Privacy Policy • OPEN.ioting

DATA CONTROLLER AND DATA PROCESSORS

T.E.L.L. SOFTWARE HUNGARIA Kft.

and T.E.L.L. Biztonságtechnikai Rendszerek Kft. Privacy Policy

We hereby inform visitors to the website and Customers of the Web Store about the practices followed in the processing of personal data, the organizational and technical measures taken to protect data, as well as the related rights of visitors and the possibilities for enforcing them.

Data controller:

T.E.L.L. Biztonságtechnikai Rendszerek Kft. (registered office: 4034 Debrecen, Vágóhíd utca 2.; company registration number: 09-09-027345; company registration court: Debrecen Court of Justice; tax number: 25406812-2-09; telephone number: +36-52/530-130, fax number: +36-52/530-131, email address: info@tell.hu, hereinafter referred to together as: Company) and

T.E.L.L. SOFTWARE HUNGARIA Szoftver-fejlesztő és Szolgáltató Korlátolt Felelősségű Társaság (registered office: 4034 Debrecen, Vágóhíd utca 2.; company registration number: 09-09-005193; company registration court: Debrecen Court of Justice; tax number: 17783790-5-09; telephone number: +36-52/530-130, email address: info@tell.hu, website: www.tell.hu ) and

as joint Data Controllers (hereinafter collectively referred to as: Company).

Data processors:

The Data Controller informs the data subjects that it uses the following data processors to carry out its activities:

Data processing activity related to marketing activities: T.E.L.L. Műszaki Fejlesztő Korlátolt Felelősségű Társaság (registered office: 4034 Debrecen, Vágóhíd utca 2.; company registration number: 09-09- 027969; company registration court: Debrecen Court of Justice; tax number: 25590395-2-09; telephone number: +36-52/530-130, email address: info@tell.hu,

Data processing activities related to transportation activities:

GLS General Logistics Systems Hungary Csomag-Logisztikai Kft. (2351 Alsónémedi, GLS Európa u. 2., info@gls-hungary.com, (+36 29) 88 66 70) Data processing activities related to transport activities

TNT Express Hungary Kft. (1185 Budapest, II. Logistics Center - Office Building, BUD International Airport 283. building, 06 8031 3131, https://www.tnt.com/express/hu_hu/site/support/contact.html)

The courier service assists in the delivery of the ordered goods based on a contract concluded with the Data Controller. The courier service processes the personal data received in accordance with the data processing information available on its website.

Data processing activities related to the operation of the CRM system:

MiniCRM Zrt. (Company registration number: 01-10-047449, EU tax number: HU 23982273, help@minicrm.hu, +36 (1) 999 0401)

The Data Processor cooperates in the registration of orders based on a contract concluded with the Data Controller. In doing so, the Data Processor processes the name, address, telephone number, number and date of orders of the data subject within the civil law limitation period.

Customer service call system (https://www.liveagent.com/" https://www.liveagent.com/, +421 2 33 456 826, info@liveagent.com, Quality Unit, sro, Vajnorská 100/A, 831 04 Bratislava, SLOVAKIA

Hosting provider : Wix Online Platforms Limited, 1 Grant's Row, Dublin 2 D02HX96, Ireland. Registered office: 1 Grant's Row, Dublin 2 D02HX96, Ireland. Website: https://wix.com Provider's privacy statement: https://www.wix.com/about/privacy

The Data Processor stores personal data based on a contract concluded with the Data Controller. It is not authorized to view personal data.

Activity related to the popup information window appearing on the website:

The data controller uses the Poptin software to manage pop-up windows and data collection forms on its website. The purpose of data management is market research and marketing activities. In all cases, data management is based on the information provided by visitors and their consent, if they have accepted the use of cookies requiring consent.

Data processed: name, email address, other data provided by the visitor. In addition to the above, it collects and stores information about the use of the website, such as pages visited, links clicked, non-sensitive text entered and mouse movements, as well as more commonly collected information, such as your IP address, referring URL, browser, operating system, cookies

information, your Internet Service Provider and any other information from the visitor relating to your use of your website ("Visitor Information"). Visitor Information may, in the aggregate, identify the visitor, however, the Poptin system will not identify the visitor while browsing the website if you disable cookies.

The Poptin system is operated by Poptin LTD. Registered office: Wework, Aluf Kalman Magen St 3, Tel Aviv Yafo, Israel)

Website: https://www.poptin.com/

The provider's privacy statement: https://www.poptin.com/gdpr/

The Data Processor stores and processes personal data based on a contract concluded with the Data Controller.

Data processing activities related to sending newsletters:

The Mailchimp system is operated by The Rocket Science Group, LLC (675 Ponce de Leon Avenue, Suite 5000, Atlanta, GA 30308 USA).

The Data Processor participates in the sending of newsletters based on a contract concluded with the Data Controller. In doing so, the Data Processor processes the name and e-mail address of the data subject to the extent necessary for sending the newsletter.

Data transfer to the Data Processor specified in this Notice may be carried out without the specific consent of the Data Subject. The Data Controller shall not transfer the Personal data processed by it to any third party other than the Data Processors specified in this Notice.

The Data Processor does not make independent decisions, it is only entitled to act in accordance with the contract concluded with the Data Controller and the instructions received. The Data Processor records, manages and processes the Personal Data transmitted to it by the Data Controller and managed or processed by it in accordance with the provisions of the GDPR, and makes a statement to the Data Controller about this.

The Data Controller monitors the work of the Data Processor.

The Data Processor is entitled to use additional data processors only with the consent of the Data Controller.

VISITOR DATA PROCESSING ON THE COMPANY'S WEBSITE

• Visitor data management on the Company's website

Information about the use of cookies

In accordance with general Internet practice, our Company also uses cookies on its website. A cookie is a small file containing a series of characters that is placed on the visitor's computer when they visit a website. When they visit the given website again, the cookie allows the website to recognize the visitor's browser. Cookies can store user settings (e.g. chosen language) and other information. Among other things, they collect information about the visitor and their device, remember the visitor's individual settings, and can be used, for example, when using online shopping carts. Cookies generally make the website easier to use, help the website provide a real web experience for users and be an effective source of information, and also ensure that the website operator can monitor the operation of the website, prevent abuse, and provide the services provided on the website without interruption and at an appropriate level.

Our company's website records and processes the following data about the visitor and the device they use for browsing when using the website:

- internal identifier of the last viewed product

The system automatically generates statistical data from this data. The operator does not link this data to personal data.

Accepting or allowing the use of cookies is not mandatory. You can reset your browser settings to refuse all cookies or to indicate when a cookie is being sent. Most browsers automatically accept cookies by default, but these can usually be changed to prevent automatic acceptance and offer you the choice each time.

You can find information about the cookie settings of the most popular browsers at the following links • Google Chrome: https://support.google.com/accounts/answer/61416?hl=hu • Firefox: https://support.mozilla.org/hu/kb/sutik-engedelyezese-es-tiltasa-amit-weboldak-haszn

• Microsoft Internet Explorer 11: http://windows.microsoft.com/hu-hu/internet-explorer/delete manage-cookies#ie=ie-11

• Microsoft Internet Explorer 10: http://windows.microsoft.com/hu-hu/internet-explorer/delete manage-cookies#ie=ie-10-win-7

• Microsoft Internet Explorer 9: http://windows.microsoft.com/hu-hu/internet-explorer/delete manage-cookies#ie=ie-9

• Microsoft Internet Explorer 8: http://windows.microsoft.com/hu-hu/internet-explorer/delete manage-cookies#ie=ie-8

• Microsoft Edge: http://windows.microsoft.com/hu-hu/windows-10/edge-privacy-faq • Safari: https://support.apple.com/hu-hu/HT201265

However, please note that certain website features or services may not function properly without cookies.

The cookies used on the website are not capable of identifying the user by themselves.

Cookies used on the Company's website:

1. Technically necessary session cookies.

These cookies are necessary to enable visitors to browse the website, to use its functions smoothly and to the full extent, to use the services available through the website, and to - among other things - in particular to remember the actions taken by the visitor on the given pages during a visit. The duration of data management of these cookies is 2 hours.

The data handled:

- The displayed language

- Currency internal identifier

- User's address

- Selected delivery and payment method

- VAT rate

- Coupon details

- Current country

- Cart contents

- Can the user make purchases?

- User's internal identifier

- Username

The legal basis for this data processing is Section 13/A (3) of Act CVIII of 2001 on certain issues of electronic commerce services and information society services (Elkertv.).

The purpose of data management is to ensure the proper functioning of the website.

2. Cookies requiring consent:

These enable the Company to remember the user's choices regarding the website. The visitor may prohibit this data processing at any time before and during the use of the service. These data cannot be linked to the user's identification data and cannot be transferred to a third party without the user's consent.

Duration of data processing: 1 day

2.1. Cookies that facilitate use:

The legal basis for data processing is the visitor's consent.

Purpose of data management: Increasing the efficiency of the service, enhancing user experience, and making the use of the website more convenient.

Duration of data processing: 2 hours

2.2. Performance cookies:

Google Analytics cookies – you can find out more about this here:

https://developers.google.com/analytics/devguides/collection/analyticsjs/cookie-usage

Google AdWords cookies - you can find out more about this here:

https://support.google.com/adwords/answer/2407785?hl=en

The Company informs its Visitors that the www.openioting.hu website and its subpages are used to measure traffic and monitor the behavior of its visitors, to prepare statistics and to monitor the effectiveness of its advertisements.

-Google Analytics,

- Google AdWords Conversion Tracking,

- Hotjar

- Poptin and

- Uses Facebook Remarketing programs.

The programs referred to place so-called cookies on the user's computer, which collect user data. Visitors to the website allow the Company to use the Google Analytics, AdWords Conversion Tracking, and Facebook Remarketing, Hotjar and Poptin programs. They also consent to the Company monitoring and tracking their user behavior and using all services provided by the programs. In addition, the visitor has the option to disable the recording and storage of cookies for the future at any time as described below.

We inform our visitors that the settings and use of Google Analytics, AdWords Conversion Tracking, and Facebook Remarketing, Hotjar and Poptin programs fully comply with the requirements of the data protection authority.

According to Google, Google Analytics uses primarily first-party cookies to report visitor interactions on your site. These cookies only record non-personally identifiable information. Browsers do not share their own cookies across domains. You can find more information about cookies in the Google Ads and Privacy FAQ.

Google Analytics: The Data Controller uses the Google Analytics program primarily to generate statistics, including measuring the effectiveness of its campaigns. By using the program, the Company mainly obtains information about how many visitors have visited the website and how much time the visitors have spent on the website. The program recognizes the visitor's IP address, so it can track whether the visitor is a returning or new visitor, and it can also track the path the visitor has taken on the website and where they have entered.

Google AdWords Conversion Tracking: The purpose of Google AdWords Conversion Tracking is to enable the Company to measure the effectiveness of AdWords advertisements. It does this by using cookies placed on the Visitor's computer, which exist for 30 days and do not collect personal data.

Blocking cookies: If you want to manage your cookie settings or disable the feature, you can do so in your own browser. This option can be found in the cookies/cookies/tracking feature placements menu item, depending on your browser toolbar. You can usually set which tracking features you enable/disable on your computer under Tools > Settings > Privacy Settings. If you do not want Google Analytics to report your visits, you can install the Google Analytics Opt-out Browser Add-on. This add-on instructs Google Analytics JavaScript scripts not to send visit information to Google. If you have installed the opt-out browser add-on, you will not participate in content experiments either. If you want to

To opt out of Google Analytics for your web activity, visit the Google Analytics opt-out page and install the add-on for your browser. For more information on installing and removing the add-on, see the help for your specific browser.

In addition to Google services, the Company also uses the Hotjar analytics service: Hotjar Ltd. (“Hotjar”) (http://www.hotjar.com, 3 Lyons Range, 20 Bisazza Street, Sliema SLM 1640, Malta, Europe). Through Hotjar analytics, the Company has the opportunity to learn and evaluate the habits of Visitors on the website (e.g. how much time they spend on certain subpages, what links they click on, etc.). During the operation of this function, the information collected about the visit to the website is transmitted to Hotjar’s servers located in Ireland, where it is stored by Hotjar.

The following information may be recorded from the visitor's device and browser: - The IP address of the user's device (collected and stored in an anonymous format) - The screen size of the user's device

- The type of device the user has and the type of browser they use

- User location (country only)

Hotjar is used to analyze the visit and use of the website, which is reported separately. In the course of this function, Hotjar also uses the services of third parties, such as Google Analytics and Optimizely. Through data transmission, these third parties may store information that the user's browser sends when viewing the website (e.g. cookies, IP requests, etc.). The cookies used by Hotjar are not deleted for different periods of time, some cookies are automatically deleted after the current visit, but there are also those that remain for up to 365 days.

If you wish to disable data logging by Hotjar, please visit the following page: https://www.hotjar.com/opt-out.

You can find Hotjar's privacy policy here (https://www.hotjar.com/legal/policies/privacy).

On the website, the Company uses the so-called “Facebook pixel” of the Facebook social network operated by Facebook Inc. (1 Hacker Way, Menlo Park, CA 94025, USA) or, if you live in the EU, by Facebook Ireland Ltd. (4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland) (hereinafter “Facebook”). The Facebook pixel allows Facebook to treat website visitors as a target group for displaying advertisements (so-called Facebook ads). Accordingly, the Company uses the Facebook pixel to ensure that the Facebook ads it embeds are only displayed to Facebook users who have also shown interest in the Company’s offers. In other words, the purpose of the Facebook pixel is to ensure that Facebook ads match the potential interests of users and are not distracting. The Facebook pixel also allows the Company to analyze the effectiveness of the ads displayed on Facebook for statistical and market research purposes, for example, whether users reached our website by clicking on the Facebook ad. When you visit our website, Facebook directly embeds the Facebook pixel, which can place a so-called cookie, a small file, on your device. If you later log in to Facebook or visit Facebook pages while logged in, your visit to the website is registered in your profile. Data obtained from visitors

they are anonymous to us, meaning we cannot determine your identity based on this. However, the data is stored and processed by Facebook, so it can be linked to the given user profile. Facebook processes the data in accordance with its own data protection regulations. Therefore, you can find more information about how the remarketing pixel works and how Facebook ads are displayed in general in Facebook's data protection regulations at the following address:

https://www.facebook.com/policy.php. You can prevent the Facebook pixel from collecting data and using your data to display Facebook ads. To do this, open the page created by Facebook and follow the instructions for personal advertising settings: https://www.facebook.com/settings?tab=ads, the address of the US page is http://www.aboutads.info/choices/, and the EU page is http://www.youronlinechoices.com/. The settings are platform-independent, meaning they apply to both desktop and mobile devices.

Data processed for the purpose of concluding and fulfilling contracts

In order to conclude and fulfill the contract, several data processing cases may be implemented. We inform you that data processing related to complaint handling and warranty administration will only be implemented if the Data Subject exercises one of the aforementioned rights.

If the Data Subject does not make purchases through the webshop, but is only a visitor to the webshop, then the provisions on data processing for marketing purposes may apply to him/her, if he/she gives consent to the Company for marketing purposes.

The data processing carried out for the purpose of concluding and fulfilling contracts is described in more detail:

• Contact us

Contact is established when you contact us with a question about a product, for example via email, contact form, or phone. Prior contact is not mandatory, and you can order from the webshop at any time without this.

Data processed:

Data provided during contact.

Duration of data processing:

The Company will only process the data until the contact is closed.

Legal basis for data processing:

The Data Subject's voluntary consent, which he/she provides to the Data Controller by contacting him/her. [Data processing pursuant to Article 6(1)(a) of the Regulation]

Recipients of personal data and categories of recipients: employees of the Company performing tasks related to customer service, the Company's hosting service provider as a data processor, employees of the Company performing hosting services.

• Registration to use the Webshop/Webstore

On the website, the registering natural person can give their consent to the processing of their personal data by checking the relevant box.

The scope of data provided during registration:

- name

- company name

- email address

- contact phone number

- billing and shipping address

- company tax number

The purpose of processing personal data is:

1. Performance of services provided on the website, development of services

2. Analysis of website usage.

3. Sale of advertising spaces

4. Use it for your own research and statistics.

The statements made about these are published only in a form that is not suitable for the unique identification of individual users.

The legal basis for data processing is the consent of the data subject.

Recipients of personal data and categories of recipients: employees of the Company performing tasks related to customer service and marketing activities, the Company's hosting service provider as a data processor, employees of the Company providing hosting services.

Duration of storage of personal data: until the registration/service is valid or until the data subject withdraws their consent (until a request for deletion, which can be sent to the email address info@tell.hu).

• Order processing

When processing orders, data processing activities are necessary to fulfill the contract.

Data processed: name, address/registered office, telephone number, e-mail address, characteristics of the purchased product, order number and date of purchase

If you have placed an order in the webshop, data processing and providing data is essential for the fulfillment of the contract.

Duration of data processing: We process the data for 5 years according to the civil law statute of limitations.

Legal basis for data processing:

Performance of the contract. [Data processing pursuant to Article 6(1)(b) of the Regulation]

Recipients of personal data and categories of recipients: employees of the Company performing tasks related to the processing of orders, the Company's hosting service provider as a data processor, employees of the Company providing hosting services.

• Issuance of the invoice

The data processing process is carried out in order to issue invoices in accordance with the law and to fulfill the obligation to retain accounting documents. Pursuant to Section 169 (1)-(2) of the Accounting Act, business companies must retain accounting documents that directly and indirectly support accounting settlements.

Data processed:

Name, address, email address, phone number.

Duration of data processing:

Issued invoices must be kept for 8 years from the date of issue of the invoice, pursuant to Section 169 (2) of the Hungarian Revenue Act.

Legal basis for data processing:

Pursuant to Section 159 (1) of Act CXXVII of 2007 on Value Added Tax, the issuance of an invoice is mandatory and it must be kept for 8 years pursuant to Section 169 (2) of Act C of 2000 on Accounting [Data processing pursuant to Article 6 (1) c) of the Regulation].

Recipients of personal data and categories of recipients: employees of the Company performing invoicing-related tasks

• Data processing related to the transport of goods

The data processing process is carried out in order to deliver the ordered product. Processed data: Name, address, e-mail address, telephone number.

Duration of data processing:

The Data Controller processes the data until the delivery of the ordered goods.

Legal basis for data processing: Performance of a contract [Data processing pursuant to Article 6(1)(b) of the Regulation].

Recipients and data processors of data processing related to the transport of goods

Name of the recipient: Company employees performing tasks related to order fulfillment, GLS General Logistics Systems Hungary Csomag-Logisztikai Kft., TNT Express Hungary Kft.

• Data processed in connection with the verification of consent

During registration, ordering, or subscribing to the newsletter, the IT system stores the IT data related to the consent for later proof.

Processed data: Date of consent and IP address of the data subject.

Duration of data processing:

Due to legal requirements, consent must be proven later, therefore the data storage period is limited to the limitation period following the termination of data management.

Legal basis for data processing:

This obligation is laid down in Article 7(1) of the Regulation. [Data processing pursuant to Article 6(1)(c) of the Regulation]

Recipients of personal data and categories of recipients: employees of the Company providing technical support, the Company's hosting service provider as a data processor, employees of the Company providing hosting services.

• Data processing related to newsletter service

The Company operates a newsletter system for the purpose of continuously informing interested parties, in connection with which the personal data (full name, e-mail address) provided during registration on the website is processed with the prior written consent of the newsletter recipient. The Company's newsletters are sent from abroad via the "Mailchimp" international newsletter system, so in addition to registration, your express consent is also required for the transfer of your personal data to a foreign data controller. The Mailchimp system is operated by The Rocket Science Group, LLC (675 Ponce de Leon Avenue, Suite 5000, Atlanta, GA 30308 USA). The foreign operator ensures data processing in accordance with European Union regulations based on the provisions of the "EU-US Privacy Shield Framework" data exchange agreement. The data subject may unsubscribe from the newsletter at any time by clicking the "Unsubscribe" button in the footer of the newsletters, which will automatically delete their data stored in the system, or upon request by e-mail (info@tell.hu), the Company will delete their data immediately, but no later than within 15 days.

You can find Mailchimp's latest Privacy Policy at https://mailchimp.com/legal/privacy/.

The natural person registering for the newsletter service on the website may give his/her consent to the processing of his/her personal data by checking the box regarding consent to the processing of data by pressing the Subscribe button. The data subject may unsubscribe from the newsletter at any time by using the “Unsubscribe” application of the newsletter, or by making a written or e-mail statement, which constitutes the withdrawal of consent. In such a case, all data of the unsubscriber must be deleted immediately.

The scope of personal data that can be processed: the name of the natural person (surname, first name), e-mail address.

The purpose of processing personal data is:

1. Sending a newsletter about the Company's products and services

2. Sending advertising material

3. Information about technical information (updates, new functions, bug fixes) Legal basis for data processing: consent of the data subject.

Recipients of personal data and categories of recipients: employees of the Company performing tasks related to customer service and marketing activities, employees of the Company's IT service provider as data processors for the purpose of providing hosting services,

The duration of storage of personal data: until the newsletter service is available or until the data subject withdraws their consent (until a request for deletion, which can be sent to the email address info@tell.hu).

• Recording customer service calls over the phone

The Company records telephone communications with its customer service for the purpose of providing sales and services, or providing information about them. The legal basis for this data processing is the consent of the data subject.

You must be informed about the recording at the beginning of the call and your consent must be requested.

When recording telephone conversations, we store the following data: telephone number, time of call, audio recording of the recorded conversation, personal data provided during the conversation.

Recipients of personal data and categories of recipients: employees of the Company performing tasks related to customer service.

Telephone conversations are kept for 1 year. Recorded audio can be retrieved by phone number and date of conversation.

• Community Guidelines / Data Management on the Company's Facebook page

The Company maintains a Facebook page to introduce and promote its products and services.

A question on the Company's Facebook page does not constitute a formal complaint. The Company does not process personal data posted by visitors to the Company's Facebook page. Visitors are subject to Facebook's Terms of Service and Privacy Policy.

In the event of the publication of illegal or offensive content, the Company may exclude the person concerned from membership or delete their comment without prior notice.

The Company is not responsible for any illegal content or comments posted by Facebook users. The Company is not responsible for any errors, malfunctions or problems arising from changes to the operation of Facebook.

• Data processing for direct marketing purposes

Unless otherwise provided by a separate law, advertising may be communicated by directly contacting a natural person as the recipient of the advertisement (direct marketing), in particular by electronic mail or other equivalent individual means of communication - with the exception specified in Act XLVIII of 2008 - only if the recipient of the advertisement has given his prior and explicit consent.

The scope of personal data that the Company may process for the purpose of advertising addressee inquiries: the natural person's name, address, telephone number, e-mail address, online identifier.

The purpose of processing personal data is to carry out direct marketing activities related to the Company's activities, i.e. to regularly or periodically send advertising publications, newsletters, and current offers in printed (postal) or electronic form (e-mail) to the contact details provided upon registration.

The legal basis for data processing is the consent of the data subject.

Recipients of personal data and categories of recipients: employees of the Company performing customer service-related tasks, employees of the Company's IT service provider performing server services as data processors, and employees of the Post Office in the case of postal delivery.

Duration of storage of personal data: until consent is withdrawn.

• Management of data of contracting partners

The Company processes the name, birth name, date of birth, mother's name, address, tax identification number, telephone number, e-mail address, website address, bank account number, customer number (customer number, order number), online identifier (list of customers, suppliers, regular purchase lists) of the natural person who has entered into a contract with it for the purpose of concluding, fulfilling, terminating the contract, and providing a contractual discount, under the legal title of contract performance. This data processing is also considered lawful if the data processing is necessary to take steps at the request of the data subject prior to concluding the contract. The recipients of the personal data are: the Company's employees performing customer service-related tasks, employees performing accounting and tax tasks, and data processors. The duration of the processing of personal data: 5 years after the termination of the contract.

The data subject must be informed before the start of data processing that the data processing is based on the legal basis of the performance of the contract; this information can also be provided in the contract.

The data subject must be informed about the transfer of his/her personal data to the data processor. • Contact details of natural person representatives of legal entity clients, buyers, suppliers The scope of personal data that can be processed: name, address, telephone number, e-mail address of the natural person.

The purpose of processing personal data is: to fulfill the contract concluded with the Company's legal entity partner, to maintain business relations. Personal data is processed by the Service Provider based on Article 6(1)(f) of the GDPR, and on the Service Provider's legitimate interest in establishing and maintaining a business relationship.

Recipients of personal data and categories of recipients: employees of the Company performing tasks related to customer service.

The period of storage of personal data: 5 years after the business relationship or the representative status of the data subject.

• Data processing carried out during the performance of technical support tasks

The scope of personal data that can be processed: the natural person's name, address, telephone number, e-mail address, and the debug log, which contains all communication between the device and the software.

The purpose of processing personal data is: fulfillment of the contract concluded with the Company's partner, performance of technical support tasks, troubleshooting. The legal title of data processing is based on the legal title of performance of the contract.

Recipients of personal data and categories of recipients: employees of the Company performing tasks related to technical support.

Duration of storage of personal data: duration of technical support tasks, troubleshooting, after which the data will be deleted immediately.

SUMMARY INFORMATION ON THE RIGHTS OF THE DATA SUBJECT

In this chapter, for the sake of clarity and transparency, we briefly summarize the rights of the data subject, detailed information on the exercise of which is provided in the following chapter.

Right to prior information

The data subject has the right to be informed about the facts and information related to data processing before the start of data processing.

(Articles 13-14 of the Regulation)

Data processing can only begin after the information has been provided. If the legal basis for data processing is consent, the data subject must also consent to the data processing in addition to the information.

We will provide information about the detailed rules in the next chapter.

The data subject's right of access

The data subject has the right to receive feedback from the Data Controller as to whether his or her personal data is being processed and, if such processing is taking place, has the right to access the personal data and related information as specified in the Regulation.

(Article 15 of the Regulation).

We will provide information about the detailed rules in the next chapter.

The right to rectification

The data subject shall have the right to obtain from the Controller, at his/her request, the rectification of inaccurate personal data concerning him/her without undue delay. Taking into account the purpose of the processing, the data subject shall have the right to request the completion of incomplete personal data, including by means of a supplementary statement.

(Article 16 of the Regulation).

The right to erasure (“the right to be forgotten”)

The data subject has the right to request that the Data Controller erase personal data concerning him or her without undue delay, and the Data Controller is obliged to erase personal data concerning the data subject without undue delay if one of the reasons specified in the Regulation applies.

(Article 17 of the Regulation)

We will provide information about the detailed rules in the next chapter.

Right to restriction of data processing

The data subject has the right to request that the Data Controller restrict data processing if the conditions specified in the order are met.

(Article 18 of the Regulation)

We will provide information about the detailed rules in the next chapter.

Notification obligation related to the rectification or erasure of personal data or the restriction of data processing

The Data Controller shall inform all recipients to whom the personal data have been disclosed of any rectification, erasure or restriction of processing, unless this proves impossible or involves a disproportionate effort. Upon request, the Data Controller shall inform the data subject of these recipients.

(Article 19 of the Regulation)

The right to data portability

Under the conditions set out in the Regulation, the data subject has the right to receive the personal data concerning him or her, which he or she has provided to a Data Controller, in a structured, commonly used and machine-readable format, and has the right to transmit these data to another Data Controller without hindrance from the Data Controller to whom the personal data have been provided.

(Article 20 of the Regulation)

We will provide information about the detailed rules in the next chapter.

The right to protest

The data subject has the right to object at any time, on grounds relating to his or her particular situation, to the processing of personal data concerning him or her based on point (e) of Article 6(1) of the Regulation (processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller) or point (f) of Article 6(1) of the Regulation (processing is necessary for the purposes of the legitimate interests pursued by the Data Controller or by a third party).

(Article 21 of the Regulation)

We will provide information about the detailed rules in the next chapter.

Automated decision-making in individual cases, including profiling

The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

(Article 22 of the Regulation)

We will provide information about the detailed rules in the next chapter.

Restrictions

Union or Member State law applicable to the controller or processor may restrict, by means of legislative measures, the rights and obligations set out in Articles 12 to 22 and Article 34 and in accordance with Articles 12 to 22.

(Article 23 of the Regulation)

We will provide information about the detailed rules in the next chapter.

Informing the data subject about the data protection incident

If the data breach is likely to result in a high risk to the rights and freedoms of natural persons, the Controller shall inform the data subject about the data breach without undue delay.

(Article 34 of the Regulation)

We will provide information about the detailed rules in the next chapter.

Right to lodge a complaint with a supervisory authority (right to a judicial remedy)

The data subject has the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement, if the data subject considers that the processing of personal data concerning him or her infringes the Regulation.

(Article 77 of the Regulation)

We will provide information about the detailed rules in the next chapter.

Right to an effective judicial remedy against the supervisory authority

Every natural and legal person has the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning him or her, or if the supervisory authority does not deal with the complaint or does not inform the data subject within three months of the procedural developments or the outcome of the complaint submitted.

(Article 78 of the Regulation)

We will provide information about the detailed rules in the next chapter.

Right to an effective judicial remedy against the controller or processor

Every data subject shall have the right to an effective judicial remedy if he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data not in accordance with this Regulation.

(Article 79 of the Regulation)

We will provide information about the detailed rules in the next chapter.

DETAILED INFORMATION ON THE RIGHTS OF THE DATA SUBJECT

Right to prior information

The data subject has the right to be informed about the facts and information related to data processing before the start of data processing.

A) Information to be provided when personal data are collected from the data subject

Where personal data relating to the data subject are collected from the data subject, the controller shall provide the data subject with all of the following information at the time the personal data are obtained:

a) the identity and contact details of the controller and, if any, the controller's representative; b) the contact details of the data protection officer, if any;

c) the purpose of the intended processing of personal data and the legal basis for the processing;

d) in the case of data processing based on Article 6(1)(f) of the Regulation (legitimate interest), the legitimate interests of the controller or a third party;

(e) where applicable, the recipients of the personal data and the categories of recipients, if any;

(f) where applicable, the fact that the controller intends to transfer the personal data to a third country or to an international organisation, the existence or absence of an adequacy decision by the Commission or, in the case of F referred to in Article 46, Article 47 or the second subparagraph of Article 49(1) of the Regulation, an indication of the appropriate and suitable safeguards and a reference to the means of obtaining a copy of them or their availability.

In addition to the information referred to in point 1, the data controller shall, at the time of obtaining the personal data, inform the data subject of the following additional information in order to ensure fair and transparent data processing:

a) the period for which the personal data will be stored or, if this is not possible, the criteria for determining this period;

b) the right of the data subject to request from the controller access to, rectification, erasure or restriction of processing of personal data concerning him or her, and to object to the processing of such personal data, as well as the right of the data subject to data portability;

c) in the case of processing based on Article 6(1)(a) (the data subject's consent) or Article 9(2)(a) (the data subject's consent) of the Regulation, the right to withdraw consent at any time, without affecting the lawfulness of processing carried out on the basis of consent before its withdrawal;

d) the right to lodge a complaint with the supervisory authority;

e) whether the provision of personal data is based on a legal or contractual obligation or is a prerequisite for concluding a contract, and whether the data subject is obliged to provide the personal data, as well as the possible consequences of failure to provide the data;

f) the fact of automated decision-making referred to in Article 22(1) and (4) of the Regulation, including profiling, and at least in these cases, intelligible information on the logic involved and the significance and foreseeable consequences of such processing for the data subject.

Where the controller intends to process personal data for purposes other than those for which they were collected, the controller shall, prior to the further processing, inform the data subject of that other purpose and of any relevant additional information referred to in paragraph (2).

Points 1-3 do not apply if and to the extent that the data subject already has the information.

(Article 13 of the Regulation)

B) Information to be provided if the personal data were not obtained from the data subject

If the personal data were not obtained from the data subject, the data controller shall provide the data subject with the following information:

a) the identity and contact details of the controller and, if any, the controller's representative; b) the contact details of the data protection officer, if any;

c) the purpose of the intended processing of personal data and the legal basis for the processing; d) the categories of personal data concerned;

e) the recipients of the personal data and the categories of recipients, if any;

(f) where applicable, the fact that the controller intends to transfer the personal data to a recipient in a third country or to an international organisation, the existence or absence of an adequacy decision by the Commission or, in the case of transfers referred to in Articles 46, 47 or the second subparagraph of Article 49(1) of the Regulation, an indication of the appropriate and suitable safeguards and a reference to the means of obtaining a copy of them or their accessibility.

In addition to the information referred to in point 1, the data controller shall provide the data subject with the following additional information necessary to ensure fair and transparent data processing for the data subject:

a) the period for which the personal data will be stored or, if this is not possible, the criteria for determining this period;

b) if the processing is based on Article 6(1)(f) of the Regulation (legitimate interest), the legitimate interests of the controller or a third party;

c) the right of the data subject to request from the controller access to, rectification, erasure or restriction of processing of personal data concerning him or her, and to object to the processing of personal data, as well as the right of the data subject to data portability;

d) in the case of processing based on Article 6(1)(a) (the data subject's consent) or Article 9(2)(a) (the data subject's consent) of the Regulation, the right to withdraw consent at any time, without affecting the lawfulness of processing carried out on the basis of consent before its withdrawal;

(e) the right to lodge a complaint with a supervisory authority;

(f) the source of the personal data and, where applicable, whether the data originate from publicly available sources; and

g) the fact of automated decision-making referred to in Article 22(1) and (4) of the Regulation, including profiling, and at least in these cases, intelligible information on the logic involved and the significance and foreseeable consequences of such processing for the data subject.

The data controller shall provide the information referred to in points 1 and 2 as follows:

a) taking into account the specific circumstances of the processing of personal data, within a reasonable period of time from the date of obtaining the personal data, but no later than one month;

b) if the personal data are used for the purpose of communicating with the data subject, at least upon initial contact with the data subject; or

c) if the data are expected to be communicated to other recipients, at the latest when the personal data are communicated for the first time.

If the controller intends to process personal data for a purpose other than that for which they were collected, it must inform the data subject of this different purpose and of any relevant additional information referred to in point 2 prior to further processing.

Points 1 to 5 shall not apply if and to the extent that:

(a) the data subject already has the information;

(b) providing the information in question proves impossible or would involve a disproportionate effort, in particular for archiving purposes in the public interest, scientific and historical research purposes or statistical purposes, in the case of processing carried out subject to the conditions and safeguards laid down in Article 89(1) of the Regulation, or where the obligation referred to in paragraph 1 of this Article is likely to render impossible or seriously jeopardise the achievement of the purposes of such processing. In such cases, the controller shall take appropriate measures to safeguard the rights, freedoms and legitimate interests of the data subject, including making the information publicly available;

(c) the collection or disclosure of the data is expressly required by Union or Member State law applicable to the controller, which provides for appropriate measures to safeguard the legitimate interests of the data subject; or

(d) personal data must remain confidential pursuant to an obligation of professional secrecy laid down in Union or Member State law, including a statutory obligation of confidentiality.

(Article 14 of the Regulation)

The data subject's right of access

The data subject has the right to receive feedback from the Data Controller as to whether his or her personal data is being processed and, if such processing is taking place, he or she has the right to access the personal data and the following information:

a) the purposes of data processing;

(b) the categories of personal data concerned;

(c) the recipients or categories of recipients to whom the personal data have been or will be disclosed, including in particular recipients in third countries or international organisations;

(d) where applicable, the planned period for which the personal data will be stored or, if this is not possible, the criteria for determining this period;

e) the right of the data subject to request from the Data Controller the rectification, erasure or restriction of processing of personal data concerning him or her, and to object to the processing of such personal data;

(f) the right to lodge a complaint with a supervisory authority;

g) if the data were not collected from the data subject, all available information on their source;

h) the fact of automated decision-making referred to in Article 22(1) and (4) of the Regulation, including profiling, and at least in these cases, intelligible information on the logic involved and the significance and foreseeable consequences of such processing for the data subject.

If personal data are transferred to a third country or to an international organisation, the data subject has the right to be informed of the appropriate safeguards regarding the transfer in accordance with Article 46 of the Regulation.

The Data Controller shall provide the data subject with a copy of the personal data subject to processing. For further copies requested by the data subject, the Data Controller may charge a reasonable fee based on administrative costs. If the data subject has submitted the request electronically, the information shall be provided in a widely used electronic format, unless the data subject requests otherwise. The right to request a copy shall not adversely affect the rights and freedoms of others.

(Article 15 of the Regulation)

The right to erasure (“the right to be forgotten”)

a) the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;

b) the data subject withdraws his or her consent which was the basis for the processing pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) of the Regulation and there is no other legal basis for the processing;

c) the data subject objects to the processing of his or her data pursuant to Article 21(1) of the Regulation and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);

d) the personal data have been processed unlawfully;

e) the personal data must be erased for compliance with a legal obligation under Union or Member State law applicable to the Controller;

f) the personal data were collected in connection with the provision of information society services referred to in Article 8(1) of the Regulation.

Where the Controller has made the personal data public and is obliged to erase them pursuant to point 1 above, the Controller, taking into account available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform the Controllers processing the data that the data subject has requested erasure by them of links to, or copies or replications of, the personal data concerned.

Points 1 and 2 do not apply if the processing is necessary:

a) for the purpose of exercising the right to freedom of expression and information;

b) for the purpose of fulfilling an obligation to process personal data under Union or Member State law applicable to the Controller, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller;

c) on grounds of public interest in the field of public health in accordance with Article 9(2)(h) and (i) and Article 9(3) of the Regulation;

d) for archiving purposes in the public interest, scientific and historical research purposes or statistical purposes in accordance with Article 89(1) of the Regulation, where the right referred to in point 1 would likely render impossible or seriously jeopardise such processing; or

e) for the establishment, exercise or defense of legal claims.

(Article 17 of the Regulation)

Right to restriction of data processing

The data subject has the right to request that the Data Controller restrict data processing if one of the following applies:

a) the data subject disputes the accuracy of the personal data, in which case the restriction shall apply for a period of time enabling the Data Controller to verify the accuracy of the personal data;

b) the processing is unlawful and the data subject opposes the erasure of the data and instead requests the restriction of their use;

c) the Data Controller no longer needs the personal data for the purposes of data processing, but the data subject requires them for the establishment, exercise or defense of legal claims; or

d) the data subject has objected to the processing pursuant to Article 21(1) of the Regulation; in such a case, the restriction shall apply for a period of time until it is determined whether the legitimate grounds of the Controller override those of the data subject.

If processing is restricted pursuant to point 1, such personal data may, with the exception of storage, only be processed with the consent of the data subject, or for the establishment, exercise or defence of legal claims, or for the protection of the rights of another natural or legal person, or for important reasons of public interest of the Union or of a Member State.

The Data Controller shall inform the data subject, at whose request data processing has been restricted pursuant to point 1, in advance of the lifting of the restriction on data processing.

(Article 18 of the Regulation)

The right to data portability

The data subject has the right to receive the personal data concerning him or her, which he or she has provided to a Data Controller, in a structured, commonly used and machine-readable format and has the right to transmit those data to another Data Controller without hindrance from the Data Controller to whom the personal data have been provided, if:

a) the processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) of the Regulation, or on a contract pursuant to point (b) of Article 6(1) of the Regulation; and

b) the data processing is carried out in an automated manner.

When exercising the right to data portability pursuant to point 1, the data subject has the right to request the direct transmission of personal data between Data Controllers, if technically feasible.

The exercise of this right shall be without prejudice to Article 17 of the Regulation. The said right shall not apply where the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller.

The right referred to in point 1 shall not adversely affect the rights and freedoms of others. (Article 20 of the Regulation)

The right to protest

The data subject has the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her based on Article 6(1)(e) of the Regulation (processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller) or point (f) of the Regulation (processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller) (processing is necessary for the legitimate interests of the Controller or a third party).

necessary for the exercise of the data subject's interests), including profiling based on the aforementioned provisions. In such a case, the Data Controller may no longer process the personal data unless the Data Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

If personal data are processed for direct marketing purposes, the data subject has the right to object at any time to processing of personal data concerning him or her for such purposes, including profiling, where it is related to direct marketing.

If the data subject objects to the processing of personal data for direct marketing purposes, the personal data may no longer be processed for this purpose.

The right referred to in points 1 and 2 must be expressly brought to the attention of the data subject at the latest during the first contact, and the information relating to this must be displayed clearly and separately from all other information.

In connection with the use of information society services and by way of derogation from Directive 2002/58/EC, the data subject may also exercise the right to object by automated means based on technical specifications.

Where personal data are processed for scientific and historical research purposes or for statistical purposes pursuant to Article 89(1) of the Regulation, the data subject shall have the right to object, on grounds relating to his or her particular situation, to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

(Article 21 of the Regulation)

Automated decision-making in individual cases, including profiling

Point 1 shall not apply if the decision:

a) necessary for the conclusion or performance of a contract between the data subject and the Data Controller;

b) it is permitted by Union or Member State law applicable to the Controller, which also lays down suitable measures to safeguard the rights and freedoms and legitimate interests of the data subject; or

In the cases referred to in points a) and c) of point 2, the Data Controller shall take appropriate measures to safeguard the rights, freedoms and legitimate interests of the data subject, including at least the right of the data subject to request human intervention on the part of the Data Controller, to express his or her point of view and to object to the decision.

The decisions referred to in point 2 may not be based on special categories of personal data referred to in Article 9(1) of the Regulation, unless points (a) or (g) of Article 9(2) apply.

applicable and appropriate measures have been taken to protect the rights, freedoms and legitimate interests of the data subject.

(Article 22 of the Regulation)

Restrictions

Union or Member State law applicable to the controller or processor may, by means of legislative measures, restrict the scope of the rights and obligations set out in Article 5 in respect of the provisions of Articles 12 to 22 and Article 34 of the Regulation and in accordance with the rights and obligations set out in Articles 12 to 22, provided that the restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to protect:

a) national security;

b) national defense;

(d) the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security;

(e) other important objectives of general public interest of the Union or of a Member State, in particular the important economic or financial interests of the Union or of a Member State, including monetary, budgetary and taxation matters, public health and social security;

(f) the protection of judicial independence and judicial proceedings;

g) in the case of regulated professions, the prevention, investigation, detection and conduct of proceedings related to ethical violations;

h) in the cases referred to in points a)–e) and g) – even occasionally – control, investigation or regulatory activities related to the performance of public authority tasks;

(i) the protection of the data subject or the rights and freedoms of others;

j) enforcement of civil claims.

The legislative measures referred to in point 1 shall, where appropriate, contain detailed provisions on at least:

a) the purposes of data processing or the categories of data processing,

b) categories of personal data,

c) the scope of the restrictions introduced,

d) guarantees aimed at preventing misuse or unauthorized access or transmission,

e) to define the Data Controller or to define the categories of Data Controllers,

f) the duration of data storage and the applicable safeguards, taking into account the nature, scope and purposes of the data processing or categories of data processing,

g) the risks to the rights and freedoms of data subjects, and

h) the right of data subjects to be informed about the restriction, unless this may adversely affect the purpose of the restriction.

(Article 23 of the Regulation)

Informing the data subject about the data protection incident

If the data breach is likely to result in a high risk to the rights and freedoms of natural persons, the Controller shall inform the data subject about the data breach without undue delay.

The information provided to the data subject referred to in point 1 shall describe in a clear and comprehensible manner the nature of the personal data breach and shall include at least the information and measures referred to in points (b), (c) and (d) of Article 33(3) of the Regulation.

The data subject does not have to be informed as referred to in point 1 if any of the following conditions are met:

a) the Data Controller has implemented appropriate technical and organizational protection measures and these measures have been applied to the data affected by the data protection incident, in particular measures – such as the use of encryption – that make the data unintelligible to persons not authorized to access the personal data;

b) the Data Controller has taken additional measures following the data protection incident to ensure that the high risk to the rights and freedoms of the data subject referred to in point 1 is no longer likely to materialise;

(c) the provision of information would involve a disproportionate effort. In such cases, the data subjects shall be informed by means of publicly available information or a similar measure shall be taken which ensures that the data subjects are informed in a similarly effective manner.

If the Data Controller has not yet notified the data subject of the data breach, the supervisory authority, after considering whether the data breach is likely to involve a high risk, may order the data subject to be informed or may determine that one of the conditions referred to in point 3 is met.

(Article 34 of the Regulation)

Right to lodge a complaint with a supervisory authority

Without prejudice to other administrative or judicial remedies, every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement, if the data subject considers that the processing of personal data relating to him or her infringes this Regulation.

The supervisory authority to which the complaint has been submitted is obliged to inform the customer about the procedural developments related to the complaint and its outcome, including the fact that the customer has the right to a judicial remedy pursuant to Article 78 of the Regulation.

(Article 77 of the Regulation)

In Hungary, the supervisory authority is the National Authority for Data Protection and Freedom of Information. The relevant detailed legal provisions are contained in Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information.

Right to an effective judicial remedy against the supervisory authority

Without prejudice to other administrative or non-judicial remedies, every natural and legal person has the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning him or her.

Without prejudice to other administrative or non-judicial remedies, every data subject shall have the right to an effective judicial remedy where the supervisory authority competent pursuant to Article 55 or 56 of the Regulation does not deal with the complaint or does not inform the data subject of the procedural developments or the outcome of a complaint lodged pursuant to Article 77 within three months.

Proceedings against a supervisory authority shall be brought before the courts of the Member State in which the supervisory authority is established.

If proceedings are brought against a decision of the supervisory authority in relation to which the Board has previously issued an opinion or taken a decision under the consistency mechanism, the supervisory authority shall be obliged to send this opinion or decision to the court.

(Article 78 of the Regulation)

Right to an effective judicial remedy against the controller or processor

Without prejudice to any available administrative or non-judicial remedies, including the right to lodge a complaint with a supervisory authority pursuant to Article 77 of the Regulation, all

The data subject has the right to an effective judicial remedy if he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data not in accordance with this Regulation.

Proceedings against a controller or processor shall be brought before the courts of the Member State in which the controller or processor is established. Such proceedings may also be brought before the courts of the Member State in which the data subject has his habitual residence, unless the controller or processor is a public authority of a Member State acting in the exercise of its official authority.

(Article 79 of the Regulation)

SUBMISSION OF THE APPLICATION OF THE PARTY CONCERNED,

DATA CONTROLLER MEASURES

The Data Controller shall inform the data subject of the measures taken following his request to exercise his rights without undue delay, but in any case within one month of receipt of the request.

If necessary, taking into account the complexity of the request and the number of requests, this deadline may be extended by a further two months. The Data Controller shall inform the data subject of the extension of the deadline within one month of receipt of the request, indicating the reasons for the delay.

If the data subject has submitted the request electronically, the information shall be provided electronically, if possible, unless the data subject requests otherwise.

If the Data Controller does not take action following the request of the data subject, it shall inform the data subject without delay, but no later than one month from the receipt of the request, of the reasons for the failure to take action and of the fact that the data subject may lodge a complaint with a supervisory authority and exercise his or her right to a judicial remedy.

The Data Controller shall provide the information pursuant to Articles 13 and 14 of the Regulation and the information on the data subject's rights (Articles 15-22 and 34 of the Regulation) and the action taken free of charge. If the data subject's request is manifestly unfounded or excessive, in particular because of its repetitive nature, the Data Controller shall, taking into account the administrative costs involved in providing the requested information or communication or in taking the requested action:

a) may charge a fee of HUF 6,350, or

b) may refuse to take action on the request.

The Data Controller bears the burden of proving that the request is clearly unfounded or excessive.

If the Data Controller has reasonable doubts regarding the identity of the natural person submitting the request, it may request the provision of additional information necessary to confirm the identity of the data subject.

DATA SECURITY

When operating IT systems, we ensure the necessary authorization management, internal organizational and technical solutions so that your data cannot be obtained by unauthorized persons, and that unauthorized persons cannot delete, remove or modify the data. We also enforce data protection and data security requirements against our data processors. We keep records of any data protection incidents and, if necessary, inform the data subject of any incidents that arise, if this is required by the Regulation.