On the Data Processing of 22 Media and Design Studio Kft.

The purpose of this notice is to set out the data protection and data processing principles applied by 22 Media és Design Stúdió Kft. (hereinafter: Data Controller), which the Data Controller recognizes as binding upon itself, and to inform Data Subjects of their rights related to data processing under Regulation (EU) 2016/679 of the European Parliament and of the Council (hereinafter: GDPR) and Act CXII of 2011 on Informational Self-Determination and Freedom of Information (hereinafter: Infotv.).

The Data Controller undertakes that all data processing related to its activities complies with the expectations set out in applicable legislation. Personal data are handled confidentially, and the Data Controller implements IT and other technical and organizational measures that support secure data management in order to preserve confidentiality and the integrity of the data.

Definitions

The terms used in this notice shall be interpreted in accordance with the definitions set out in Article 4 of Chapter I of the GDPR, as follows:

“Personal data”: any information relating to an identified or identifiable natural person (“Data Subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, number, location data, online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

“Processing”: any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

“Data Subject”: any identified or identifiable natural person based on personal data.

“Restriction of processing”: the marking of stored personal data with the aim of limiting their processing in the future.

“Profiling”: any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, particularly to analyze or predict aspects concerning work performance, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.

“Pseudonymization”: the processing of personal data in such a way that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and subject to technical and organizational measures to ensure that the personal data cannot be attributed to an identified or identifiable natural person.

“Filing system”: any structured set of personal data accessible according to specific criteria, whether centralized, decentralized, or dispersed on a functional or geographical basis.

“Controller”: the natural or legal person, public authority, agency, or other body which alone or jointly with others determines the purposes and means of the processing of personal data.

“Processor”: a natural or legal person, public authority, agency, or other body that processes personal data on behalf of the controller.

“Recipient”: a natural or legal person, public authority, agency, or another body to which personal data are disclosed, whether a third party or not.

“Third party”: a natural or legal person, public authority, agency, or body other than the data subject, the controller, the processor, and persons who, under the direct authority of the controller or processor, are authorized to process personal data.

“Consent of the Data Subject”: any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which they signify agreement to the processing of personal data relating to them.

“Personal data breach”: a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data.

“Genetic data”: personal data relating to inherited or acquired genetic characteristics of a natural person.

“Biometric data”: personal data resulting from specific technical processing relating to the physical, physiological, or behavioral characteristics of a natural person which allow or confirm the unique identification of that natural person.

“Health data”: personal data related to the physical or mental health of a natural person.

“Main establishment”: the place of central administration in the Union where decisions on the purposes and means of processing are taken.

“Representative”: a natural or legal person established in the Union designated in writing by the controller or processor.

“Enterprise”: a natural or legal person engaged in economic activity regardless of legal form.

“Group of undertakings”: a controlling undertaking and its controlled undertakings.

“Binding corporate rules”: personal data protection policies adhered to by a controller or processor within a corporate group.

“Supervisory authority”: an independent public authority established by a Member State.

“Cross-border processing”: processing of personal data taking place in more than one Member State or affecting data subjects in multiple Member States.

“Relevant and reasoned objection”: an objection regarding whether there is an infringement of this Regulation.

“Information society service”: a service as defined in Directive (EU) 2015/1535.

“International organization”: an organization governed by public international law or established by an agreement between countries.

Data Controller Information

Registered office:
1221 Budapest, Vihar utca 5. Building D, Floor 4, Door 15.

Tax number:
25550155-2-43

Telephone:
+36-20-591-24-46

Email:
info@22.design

Purpose of Data Processing

The purpose of data processing is defined in the annex titled “Data Processing Consent Statement and Information.”

Personal data collected in connection with the services of the Data Controller are processed only:

• with the voluntary consent of the Data Subject, or

• on the basis of a contractual relationship.

Personal data are processed in compliance with applicable data protection laws, especially the GDPR and Infotv., and in accordance with this notice.

Principles of Personal Data Processing

The Data Controller observes the following principles:

Lawfulness, fairness, and transparency
Personal data are processed lawfully, fairly, and in a transparent manner.

Purpose limitation
Data are collected only for specified, explicit, and legitimate purposes.

Data minimization
Only data necessary for the purpose of processing are collected.

Accuracy
Personal data must be accurate and kept up to date.

Storage limitation
Data are stored only as long as necessary for the purposes of processing.

Integrity and confidentiality
Appropriate technical and organizational measures ensure data security and protection against unauthorized access, loss, or damage.

Accountability
The Data Controller is responsible for and must demonstrate compliance with these principles.

Data Transfer

Personal data may be transferred to processors listed in the records of data sources and processes, exclusively for specified purposes and with confidentiality and data integrity ensured.

Except for these processors, the Data Controller does not transfer personal data domestically, within the EU, or to third countries or international organizations.

Use of Data Processors

Processors used by the Data Controller are listed in the current records of data sources and processes.

Duration of Data Processing

Personal data are stored until the purpose of processing is fulfilled, as defined in the Data Processing Consent Statement and Information document.

Categories of Processed Data

Depending on the purpose of processing, the Data Controller may process the following personal data:

• company name

• contact person / data subject name

• business phone numbers

• business email addresses

• business postal addresses

• information about the data subject’s IT devices

• Microsoft personal data

• usernames

• passwords

The exact data categories are specified in the Data Processing Consent Statement and Information document.

Right of Access

The Data Subject has the right to obtain confirmation from the Data Controller as to whether their personal data are being processed and, if so, access to:

• the purposes of processing

• categories of personal data

• recipients of the data

• storage period

• rights to rectification, erasure, restriction, or objection

• the right to lodge a complaint with a supervisory authority

• information on the source of data (if not collected from the data subject)

• information about automated decision-making, including profiling.

The Data Controller shall provide a copy of personal data to the Data Subject upon request.

Right to Rectification

The Data Subject has the right to request correction of inaccurate personal data without undue delay.

Right to Erasure (“Right to be Forgotten”)

The Data Subject may request deletion of their personal data if, among other reasons:

• the data are no longer necessary

• consent has been withdrawn

• the processing is unlawful

• the data must be erased to comply with legal obligations.

Exceptions apply when processing is necessary for legal obligations, public interest, research, or health-related purposes.

Right to Restriction of Processing

The Data Subject may request restriction of processing if:

• the accuracy of the data is contested

• processing is unlawful but deletion is opposed

• the data are required for legal claims

• an objection to processing has been submitted.

Right to Object

The Data Subject has the right to object to processing when it is based on legitimate interests or for direct marketing purposes.

If the objection is justified, the Data Controller must cease processing the data.

Right to Data Portability

The Data Subject has the right to receive their personal data in a structured, commonly used, machine-readable format and to transmit those data to another controller.

The Data Controller provides the data in XML format upon request.

Withdrawal of Consent

The Data Subject may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing prior to withdrawal.

Withdrawal can be made using the document “Withdrawal of Data Processing Consent Statement.”

Right to Lodge a Complaint

Without prejudice to other legal remedies, the Data Subject has the right to lodge a complaint with a supervisory authority.

The competent authority in Hungary is:

Hungarian National Authority for Data Protection and Freedom of Information

Address:
1125 Budapest, Szilágyi Erzsébet fasor 22/C

Mailing address:
1530 Budapest, Pf. 5

Phone:
+36 1 391 1400

Email:
ugyfelszolgalat@naih.hu

Website:
http://www.naih.hu

Automated Decision-Making and Profiling

The Data Controller ensures that no decisions producing legal effects concerning data subjects are made solely on automated processing unless:

• it is necessary for a contract

• it is authorized by law

• it is based on the explicit consent of the Data Subject.

• 
  

Newsletter Data Processing

Newsletter subscriptions are based on the voluntary consent of the Data Subject.

The Data Subject may unsubscribe at any time via the unsubscribe link or contact details provided in the newsletter.

Upon unsubscribing, all personal data related to the subscription will be deleted immediately.

Data processed:

• name (first name and last name)

• email address

Purpose of processing:

• sending newsletters about products, services, and events of 22 Media and Design Studio Ltd.

• sending promotional materials.

Legal basis:

• consent of the Data Subject.

Duration of processing:

• until the Data Subject unsubscribes from the newsletter.

The Data Controller does not verify the accuracy of the provided data. Responsibility for the accuracy of the provided email address lies solely with the Data Subject.