Last updated: 2026.01.16.

1. GENERAL INFORMATION

The scope of activities of Miskolci Fürdők Korlátolt Felelősségű Társaság (the “Controller”) includes the provision of spa, sauna, and steam bath services.
In connection with these activities, the Controller processes information that qualifies as “personal data” within the meaning of Article 4(1) of Regulation (EU) 2016/679 on the General Data Protection Regulation (the “GDPR”) relating to its contractual partners, as well as their representatives, contact persons, and other individuals specified in this data protection notice (the “Notice”) (collectively referred to as the “data subject(s)”).

This Notice provides information on the processing of such personal data, as well as on the rights of the data subjects and the legal remedies available to them in relation to data processing.

In this Notice, you will find information on the purposes for which, the legal bases on which, and the duration for which we process the personal data of the data subjects, as well as to whom such data are disclosed, and other characteristics of our data processing activities. Furthermore, we inform data subjects of their rights and legal remedies to which they are entitled in connection with our data processing activities.

Please read this Notice carefully. Should you have any questions or requests regarding the data processing activities carried out by the Controller, please feel free to contact us using the contact details provided below.

Contact Details of the Controller:

Miskolci Fürdők Korlátolt Felelősségű Társaság

Registered office of the Controller: 3519 Miskolc, Aradi sétány 1., Hungary

Company registration / registry number of the Controller: 05-09-014955

Email address of the Controller: titkarsag@miskolcifurdok.hu 

Website of the Controller: miskolcifurdok.hu (the “Website”).

We emphasize that the provisions set out in this Notice shall be interpreted in conjunction with the relevant terms of other contracts concluded by the Controller with certain of its customers, partners, and subcontractors.

What Data Qualify as Personal Data?

Personal data means any information relating to an identified or identifiable natural person (the “data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person. Accordingly, personal data include, for example, the name and email address of the data subject (such as a user, customer, or representative of a contractual partner), as well as, potentially, data relating to a contract concluded with the given user or customer (such as the existence and nature of the contract).

Which Personal Data Fall within the Special Categories of Personal Data?

Personal data falling within the special categories of personal data include personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data or biometric data processed for the purpose of uniquely identifying a natural person, data concerning health, and personal data concerning a natural person’s sex life or sexual orientation.

Given that the activities of the Controller do not require the provision of the above-mentioned data, the Controller expressly requests data subjects to refrain from providing any special categories of personal data. If, despite this, such data nevertheless come to the attention of the Controller (for example, if such data are unlawfully disclosed to the Controller by a third party in relation to a data subject), the Controller shall delete such data without delay.

Who May Qualify as a Data Subject?

The Controller may process the personal data of the following natural persons, in particular, but not limited to:

• The customers of the Controller, as well as their authorised representatives, agents, and contact persons, in connection with the activities of the Controller and the performance of orders.
• The other partners of the Controller (such as subcontractors), as well as their authorised representatives, agents, and contact persons, in connection with the performance of contracts concluded between the Controller and its partners;
• The personal data of data subjects, as well as their authorised representatives, agents, and contact persons, processed in connection with enquiries, complaints, and the enforcement of claims submitted to the Controller;
• The personal data of data subjects processed in connection with the Controller’s marketing communications
• Personal data processed in connection with the facilitation of the exercise of data protection rights, measures taken in response to data subject requests, and incident management
• The personal data of visitors to the Website, processed within the scope defined in the separate COOKIE NOTICE available on the Website

 

What Do We Do to Protect the Personal Data of Data Subjects?

We are committed to the protection of personal data and therefore make every effort to ensure that the personal data of data subjects are processed in compliance with the applicable laws and regulations. As a data controller, we adhere to the following principles in the course of our data processing activities:

• We process personal data lawfully only.
• We process personal data for specified purposes, in a data‑minimised manner, and for a limited period of time.
• We safeguard the personal data of data subjects and apply the technical and organisational measures necessary to ensure data security.
• We assist data subjects in exercising their rights related to data processing.

2. UPDATES TO THIS NOTICE AND ITS AVAILABILITY

The Controller reserves the right to amend this Notice unilaterally, with effect from the date of such amendment, subject to the limitations set out in the applicable legislation and, where necessary, by providing the data subjects with prior notice in due time.

 

This Notice may be amended in particular where such amendment is required due to changes in legislation, data protection authority practice, business needs, the introduction of new data processing purposes, newly identified security risks, or feedback received from data subjects. In connection with this Notice or data protection matters, as well as in the course of communications with data subjects in general, the Controller may use the contact details of data subjects available to it for the purposes of contacting and communicating with them. Upon request, the Controller shall, for example, provide data subjects with the location of the version of the Notice currently in force on the Website or confirm that the Notice has been made accessible to the data subjects.

3. DATA PROTECTION PROVISIONS

In the course of its data processing activities, the Controller is required to comply – primarily, in addition to its other legal obligations – with the legal obligations set out in the following legislation:

• “Accounting Act” – Act C of 2000 on Accounting

• “Tax Administration Act” – Act CL of 2017 on the Rules of Taxation

• “Info Act” – Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information

• „GDPR” - Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation)

 

These laws define in detail and comprehensively operations that involve the processing of personal data. The purpose of this Notice is to present these data processing operations in a clear and understandable manner. However, due to space limitations, it is not possible to describe certain detailed rules in full; therefore, only a summarized description is provided, to the extent required to ensure clear information for data subjects, or by way of reference to the relevant legal provisions. For detailed information on the data processing operations defined by the above regulations, as well as on any other data processing activities, the Controller can provide further information via the contact details indicated above or upon personal consultation.

The Controller primarily obtains any personal data relating to data subjects directly from the data subject through voluntary data disclosure, or from a third party entitled to disclose such data with regard to the data subject. The source of the data processed by the Controller may also include, for example, public registers, courts, authorities, or other data subjects.

If a person is not independently entitled to provide certain personal data, they are required to obtain the consent of the relevant third party (such as a legal representative, guardian, or other person on whose behalf they act), or to ensure another appropriate legal basis for the disclosure of the data, and to comply with any other applicable data protection and data security requirements. In this context, the person providing the data is obliged to assess whether the disclosure of the given personal data requires the consent of a third party. It may occur that the Controller does not enter into direct personal contact with the data subject; in such cases, compliance with this provision must be ensured by the person transferring the data relating to the data subject. Notwithstanding the foregoing, the Controller is at all times entitled to verify whether an appropriate legal basis exists for the processing of any personal data. For example, if the person providing the data acts on behalf of a third party, the Controller is entitled to request a power of attorney and/or the data subject’s appropriate consent to the relevant data processing activity.

4. DESCRIPTION OF INDIVIDUAL DATA PROCESSING OPERATIONS

The categories of personal data processed by the Controller, the purposes of the data processing, the legal basis for the data processing, the duration of the data processing, as well as other relevant circumstances of the data processing are set out in detail in the table contained in the ANNEX to this Notice.

Please scroll to the ANNEX at the end of this Notice to view the table describing the individual data processing operations.

5. DATA PROCESSORS

For the performance of tasks related to its data processing operations, the Controller engages the following contractual partners. Such contractual partners act as so-called “data processors” and, by virtue of this status, process certain personal data specified in this Notice on behalf of and in accordance with the instructions of the Controller.

The Controller engages only data processors that provide sufficient guarantees – in particular with regard to expertise, reliability, and resources – to implement appropriate technical and organisational measures ensuring compliance with the applicable data protection legislation, in particular the requirements of the GDPR, including measures to ensure the security of data processing. Upon completion of the processing of personal data on behalf of the Controller, the data processor shall, at the choice of the Controller, return or delete the personal data, unless Union or Member State law applicable to the data processor requires the storage of such personal data.

Name of Data Processor: Forrás SQL (GriffSoft Informatikai Zrt.)

• Registered office: 1041 Budapest, Görgey Artúr utca 69-71.
• Email address: info@griffsoft.hu
• Activity: invoice management services
• Website: griffsoft.hu

Name of Data Processor: Miskolc Holding Önkormányzati Vagyonkezelő Zártkörűen Működő Részvénytársaság

• Registered office: 3530 Miskolc, Petőfi Sándor utca 1-3.
• Email address: info@miskolcholding.hu
• Activity: Website hosting service provider
• Website: miskolcholding.hu

Name of Data Processor: Miskolc Városi Közlekedési Zártkörűen Működő Részvénytársaság

• Registered office: 3530 Miskolc, Szemere Bertalan utca 5.
• Email address: mail@mvkzrt.hu
• Activity: courier services
• Website: mvkzrt.hu

Name of Data Processor: Magyar Posta Zártkörűen Működő Részvénytársaság

• Registered office: 1138 Budapest, Dunavirág utca 2-6.
• Email address: ugyfelszolgalat@posta.hu
• Activity: postal services
• Website: posta.hu

Name of Data Processor: PannonSet Korlátolt Felelősségű Társaság

• Registered office: 1237 Budapest, Hrivnák Pál u. 165/3.
• Email address: ps@ps.hu
• Activity: operator of the document management system
• Website: ps.hu

6. TRANSFER OF DATA TO OTHER DATA CONTROLLERS

The Controller may transfer personal data to the following additional data controllers. These organizations act as data controllers, meaning that they may independently or jointly determine the purposes of the processing of personal data, make and implement decisions regarding the processing (including the means of processing), or execute it through a data processor engaged by them. The legal basis for such data transfers is, in all cases, Article 6(1)(f) of the GDPR, i.e., the legitimate interests of the Controller or a third party, in particular the relevant client/user.

With regard to the solutions listed below, the following service providers have access to the data of data subjects related to the use of the respective solution:

• Microsoft acts as a data processor for the Controller in relation to the following services: Outlook, Office, and Microsoft Teams. The Microsoft Data Protection Officer can be contacted at: Microsoft EU Data Protection Officer, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland, phone: +353 (1) 706-3117. We emphasize that in certain cases, Microsoft acts as a data controller (including, in particular, processing activities carried out by Microsoft on the basis of its own legitimate business interests). Furthermore, we note that the contractual terms applicable to certain Microsoft services and users include the Standard Contractual Clauses, which provide appropriate safeguards for transfers of personal data to third countries outside the European Union. Questions regarding Microsoft’s data processing practices can be submitted at the following page: Submit your questions regarding Microsoft’s privacy practices. Additional information is also available at the following links: Microsoft Privacy Statement; Protecting personal data in Microsoft cloud services.
• Meta Platforms Ireland Limited (address: Merrion Road, Dublin 4, D04 X2K5, Ireland) acts as a joint data controller together with the Controller in connection with the Controller’s social media pages (Facebook, Instagram), and as an independent data controller in relation to other data processing activities concerning the Facebook social networking site, in accordance with Meta’s own Privacy Policy.

7. DATA PROTECTION RIGHTS AND REMEDIES OF DATA SUBJECTS

Data protection rights and remedies

The data protection rights and remedies available to data subjects are set out in detail in the relevant provisions of the GDPR (in particular Articles 15, 16, 17, 18, 19, 20, 21, 22, 77, 78, 79, 80 and 82 of the GDPR). The following summary outlines the most important provisions, and the Controller hereby provides information to data subjects on their rights and remedies related to the processing of their personal data in accordance with these provisions. The Controller specifically draws the attention of data subjects to the exercise of the right to object (see below).

Information shall be provided in writing or by other means, including, where appropriate, by electronic means. At the request of the data subject, information may also be provided orally, provided that the identity of the data subject has been verified by other means.

The Controller shall inform the data subject without undue delay and in any event within one month of receipt of the data subject’s request relating to the exercise of their rights (see Articles 15–22 of the GDPR) of the measures taken in response to such request. Where necessary, taking into account the complexity of the request and the number of requests, this period may be extended by a further two months. The Controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the data subject has submitted the request by electronic means, the information shall, where possible, be provided by electronic means, unless the data subject requests otherwise.

Where the Controller does not take action on the data subject’s request, it shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and of the possibility for the data subject to lodge a complaint with a supervisory authority and to seek a judicial remedy.

The Controller specifically draws the attention of data subjects to the exercise of the right to object as set out below. It should be emphasized that, in the case of data processing based on the legitimate interests of the Controller or a third party, the Controller shall, at the request of the data subject, provide its relevant legitimate interests assessment (balancing test) serving to substantiate the legitimate interest relied upon.

Right of Access of the Data Subject

The data subject has the right to obtain from the Controller confirmation as to whether or not personal data concerning them is being processed. Where such processing is taking place, the data subject has the right to access the personal data and the following information:

• the purposes of the processing;
• the categories of personal data concerned;
• the recipients or categories of recipients to whom the personal data has been or will be disclosed by the Controller;
• where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
• the data subject’s right to request from the Controller the rectification or erasure of personal data concerning them, or the restriction of processing, and the right to object to such processing;
• the right to lodge a complaint with a supervisory authority;

• where the personal data were not collected from the data subject, any available information as to their source.

 

If personal data is transferred to a third country or to an international organization, the data subject has the right to be informed about the transfer, including the relevant information and appropriate safeguards.

The Controller shall provide the data subject with a copy of the personal data subject to processing. For any additional copies requested by the data subject, the Controller may charge a reasonable fee based on administrative costs. If the data subject submits the request electronically, the information shall be provided in a commonly used electronic format, unless the data subject requests otherwise.

The Controller emphasizes that it does not carry out automated decision-making, nor does it create profiles of data subjects based on the available data. Should automated decision-making or profiling be carried out in the future, the Controller will inform the data subjects by updating this Notice or through separate information in accordance with the GDPR and other applicable legal provisions.

Right to Rectification

The data subject has the right to obtain from the Controller the rectification of inaccurate personal data concerning them without undue delay upon request. The data subject also has the right to request the completion of incomplete personal data, for example by means of providing a supplementary statement.

Right to Erasure (“Right to be Forgotten”)

The data subject has the right to obtain from the Controller the erasure of personal data concerning them without undue delay upon request, where one of the following grounds applies:

• the personal data are no longer necessary for the purposes for which they were collected or otherwise processed by the Controller;
• the data subject withdraws consent on which the processing is based, and there is no other legal basis for the processing;
• the data subject objects to the processing of their personal data, and there are no overriding legitimate grounds for the processing;
• the personal data have been unlawfully processed;
• the personal data must be erased to comply with a legal obligation under Union or Member State law applicable to the Controller; or
• the personal data were collected in connection with the offer of information society services.

If the Controller has made the personal data public and, in accordance with the above, is obliged to erase it, the Controller shall—taking into account the available technology and the cost of implementation—take all reasonably expected steps, including technical measures, to inform other controllers processing the data that the data subject has requested the deletion of any links to such personal data, or of copies or replications of such personal data.

The above provisions of this section shall not apply where the processing of data is necessary, including but not limited to:

• for exercising the right to freedom of expression and information;
• for compliance with a legal obligation which requires the processing of personal data under Union or Member State law to which the Controller is subject;
• for reasons of public interest in the area of archiving, scientific or historical research purposes, or statistical purposes, where the right to erasure is likely to render impossible or seriously impair the achievement of the objectives of such processing; or
• for the establishment, exercise or defence of legal claims.

Right to Restriction of Processing

The data subject shall have the right to obtain from the Controller restriction of processing where one of the following applies:

• the data subject contests the accuracy of the personal data, in which case the restriction shall apply for a period enabling the Controller to verify the accuracy of the personal data;
• the processing is unlawful and the data subject opposes the erasure of the data and requests the restriction of their use instead;
• the Controller no longer needs the personal data for the purposes of the processing, but the data are required by the data subject for the establishment, exercise or defence of legal claims; or
• the data subject has objected to processing; in such a case, the restriction shall apply for the period during which it is verified whether the legitimate grounds of the Controller override those of the data subject.

Where processing has been restricted pursuant to the above paragraph of this section, such personal data shall, with the exception of storage, only be processed with the data subject’s consent, or for the establishment, exercise or defence of legal claims, or for the protection of the rights of another natural or legal person, or for reasons of important public interest of the EU or of a Member State.

The Controller shall inform the data subject in advance of the lifting of the restriction of processing, where the restriction was applied at the data subject’s request.

Obligation to notify rectification or erasure of personal data or restriction of processing

The Controller shall communicate any rectification or erasure of personal data or restriction of processing to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. Upon request, the Controller shall inform the data subject about those recipients.

Right to Data Portability

The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to the Controller, in a structured, commonly used and machine-readable format, and shall have the right to transmit those data to another controller without hindrance from the Controller, where both of the following conditions are met:

• the processing is based on consent or on a contract; and
• the processing is carried out by automated means.

In exercising his or her right to data portability as described above, the data subject shall have the right—where technically feasible—to request the direct transmission of the personal data between controllers (including between the Controller and other controllers).

The exercise of the right to data portability shall not adversely affect the provisions relating to the right to erasure (“right to be forgotten”), nor shall it negatively affect the rights and freedoms of others.

Right to object

The data subject shall have the right, on grounds relating to his or her particular situation, to object at any time to the processing of personal data concerning him or her which is based on the legitimate interests of the Controller. In such a case, the Controller shall no longer process the personal data unless the Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or which relate to the establishment, exercise or defence of legal claims.

Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to the processing of personal data concerning him or her for such marketing purposes.

Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.

Right to lodge a complaint with a supervisory authority

The data subject shall have the right to lodge a complaint with a supervisory authority—particularly in the EU Member State of his or her habitual residence, place of work or place of the alleged infringement—if the data subject considers that the processing of personal data relating to him or her infringes the provisions of the GDPR. Further information on supervisory authorities competent in each Member State can be found on the website of the European Data Protection Board by clicking here. In Hungary, the competent supervisory authority is the National Authority for Data Protection and Freedom of Information (Nemzeti Adatvédelmi és Információszabadság Hatóság – NAIH) (website: http://naih.hu/; address: 1055 Budapest, Falk Miksa utca 9-11.; postal address: 1363 Budapest, Pf. 9.; telephone: +36-1-391-1400; fax: +36-1-391-1410; e-mail: ugyfelszolgalat@naih.hu).

Right to an effective judicial remedy against a supervisory authority

The data subject shall have the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning him or her.

The data subject shall have the right to an effective judicial remedy where the competent supervisory authority does not handle a complaint or does not inform the data subject within three months of the progress or outcome of the complaint lodged.

Proceedings against a supervisory authority shall be brought before the courts of the EU Member State where the supervisory authority is established.

Right to an effective judicial remedy against the Controller

Without prejudice to any available administrative or non-judicial remedies— including the right to lodge a complaint with a supervisory authority— the data subject shall have the right to an effective judicial remedy where he or she considers that his or her rights under the GDPR have been infringed as a result of the processing of personal data that does not comply with the GDPR.

Proceedings against the Controller shall be brought before the courts of the EU Member State in which the Controller is established (Hungary). Such proceedings may also be brought before the courts of the EU Member State where the data subject has his or her habitual residence. In Hungary, such cases fall within the competence of the regional court. The data subject may initiate proceedings - at his or her choice - before the regional court competent for his or her place of residence or habitual residence. Information on the jurisdiction and contact details of courts (regional courts) can be found at the following website: www.birosag.hu.

Charging a reasonable fee or refusing to act in relation to providing the requested information or taking the requested action

The Controller shall provide the information relating to the processing of personal data (pursuant to Articles 13 and 14 of the GDPR), the information and measures relating to the exercise of data subject rights (Articles 15–22 of the GDPR), as well as the notification of data subjects concerning a personal data breach (Article 34 of the GDPR), free of charge. However, where the data subject’s request is manifestly unfounded or excessive— in particular due to its repetitive nature— the Controller may, taking into account the administrative costs of providing the requested information or communication or taking the requested action:

• charge a reasonable fee; or
• refuse to act on the request.

It shall be for the Controller to demonstrate that the request is manifestly unfounded or excessive.

8. COOKIES AND TERMS OF USE

Further information regarding the cookies used on the Website and the terms of use of the Website can be found in the COOKIE NOTICE and TERMS OF USE documents available on this Website.

ANNEX: TABLES DESCRIBING SPECIFIC DATA PROCESSING ACTIVITIES

Processing of the personal data of the Controller’s clients, as well as their authorised representatives, agents and contact persons, as data subjects, in connection with the activities of the Controller and the fulfilment of orders

For what purpose do we process your personal data?	For the purpose of fulfilling the orders of you or the organisation you represent (for example, the company employing you or the company for which you act as a representative), as well as for performing the contracts concluded in this context. Further information on our services is available on the Website and in the contractual terms applicable to the specific service. In the course of performing the contract and carrying out our activities, it may also be necessary for us to contact you in relation thereto (for example, for providing an offer or for assisting you in connection with our services), including where the contact is initiated by you. In the course of providing its services, the Controller may also process the personal data of other individuals who are not considered clients.
On what legal basis do we process your personal data?	For individual (natural person) partners: the Controller processes your personal data for the above purpose because such data are necessary for the performance of the contract concluded with you or for taking steps at your request prior to entering into such a contract (Article 6(1)(b) of the GDPR). If you act on behalf of a legal person or another organisation (for example, the company employing you or a company in which you hold an executive position), the Controller processes your personal data on the basis of its own legitimate business interest and the legitimate business interest of the party you represent (the Controller’s contractual partner as a legal entity, or a potential partner intending to enter into a contract with the Controller), pursuant to Article 6(1)(f) of the GDPR. The legitimate business interest is the establishment and proper performance of the contract between the Controller and the (potential) partner, as well as the strengthening of the business relationship between the parties. If you or the person or organisation you represent provide the Controller with the personal data of another individual, you are responsible for obtaining that individual’s consent to the collection and transfer of such personal data to the Controller, or for identifying another appropriate legal basis for the related processing, and for drawing the individual’s attention to the data processing carried out by the Controller (for example, by directing the individual to the link or the text of this Privacy Notice available on the Controller’s Website). However, if the person referred to above is a representative or employee of you or of the person or organisation you represent, the legal basis for the processing is the legitimate business interest of the Controller and of the party you represent, as described above. It should be emphasised that where the personal data of another individual have been provided to the Controller on the basis of that individual’s consent, the legal basis for the processing is the data subject’s consent (Article 6(1)(a) of the GDPR). The data subject shall have the right to withdraw his or her consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
Are you required to provide your personal data?	You are free to decide whether to use the services of the Controller (where you are acting in your own name). Where your personal data have been provided in the context of using the services of the Controller, such data are processed for the purposes of the Controller’s activities and the fulfilment of orders as described above, or on the basis of the legitimate business interest of the Controller and the party you represent. Naturally, in light of the applicable legal basis for processing, you may withdraw your previously given consent (where the processing is based on your consent), or you may object to the processing (where the processing is carried out on the basis of legitimate interest). In addition, the Controller processes your personal data for the purpose of complying with its legal obligations (Article 6(1)(c) of the GDPR), including obligations arising under tax and accounting laws. Further information on this is provided below.
What personal data do we process?	The data necessary for the performance and verification of the contract, including in particular the data subjects’: ·       name, ·       email address, ·       where required for the performance of this contract, other contact details, ·       the characteristics of the contract and the relevant contractual documentation, ·       the data of the person or organization represented by the data subject, to the extent necessary for the performance of the contract
For how long do we store your personal data?	Personal data processed for the purpose of performing contracts concluded with clients / users are retained for 5 years from the termination of the relevant contract (pursuant to Section 6:22 (1) of the Hungarian Civil Code, claims lapse after 5 years unless otherwise provided by the Civil Code).   If your data are required for the fulfilment of the Controller’s tax obligations, we retain such data for 5 years, calculated from the last day of the calendar year in which the tax return, data report or notification should have been submitted, or—if no tax return, data report or notification was filed—from the year in which the tax should have been paid (pursuant to Sections 78 (3) and 202 (1) of the Tax Administration Act).   If your data are required for the fulfilment of the Controller’s accounting obligations, we retain such data for 8 years (pursuant to Sections 168–169 of the Accounting Act). In practice, this applies where the data form part of the documents supporting the accounting records, for example in documents related to an order or the conclusion of the contract between the Controller and its contractual partner, or where the data appear on an issued invoice.
To whom do we disclose your personal data?	The Controller’s data processor providing web hosting services in connection with the Website, which accesses personal data to the extent necessary for the provision of the hosting service:   Miskolc Holding Önkormányzati Vagyonkezelő Zártkörűen Működő Részvénytársaság ·       Registered office: 3530 Miskolc, Petőfi Sándor utca 1-3. ·       Email: info@miskolcholding.hu ·       Activity: Web hosting service provider ·       Website: miskolcholding.hu   Data processor providing invoicing services to the Controller, which has access to the personal data contained in invoices:   Forrás SQL (GriffSoft Informatikai Zrt.) ·       Registered office: 1041 Budapest, Görgey Artúr utca 69-71. ·       Email: info@griffsoft.hu ·       Activity: Invoicing services ·       Website: griffsoft.hu

 

The processing of personal data of the Controller’s other partners (such as subcontractors) and their authorised persons, representatives or contact persons as data subjects is carried out in connection with the performance of the contract concluded between the Controller and its partner

For what purpose do we process your personal data?	For the purpose of the Controller’s use of the services provided by you or the organisation you represent (for example, the company employing you or represented by you), for the performance of the contracts concluded with the Controller in this context, as well as for conducting any pre‑contractual and contractual negotiations. We emphasise that, with regard to data processing related to the contracts concluded between the Controller and its customers/clients, the provisions set out in the above section shall apply, not this one.
On what legal basis do we process your personal data?	In the case of natural‑person partners, the Controller processes your personal data for the above purpose because such data are necessary for the performance of the contract concluded with you, or for taking steps at your request prior to entering into such contract (Article 6(1)(b) of the GDPR). If you act on behalf of a legal person or other organisation (for example, the company employing you, or a company in which you serve as an executive officer) and engage in related contractual communication, the Controller processes your personal data on the basis of its own and the party you represent’s legitimate business interest (the Controller’s contractual partner or a prospective partner intending to conclude a contract with the Controller) pursuant to Article 6(1)(f) of the GDPR. The legitimate business interest in such cases is the establishment and proper performance of the contract between the Controller and its (potential) partner, as well as the strengthening of the business relationship between the parties.
Are you required to provide your personal data?	You are free to decide whether to enter into a contract with the Controller if you are acting in your own name. It should be emphasised that, without the processing of the personal data necessary for the performance of the contract (including for maintaining contact), it is not possible to conclude a contract between you or the party you represent and the Controller, as the Controller would not be able to perform the contract without such data. In addition, the Controller also processes your personal data for the purpose of complying with its legal obligations (Article 6(1)(c) of the GDPR), including obligations relating to taxation and accounting, for which further details are provided below.
What personal data do we process?	The data necessary for the performance of the contract, including in particular the following data of the data subjects: ·       name, ·       e-mail address, ·       where required for the performance of the contract, their other contact details, ·       the characteristics of the contract and the relevant contractual documentation, ·       the data of the person or organisation represented by the data subject, to the extent necessary for the performance of the contract
For how long do we store your personal data?	Personal data processed for the purpose of performing the relevant contract are retained for 5 years from the termination of that contract (pursuant to Section 6:22(1) of the Hungarian Civil Code, claims lapse after 5 years unless otherwise provided in the Civil Code).   If your data are required for the fulfilment of the Controller’s tax obligations, such data are retained for 5 years, calculated from the last day of the calendar year in which the tax return, data report or notification should have been submitted, or—if no tax return, data report or notification was filed—from the year in which the tax should have been paid (pursuant to Sections 78(3) and 202(1) of the Tax Administration Act).   If your data are required for the fulfilment of the Controller’s accounting obligations, such data are retained for 8 years (pursuant to Sections 168–169 of the Accounting Act). In practice, this applies where the data form part of the documents supporting the accounting records, for example in documents relating to the conclusion of the contract between the Controller and its contractual partner (such as an order), or where the data appear on an issued invoice.
To whom do we disclose your personal data?	Data processor providing invoicing services to the Controller, which has access to the personal data contained in invoices:   Name of Data Processor: Forrás SQL (GriffSoft Informatikai Zrt.) ·       Registered office: 1041 Budapest, Görgey Artúr utca 69-71. ·       Email address: info@griffsoft.hu ·       Activity: invoice management services ·       Website: griffsoft.hu

 

Processing of the personal data of data subjects, as well as their authorised persons, representatives and contact persons, in connection with enquiries, complaints and claims submitted to the Controller

For what purpose do we process your personal data?	Responding to inquiries received by the Controller (such as interest related to the Controller’s services/products or the exercise of data protection rights), as well as replying to complaints or any comments, problem‑solving, and—in the case of consumer complaints—fulfilling the relevant legal obligations applicable to the Controller, enforcing the Controller’s legal claims (for example, the enforcement of receivables), or defending against claims or legal demands.
On what legal basis do we process your personal data?	In the case of handling consumer complaints: in order to fulfill the legal obligations applicable to the Controller (Article 6(1)(c) of the GDPR), and in accordance with Section 17/A of Act CLV of 1997 on consumer protection (“Consumer Protection Act”), personal data of the data subjects are processed in connection with complaint management, responding to consumer complaints, and the retention of the record of the consumer complaint and a copy of the response to the complaint. In the case of handling general (non-consumer) complaints and inquiries, data processing is necessary for the legitimate interests of the Controller (Article 6(1)(f) of the GDPR). In this case, the legitimate interest is nothing other than the handling of inquiries received by the Controller, responding to possible questions, taking necessary actions, asserting the Controller’s potential claims, submitting legal claims, and defending against claims or legal demands of the data subjects or third parties.
Are you required to provide your personal data?	You are, of course, not obliged to submit inquiries or complaints (including consumer complaints); however, if you send an inquiry or complaint to the Controller, the Controller will process your related data in accordance with this Privacy Notice and for the duration specified herein. Your personal data may also be processed to the extent necessary in connection with the assertion of legal claims or the resolution of legal disputes.
What personal data do we process?	Personal data related to inquiries or complaints submitted to the Controller, including the contact information of the data subjects or the persons they represent (in particular: name, address, e-mail address), the claims (complaints) presented by the data subjects, the content of the inquiries, the steps taken in connection with the inquiry, and, in the case of consumer complaints, the record prepared under Section 17/A of the Consumer Protection Act and a copy of the response to the complaint. For the purpose of asserting legal claims or defending against such claims, we process your name and other data necessary for the given procedure, including in particular the following: ·       According to Section 7(3) of Act CXXX of 2016 on the Code of Civil Procedure (“CcP”), the identifying data of a natural person include: place of residence (or, if absent, place of stay), delivery address (if different from the residence or place of stay), place and date of birth, and mother’s name. Pursuant to Section 170(1)(b) of the CcP, the introductory part of the statement of claim must include the names of the parties, their procedural status, the claimant’s identifying data, and the known identifying data of the defendant, at least their place of residence. This list is supplemented by Annex 1 of Decree 6/2019 (III. 18.) of the Ministry of Justice on forms to be used in civil and administrative court proceedings, which also requires the parties’ e-mail addresses. ·       Based on Section 20(1)(a) of Act L of 2009 on Payment Order Procedures, the debtor’s personal data required to initiate a payment order procedure include the debtor’s name and identifying data according to the CcP, at least their place of residence. ·       Sections 11(2)-(3) of Act LIII of 1994 on Court Enforcement specify which personal data the applicant must provide when submitting an enforcement request. These data include: the debtor’s name, identifying data (place and date of birth, mother’s name), and, depending on the circumstances of the case, the debtor’s place of residence, workplace, and the location of the assets subject to enforcement, or, in the case of real estate enforcement, the property registry data. Possession of these data enables the court enforcement officer to carry out the enforcement procedure. ·       Other personal data arising in or recorded during court or authority proceedings (e.g., personal data recorded in a court or authority decision, which is processed as necessary for the Controller to defend its rights or assert its claims).
For how long do we store your personal data?	Your data will be retained for 5 years from the date of recording (pursuant to Section 6:22(1) of the Civil Code, unless otherwise provided by the Civil Code, claims become statute-barred within 5 years). The Controller must also retain the record of the consumer complaint and a copy of the response for 5 years (Section 17/A(7) of the Consumer Protection Act).
To whom do we disclose your personal data?	In the event of a legal dispute with the Controller, your personal data may be accessed by the Controller’s legal representative, as well as by the competent court and the authority handling the case.

 

Processing of Personal Data of Data Subjects in Relation to the Controller’s Marketing Communications

For what purpose do we process your personal data?	Sending marketing materials to the Controller’s clients.
On what legal basis do we process your personal data?	The legal basis of the data processing is the data subject’s voluntary consent (Article 6(1)(a) of the GDPR), which is given by sending a declaration of consent to the Controller (for example, by requesting via email that the Controller send marketing materials to the data subject). The data subject has the right to withdraw consent at any time (by sending a withdrawal of consent as described above to the Controller), which does not affect the lawfulness of processing based on consent before its withdrawal.   It should be emphasized that the Controller is entitled to send marketing materials relating to services similar to those previously used by its clients/users (except where the given client has indicated that they do not wish to receive marketing materials, or where a legal dispute has arisen between the client and the Controller, or where the contract with the given client was not concluded or not performed) on the basis of its legitimate business interest (Article 6(1)(f) of the GDPR). The legitimate interest is the promotion of the Controller and its services and activities through direct marketing, as well as the sharing of information on new services, discounts, promotions, and news relating to the Controller with potential interested parties. It should also be emphasized that certain contracts concluded with partners or clients may contain additional provisions regarding the sending of marketing materials, which shall be taken into account with respect to the given partner.
Are you required to provide your personal data?	You are not obliged to provide your personal data or to consent to the sending of marketing materials; however, without this, the Controller will not be able to send you marketing materials. If, in accordance with the above, the marketing materials are sent on the basis of the Controller’s legitimate business interest, you are entitled to object to the processing at any time.
What personal data do we process?	The name and email address of you or the person/organization you represent, as well as the characteristics and nature of the service previously used by you.
For how long do we store your personal data?	Data processed on the basis of our legitimate business interest is processed until the termination of the contract concluded with the respective client.
To whom do we disclose your personal data?	The Controller does not use any data processors for its data processing activities related to marketing communications.

 

Data processing related to facilitating the exercise of data protection rights, actions taken in response to data subject requests, and incident management

For what purpose do we process your personal data?	The handling of data subject requests received by the Controller, the adoption of measures taken in response to such requests, the facilitation of data subjects’ exercise of their data protection rights, and data processing related to incident management.
On what legal basis do we process your personal data?	The data processing is necessary for the purpose of complying with the legal obligations applicable to the Controller (Article 6(1)(c) of the GDPR).   The Controller is obliged to facilitate the exercise of data subjects’ data protection rights (Article 12(2) of the GDPR), as well as to investigate any potential personal data breaches (for example, a hacking attack or the disappearance of documents containing personal data during a potential burglary) and, depending on the severity of the personal data breach, to notify the supervisory (data protection) authority and the data subject (Articles 33–34 of the GDPR).
Are you required to provide your personal data?	In order to enable you to exercise your data protection rights, to fulfil your related request, and in connection with a potential personal data breach, it may be necessary to process your personal data (in particular your name and the contact details you have provided to us).
What personal data do we process?	The request submitted to the Controller, the data subject’s name, and their contact details (in particular: postal address and email address).
For how long do we store your personal data?	We process your data for 5 years from the date of recording (Section 6:22 (1) of the Civil Code – unless otherwise provided by the Civil Code, claims lapse after 5 years). The Controller also creates and stores security backups, which are retained by its hosting provider for 6 months in order to avoid data loss (Miskolc Holding Önkormányzati Vagyonkezelő Zártkörűen Működő Részvénytársaság; 3530 Miskolc, Petőfi Sándor utca 1–3.; info@miskolcholding.hu; miskolcholding.hu).
To whom do we disclose your personal data?	In the event of a procedure initiated by the competent data protection authority, we may transfer your personal data to such authority (particularly in the case of a personal data breach, where its severity and nature require this), as well as to our legal representative, both of whom act as independent data controllers.