DATA PROCESSING POLICY OF KOMPLEX EVENT LTD

I. Introduction and Contact Information of the Data Controller

Komplex Event Ltd. (hereinafter referred to as the “Data Controller” or the “Company”) provides the following information regarding the processing of personal data in accordance with the REGULATION (EU) 2016/679 of the European Parliament and of the Council (GDPR).

The Company is committed to protecting the personal data of its clients and partners, and considers it extremely important to respect the informational self-determination rights of its clients. The Company treats personal data it has acquired as confidential, and takes all security, technical, and organizational measures necessary to guarantee the security of the data.

Contact Information of the Data Controller

Company Name: KOMPLEX EVENT Ltd.

Registered Office: 1061 Budapest, Király Street 26. 2nd floor

Company Registration Number: 01-09-343414

Tax Number: 26762108-2-42

Email Address: [email protected]

Website: www.twentysixbudapest.com

II. Definitions

Personal Data

Any information related to an identified or identifiable natural person (hereinafter referred to as the “Data Subject”). An identifiable natural person is one who can be identified, directly or indirectly, particularly by reference to an identifier such as a name, identification number, location data, online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

Data Processing

Any operation or set of operations performed on personal data or on data files, whether by automated means or not, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

Data Controller

A natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the data controller or the specific criteria for its nomination may be provided for by Union or Member State law.

Data Processor

A natural or legal person, public authority, agency, or other body which processes personal data on behalf of the Data Controller.

Recipient

A natural or legal person, public authority, agency, or other body to whom or which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.

Consent

A freely given, specific, informed, and unambiguous indication of the Data Subject’s wishes by which they, by a statement or by a clear affirmative action, signify agreement to the processing of personal data relating to them. Thus, consent consists of three fundamental elements: voluntariness, definiteness, and appropriate information.

Third Party

A natural or legal person, public authority, agency, or body other than the Data Subject, Data Controller, Data Processor, and persons who, under the direct authority of the Data Controller or Data Processor, are authorized to process personal data.

Data Breach

A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.

Partner

Legal entities or partnerships without legal personality that use the services of the Data Controller under a contract and/or facilitate the fulfillment of the Data Controller’s services, to which the Data Controller—upon obtaining the Data Subject’s consent—transfers or may transfer personal data, or which perform or may perform data storage, processing, associated IT, and other activities that promote secure data processing for the Data Controller.

Employee

A natural person in an employment, assignment, or other legal relationship with the Data Controller who is designated or may be designated to provide or fulfill the services of the Data Controller and who may come into contact with personal data during their data processing or data processing tasks, and for whose activities the Data Controller assumes full responsibility towards the circle of Data Subjects and third parties.

III. Scope of the Policy

Temporal Scope

This Policy is in force from June 25, 2019, until further notice or until revoked.

Personal Scope

The personal scope of this Policy extends to the Data Controller, those individuals whose data are contained in data processing activities under the scope of this Policy, as well as those individuals whose rights or legitimate interests are affected by the Company’s data processing activities.

Material Scope

The scope of this Policy covers all data processing activities by the Data Controller that contain personal data, regardless of whether they are conducted electronically and/or on paper.

Right to Amend

The Data Controller reserves the right to amend this policy at any time and will notify Data Subjects and Partners of any changes in due time.

IV. Relevant Legislation

The Data Controller declares that its data processing activities are in compliance with the applicable data protection laws, including but not limited to:

• Act CLV of 1997 on Consumer Protection (Fgytv.);
• Act C of 2000 on Accounting (Számv. tv.);
• Act XLVII of 2008 on the Prohibition of Unfair Business-to-Consumer Commercial Practices;
• Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information (Infotv.);
• Act V of 2013 on the Civil Code (Ptk.);
• Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR).

V. Principles of Data Processing by the Company

Lawfulness, Fairness, and Transparency

The processing of personal data by the Company is lawful, fair, and conducted in a transparent manner with respect to the Data Subject.

Purpose Limitation

The collection of personal data is limited to specified, explicit, and legitimate purposes and is not processed in a manner incompatible with these purposes. Further processing for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes, in accordance with Article 89(1) GDPR, shall not be considered incompatible with the initial purposes.

Data Minimization

Personal data processed by the Company are adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.

Accuracy

Personal data processed by the Company are accurate and, where necessary, kept up to date; the Company takes every reasonable step to ensure that inaccurate personal data are erased or rectified without delay.

Storage Limitation

Personal data are kept in a form that permits the identification of Data Subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes in accordance with Article 89(1), subject to the implementation of appropriate technical and organizational measures required by this Regulation in order to safeguard the rights and freedoms of the Data Subject.

Integrity and Confidentiality

The Company processes personal data in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures.

Accountability

The Company shall be responsible for, and be able to demonstrate compliance with, the above principles.

VI. Security Principles of Data Processing

The Data Controller selects and operates the IT tools used for processing personal data during service provision in such a way that the processed data are:

a) accessible to those authorized to access them (availability); b) protected from unauthorized alteration (data integrity); c) traceable for integrity (data authenticity); d) protected against unauthorized access (data confidentiality).

The Data Controller ensures the protection of data processing security with technical, organizational, and structural measures that provide an appropriate level of protection against the risks arising in connection with data processing.

The Data Controller’s IT system and network are protected against computer-aided fraud, espionage, sabotage, vandalism, fire, flood, computer viruses, computer break-ins, and denial-of-service attacks. The operator ensures security through server-level and application-level protection procedures.

VII. Data Processing Activities Conducted by the Company

Employees

1.1. Scope of Processed Data:

Name, birth name, place and date of birth, mother’s name, nationality, permanent address, identity card number, social security number (TAJ), tax identification number, bank account number, education, professional qualification, clothing size.

1.2. Legal Basis for Data Processing:

The legal basis for data processing is the employment contract between the Data Controller and the employee, as well as Act I of 2012 on the Labor Code (Mt.), Act C of 2000 on Accounting (Sztv.), and Act CL of 2017 on the Rules of Taxation (Art.).

1.3. Purpose of Data Processing:

The purpose of data processing is to fulfill obligations arising from the employment contract and legal requirements.

1.4. Data Transfer:

The Data Controller transfers data only for the fulfillment of the employment contract and to the authorities and bodies specified by law, with any additional data transfer subject to the employee’s prior consent.

1.5. Duration of Data Processing:

The Data Controller retains personal data relating to employees, including earnings, tax, and social security data arising in connection with the employment relationship, in the personnel file for the period specified by law.

1.6. Persons Authorized to Access Data:

Personal data may be processed by employees of the Data Controller who are authorized to do so, in compliance with the above principles.

Guests

2.1. Scope of Affected Individuals:

Guests booking tables at the restaurant, guests of the yoga studio, and individuals using the event hall.

2.2. Scope of Processed Data:

Name, telephone number, email address.

2.3. Legal Basis for Data Processing:

Article 6(1)(b) of the GDPR, as well as Act C of 2000 on Accounting (Sztv.).

2.4. Purpose of Data Processing:

Table reservations and purchases at the restaurant, scheduling appointments for yoga classes, issuing invoices, maintaining records of guests, differentiating between guests, documenting purchases and payments, fulfilling accounting obligations, customer contact, analyzing purchasing habits, and providing more targeted service.

2.5. Data Transfer:

The Data Controller transfers data only based on the guest’s consent and to the authorities and bodies specified by law, with any additional data transfer subject to the guest’s prior consent.

2.6. Duration of Data Processing:

Eight (8) years, in accordance with the provisions of the Accounting Act.

2.7. Persons Authorized to Access Data:

Personal data may be processed by employees of the Data Controller who are authorized to do so, in compliance with the above principles.

2.8. Possible Consequences of Failure to Provide Data:

The guest may not be able to make a reservation or receive a personalized invoice.

Newsletter and Direct Marketing Activities

The Data Subject may expressly consent in advance to being contacted by the Company with promotional offers and other mailings at the provided contact details and to the Company processing their personal data necessary for sending promotional offers.

The Company does not send unsolicited promotional messages, and the Data Subject may unsubscribe from newsletters without restriction and without justification, free of charge. In such cases, the Company deletes all personal data necessary for sending promotional messages from its records and will not contact the Data Subject with further promotional offers.

3.1. Scope of Affected Individuals:

All natural persons subscribing to the newsletter.

3.2. Scope of Processed Data:

Name, email address.

3.3. Legal Basis for Data Processing:

The consent of the Data Subject, Act XLVIII of 2008 on the Basic Requirements and Certain Restrictions of Commercial Advertising Activities (Reklámtv.).

3.4. Purpose of Data Processing:

To send electronic messages containing advertisements to the Data Subject, provide information on current news, products, promotions, and offers.

3.5. Duration of Data Processing:

The Company processes the personal data mentioned in this section until the withdrawal of the consent, i.e., until the unsubscription.

3.6. Persons Authorized to Access Data:

Personal data may be processed by employees of the Data Controller who are authorized to do so, in compliance with the above principles.

3.7. Possible Consequences of Failure to Provide Data:

The Data Subject will not receive newsletters or Direct Marketing communications.

Company Website

4.1. Scope of Affected Individuals:

Natural persons registering on the Company’s website (www.twentysixbudapest.com).

4.2. Scope of Processed Data:

Name, email address.

4.3. Purpose of Data Processing:

To enable registration on the website, facilitate communication between users, and provide information about current news and offers.

4.4. Legal Basis for Data Processing:

The voluntary consent of the Data Subject.

4.5. Duration of Data Processing:

The Company processes the data mentioned in this section until the deletion of the user account.

4.6. Persons Authorized to Access Data:

Personal data may be processed by employees of the Data Controller who are authorized to do so, in compliance with the above principles.

4.7. Possible Consequences of Failure to Provide Data:

The Data Subject may not register on the Company’s website.

Use of Social Media

The Company is accessible on social media platforms such as Facebook and Instagram, and the use of these platforms and any contact, interaction, or other activity conducted through them is based on the voluntary consent of the Data Subject.

The Data Controller communicates with the Data Subjects only when they contact the Data Controller through the social media platform, at which point the purpose of the data becomes relevant. The Data Subject voluntarily consents to data processing under the terms of use of the social media platform by following, liking the contents of the Data Controller. (For example, on the Facebook page, the Data Subject can subscribe to the news feed posted on the message wall by clicking the “like” link on the page and thereby consent to the Company’s news and offers being posted on their message wall, and can unsubscribe by clicking the “dislike” link, as well as delete unwanted news feeds from their message wall using the message wall settings.)

The Data Controller also posts images/videos on its social media pages of various events, its services, and other activities. The Data Controller may link its Facebook and Instagram pages to other social media platforms under the rules of social networks, so posting on Facebook and Instagram pages also includes posting on such linked social media portals.

If the images are not of mass gatherings or public figures, the Data Controller will always seek the Data Subject’s written consent before posting images.

5.1. Scope of Affected Individuals:

Natural persons who voluntarily follow, share, or like the Company’s social media pages, particularly on Facebook and Instagram, or the content appearing on them.

5.2. Scope of Processed Data:

Name registered on social media platforms such as Facebook and Instagram, as well as the Data Subject’s public profile picture.

5.3. Purpose of Data Processing:

The purpose of presence and data processing on social media platforms is the sharing, publishing, and marketing of the content found on the website on social media platforms. Through social media, the Data Subject can also learn about the latest promotions.

5.4. Legal Basis for Data Processing:

The Data Subject’s voluntary consent to the processing of personal data on social media platforms.

5.5. Duration of Data Processing, Deadline for Data Deletion, Persons Authorized to Access Data, and Description of the Data Subject’s Rights:

The Data Subject can learn about the data processing, its method, and its legal basis on the respective social media platform. Since data processing occurs on social media platforms, the duration, method, and possibilities for deletion and modification of the data are governed by the rules of the respective social media platform.

VIII. Cookie-Related Data Processing

What is a Cookie?

Cookies are small text files in which websites store information related to visits for a specific period and purpose. During repeated visits, the website can recognize the text file, thereby identifying the previous visitor.

The primary function of cookies is to make browsing more convenient and personalized, as they allow us to store various personal data and settings. Cookies also facilitate well-targeted, personalized advertising campaigns.

The Company’s website was created using a portal, and the website uses its engine. The portal and the pages created using the portal may use the cookies specified below, but the Data Controller does not utilize these cookies in any way. The used cookies can communicate between the Data Subject’s device and the portal; they do not transmit or provide any data to the Data Controller, so the portal’s data processing guide applies to the used cookies.

Types of Cookies

The cookies used on the Company’s website can be classified into four different categories, according to the classification of the International Chamber of Commerce:

a) Strictly Necessary Cookies

These cookies enable navigation on the website. Without these cookies, the content visited on the Company’s website (including the use of secure protocols) becomes impossible.

The Company’s website identifies you during your use of the site with a cookie containing an encrypted string. Whenever you log into the Data Subject’s interface, we place this cookie containing a unique identifier on your device. For example: session cookie.

These cookies are strictly necessary for the operation of the website, so they cannot be disabled. Please do not continue to use the Company’s website if you do not wish for these cookies to be downloaded in your browser.

b) Performance Cookies

These cookies collect information about how visitors use a website, such as which pages are visited most frequently or where visitors encounter error messages.

These cookies do not store any information that would allow visitors to be identified by websites. The information collected using these cookies is used exclusively in aggregate and anonymously. Their purpose is to improve the functions and user experience available on the Company’s website. For example: has_js__cdrop.

Cookies that collect data about the website’s performance can be disabled and deleted in the browser settings.

c) Functional Cookies

These cookies allow the storage of the username and selected language preference used on the website. For example, a website can serve local news based on the visitor’s geographic location stored in a cookie. These cookies can store changed font sizes and other similar settings. The settings stored in the cookies are anonymous. Their stored value cannot be traced back to individual Data Subjects by the operator. For example: Drupal.tableDrag.showWeight, Drupal.toolbar.collapsed.

Disabling this type of cookie affects the Company’s website’s functions and the user experience. However, cookies that store personal settings can be disabled and deleted in the browser settings.

d) Web Analytics and Targeting Cookies

These cookies enable visitors to encounter advertising messages tailored to their interests. These providers may store the visitors’ IP addresses and other – non-personal data – identifying information to display the Company’s advertisement on external websites later. For example: id, RSMKTO1, _mkto_trk, __utma, __utmb, __utmc, __utmz.

Cookies used for web analytics and targeting advertisements can be disabled and deleted in the browser settings.

IX. Google AdWords

The Data Controller uses the “Google AdWords” online advertising program to display the Data Controller’s online advertisements and, within its framework, utilizes Google’s conversion tracking service.

When a Data Subject reaches a website through a Google advertisement, a cookie necessary for conversion tracking is placed on their computer. These cookies have limited validity and do not contain any personal data, so the Data Subject cannot be identified by them. Moreover, each Google AdWords Data Subject receives a different cookie, so they cannot be tracked through AdWords users’ websites.

The information obtained through conversion tracking cookies is used to create conversion statistics for companies that choose AdWords conversion tracking. This way, companies learn the number of Data Subjects who clicked on their advertisement and were directed to a page with a conversion tracking tag.

If you do not wish to participate in conversion tracking, you can reject it by disabling the option to install cookies in your browser. You will then not be included in the conversion tracking statistics.

Further information and Google’s privacy policy can be found at the following site: www.google.de/policies/privacy/

X. Google Analytics

The operator of the Company’s website uses the Google Analytics service for statistical analysis of visitor behavior. Although the information obtained during the analysis does not contain personal data, visit data may in certain cases be traceable back to Data Subjects.

Google Analytics uses so-called “cookies,” text files that are saved to your computer, thus helping analyze the use of the website visited by the Data Subject.

Information created by cookies related to the website used by the Data Subject is typically transferred to and stored on a Google server in the USA. With IP anonymization activated on the website, Google will shorten the Data Subject’s IP address in EU member states or other states that are party to the Agreement on the European Economic Area.

The full IP address will be sent to and shortened by Google’s servers in the USA only in exceptional cases. On behalf of the operator of this website, Google will use this information to evaluate how the Data Subject used the site, compile reports on website activity for the website operator, and provide other services related to website and internet usage.

Google will not merge the IP address transmitted by your browser within Google Analytics with any other data held by Google. The Data Subject can prevent the storage of cookies by selecting the appropriate settings on their browser; however, please note that in this case, the full functionality of the Company’s website may not be available. You can also prevent Google from collecting and processing data created by cookies and related to your use of the website (including your IP address) by downloading and installing the browser plugin available at the following link: https://tools.google.com/dlpage/gaoptout?hl=hu.

The Data Subject has the following rights concerning the personal data processed by the Company:

XI. Rights of the Data Subjects

Right to Information:

At the Data Subject’s request, the Data Controller shall provide information on the personal data processed by the Data Controller or processed by a processor on behalf of the Data Controller, their sources, the purpose, legal basis, and duration of data processing, the name and address of the data processor, and its activities related to data processing, the circumstances and effects of any data breach, and the measures taken to address it, and in the case of data transfer, the legal basis and recipient of the data transfer.

Right to Rectification:

If the personal data are inaccurate, the Data Controller shall correct them without undue delay upon the request of the Data Subject, provided that the correct data are available to the Data Controller or provided by the Data Subject.

Right to Erasure:

The Data Subject has the right to obtain from the Data Controller the erasure of personal data concerning them without undue delay, and the Data Controller shall have the obligation to erase personal data without undue delay.

The Data Controller shall not erase the Data Subject’s personal data if data processing is ordered by law.

Right to Restriction of Processing:

At the request of the Data Subject, the Data Controller shall restrict the use of the Data Subject’s personal data if any of the following conditions are met:

a) The Data Subject contests the accuracy of the personal data – in this case, the restriction applies to the period allowing the Data Controller to verify the accuracy of the personal data; b) The data processing is unlawful, and the Data Subject opposes the erasure of the data and requests the restriction of their use instead; c) The Data Controller no longer needs the personal data for the purposes of data processing, but the Data Subject requires them for the establishment, exercise, or defense of legal claims; or d) The Data Subject has objected to data processing; in this case, the restriction applies for the period during which it is verified whether the legitimate grounds of the Data Controller override those of the Data Subject.

If processing is restricted, such personal data shall, except for storage, only be processed with the Data Subject’s consent or for the establishment, exercise, or defense of legal claims or the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

The Data Controller shall inform the Data Subject who has requested the restriction before lifting the processing restriction.

Right to Data Portability:

The Data Subject has the right to receive the personal data concerning them, which they have provided to the Data Controller, in a structured, commonly used, and machine-readable format and has the right to transmit those data to another controller.

Right to Object:

The Data Subject has the right to object, on grounds relating to their particular situation, at any time to the processing of personal data concerning them, including profiling based on those provisions, for reasons of public interest or legitimate interest, except where data processing is ordered by law.

In such cases, the Data Controller shall no longer process the personal data unless the Data Controller demonstrates compelling legitimate grounds for the processing that override the interests, rights, and freedoms of the Data Subject or for the establishment, exercise, or defense of legal claims.

Automated Individual Decision-Making, Including Profiling:

The Data Subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them.

The above rights shall not apply if the data processing is necessary for entering into or the performance of a contract between the Data Subject and the Data Controller, or if it is permitted by Union or Member State law applicable to the Data Controller and which also lays down suitable measures to safeguard the Data Subject’s rights, freedoms, and legitimate interests, or is based on the Data Subject’s explicit consent.

Procedural Rules:

The Data Controller has 25 (twenty-five) days to comply with requests for the deletion, restriction, or rectification of personal data. Where necessary, considering the complexity and number of requests, this period may be extended by a further two months. The Data Controller shall inform the Data Subject of any such extension within one month of receipt of the request, together with the reasons for the delay. If the request is submitted electronically, the information shall be provided electronically unless otherwise requested by the Data Subject.

If the Data Controller does not fulfill the Data Subject’s request for rectification, blocking, or erasure, it shall inform the Data Subject in writing or electronically of the reasons for the refusal within 25 (twenty-five) days of receipt of the request.

In case of refusal, the Data Controller shall inform the Data Subject of the possibility of judicial remedy and the right to lodge a complaint with the supervisory authority. The Data Subject may file a lawsuit if their rights are violated. The Data Controller shall prove that data processing complies with the law. The lawsuit shall be heard by the competent court.

The Data Controller shall examine the objection as soon as possible but no later than 15 days from the submission of the request, decide on its merits, and inform the applicant in writing of its decision. If the Company determines that the Data Subject’s objection is justified, it shall cease data processing, including further data collection and transfer, block the data, and notify all persons to whom the personal data affected by the objection have been previously transferred and who are obliged to take measures to enforce the right to object.

If the Data Subject disagrees with the Company’s decision, they may appeal to the court within 30 days of notification. However, the data may not be transferred to the recipient if the Company agrees with the objection or if the court establishes the validity of the objection.

XII. Complaint Handling

Right to Compensation and Remedies, Right to Court:

The Data Controller is liable for damages caused by unlawful data processing or breaches of data security requirements. The Data Subject may claim compensation for any harm suffered due to a breach of their personal rights (Civil Code § 2:52).

The Data Controller shall also be liable for damages caused by the data processor.

The Data Controller shall not be liable for damages and compensation claims insofar as the damage or violation of personal rights is due to the Data Subject’s intentional or grossly negligent conduct.

Data Protection Authority Procedure:

In the event of improper data processing, the Data Subject may file a complaint with the National Authority for Data Protection and Freedom of Information at the following contact details:

Address: 1125 Budapest, Szilágyi Erzsébet Avenue 22/C.

Mailing Address: 1530 Budapest, P.O. Box: 5.

Phone: 06.1.391.1400

Fax: 06.1.391.1410

Email: [email protected]

Website: http://www.naih.hu

XIII. Legal Statement

This Policy is considered a copyrighted work. Copying, reproduction, public transmission, distortion, mutilation, use, utilization, processing, or selling the Policy in whole or in part without the written consent of the Data Controller is prohibited.