Privacy statement
I. INTRODUCTION
The aim of this Prospectus is to provide the principles of protecting and processing data applied by the ÁLMOS VEZÉR Kereskedelmi és Szolgáltató Korlátolt Felelősségű Társaság (seat: 6767 Ópusztaszer, Pusztaszeri major 106., Cg.06-09-005206), which the organisation as a data controller, recognises as binding on itself.
In formulating the provisions of the Prospectus, the organisation took special account of the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council (“General Data Protection Regulation” or “GDPR”), Act CXII of 2011 on the right to informational self-determination and on the freedom of information (“Info Act”), Act V of 2013 on the Civil Code (“Ptk.”) and Act XLVIII of 2018 on the basic conditions and certain limitations of commercial advertising (“Grtv.”)
The scope of the present Prospectus on processing data shall be applied to the data processing activities related to the websites under the domains of www.opusztaszerimenes.hu and www.akhalstud.hu (hereinafter: Website). The Prospectus on data processing shall be valid until withdrawal.
II. INTERPRETATIVE PROVISIONS
Data subject: a natural person being identified or – directly or indirectly – identifiable based on any defined personal information.
Personal data: data being connectable to the data subject – especially the name, identifier or one or more physical, physiologic, mental, economic, cultural, or social factors specific to the data subject – and the result which derives from the data and is connectable to the data subject.
Sensitive data: the data relating to racial origin, national and ethnic origin, political opinion, party position, religious or other worldview, trade union membership, health situation, pathological passion, sexual life, and criminal personal data.
Consent: the freely given, specific indication of the data subject’s wishes, which is based on adequate information, by which he signifies agreement to – the comprehensive or limited, for certain operations – processing of personal data relating to him.
Objection: the indication of the data subject, by which he disputes the processing of his personal data, and he requests the termination of processing personal data and requests the deletion of the processed data.
Dataset: is all data processed in a single registry.
Controller: is the natural or legal person, or organisation having no legal personality, which, alone or jointly with others, determines the purposes of data processing, makes decisions concerning data processing (including the means used) and implements such decisions or has them implemented by a processor.
Processing: any operation or set of operations that is performed on data, regardless of the procedure applied; in particular collecting, recording, registering, organising, storing, modifying, using, retrieving, transferring, disclosing, synchronising or connecting, blocking, erasing and destroying the data, as well as preventing their further use; taking photos and making audio or visual recordings, as well as registering physical characteristics suitable for personal identification (such as fingerprints or palm prints, DNA samples and iris scans).
Data transfer: providing access to the data for a designated third party.
Disclosure: making the data accessible to anyone.
Data erasure: making the data unrecognisable in such a way that its restoration is no longer possible.
Data blocking: making the transmission, disclosure, modification, alteration, destruction, erasure, interconnection, or coordination and use of data impossible definitively or for a limited period of time.
Data destruction: the complete physical destruction of the data or the data-storage medium that contains the data.
Technical processing: performing technical tasks related to data management operations, regardless of the method and means used to perform the operations and the place of application, provided that the technical task is performed on the data.
Processor: a natural or legal person, or an organisation not having legal personality which processes personal data based on a contract, included the contracts conducted based on a provision of law.
Data source: the organ performing public duties, which generated the data of public interest that is to be published through electronic means, or during the operations of which such data was generated.
Data publisher: the organ performing public duties which, if the data source itself does not publish the data, uploads the data sent to it by the data source to a website.
Third party: a natural or legal person, or an organisation having no legal personality, other than the data subject, controller, or the processor.
Personal data breach: unlawful processing or technical processing of personal data, in particular unauthorized access, alteration, transmission, disclosure, deletion or destruction, and accidental destruction and damage.
III. NAME OF THE CONTROLLER
III.1. For the purposes of this Data Protection and Data Security Policy, Data Controller is:
Name: ÁLMOS VEZÉR Kereskedelmi és Szolgáltató Korlátolt Felelősségű Társaság
Seat: 6767 Ópusztaszer, Pusztaszeri major 102.
Tax no.: 12122176-0143-113-06No. of company register: 06-09-005206Phone no.: +36-30-638-8318
E-mail: csat1996@gmail.com, cseppentoopuszta@gmail.comWebsite: https://www.opusztaszerimenes.hu
Represented by: Attila Cseppentő, Regő Cseppentő, Rita Cseppentő, Réka Cseppentő, Zsombor Cseppentő
The Controller is an organisation registered in Hungary.
The Controller operates the Website, which introduces the services provided and the products distributed by the Controller.
III.2. Processors
For the engagement of the processor, the prior consent of the data subject is not necessary, but his information is required. Based on this, we provide the following information:
Data processing activities related to web hosting services:
Name of the processor: C-Host Kft.
Seat of the processor: 1115 Budapest, Halmi utca 29.
Phone no. of the processor: +36 (1) 445-2040
E-mail address of the processor: info@nethely.hu
Processing of all personal data provided by the data subject on the website for the website to function properly. Duration of data management, deadline for deleting data: It lasts until the termination of the agreement between the Service Provider and the Hosting Provider, or until the cancellation request of the data subject to the Hosting Provider.
Data processing activities related to e-mail:
Name of the Processor: Google, Mountain View, California, United States
Seat of the Processor: Ireland, Dublin, Barrow Street 4
E-mail address of the Processor:
The Controller uses the Processor’s Google Mail service under a contract with the Processor, which helps the Controller to carry out electronic mailing.
Google Analytics data processing activities related to aggregate data analysis:
Name of the Processor: Google, Mountain View, California, United States
Seat of the Processor: Ireland, Dublin, Barrow Street 4
E-mail address of the Processor:
The Controller uses the Processor’s Google Analytics service under a contract with the Processor, which helps both the Controller and the Processor to get a more accurate picture of the activities of their visitors.
IV. GUARANTEEING THE LAWFULNESS OF THE DATA PROCESSING
If the Company wishes to perform data processing based on consent, the consent of the data subject for the processing of personal data shall be requested on the data request form. The Controller primarily records the data directly from the data subject. The Controller is not responsible for the authenticity and accuracy of the data provided by the data subject.
Consent shall also be deemed to have been given if the data subject has ticked the appropriate box when viewing the Company’s website, has made technical adjustments when using information society services, or any statement or action that clearly indicates in the context of the data subject’s consent to the intended processing of his or her personal data.
The consent shall cover all data processing activities carried out for the same purpose or purposes.
In the case of data processing based on a legal obligation, the scope of the data that can be processed, the purpose of the data processing, the duration of data storage, the recipients are regulated by the provisions of the underlying legislation. Data processing based on the fulfilment of a legal obligation is independent from the data subject’s consent, as the data processing is defined by law. The data subject shall be clearly and in detail informed of all facts relating to the processing of his or her data before the processing begins. The information shall also cover the data subject’s rights and the possibilities of remedies. In case of mandatory data processing, the information may also be provided by publishing a reference to the legal provisions.
The interests of the Company may provide a legal basis for data processing, provided that the interests, fundamental rights, and freedoms of the data subject do not take precedence. The reasonable expectations of the data subject based on his or her relationship with the Controller concerned shall be considered, so the processing of personal data for contact or even direct business purposes may be based on a legitimate interest.
The Company is obliged to ensure the exercise of the rights of the data subject during all data processing.
The place of data processing: Paper documents are kept in all cases by ÁLMOS VEZÉR Kft.
V. THE RANGE OF PROCESSED DATA
The Processor processes the following data of the data subject:
- Data necessary for identification: name, place and date of birth, mother’s name, domicile, place of residence, type of identification document and its number, nationality. Providing these data is mandatory in case of conducting a contract, the contract cannot be conducted in absence of these data.
- Data necessary for identification: name, place and date of birth, mother’s name, domicile, place of residence, type of identification document and its number, nationality. Providing these data is mandatory in case of conducting a contract, the contract cannot be conducted in absence of these data.
- Contact information: name, address, phone number, e-mail address, nationality. The provision of data is used to establish contact between the data controllers and the data subject. If the data subject does not provide any of his or her contact details, the data controllers will not be able to contact him or her and will not be able to provide the service.
Purpose of data processing: contacting, keeping in touch, communicating information, requesting information. - Data related to the reservation of and participation in (equestrian) programmes organised by the data controller: name, place and date of birth, mother’s name, domicile, place of residence, type of identification document and its number, nationality, social insurance number, body weight.
- Data related to education: name, address, phone number, place and date of birth, e-mail address.
- Data related to the reservation of accommodation: name, address, phone number, place and date of birth, e-mail address.
a) In case of booking an accommodation in person, in case of check-in, the guest’s data will be recorded on a registration form. The data is digitised based on the application form. Following the digitisation of customer data, the form will be erased within 1 year.
The following data will be recorded on the notification form: name, place and date of birth, citizenship, number of ID card, address, date of arrival, date of departure, vehicle registration number.
b) Through an e-mail: In case of an online registration: name, phone number, e-mail address, the purpose of data processing is to identify the user and then inform him or her by e-mail only and exclusively in connection with the given booking.
- Data required for ordering and delivery of goods: name, address, e-mail address, phone number, name of the company, delivery address.
The purpose of data processing: Taking orders, delivering the ordered goods. - Billing information: name, address, company name, seat, billing address.The purpose of data processing: Issuance of an invoice in accordance with the law and fulfilment of the obligation to keep accounting documents. Based on Section 169 paragraphs (1)-(2) of the Sztv., companies must keep accounting records directly and indirectly in support of their accounts.
- Data processing required for sending newsletters: name, e-mail address, phone number.
The purpose of data processing is to be informed about the latest and best offers and promotions. - Usage of website: When using the website, the IP address of the user’s computer, the start and end time of the visit and, in some cases, the type of browser and operating system, depending on the settings of the user’s computer, are recorded. This data is automatically logged. The Service Provider does not combine the data in the log file with other personal data. This data is retained by the Data Controller for a maximum of 90 days and is primarily used to investigate security incidents.
- Data referring to claims: in the event of a dispute between the data subject and the Data Controllers (in particular that the data subject does not pay the fee), the Data Controllers handle the data and evidence concerning the legal basis and nature of the claim.
- Regarding the employees of the Data Controller, it handles all the data that are relevant from the point of view of labour law, tax law and social security, so name, address, mother’s name, place and date of birth, social insurance number. The Data Controller handles the data specified in the assignment contract with respect to its agents (name, mother’s name, address, number of ID card, tax number, billing number).
VI. PROCESSING THE DATA OF THE VISITORS ON THE WEBSITE OF THE COMPANY – ON THE APPLICATION OF COOKIES
- The Company applies cookies on certain areas of the Website. Visitors to the website shall be informed that the website uses cookies and, with the exception of technically essential session cookies, consent must be sought.
- A cookie is a piece of data that a website you visit places in a browser on a visitor’s device. Cookies are therefore stored on the user’s computer. Cookies are widely used for the efficient operation of websites or the provision of web services and functions. Cookies may be “temporary” or “permanent”. The temporary cookie is stored by the browser only until the end of the current session, the temporary cookie is automatically deleted when the browser is closed. The persistent cookie is not deleted by the browser at the end of the given session, but is stored until a certain time, provided that the user does not delete it before the specified time expires.
Since individuals can be associated with online IDs, such as IP addresses and cookie IDs, provided by the devices, applications, devices, and protocols they use, this data, in combination with other information, is suitable and can be used to create a profile of natural persons and to identify that person.
Cookies are also suitable for remembering the settings, so the user does not have to re-record them when entering a new page, they remember previously entered data, so they do not need to be re-typed, analyse the use of the website in order to ensure that, as a result of the improvements made using the information thus obtained, it works as far as possible in accordance with the user’s expectations, the user can easily find the information they are looking for, and they monitor the effectiveness of our ads.
If the Data Controller displays various contents on the Website using external web services, this may result in the storage of some cookies that are not controlled by the Data Controller, so it has no influence on what data these websites or external domains collect. These cookies are described in the regulations for the given service. The user can set their web browser to accept all cookies, reject them all, or notify the user when a cookie arrives on their machine. The setting options are usually found in the “Options” or “Settings” menu of the browser. Detailed information at www.aboutcookies.org in English will also help with settings in different browsers.
Main features of cookies applied by the website:
A. Cookies necessary for the operation of the website: These cookies are essential for the usage of the website and allow you to use the basic functions of the website. The lifespan of these types of cookies is limited to the duration of the session only.
– WPML cookies – these are placed by the WPML module. Because our website is multilingual, the user’s preferred language is identified by these cookies.
Names of cookies: _icl_current_language
– Borlabs Cookies – these are placed by the Borlabs Cookies module. These cookies are used to manage cookies on our website in accordance with the GDPR.
Names of cookies: borlabsCookie, borlabsCookieUnblockContent
B. Cookies to improve the user experience: These cookies do not collect information that identifies the visitor, so they work with completely general, anonymous information. The lifespan of these types of cookies is limited to the duration of the session only.
– AddToAny cookies – these cookies are placed by the AddToAny service, these cookies allow the sharing of individual content of the website on the user’s social profiles (eg facebook, twitter, pinterest, etc.) if the user intends to, they do not store any personal data.
Names of cookies: uvc, __cfduid
C. Statistical/Marketing cookie-k: These cookies help website and application owners to get a more accurate picture of their visitors’ activities. These cookies allow the service to collect information and report statistics on the use of the website without individually identifying visitors. In addition to reporting from site usage statistics, Google Analytics can also be used to show more relevant ads on Google products (such as Google Search) and across the web.
– Cookies of Google Analytics: These allow Google Analytics to differentiate between users without being able to identify them; and control the frequency of the query
Names of cookies: _ga, _gid, _gat_gtag
D. Cookies of external media: These cookies are placed in certain content of the website when the media on the server of external service providers is displayed.
– YouTube cookies – these cookies are placed by YouTube if the user views content embedded from YouTube on the website. To view YouTube content on our website, the user must agree to YouTube’s Terms of Use, YouTube cookies will only be placed in this case.
Names of the cookies: CONSENT, NID, 1P_JAR, yt-player-bandwidth, yt-player-headers-readable, yt-remote-fast-check-period, yt-remote-session-name, yt-remote-cast-available, yt-remote-cast-installed, yt-remote-session-app, yt-remote-connected-devices, yt-remote-device-id, yt-player-volume
– NAVA cookies – these cookies are placed by the National Audio-visual Archive if the user views content embedded from NAVA. To view NAVA content on our website, the user must agree to the NAVA’s Terms of Use, NAVA cookies will only be placed in this case.
Names of cookies: jwplayer.bandwidthEstimate, jwplayer.captionLabel, jwplayerLocalId, visited, IDE, _ga, _gat, _gid
Information about the cookies of Google Analytics can be found on the following page: https://developers.google.com/analytics/devguides/collection/analyticsjs/cookie-usage
Information on the cookies of A Google AdWords may be found on the following website: https://support.google.com/google-ads/answer/2407785
Accepting the usage of cookies and permitting them is not mandatory. Visitors to the website can reset their browser settings to reject all or to indicate when a cookie is being sent. It is important to note that it can occur that some website features or services may not work properly without cookies.
VII. THE RIGHTS OF THE DATA SUBJECT
The rights and possibilities of remedy of the data subject are determined and informed to the data subjects based upon Act CXII of 2011 and Regulation (EU) 2016/679 as follows. The Data Controller draws the attention of the data subjects to the fact that the data subject may exercise his or her rights by sending a request to the e-mail address csat1996@gmail.com or through other contact details of the Data Controller.
The Data Controller shall provide the data subject with all information and any information relating to the processing of personal data in a concise, transparent, comprehensible, and easily accessible form, in a clear and comprehensible manner. Information shall be given in a written or other form. The Data Controller shall facilitate the exercise of the data subject’s rights. The Data Controller shall, without undue delay, but in any case, within one month of receipt of the request, inform the data subject of the action taken on his or her request to exercise his or her rights. This period may be extended by a further two months under the conditions laid down in the Regulation. If the Data Controller does not act on the data subject’s request, it shall inform the data subject of the reason for the non-action without delay, but no later than within one month from the receipt of the request. Detailed rules may be found in Article 12 of the Regulation.
- Right to information (“right to access”)
Based on Act CXII of 2011 and Article 15 of Regulation (EU) 2016/679, the Data Controller shall provide information on the request of the data subject about every fact relating to the processing of the data subject’s personal data, in particular:
- data processing is based on his or her consent or is required by law,
- the aim of data processing and its legal basis,
- the person entitled to process or control personal data,
- the interval of data processing, and
- who can get to know the data.
- Right to rectification: The data subject may request that the Data Controller rectify inaccurate personal data concerning him or her, to have incomplete personal data completed. Article 16 of the Regulation contains these rules.
- Right to erasure (“right to be forgotten”). The data subject may withdraw his or her consent to the processing of his or her personal data, he or she may request the erasure of the data. The Data Controller shall only have the right to deny this request if the processing is based on law. If the provisions of point VIII.5. are met, the Data Controller is obliged to erase the personal data concerning the data subject without undue delay.
- Right to restriction of processing: Where processing has been restricted, personal data shall, with the exception of storage, only be processed with the data subject’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
The data subject shall have the right the right to restriction of processing where one of the following applies:
a) the accuracy of the personal data is contested by the data subject
b) the processing is unlawful
c) the controller no longer needs the personal data for the purposes of the processing
d) the data subject has objected to processing - Objection
The data subject shall have the right to object to processing his or her personal data, including profiling, if
a) the processing (transmission) of personal data is necessary only for the enforcement of the right or legitimate interest of the Data Controller or the data recipient, unless the data processing has been ordered by law;
b) the use or transfer of personal data is for the purpose of direct business acquisition, public opinion polling or scientific research;
c) the exercise of the right to object is otherwise permitted by an act.
With the simultaneous suspension of data processing, the Data Controller shall examine the objection as soon as possible, but not later than within 15 days from the submission of the request and shall inform the applicant in writing of the result.
If the applicant’s objection is justified, the Data Controller shall terminate the data processing, including further data collection and data transfer, and block the data, and notify all persons to whom the personal data concerned by the objection have previously been transmitted and who are obliged to take action in order to enforce the right to object to notify the objection and the measures taken on the basis thereof.
- Informing the data subject about a personal data breach
If the personal data breach is likely to pose a high risk to the rights and freedoms of natural persons, the Data Controller shall inform the personal data breach without undue delay. This information shall clearly and intelligibly describe the nature of the personal data breach and shall include at least the following:
- the name and contact details of the contact person providing the information
- the likely consequences of personal data breach
- measures taken or planned to remedy the personal data breach, including, where appropriate, measures to mitigate any adverse consequences arising from the personal data breach.
The data subject need not be informed if the controller has implemented adequate technical protection, has taken further action following the personal data breach to ensure that the high risk to the data subject’s rights is no longer likely to materialise, and information would require a disproportionate effort. Article 34 of the Resolution prescribes further provisions.
- Remedy
If the data subject considers that his or her rights have been infringed during the processing or processing of the data, he or she may lodge a complaint:
National Authority for Data Protection and Freedom of Information
Address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c
Phone no.: +36 (1) 391-1400
Fax: +36 (1) 391-1410
website: http://www.naih.hu
e-mail: ugyfelszolgalat@naih.hu
These rules are prescribed in Article 77 of the Regulation.
All data subjects shall have the right to an effective judicial remedy if the competent supervisory authority does not deal with the complaint or does not inform the data subject within three months of the procedural developments or the outcome of the complaint lodged. Proceedings against the supervisory authority shall be brought before the courts of the Member State in which the authority is situated. These rules are prescribed in Article 78 of the Regulation.
If the data subject does not agree with the decision of the Data Controller, or the Data Controller fails to comply with the referred deadline, he or she is entitled to apply to a court within 30 days of its notification. The court shall hear such cases as a matter of priority. The Data Controller is obliged to prove that the data processing complies with the provisions of the law. These rules are prescribed in Article 79 of the Regulation.