, to protect the vital interests of the data subject or of another person, or in order to prevent or avert an imminent danger posing a threat to the lives, physical integrity or property of persons.
  4. The statement of consent of minors over the age of 16 shall be considered valid without the permission or subsequent approval of their legal representative.
  5. Where processing under consent is necessary for the performance of or the entering into a contract with the controller in writing, the contract shall contain all information that is to be made available to the data subject under this Act in connection with the processing of personal data, such as the description of the data involved, the duration of the proposed processing operation, the purpose of processing, the transmission of data, the recipients and the use of a data processor. The contract must clearly indicate the data subject’s signature and explicit consent for having his data processed as stipulated in the contract.
  6. Where personal data is recorded under the data subject’s consent, the controller shall – unless otherwise provided for by law – be able to process the data recorded where this is necessary:
    • for compliance with a legal obligation pertaining to the controller, or
    • for the purposes of legitimate interests pursued by the controller or by a third party, if enforcing these interests is considered proportionate to the limitation of the right for the protection of personal data,
    without the data subject’s further consent, or after the data subject having withdrawn his consent.

The purpose limitation of data processing (Subsection [1]-[2] of Section 4)

  1. Personal data may be processed only for specified and explicit purposes, where it is necessary for the implementation of certain rights or obligations. The purpose of processing must be satisfied in all stages of data processing operations; recording of personal data shall be done under the principle of lawfulness and fairness.
  2. The personal data processed must be essential for the purpose for which it was recorded, and it must be suitable to achieve that purpose. Personal data may be processed to the extent and for the duration necessary to achieve its purpose.

Other principles of data processing (Subsection [3]-[4] of Section 4)

In the course of data processing, the data in question shall be treated as personal as long as the data subject remains identifiable through it. The data subject shall – in particular – be considered identifiable if the data controller is in possession of the technical requirements which are necessary for identification.
The accuracy and completeness, and – if deemed necessary in the light of the aim of processing – the up-to-dateness of the data must be provided for throughout the processing operation, and shall be kept in a way to permit identification of the data subject for no longer than is necessary for the purposes for which the data were recorded.

Functional data processing

  1. On the basis of Subsection (1) of Section 20 of the Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information, the following shall be specified relating to the functionality of the website of the webshop:
    a) an indication of the fact that data is being collected,
    b) the data subjects targeted,
    c) the purpose of data collection,
    d) the duration of the proposed processing operation,
    e) the potential data controllers with the right of access,
    f) the right of data subjects relating to data processing.
  2. The fact that data is being collected, the type of the data processed: User name, password, first name and family name, e-mail address, phone number, delivery address, delivery name, billing address, billing name, amount payable, time of registration.
  3. The data subjects targeted: Every relevant person registered on the website of the webshop.
  4. The purpose of data collection: Personal data of the data subject will be handled by the Service Provider for the purpose of the entire usage of the website, e.g. conclusion of a contract for providing the services, determining or amending the content, monitoring its compliance, billing of the prices thereof, and the establishment of the related claims, as well as for providing newsletters.
  5. The duration of the proposed processing operation, deadline for deletion of data: Immediately after the deletion of registration, except for accounting documents, which shall be kept for 8 years based on Subsection (2) of Section 169 of the Act C of 2000 on Accounting.

The accounting report directly or indirectly supporting the bookkeeping (including the general ledger accounts, analytical and detailed accounts) must be kept in a form that allows verification of the original document based on the reference in the accounting records in a readable form for at least 8 years.

  6. The potential data controllers with the right of access of data: Personal data may be processed by the sales and marketing assistants of the controller, while respecting the principles referred to above.
  7. The right of data subjects relating to data processing. The following data may be modified on the websites: User name, password, first name and family name, e-mail address, phone number, delivery address, delivery name, billing address, billing name. The deletion or modification of personal data may be initiated by the data subjects in the following ways:
    – by post to Boook Publisher Kft., H-1095, Budapest, Mester utca 87.
    – by e-mail to the info@boook.hu e-mail address.
  8. Data of the data processor (Service Provider storing information) used in relation to the data processing:

Name: RetteSoft Bt.

Address: H-1211 Budapest, Kiss J. altb u 63. IV/42.

E-mail: rettesoft@rettesoft.hu

Phone number: +36 30 9142833

  9. The registration number of the data processing: NAIH-90659/2015.
  10. Legal basis of the data processing: the consent of the User, Subsection (1) of Section 5 of the Info Act, and Subsection (3) of Section 13/A. of the Act CVIII of 2001 on certain aspects of electronic commerce and information society services (hereinafter referred to as Electronic Commerce Act):

The personal data may be processed by the Service Provider for the purpose of providing services that are essential and necessary to achieve its purpose. Should other conditions be identical, the Service Provider shall select and operate the means applied in the course of providing information society service at all times, so that personal data be processed only if it is absolutely indispensable for providing the service or achieving other objectives stipulated in the Electronic Commerce Act, and only to the required extent and duration.

For functional data processing, Subsection (3) of Section 13/A. of the Electronic Commerce Act applies.

  1. For the purpose of billing the charges arising under the contract for the information society service, the Service Provider may process personal data related to the use of such service, provided that such data are indispensable for establishing and billing the charge, thus, especially, the person identification data, address and the data regarding the time, duration and place of using the service.
  2. The personal data may be processed by the Service Provider for the purpose of providing the service that is essential and necessary to achieve its purpose. The Service Provider may – for the purpose of providing the service – process personal data indispensable for providing the service for technical reasons. Should other conditions be identical, the Service Provider shall select and operate the means applied in the course of providing information society service at all times, so that personal data be processed only if it is absolutely indispensable for providing the service or achieving other objectives stipulated in the Electronic Commerce Act, and only to the required extent and duration.
  3. The Service Provider may process data related to the use of the service for purposes – thus, in particular, for the purposes of enhancing the efficiency of the service, forwarding of electronic advertisements or other direct communications addressed to the recipient of the service, or market surveys – only with the prior specification of the objective thereof and subject to the consent of the recipient of the service.
  4. Recipient of the services shall be allowed, at all times, prior to and during the course of using the information society service to prohibit the data processing.
  5. Data processed shall be deleted if the contract is not concluded, is terminated and after the billing. Data processed shall be deleted if the objective of data processing has ceased or upon the instruction of the recipient of the service to this effect. Unless provided otherwise by law, deletion of the data shall take place without delay.
  6. The Service Provider shall ensure that the recipient of the service of the information society service may, at any time prior to and in the course of using the service, get acquainted with the types of data processed by the Service Provider and the objective of processing such data, including the processing of data directly not associated with the recipient of the service.

 

Cookies handling

  1. On the basis of Subsection (1) of Section 20 of the Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information, the following shall be specified relating to the data processing of cookies on the website of the webshop:
    a) an indication of the fact that data is being collected,
    b) the data subjects targeted,
    c) the purpose of data collection,
    d) the duration of the proposed processing operation,
    e) the potential data controllers with the right of access,
    f) the right of data subjects relating to data processing.
  2. The cookies typical of webshops are the so-called “cookies for password-protected work management”, “cookies necessary for shopping basket”, and “safety cookies”, for the use of which prior consent of the data subject is not necessary.
  3. An indication of the fact that data is being collected, the data targeted: unique identifier, date and time.
  4. The data subjects targeted: All data subjects visiting the website.
  5. The purpose of data collection is to identify the users for registration of the “shopping basket”, and to track visitors.
  6. The duration of the proposed processing operation, deadline for deletion of data: In the case of session cookies, data processing lasts until the end of the visit to the website.
  7. The potential data controllers with the right of access of data: The data processor will not process personal data by using cookies.
  8. The right of data subjects relating to data processing: The data subject may delete cookies in the browser's Tools/Options menu, usually under the Data Protection settings.
  9. Legal basis of the data processing: The data subject's consent is not required if cookies are used exclusively for the transmission of a communication over an electronic communications network, or if the Service Provider is providing an information society service specifically requested by the subscriber or user.
  10. [optional] Results of website monitoring are produced by the Google Analytics services by the Service Provider. Data is transferred while using the service. Transferred data do not enable data subject to be identified. For further information on Google Data Protection Policy visit: http://www.google.hu/policies/privacy/ads/
  11. [optional] The website uses the remarketing tag of Google AdWords. Remarketing is a function that assists the website to display. The remarketing tag uses cookies for indicating the visitors. The users visiting the webshop may block these cookies, and further information on Google's data management can be found at the following addresses: http://www.google.hu/policies/technologies/ads/ and https://support.google.com/analytics/answer/2700409. When the users deny the remarketing cookies, specialized offers will not be displayed for them from the website.

 

Newsletter, DM activity

  1. For the purposes of Section 6 of the Act XLVIII of 2008 on the Basic Requirements and Certain Restrictions of Commercial Advertising Activities, User may express prior consent to the Provider to be addressed by his advertisements, other mails through the contact details given at the date of registration (electronic mail or phone number).
  2. Recognising the provisions of the present information, Client may also express his consent to the Provider to process his personal data necessary for sending advertisement offers.
  3. No advertisements may be sent by direct solicitation to the person concerned by the Service Provider, and statements of consent may be withdrawn cost free at any time without any limitation and without the need for the withdrawal to be reasoned. In this case Service Provider must delete all recorded personal data used for advertising and shall not contact User with further communication. The User may unsubscribe from advertisements by clicking on the link in the communication.
  4. On the basis of Subsection (1) of Section 20 of the Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information, the following shall be specified relating to the data processing of sending newsletters:
    a) an indication of the fact that data is being collected,
    b) the data subjects targeted,
    c) the purpose of data collection,
    d) the duration of the proposed processing operation,
    e) the potential data controllers with the right of access,
    f) the right of data subjects relating to data processing.
  5. Indication of the fact that data is being collected, targeted data: name, e-mail address, (phone number), date, time.
  6. The data subjects targeted: All the persons concerned who subscribed to the newsletter.
  7. The purpose of data collection: sending of electronic message advertisements (e-mail, sms, push message) to the data subject, providing information on the relevant information, products, special offers and new functions etc.
  8. The duration of the proposed processing operation: until the withdrawal of the data subject’s consent, which means data processing is terminated when the User is unsubscribed.
  9. The potential data controllers with the right of access: Personal data may be processed by the assistants of the Controller, while respecting the principles referred to above.
  10. The right of data subjects relating to data processing. Data subjects may unsubscribe from advertisements at any time and free of charge.
  11. Legal basis of the data processing: the data subject’s consent, Subsection (1) of Section 5 of the Info Act, and Subsection (5) of Section 6 of the Act XLVIII of 2008 on the Basic Requirements and Certain Restrictions of Commercial Advertising Activities.

Advertisers, advertising service providers and publishers of advertising shall maintain records on the personal data of persons who provided the statement of consent to the extent specified in the statement. The data contained in the aforesaid records – relating to the person to whom the advertisement is addressed – may be processed only for the purpose defined in the statement of consent, until withdrawn, and may be disclosed to third persons subject to the express prior consent of the person affected.

 

Social networks

  1. On the basis of Subsection (1) of Section 20 of the Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information, the following shall be specified relating to the data processing of social networks:
    a) an indication of the fact that data is being collected,
    b) the data subjects targeted,
    c) the purpose of data collection,
    d) the duration of the proposed processing operation,
    e) the potential data controllers with the right of access,
    f) the right of data subjects relating to data processing.
  2. The fact that data is being collected, the type of the data processed: the publicly available user name and photo of persons registered on the Facebook/YouTube/Instagram social networking sites.
  3. The data subjects targeted: All data subjects who have registered on the Facebook/YouTube/Instagram social networking sites and liked the website.
  4. The purpose of data collection: Sharing, liking and promoting certain contents and products of the website, special offers or the website itself on social networking sites.
  5. The duration of the proposed processing operation, deadline for deleting data, the potential data controllers with the right of access and the right of data subjects relating to data processing. The data subject may find information on the source of the data, its handling and the way of transmission and legal basis on the social networking sites. The data processing is carried out on the social networking sites, thus, concerning the duration and method of the proposed processing operation, and the possibility for deletion and amendment of data, the regulation of the specific social networking site applies.
  6. Legal basis of the data processing: the data subject’s voluntary consent to the processing of personal data on the social networking sites.

 

Transmission of data
  1. On the basis of Subsection (1) of Section 20 of the Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information, the following shall be specified relating to the transmission of data of the website of the webshop:
    a) an indication of the fact that data is being collected,
    b) the data subjects targeted,
    c) the purpose of data collection,
    d) the duration of the proposed processing operation,
    e) the potential data controllers with the right of access,
    f) the right of data subjects and remedies available relating to data processing.
  2. An indication of the fact that data is being collected, scope of data collected.
    a) Scope of data transmitted in the interest of management of delivery: Shipping name, shipping address, phone number, amount payable.
    b) Scope of data transmitted in the interest of management of online payment: Invoicing name, invoicing address, amount payable.
  3. The data subjects targeted: All data subjects requesting home delivery/online purchase.
  4. The purpose of the data processing: The delivery of goods ordered/management of online purchase.
  5. The duration of the proposed processing operation, deadline for deletion of data: Runs until the delivery of goods/online payment handling.
  6. The potential data controllers with the right of access: Personal data may be processed by the following persons, while respecting the principles referred to above:

Name: Magyar Posta Zrt.
Address: H-1138 Budapest, Dunavirág utca 2-6.
Information on data processing: https://www.posta.hu

  7. The right of data subjects relating to data processing. The data subject may request the early deletion of his personal data from the controller providing the delivery of goods/online payment.
  8. Legal basis of the data transmission: the User’s consent, Subsection (1) of Section 5 of the Info Act, and Subsection (3) of Section 13/A of the Act CVIII of 2001 on certain aspects of electronic commerce and information society services.

 

Customer relationships and other data processing

  1. In case the data subject raises a question during the use of services of the Controller or on grounds of a problem, he may contact the Controller in the ways provided through the website (phone, e-mail, social networking site).
  2. Received e-mails, messages, data provided on phone and Facebook etc. together with the name, e-mail address and other voluntarily provided personal data of the interested data subject will be deleted by the Controller no sooner than 2 years after providing information.
  3. Information will be given on the data processing not listed in this information at the time of the recording of data.
  4. The Service Provider shall not be obliged to provide or make available information, data or documents in exceptional request from a competent authority, or as allowed under other legislation, from other bodies.
  5. In those cases, Service Provider will provide personal data to the requesting authority, when the objective and list of data is identified, only to a limited extent that is absolutely essential for achieving the objectives of the request.

 

Data security (Section 7)

  1. The Controller makes arrangements and carries out data processing operations in a way so as to ensure full respect for the right to privacy of data subjects.
  2. The Controller implements adequate safeguards and appropriate technical and organizational measures to protect personal data (password protection, antivirus), as well as adequate procedural rules to enforce the provisions of the Info Act and other regulations concerning confidentiality and security of data processing.
  3. Data must be protected by means of suitable measures against
    • unauthorized access,
    • alteration,
    • transmission,
    • public disclosure,
    • deletion or destruction,
    • damage and accidental loss, and
    • to ensure that stored data cannot be corrupted and rendered inaccessible due to any changes in or modification of the applied technique.
  4. Suitable technical solutions shall be introduced by the Controller to prevent the interconnection of data stored in filing systems and the identification of the data subjects.
  5. In order to protect personal data against unauthorized access, alteration or to ensure blocking them from further use, the Controller shall ensure:
    • the establishment and operation of the adequate information and technical context,
    • the approved selection and supervision of the participating staff,
    • the publication of the detailed risk management, operational and service procedures.
  6. Based on the above, the Service Provider shall ensure that the data processed by him
    • is available to the data subject,
    • has its authenticity and authentication ensured,
    • can be verified to be unchanged.
  7. The IT system of the Controller and of its service provider storing information is protected, inter alia, against
    • cyber fraud,
    • espionage,
    • computer viruses,
    • spam,
    • hacks,
    • and other attacks.

 

Rights of data subjects (Section 14-19)

  1. The data subject may request from the Service Provider to provide information when his personal data is being processed, the rectification of his personal data, and the erasure or blocking of his personal data, save where processing is rendered mandatory.
  2. Upon the data subject’s request, the data controller shall provide information concerning the data relating to him, including those processed by a data processor hired by the data controller or by others based on its instructions, the sources from where they were obtained, the purpose, grounds and duration of processing, the name and address of the data processor and on its activities relating to data processing, the circumstances surrounding the privacy incident, its impact, and the actions taken to rectify the situation, and – if the personal data of the data subject is made available to others – the legal basis and the recipients.
  3. The data controller shall keep records – by way of an internal data protection officer where applicable – for the purpose of monitoring actions taken in connection with privacy incidents and for the information of the public and of data subjects, containing the data subjects’ personal data, the data subjects affected by the privacy incident and their number, the time when the privacy incident took place, its circumstances and impacts, the actions taken to rectify the situation, and other data provided for in the legislation on data processing.
  4. With a view to exercising communication control and for the information of the data subject, the data controller shall maintain a transmission log, showing the date and time of transmission, the legal basis of transmission and the recipient, a description of the personal data transmitted, and other information prescribed by the relevant legislation on data processing.
  5. Data processors must comply with requests for information without any delay, and provide the information requested in an intelligible form, in writing at the data subject’s request, within not more than 30 days. The information shall be provided free of charge.
  6. Upon the User’s request, the Service Provider shall provide information concerning the data relating to him, its sources, the purpose, grounds and duration of processing, the name and address of the data processor and on its activities relating to data processing, and – if the personal data of the data subject is transmitted – the legal basis of data transmission and its recipient. The Service Provider must comply with requests for information without any delay, and provide the information requested in writing, within not more than 30 days. The information shall be provided free of charge.
  7. The Service Provider may order the revision of any personal data that is deemed inaccurate if the accurate personal data is available to the Service Provider.
  8. Personal data shall be blocked instead of erased by the Service Provider if so requested by the User, or if there are reasonable grounds to believe that erasure could affect the legitimate interests of the data subject. Blocked data shall be processed only for the purpose which prevented their erasure.
  9. The Service Provider shall erase the personal data if it is processed unlawfully; if so requested by the User; if it is incomplete or inaccurate and cannot be lawfully rectified, provided that erasure is not disallowed by statutory provision; if the purpose of processing no longer exists or the legal time limit for storage has expired; or if so instructed by court order or by the National Authority for Data Protection and Freedom of Information (Nemzeti Adatvédelmi és Információszabadság Hatóság).
  10. If the accuracy of an item of personal data is contested by the data subject and its accuracy or inaccuracy cannot be ascertained beyond doubt, the data controller shall mark that personal data for the purpose of referencing.
  11. When data is rectified, blocked, marked or erased, the data subject to whom it pertains and all recipients to whom it was transmitted for processing shall be notified. Notification is not required if omitting it does not violate the rightful interest of the data subject in light of the purpose of processing.
  12. If the data controller refuses to comply with the data subject’s request for rectification, blocking or erasure, the factual or legal reasons on which the decision for refusing the request for rectification, blocking or erasure is based shall be communicated in writing, or electronically with the data subject’s consent, within twenty-five days of receipt of the request. Where rectification, blocking or erasure is refused, the data controller shall inform the data subject of the possibilities for seeking judicial remedy or lodging a complaint with the Authority.

 

Remedies

  1. The User shall have the right to object to the processing of data relating to him:
    a) if processing or disclosure is carried out solely for the purpose of discharging the Service Provider’s legal obligation or for enforcing the rights and legitimate interests of the Service Provider, the recipient or a third party, unless processing is mandatory;
    b) if personal data is used or disclosed for the purposes of direct marketing, public opinion polling or scientific research; and
    c) in all other cases prescribed by law.
  2. In the event of objection, the Service Provider shall investigate the cause of objection within the shortest possible time, and within fifteen days at the latest, adopt a decision as to merits and notify the data subject in writing of its decision. If, according to the findings of the Service Provider, the data subject’s objection is justified, the Service Provider shall terminate all processing operations (including data collection and transmission), block the data involved and notify all recipients to whom any of these data had previously been transferred concerning the objection and the ensuing measures, upon which these recipients shall also take measures regarding the enforcement of the objection.
  3. If the User disagrees with the decision taken by the Service Provider, the User shall have the right to bring action in the court of law within 30 days of the date of delivery of the decision. The court shall hear such cases in priority proceedings.
  4. A complaint about any infringement by the controller may be filed with the National Authority for Data Protection and Freedom of Information.

National Authority for Data Protection and Freedom of Information
H-1125 Budapest, Szilágyi Erzsébet fasor 22/C.
Postal address: 1530 Budapest, Mailbox: 5.
Phone: +36-1-391-1400
Fax: +36-1-391-1410
E-mail: ugyfelszolgalat@naih.hu

Judicial remedy (Section 22)

  1. The burden of proof to show compliance with the law lies with the data controller. The burden of proof concerning the lawfulness of receiving data lies with the data recipient.
  2. The action shall be heard by the competent general court. If so requested by the data subject, the action may be brought before the general court in whose jurisdiction the data subject’s home address or temporary residence is located.
  3. Any person otherwise lacking legal capacity to be a party to legal proceedings may also be involved in such actions. The Authority may intervene in the action on the data subject’s behalf.
  4. When the court’s decision is in favour of the plaintiff, the court shall order the controller to provide the information, to rectify, block or erase the data in question, to annul the decision adopted by means of automated data-processing systems, to honour the data subject’s objection, or to disclose the data requested by the data recipient.
  5. If the court rejects the petition filed by the data recipient, the controller shall be required to erase the data subject’s personal data within three days of delivery of the court ruling. The controller shall erase the data even if the data recipient does not file for court action within the specified time limit.
  6. The court may order publication of its decision, indicating the identification data of the controller as well, where this is deemed necessary for reasons of data protection or in connection with the rights of large numbers of data subjects.

 

Liability and restitution (Section 23)

  1. Where a data controller violates the rights of the data subject relating to personality as a result of unlawful processing or by any breach of data security requirements, the data subject shall be entitled to claim for restitution from the data controller.
  2. The data controller shall also be liable for any damage caused by the data processor acting on its behalf, as well as for any restitution payable to the data subject for any violation by the data processor of his rights relating to personality. The data controller may be exempted from liability for damages or for payment of restitution if he proves that the damage was caused by or the violation of the rights of the data subject relating to personality is attributable to reasons beyond his control.
  3. No compensation shall be paid and no restitution may be demanded where the damage was caused by or the violation of rights relating to personality is attributable to intentional or negligent conduct on the part of the data subject.

 

Afterword
When preparing this information, we took into account the following laws:

– Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information (hereinafter referred to as: Info Act),
– Act CVIII of 2001 on Certain Aspects of Electronic Commerce and Information Society Services (mainly Section 13/A.),
– Act XLVII of 2008 on the Prohibition of Unfair Commercial Practices against Consumers,
– Act XLVIII of 2008 on the Basic Requirements and Certain Restrictions of Commercial Advertising Activities (mainly Section 6),
– Act XC of 2005 on the Freedom of Information by Electronic Means,
– Act C of 2003 on Electronic Communications (specifically Section 155),
– Opinion 16/2011 on EASA/IAB Best Practice Recommendation on Online Behavioural Advertising.