PRIVACY POLICY

Regarding the Data Processing Activities of 22 Média és Design Stúdió Kft.

This privacy policy aims to outline the data protection and data processing principles followed by 22 Média és Design Stúdió Kft. (hereinafter: “Data Controller”), which the Data Controller acknowledges as binding upon itself. It also serves to inform Data Subjects of their rights related to data processing under Regulation (EU) 2016/679 of the European Parliament and of the Council (hereinafter: “GDPR”) and Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information (hereinafter: “Info Act”).

The Data Controller undertakes to ensure that all data processing activities related to its operations comply with the requirements set out by applicable legislation. It treats all personal data confidentially and implements appropriate technical and organizational measures to preserve the confidentiality and integrity of the data.

Definitions

The terms used in this document shall be interpreted in accordance with Article 4 of Chapter 1 of the GDPR, as follows:

• “Personal data”: any information relating to an identified or identifiable natural person (“Data Subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

• “Processing”: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

• “Data Subject”: any identified or identifiable natural person whose personal data is processed;

• “Restriction of processing”: the marking of stored personal data with the aim of limiting their processing in the future;

• “Profiling”: any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements;

• “Pseudonymisation”: the processing of personal data in such a manner that the personal data can no longer be attributed to a specific Data Subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure non-attribution to an identified or identifiable natural person;

• “Filing system”: any structured set of personal data which are accessible according to specific criteria, whether centralized, decentralized or dispersed on a functional or geographical basis;

• “Controller”: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

• “Processor”: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

• “Recipient”: a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;

• “Third party”: a natural or legal person, public authority, agency or body other than the Data Subject, the Controller, the Processor and persons who, under the direct authority of the Controller or Processor, are authorized to process personal data;

• “Data Subject’s consent”: any freely given, specific, informed and unambiguous indication of the Data Subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

• “Personal data breach”: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed;

• “Genetic data”: personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question;

• “Biometric data”: personal data resulting from specific technical processing relating to the physical, physiological or behavioral characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;

• “Data concerning health”: personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;

• “Main establishment”:

  a) for a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter has the power to have such decisions implemented, in which case the establishment having taken such decisions shall be considered to be the main establishment;

  b) for a processor with establishments in more than one Member State, the place of its central administration in the Union, or, if it has no central administration in the Union, the establishment in the Union where the main processing activities in the context of the activities of an establishment of the processor take place;

• “Representative”: a natural or legal person established in the Union who, designated in writing by the controller or processor pursuant to Article 27, represents the controller or processor with regard to their respective obligations under this Regulation;

• “Enterprise”: a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity;

• “Group of undertakings”: a controlling undertaking and its controlled undertakings;

• “Binding corporate rules”: personal data protection policies adhered to by a controller or processor established in the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings or group of enterprises engaged in a joint economic activity;

• “Supervisory authority”: an independent public authority which is established by a Member State pursuant to Article 51;

• “Cross-border processing”:

  a) processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union;

  b) or which substantially affects or is likely to substantially affect data subjects in more than one Member State;

• “Relevant and reasoned objection”: an objection to a draft decision as to whether there is an infringement of this Regulation or whether envisaged measures in relation to the controller or processor comply with this Regulation, clearly demonstrating the risks posed by the draft decision to the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the Union;

• “Information society service”: a service as defined in point (b) of Article 1(1) of Directive (EU) 2015/1535;

• “International organization”: an organization and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries.

Data Controller Information

• Registered office of the Data Controller: 1221 Budapest, Vihar utca 5. D. building, 4th floor, door 15.

• Tax number: 25550155-2-43

• Phone number: +36-1-208-0015

• Email: info@22.design

Purpose of Data Processing

The purpose of data processing is always specified in the attached “Consent to Data Processing and Information” statement. In the context of services provided by the Data Controller, the collection and processing of personal data are always based on the Data Subject’s voluntary consent or a contractual relationship.

The Data Controller handles personal data in accordance with the applicable data protection laws, in particular the GDPR and the Info Act, and in line with this privacy notice.

Principles Relating to the Processing of Personal Data

In processing personal data, the Data Controller adheres to the following principles:

• Lawfulness, fairness, and transparency: Personal data shall be processed lawfully, fairly, and in a transparent manner in relation to the Data Subject.

• Purpose limitation: Personal data shall be collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes. Further processing for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes shall not be considered incompatible with the initial purposes as defined under the GDPR.

• Data minimization: Personal data shall be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.

• Accuracy: Personal data shall be accurate and, where necessary, kept up to date. The Data Controller shall take every reasonable step to ensure that inaccurate personal data are erased or rectified without delay.

• Storage limitation: Personal data shall be kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the personal data are processed. Personal data may be stored for longer periods insofar as they will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) of the GDPR, subject to the implementation of appropriate technical and organizational measures required by the Regulation in order to safeguard the rights and freedoms of the Data Subject.

• Integrity and confidentiality: Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures.

• Accountability: The Data Controller shall be responsible for, and be able to demonstrate compliance with, the above principles.

Data Transfers

The Data Controller may transfer personal data of the Data Subject to processors listed in the current record of data sources and processes, strictly for the defined purposes, and with full respect for the confidentiality and integrity of the data. Apart from the above, the Data Controller does not transfer the Data Subject’s personal data within the country, within the Union, to a third country, or to any international organization.

Use of Data Processors

The Data Controller may use data processors in the course of its operations, as listed in the current record of data sources and processes.

Duration of Data Processing

The data will be stored until the objective of data processing is fulfilled, and the specific duration is defined in the document titled “Consent to Data Processing and Information”.

Scope of Data Processed

During and following the provision of services, the Data Controller may process the following personal data based on the Data Subject’s voluntary consent or contractual relationship, depending on the purpose of processing:

• company name,

• contact person/Data Subject’s name,

• corporate/business phone numbers,

• corporate/business email addresses,

• corporate/business postal addresses,

• data related to the Data Subject’s IT equipment,

• Microsoft personal data,

• usernames,

• passwords.

The data categories listed in this policy are indicative; in case of deviations, the precise scope is defined in the “Consent to Data Processing and Information” document.

Right of Access

The Data Subject has the right to obtain confirmation from the Data Controller as to whether or not personal data concerning them is being processed, and, where that is the case, access to the personal data and the following information:

• the purposes of the processing;

• the categories of personal data concerned;

• the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations;

• where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;

• the existence of the right to request from the Data Controller rectification or erasure of personal data or restriction of processing of personal data concerning the Data Subject or to object to such processing;

• the right to lodge a complaint with a supervisory authority;

• where the personal data are not collected from the Data Subject, any available information as to their source;

• the existence of automated decision-making, including profiling, and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the Data Subject.

Where personal data are transferred to a third country or to an international organization, the Data Subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 of the GDPR relating to the transfer.

The Data Controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the Data Subject, the Data Controller may charge a reasonable fee based on administrative costs. If the request is made electronically, the information shall be provided in a commonly used electronic format, unless otherwise requested by the Data Subject.

Right to Rectification

The Data Subject has the right to obtain from the Data Controller without undue delay the rectification of inaccurate personal data concerning them. Taking into account the purposes of the processing, the Data Subject shall have the right to have incomplete personal data completed.

Right to Erasure (“Right to be Forgotten”)

The Data Subject shall have the right to obtain from the Data Controller the erasure of personal data concerning them without undue delay and the Data Controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

• the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

• the Data Subject withdraws consent on which the processing is based, and there is no other legal ground for the processing;

• the Data Subject objects to the processing and there are no overriding legitimate grounds for the processing;

• the personal data have been unlawfully processed;

• the personal data must be erased for compliance with a legal obligation in Union or Member State law to which the Data Controller is subject;

• the personal data have been collected in relation to the offer of information society services.

If the Data Controller has made the personal data public and is obliged to erase it, it shall take reasonable steps, including technical measures, to inform other controllers processing the data that the Data Subject has requested the erasure of any links to, or copies or replications of, those personal data.

The right to erasure shall not apply to the extent that processing is necessary:

• for exercising the right of freedom of expression and information;

• for compliance with a legal obligation or for the performance of a task carried out in the public interest;

• for reasons of public interest in the area of public health;

• for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes;

• for the establishment, exercise or defense of legal claims.

Right to Restriction of Processing

The Data Subject shall have the right to obtain from the Data Controller restriction of processing where one of the following applies:

• the accuracy of the personal data is contested by the Data Subject, for a period enabling the Data Controller to verify the accuracy of the personal data;

• the processing is unlawful and the Data Subject opposes the erasure of the personal data and requests the restriction of their use instead;

• the Data Controller no longer needs the personal data for the purposes of processing, but they are required by the Data Subject for the establishment, exercise or defense of legal claims;

• the Data Subject has objected to processing pending the verification whether the legitimate grounds of the Data Controller override those of the Data Subject.

Where processing has been restricted under the above, such personal data shall, with the exception of storage, only be processed with the Data Subject’s consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

The Data Controller shall inform the Data Subject before lifting the restriction of processing.

Right to Object

Under the GDPR, the Data Subject shall have the right to object, on grounds relating to their particular situation, at any time to processing of personal data concerning them:

• when the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

• or when the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the Data Subject.

In particular, where personal data are processed for direct marketing purposes, the Data Subject shall have the right to object at any time to such processing, including profiling related to such direct marketing. If the Data Subject objects, the personal data shall no longer be processed for such purposes.

The right to object may also be exercised in the case of processing for scientific or historical research purposes or statistical purposes, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

The objection may be submitted to the Data Controller electronically.

Right to Data Portability

According to Article 20 of the GDPR, the Data Subject shall have the right to receive the personal data concerning them, which they have provided to a Data Controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:

• the processing is based on the Data Subject’s consent for one or more specific purposes, or

• the processing is necessary for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract;

• and the processing is carried out by automated means.

The Data Controller shall fulfill such data requests by providing the data in XML format, delivered on a data carrier provided by the Data Subject.

Where technically feasible, the Data Subject shall have the right to have the personal data transmitted directly from one controller to another. Such requests must be submitted in writing and include verification of the Data Subject’s identity.

The right to data portability shall not adversely affect the rights and freedoms of others and does not override the right to erasure.

Withdrawal of Consent

The Data Subject has the right to withdraw their consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. The Data Subject shall be informed of this before giving consent. Consent may be withdrawn using the form “Statement of Withdrawal of Consent to Data Processing”.

Right to Lodge a Complaint with a Supervisory Authority

Without prejudice to any other administrative or judicial remedy, every Data Subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of their habitual residence, place of work or place of the alleged infringement, if they consider that the processing of personal data relating to them infringes the GDPR.

The supervisory authority shall inform the complainant of the progress and the outcome of the complaint.

The competent supervisory authority in Hungary is the National Authority for Data Protection and Freedom of Information:

• Address: 1125 Budapest, Szilágyi Erzsébet fasor 22/C.

• Mailing address: 1530 Budapest, P.O. Box 5.

• Phone: +36-1-391-1400

• Fax: +36-1-391-1410

• Email: ugyfelszolgalat@naih.hu

• Website: http://www.naih.hu

The Data Controller is obliged to comply with decisions made by the supervisory authority.

Automated Decision-Making and Profiling

The Data Controller ensures that the Data Subject is not subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them, unless such decision:

• is necessary for entering into, or performance of, a contract between the Data Subject and the Data Controller;

• is authorized by Union or Member State law and lays down suitable measures to safeguard the Data Subject’s rights and freedoms and legitimate interests;

• is based on the Data Subject’s explicit consent.

Consent to Data Processing for Newsletter Subscription

Data processing is based on the Data Subject’s voluntary, informed, and explicit consent, whereby the Data Subject agrees that their personal data provided during newsletter subscription may be used for such purpose.

The Data Subject may unsubscribe at any time via the link provided in the newsletter or by using the “Unsubscribe” function, which constitutes withdrawal of consent. In such cases, all of the Data Subject’s data will be deleted without delay.

Personal data that may be processed:

• Data Subject’s name (surname, first name)

• Email address

Purpose of data processing: to ensure the delivery of newsletters to the email address provided by the Data Subject. The Data Controller will use the provided data exclusively for the purpose of sending newsletters on the following topics:

• information on the products, services, and events of 22 Média és Design Stúdió Systems Kft.

• promotional materials.

Legal basis for data processing: the Data Subject’s consent.

Access to data: personal data may be accessed primarily by the Data Controller and those employees who are responsible for managing such data.

Duration of data processing: until the Data Subject unsubscribes from the newsletter.

The Data Controller does not verify the personal data provided. The Data Subject is solely responsible for the accuracy of the data. By providing an email address, the Data Subject also declares that only they will use the email address for the services provided.

2025.05.30. Budapest, 22 Média és Design Stúdió Kft.