
DATA PROCESSING POLICY

 

This Policy, published by Hype Média Group Korlátolt Felelősségű Társaság (1073 Budapest, Kertész utca 42-44. I.em.4., Cg. 01-09-400273, Tax No.: 27843321-1-42, represented by Péter Nizák, Managing Director), contains the internal rules of data management activities for compliance with REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Regulation (EC) No 95/46/EC (General Data Protection Regulation).

 

The Executive Director is responsible for establishing and amending the Rules.

Budapest, 15 May 2022.

Péter Nizák

Managing Director

 

I. GENERAL PROVISIONS

 

§ 1 Purpose and scope of the Rules

(1) The purpose of this Policy is to establish the internal rules and measures to ensure that the Company's data management and processing activities comply with REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Regulation (EC) No 95/46/EC (General Data Protection Regulation, hereinafter "the Regulation") and with the provisions of Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information (hereinafter "the Infotv.").

 

The personal scope of this Privacy Policy extends to the controller and to the natural persons whose data are included in the processing covered by this Notice, as well as to persons whose rights or legitimate interests are affected by the processing.

 

The scope of the Policy covers all processing of data that occurs in the course of the controller's activities on the website www.hypegroup.hu. This Policy shall enter into force on the date of its approval and shall remain in force indefinitely until further notice.

 

§ 2 The controller and contact details:

Name: Hype Média Group Kft.

Headquarters: 1073 Budapest, Kertész utca 42-44. I.em.4.

E-mail: info@hypegroup.hu

Phone: +3670-4352205

Contact details of the Data Protection Officer:

Name: Péter Nizák

E-mail: nizak.peter@hypegroup.hu

Phone: +3630-5472508

 

 

§ 3 Definitions

For the purposes of these Regulations, definitions of terms are set out in Article 4 of the Regulation. Accordingly, we highlight the main definitions:

(1) "personal data" means any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

(2) "processing" means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, consultation, use, disclosure by transmission, distribution or otherwise making available, alignment or combination, restriction, erasure or destruction;

(3) "restriction of processing" means the marking of stored personal data for the purpose of restricting their future processing;

(4) "profiling" means any form of automated processing of personal data whereby personal data are used to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict characteristics associated with the performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements of that natural person;

(5) "pseudonymisation" means the processing of personal data in such a way that it is no longer possible to identify the natural person to whom the personal data relate without further information, provided that such further information is kept separately and technical and organisational measures are taken to ensure that no natural person who is identified or identifiable can be linked to that personal data;

(6) "filing system" means a set of personal data, structured in any way, whether centralised, decentralised or structured according to functional or geographical criteria, which is accessible on the basis of specified criteria;

(7) "controller" means a natural or legal person, public authority, agency or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of the processing are determined by Union or Member State law, the controller or the specific criteria for the designation of the controller may also be determined by Union or Member State law;

(8) "processor" means a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller;

(9) "recipient" means a natural or legal person, public authority, agency or any other body to whom or with which personal data are disclosed, whether or not a third party. Public authorities which may have access to personal data in the framework of an individual investigation in accordance with Union or Member State law shall not be considered as recipients; the processing of such data by those public authorities shall comply with the applicable data protection rules in accordance with the purposes of the processing;

(10) "third party" means a natural or legal person, public authority, agency or any other body other than the data subject, the controller, the processor or the persons who, under the direct authority of the controller or processor, are authorised to process personal data;

(11) "data subject's consent" means a freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by an act unambiguously expressing consent, signifies agreement to the processing of personal data concerning him or her;

(12) "Data breach" means a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

 

II. PRINCIPLES GOVERNING THE PROCESSING OF PERSONAL DATA

 

§ 4 Personal data shall:

(1) be processed lawfully, fairly and in a manner transparent to the data subject ("lawfulness, fairness and transparency");

(2) be collected only for specified, explicit and legitimate purposes and not processed in a way incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered incompatible with the original purpose in accordance with Article 89(1) ('purpose limitation');

(3) be adequate, relevant and limited to what is necessary for the purposes for which the data are processed ("data minimisation");

(4) be accurate and, where necessary, kept up to date; all reasonable steps must be taken to ensure that personal data which are inaccurate for the purposes for which they are processed are erased or rectified without undue delay ("accuracy");

(5) be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be kept for longer periods only if the personal data will be processed for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1), subject to the implementation of appropriate technical and organisational measures as provided for in this Regulation to safeguard the rights and freedoms of data subjects ('limited storage');

(6) be processed in such a way as to ensure adequate security of personal data, including protection against unauthorised or unlawful processing, accidental loss, destruction or damage ("integrity and confidentiality"), by implementing appropriate technical or organisational measures.

The controller shall be responsible for compliance with the above and shall be able to demonstrate that compliance ("accountability").

 

III. DATA PROCESSING

 

§ 5 Labour and personnel records

 

(1) Only data which are necessary for the establishment, maintenance and termination of the employment relationship and for the provision of social welfare benefits and which do not infringe the employee's individual rights may be requested from employees and kept.

 

(2) For the purposes of the establishment, performance or termination of the employment relationship, the Company shall process the following data of the employee on the basis of the legitimate interests of the employer (Article 6(1)(f) of the Regulation):

- name,

- birth name,

- date of birth,

- mother's name,

- address,

- nationality,

- tax identification number,

- social security number,

- a pensioner's permanent number (in the case of a retired worker),

- phone number,

- e-mail address,

- bank account number,

- the starting and finishing dates of employment,

- job title,

- a copy of a document certifying education and vocational training,

- CV,

- the amount of salary, wages and other benefits,

- the amount of the debt to be deducted from the employee's wages, or the right to deduct it, on the basis of a final decision or a legal provision or written consent,

- an evaluation of the employee's work,

- how and for what reasons the employment relationship is terminated,

- a certificate of good character, depending on the job,

- a summary of the occupational aptitude tests,

- in the case of membership of private pension funds and voluntary mutual insurance funds, the name of the fund, its identification number and the employee's membership number,

- data recorded in the records of accidents to workers;

 

(3) The employer shall process data relating to sickness and trade union membership only for the purpose of fulfilling a right or obligation under the Labour Code.

(4) The recipients of personal data are: the head of the employer, the person exercising the employer's authority, the Company's employees and data processors performing labour and payroll functions.

(5) Only personal data of employees in managerial positions may be transferred to the owners of the Company.

(6) Duration of storage of personal data: after the termination of the employment relationship, documents resulting from the fulfilment of employment, payroll and social security obligations may not be discarded.

(7) The data subject shall be informed before the processing is started that the processing is based on the Labour Code and the legitimate interests of the employer.

(8) The employer shall inform the employee of the processing of his/her personal data and of his/her personal rights by providing him/her with the Information Notice as set out in Annex 3 to these Regulations at the time of the conclusion of the employment contract.

(9) In order to ensure the accurate processing of the employee's personal data, the employer shall make copies of the documents containing the employee's identity, address, tax identification number, driving licence number, passport number for the purpose of and in connection with the processing, and shall keep and process the copies for a period of time as specified in paragraph (6), in accordance with the security requirements of the law, both electronically and on paper.

(10) Description of data subjects' rights in relation to data processing:

 

- The data subject may request the controller to access, rectify, erase or restrict the processing of personal data relating to him or her, and the data subject shall have the right to data portability and to withdraw consent at any time.

 

- The data subject may request access to, deletion, modification, restriction of processing or portability of personal data by e-mail to hello@hypegroup.hu or by telephone to +36 70 435 2205.

 

(11) Legal basis for processing: article 6(1)(b) and (c) of the GDPR.

§ 6 Processing of data of applicants for recruitment, applications, CVs

(1) The scope of personal data that may be processed: the name, date of birth, place of birth, address, qualification data, telephone number, employer's record (if any) of the natural person. The Company shall inform the applicant for employment about the processing and storage of his/her data before the conclusion of the employment contract.

(2) The purpose of the processing of personal data is: application, evaluation of the application, conclusion of an employment contract with the selected person. The data subject shall be informed if the employer has not selected him/her for the job in question.

(3) Legal basis for processing: consent of the data subject.

(4) Recipients or categories of recipients of personal data: managers and employees performing labour-related tasks who are entitled to exercise employer rights at the Company.

(5) Duration of storage of personal data: until the application or tender is assessed. Personal data of unsuccessful applicants will be deleted. Data of those who withdraw their application or candidature shall also be deleted.

(6) The employer may retain applications only on the basis of the express, unambiguous and voluntary consent of the data subject, provided that the retention is necessary for the purposes of the processing in accordance with the law. Such consent shall be requested from candidates after the recruitment procedure has been completed.

(7) Description of data subjects' rights in relation to data processing:

- The data subject may request the controller to access, rectify, erase or restrict the processing of personal data relating to him or her, and the data subject shall have the right to data portability and to withdraw consent at any time.

 

- The data subject may request access to, deletion, modification, restriction of processing or portability of personal data by e-mail to hello@hypegroup.hu or by telephone to +36 70 435 2205.

 

(8) Legal basis for processing: article 6(1)(b) and (c) of the GDPR.

§ 7 Data management of contracting partners - register of subcontractors, principals

(1) For the purpose of the conclusion, performance and termination of the contract, the Company shall process the name, name at birth, date of birth, mother's name, address, tax identification number, tax number, social security number, entrepreneur's number, address, registered office address, telephone number, e-mail address of the natural person contracted with it as a subcontractor, principal, customer. Such processing is also lawful if it is necessary for the purposes of taking steps at the request of the data subject prior to the conclusion of the contract. Recipients of personal data: employees of the Company, employees performing accounting and tax tasks, and data processors. Duration of storage of personal data: 5 years after termination of the contract.

(2) The natural person concerned shall be informed before the processing starts that the processing is based on the legal basis of the performance of a contract, which information may also be given in the contract. The data subject shall be informed of the transfer of his or her personal data to a processor.

(3) In the event that a third party requests an offer from the Data Controller and the offer is not accepted and a contract is not concluded, the Data Controller shall delete the personal data of the natural persons relating to the request within 1 year of the request at the latest.

(4) Description of data subjects' rights in relation to data processing:

- The data subject may request the controller to access, rectify, erase or restrict the processing of personal data relating to him or her, and the data subject shall have the right to data portability and to withdraw consent at any time.

 

- The data subject may request access to, deletion, modification, restriction of processing or portability of personal data by e-mail to hello@hypegroup.hu or by telephone to +36 70 435 2205.

 

(5) Legal basis for processing: article 6(1)(b) and (c) of the GDPR.

§ 8 Contact details of the natural person representatives of legal entity customers, subcontractors, principals

(1) The scope of personal data that may be processed: the name, address, telephone number and e-mail address of the natural person.

(2) Purpose of the processing of personal data: performance of a contract with a legal entity partner of the Company, business relations, legal basis: the data subject's consent.

(3) Recipients or categories of recipients of personal data: employees of the Company.

(4) Duration of the storage of personal data: 5 years after the business relationship or the data subject's capacity as a representative has been established.

(5) Description of data subjects' rights in relation to data processing:

- The data subject may request the controller to access, rectify, erase or restrict the processing of personal data relating to him or her, and the data subject shall have the right to data portability and to withdraw consent at any time.

 

- The data subject may request access to, deletion, modification, restriction of processing or portability of personal data by e-mail to hello@hypegroup.hu or by telephone to +36 70 435 2205.

 

(6) Legal basis for processing: article 6(1)(b) and (c) GDPR.

§ 9 Contacting us

(1) In case of contact, the data processed and the purposes of the processing are the following:

- Name - identification

- E-mail address - Contact, send reply messages

- Phone number - Contact

- Message content - Required to reply

- Time of contact - Performing a technical operation.

- IP address at the time of connection - Performing a technical operation.

 

(2) The e-mail address does not need to contain personal data.

(3) Data subjects: all data subjects who send a message via the contact form. Duration of processing, deadline for erasure of data.

(4) Persons who may have access to the data, recipients of the personal data: personal data may be processed by the authorised staff of the controller.

(5) Description of data subjects' rights in relation to data processing:

 

- The data subject may request the controller to access, rectify, erase or restrict the processing of personal data relating to him or her, and

- the data subject has the right to data portability and the right to withdraw consent at any time.

- The data subject may request access to, deletion, modification, restriction of processing or portability of personal data by e-mail to hello@hypegroup.hu or by telephone to +36 70 435 2205.

 

(6) Legal basis for processing: article 6(1)(b) and (c) GDPR.

§ 10 Customer relationship

(1) In the case of a customer relationship, the scope of the data processed and the purpose of the processing are as follows:

Name, email address, phone number - Contact, identification, fulfilling contracts, business purpose.

(2) Data subjects: all data subjects who are in contact with the controller by telephone/e-mail/in person or have a contractual relationship with the controller.

(3) Duration of data processing, deadline for deletion of data: data processing lasts until the termination of the legal relationship between the controller and the data subject or, in the case of claims, until 5 years after the contract.

(4) Potential data controllers entitled to access the data, recipients of personal data: personal data may be processed by authorised staff of the controller, in compliance with the principles set out above.

(5) Description of data subjects' rights in relation to data processing:

- The data subject may request the controller to access, rectify, erase or restrict the processing of personal data relating to him or her, and the data subject shall have the right to data portability and to withdraw consent at any time.

 

- The data subject may request access to, deletion, modification, restriction of processing or portability of personal data by e-mail to hello@hypegroup.hu or by telephone to +36 70 435 2205.

 

(6) Legal basis for processing: article 6(1)(b) and (c) GDPR.

§ 11 Visitor data management on the Company's website - Information on the use of cookies

(1) A cookie is a piece of data that the visited website sends to the visitor's browser (in the form of a variable name value) so that it can store and later load the content of the same website.

(2) Data may be stored or accessed on the electronic communications terminal equipment of a user only on the basis of the clear and full consent of the user concerned, including the purpose of the data processing (Act C of 2003, § 155/4/).

On this basis, a brief summary of the use of cookies should be provided to the visitor on the Company's website on the first visit and a link should be provided to the full information. By means of this information, the Company ensures that the visitor can find out, before and at any time during the use of the information society services of the website, which types of data are processed by the Company for which purposes, including the processing of data that cannot be directly linked to the user.

(3) Pursuant to Article 13/A (3) of Act CVIII of 2001 on certain issues of electronic commerce services and information society services (Elkertv.), the service provider may process personal data that are technically indispensable for the provision of the service. The provider must, other things being equal, choose and in any case operate the means used in the provision of the information society service in such a way that personal data are processed only if absolutely necessary for the provision of the service and for the fulfilment of the other purposes specified in this Act, but in this case only to the extent and for the duration necessary.

(4) Legal basis for processing: article 6(1)(b) and (c) of the GDPR.

§ 12 Data processing for the purpose of meeting tax and accounting obligations

(1) The Company shall process the data of natural persons doing business with the Company as customers and suppliers as defined by law for the purpose of fulfilling its legal obligations, tax and accounting obligations (accounting, taxation). The data processed are, pursuant to Sections 169 and 202 of Act CXXVII of 2017 on Value Added Tax, in particular: tax number, name, address, tax status; pursuant to Section 167 of Act C of 2000 on Accounting: name, address, designation of the person or organisation ordering the transaction, signature of the person ordering the transaction and the person certifying the execution of the order, and, depending on the organisation, the signature of the controller; on the stock movement vouchers and cash management vouchers, the signature of the recipient, and on the counterfoils, the signature of the payer; and, pursuant to Act CXVII of 1995 on Personal Income Tax: entrepreneur's identity card number, farmer's identity card number, tax identification number.

(2) The period of storage of personal data shall be 8 years after the termination of the legal relationship giving rise to the legal basis.

(3) Recipients of personal data: employees of the Company performing tax, accounting, payroll and social security functions.

(4) Legal basis for processing: article 6(1)(b) and (c) of the GDPR.

§ 13 Payer data processing

(1) The Company shall process the personal data of the data subjects - employees, their family members, workers, recipients of other benefits - with whom it has a relationship as a paying agent (Act CL of 2017 on the Rules of Taxation (Art.), § 7.31.), for the purposes of fulfilling its legal obligations, tax and contribution obligations prescribed by law (assessment of tax, tax advances, contributions, payroll, social security, pension administration). The scope of the data processed is defined in Article 50 of the Art., specifically highlighting: the natural person's natural identity data (including previous name and title), gender, nationality, tax identification number and social security identification number (social security number). If the tax laws impose a legal consequence, the Company may process data on employees' health care (Section 40 of the Social Security Act) and trade union membership (Section 47(2) b) of the Social Security Act) for the purposes of tax and contribution obligations (payroll accounting, social security administration).

(2) The period of storage of personal data shall be 8 years after the termination of the legal relationship giving rise to the legal basis.

(3) Recipients of personal data: employees of the Company performing tax, payroll, social security (payroll) functions.

(4) Legal basis for processing: article 6(1)(b) and (c) of the GDPR.

 

IV. THE DATA PROCESSORS USED

 

§ 14 Hosting provider

(1) Activity provided by the processor: Hosting

(2) Name and contact details of the data processor:

Name: Wix.com Ltd

Postal address: Israel 6350671 Tel Aviv, 40 Namal Tel Aviv Street

Headquarters address: Israel 6350671 Tel Aviv, 40 Namal Tel Aviv Street

Telephone: +972 03 5454900

email: privacy@wix.com

(3) Fact of processing, scope of data processed: all personal data provided by the data subject.

(4) Data subjects: all data subjects using the website.

(5) Purpose of data processing: to make the website available and to ensure its proper operation.

(6) Duration of data processing, deadline for deletion of data: data processing shall continue until the termination of the agreement between the data controller and the hosting provider or until the data subject's request for deletion to the hosting provider.

(7) The legal basis for data processing: the User's consent, the Infotv. Article 5(1), Article 6(1)(a), and Article 13/A(3) of Act CVIII of 2001 on certain aspects of electronic commerce services and information society services.

§ 15 Online payment

(1) Activity performed by the processor: online payment

(2) Name and contact details of the data processor:

OTP Mobil Szolgáltató Kft.

Head office: 1093 Budapest, Közraktár u. 30-32.

E-mail: ugyfelszolgalat@simple.hu

Phone: +36 1/20/30/70 3-666-611

(3) The fact of data processing, the scope of data processed: billing name, billing address, e-mail address.

(4) Data subjects: all data subjects requesting an online purchase.

(5) Purpose of data processing: to process online payments, confirm transactions and perform fraud-monitoring to protect users.

(6) Duration of data processing, deadline for deletion of data: until the online payment is completed.

(7) The legal basis for data processing: the User's consent, the Infotv. Article 5(1), Article 6(1)(a), and Article 13/A(3) of Act CVIII of 2001 on certain aspects of electronic commerce services and information society services.

§ 16 Accounting tasks, invoicing

(1) Activity carried out by the processor: accounting tasks

(2) Name and contact details of the data processor:

Name: Dezső Consultancy, Computer and Search Analysis Ltd.

Company registration number: 01-06-740442

Address: 1034 Budapest, San Marco u. 31.

Tax number: 20974002-2-41

(3) Fact of processing, scope of data processed: name, billing name, billing address.

(4) Data subjects: all data subjects who use the Company's services.

(5) Purpose of processing: accounting tasks

(6) Duration of data processing, deadline for deletion of data: 8 years pursuant to Section 169 (2) of Act C of 2000 on Accounting.

(7) The legal basis for the processing of data is Article 6(1)(c) of the GDPR and Article 13/A(3) of Act CVIII of 2001 on certain aspects of electronic commerce services and information society services.

§ 17 Billing

(1) Activity performed by the processor: invoicing

(2) Name and contact details of the data processor:

Name: KBOSS.hu Kft

Company registration number: 01-09-303201

Address: 1031 Budapest, Záhony utca 7

Tax number: 13421739-2-41

E-mail: info@szamlazz.hu

(3) Fact of processing, scope of data processed: name, billing name, billing address.

(4) Data subjects: all data subjects who use the Company's services.

(5) Purpose of processing: issuing an invoice

(6) Duration of data processing, deadline for deletion of data: 8 years pursuant to Section 169 (2) of Act C of 2000 on Accounting.

(7) The legal basis for the processing of data is Article 6(1)(c) of the GDPR and Article 13/A(3) of Act CVIII of 2001 on certain aspects of electronic commerce services and information society services.

V. SOCIAL NETWORKING SITES

 

§ 18 Social networking sites: Facebook/Twitter/Pinterest/Youtube/Instagram etc.

(1) Fact of data collection, scope of data processed: name registered on Facebook/Twitter/Pinterest/Youtube/Instagram etc. social networking sites, and public profile picture of the user.

(2) Data subjects: all data subjects who have registered on the social networking sites Facebook / Twitter / Pinterest / Youtube / Instagram etc. and have "liked" the Company's social networking site or contacted the data controller via the social networking site.

(3) Purpose of the data collection: to share or "like", follow or promote certain content, products, promotions or the website itself on social networking sites.

(4) Duration of data processing, time limit for deletion of data, the identity of the possible controllers entitled to access the data and the rights of the data subjects in relation to data processing: the data subject can find out about the source of the data, the processing of the data and the method and legal basis of the transfer on the relevant social networking site. The processing of data takes place on the social networking sites and therefore the duration of the processing, the way in which the data are processed, the deletion and modification of the data, the source of the data and the legal basis for the processing are all governed by the rules of the relevant social networking site.

(5) Legal basis for processing: the data subject's voluntary consent to the processing of his or her personal data on social networking sites.

VI. HANDLING OF DATA BREACHES

 

§ 19 Security of data processing

Taking into account the state of the art and the cost of implementation, the nature, scope, context and purposes of the processing and the risk to the rights and freedoms of natural persons, with varying degrees of likelihood and severity, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of data security appropriate to the level of risk, including, where appropriate:

(1) the pseudonymisation and encryption of personal data;

(2) the continued confidentiality, integrity, availability and resilience of the systems and services used to process personal data;

(3) in the event of a physical or technical incident, the ability to restore access to and availability of personal data in a timely manner;

(4) a procedure for the regular testing, evaluation and assessment of the effectiveness of the technical and organisational measures taken to ensure the security of processing.

§ 20 Definition of a personal data breach

(1) Data breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to personal data transmitted, stored or otherwise processed; (Article 4.12.)

(2) The most common reported incidents include: loss of laptop or mobile phone, unsecured storage of personal data (e.g. payment slips thrown in the trash); unsecured transmission of data, unauthorized copying and transmission of customer and customer partner lists, server attacks, website hacking.

§ 21 Handling and remediation of data protection incidents

(1) The prevention and handling of data protection incidents and compliance with the relevant legal provisions shall be the responsibility of the Company's management.

(2) Access and attempted access to information systems shall be logged and analysed on an ongoing basis.

(3) If employees of the Company who are authorised to carry out audits discover a data protection incident in the course of their duties, they shall immediately notify the head of the Company.

(4) Company employees must report to the Company's manager or the person exercising the employer's rights if they become aware of a data protection incident or an event that may indicate such an incident.

(5) A data protection incident can be reported via the Company's central e-mail address or telephone number, where employees, contracting partners and data subjects can report the underlying events and security weaknesses.

(6) In the event of a data breach notification, the Company's manager, with the involvement of the IT, finance and operations manager, shall immediately investigate the notification, identify the incident and decide whether it is a genuine incident or a false alarm. The investigation shall determine:

a. the time and place of the incident,

b. the description, circumstances and effects of the incident,

c. the scope and quantity of data compromised in the incident,

d. the persons affected by the compromised data,

e. a description of the measures taken to remedy the incident,

f. a description of the measures taken to prevent, remedy or reduce the damage.

(7) In the event of a data breach, the systems, persons and data involved shall be contained and segregated and care shall be taken to collect and preserve evidence that the breach occurred. Damage restoration and return to lawful operations can then begin.

§ 22 Records of data protection incidents

(1) Records of data protection incidents shall be kept, which shall include:

a) the scope of the personal data concerned,

b) the scope and number of data subjects affected by the data breach,

c) the date of the data breach,

d) the circumstances and effects of the personal data breach,

e) the measures taken to remedy the personal data breach,

f) other data specified in the legislation requiring the processing.

(2) Data relating to data protection incidents in the register shall be kept for 5 years.

  1. VII. RIGHTS OF THE DATA SUBJECT

 

Data subjects may at any time request information in writing from the controller about the way their personal data are processed, request erasure or modification, and withdraw their consent. The data subject may not exercise his or her right of erasure in the case of processing which is mandatory by law.

§ 23 Content of the right to information: at the request of the data subject, the controller shall provide the data subject with the information listed in Articles 13 and 14 of the GDPR and the information referred to in Articles 15 to 22 and 34 of the GDPR in concise and plain language.

§ 24 Content of the right of access: upon request of the data subject, the controller shall provide information on whether or not data processing relating to him or her is in progress at the controller. If the controller is currently processing data relating to the applicant, the data subject shall have the right of access to the following information:

1. Personal data relating to him/her;

2. the purpose(s) of the processing;

3. the categories of personal data concerned;

4. the persons to whom the data subject's data have been or will be disclosed;

5. the duration of data storage;

6. the right to rectification, erasure and restriction of processing;

7. the right to apply to a court or supervisory authority;

8. the source of the data processed;

9. details and practical implications of profiling and/or automated decision-making and its use;

10. the transfer of processed data to a third country or international organisation.

 

In the event of a request for data as described above, the controller shall provide the data subject with a copy of the data processed by the controller in accordance with the request. Upon specific request, it is possible to request the controller to deliver the data by electronic means. The deadline for providing the requested data is 30 days from the receipt of the request.

§ 25 Right to rectification: the data subject may request the rectification of inaccurate data relating to him/her processed by the controller.

Right to erasure: If any of the following grounds apply, the controller shall, at the request of the data subject, erase the data relating to the data subject as soon as possible and in any event within 5 working days:

1. The data was processed unlawfully (without legal authorisation or personal consent);

2. the processing is unnecessary for the achievement of the original purpose;

3. the data subject withdraws his or her consent to the processing and the controller has no other legal basis for the processing;

4. the data in question were collected in connection with the provision of information society services;

5. the personal data must be erased in order to comply with the legal obligations applicable to the controller.

 

The erasure of data will not be possible if the processing is still necessary for any of the following:

1. The additional processing is necessary to meet the legal requirements applicable to the controller;

2. necessary for the exercise of the right to freedom of expression and information;

3. in the public interest;

4. for archiving, scientific, research or statistical purposes;

5. to assert or defend legal claims.

 

§ 27 Right to restriction of processing: where any of the following grounds apply, the controller shall restrict processing at the request of the data subject:

1. The data subject contests the accuracy of the data relating to him or her, in which case the restriction shall apply for the period of time until the accuracy or correctness of the data in question can be verified to the satisfaction of the data subject;

2. the processing is unlawful, but the data subject requests that the data not be erased, but only that the processing be restricted;

3. the data are no longer necessary for the purposes of processing, but the data subject requests their retention for the purpose of exercising or defending legal claims;

 

Where the controller imposes a restriction on any data processed, it shall process the data concerned during the period of the restriction only if and to the extent that:

 

1. the data subject consents to it;

2. necessary to assert or defend legal claims;

3. necessary to assert or defend the rights of another person;

4. necessary for the protection of the public interest.

 

§ 28 Right of withdrawal: the data subject has the right to withdraw his or her consent given to the controller at any time, in writing. In the event of such a request, the controller shall immediately and permanently erase all data which it has processed in relation to the data subject and the further storage of which is not required by law or is not necessary for the exercise or defence of legitimate interests. The lawfulness of the processing carried out until the withdrawal of consent shall not be affected by such withdrawal.

§ 29 Right to data portability: the data subject has the right to request the controller to transfer data relating to him/her to another controller in a commonly used format readable by computer software. The controller shall comply with the request as soon as possible and in any case within 30 days at the latest.

§ 30 Automated decision-making and profiling: the data subject shall have the right not to be subject to a decision based solely on automated processing (such as profiling) which would have legal effects concerning him or her or otherwise adversely affect him or her. This right shall not apply if:

1. the processing is necessary for the conclusion or performance of a contract between the data subject and the controller;

2. the data subject explicitly consents to the use of such a procedure;

3. is authorised by law;

4. necessary to assert or defend legal claims.

 

  1. VIII. FINAL PROVISIONS

 

§ 31 Amendment of the Rules

The Managing Director of the Company is authorised to amend the Rules.

§ 32 Measures to make the Rules known

The provisions of these Rules shall be made known to all employees of the Company, and employment contracts shall require that complying with and enforcing them is an essential part of every employee's duties. A model employment contract clause is set out in Annex 6 to these Rules.

§ 33 Possibility to lodge a complaint

Complaints against possible violations by the Company may be lodged with the National Authority for Data Protection and Freedom of Information:

National Authority for Data Protection and Freedom of Information

1125 Budapest, Szilágyi Erzsébet fasor 22/C.

Postal address: 1530 Budapest, P.O. Box 5.

Phone: +36-1-391-1400

Fax: +36-1-391-1410

E-mail: ugyfelszolgalat@naih.hu

§ 34 In preparing this information we have taken into account the following legislation:

- REGULATION (EU) No 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Regulation (EC) No 95/46/EC (General Data Protection Regulation)

 

- Act CXII of 2011 - on the Right to Informational Self-Determination and Freedom of Information (hereinafter: Infotv.)

 

- Act CVIII of 2001 - on certain aspects of electronic commerce services and information society services (in particular § 13/A)

 

- Act XLVII of 2008 - on the prohibition of unfair commercial practices against consumers;

 

- Act XLVIII of 2008 - on the basic conditions and certain restrictions of economic advertising (in particular § 6)

 

- Act XC of 2005 on Electronic Freedom of Information

 

- Act C of 2003 on Electronic Communications (specifically § 155)

 

- Opinion No 16/2011 on the EASA/IAB Recommendation on best practice on behavioural online advertising

 

- Recommendation of the National Authority for Data Protection and Freedom of Information on data protection requirements for prior information

 

- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Regulation (EC) No 95/46/EC

 

Budapest, 15 May 2022.

Péter Nizák

Hype Média Group Kft.
