Privacy Policy

The purpose of this notice is to provide information on the processing of personal data related to the use of Xeropan (available via internet browser and mobile phone application) and the interactive language teaching material, software and interface to those to whom the personal data relates (data subjects). This notice does not cover the use of Xeropan in Hungarian public education logged in with the Cretan DKT system, in which case this notice does not apply. The processing of data related to the Xeropan Classroom application for language teachers is not covered by this notice, and the information on the Xeropan Classroom application for language teachers is not information on this information can be found here.

1. Data controller data
   

   Xeropan International Ltd.

• 1.1. Headquarters: 4026 Debrecen, Hunyadi János utca 22. 3. em. Door 1.
• 1.2. Tax number: 26304706-2-09
• 1.3. Company registration number: 09-09-029639
• 1.4. Representative: M. Attila AlGharawi, Managing Director
• 1.5. Email: info@xeropan.com.

2. Specificities of data management
   The purpose of the Xeropan web and mobile application is to provide users with interactive language learning materials, to enable their effective use and to guide them in their language learning (hereinafter: the Service). The data processing by the Data Controller is governed by Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information (hereinafter: Info.tv.) and, where applicable, by Act CXII of 2001 on certain aspects of electronic commerce services and information society services (hereinafter: the Act). Act CVIII of 2007 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Regulation (EC) No 95/46/EC (hereinafter referred to as GDPR), and Act XLVIII of 2008 on the basic conditions and certain restrictions of commercial advertising (hereinafter referred to as Grt.). The Service Provider does not verify the personal data provided to it, nor their authenticity. The Service User shall be entitled to provide only his/her own personal data and shall refrain from providing data of third parties. The Services may only be used by persons over the age of 18.

• 2.1. Data processing necessary for the operation of the Xeropan website
  • 2.1.1. Visiting Xeropan's website (even without accessing the language learning interfaces) and using the Xeropan web application (i.e. the Xeropan application accessible via an internet browser) involves the processing of personal data. Some of this data is necessary to enable the website to be displayed, to be accessible to visitors, to enable its functions to work, and to enable the web application to function and perform its functions. The use of the web application also requires additional processing of data, as described in section 2.2 below. The main features of this processing:
  • 2.1.2. The data processed include: the identifier of the computer (IP address) of the data subject, the type of browser used by the data subject, the date and time of the visit, user activity, user preferences (such as: accessibility settings). This data in this form is not suitable for the Controller to personally identify the data subject and the Controller will not take steps to identify the owner of the IP address, except in compliance with a legal obligation and under the conditions set out therein. The use of the web application requires additional processing as described in section 2.2 below.
  • 2.1.3. Data Subjects: persons accessing and using xeropan.com (including all its subdomains and directories, hereinafter referred to as the "Website"), including users of web applications.
  • 2.1.4. Legal basis for processing: processing necessary for the performance of a contract between the parties (i.e. to enable the use of the website and the Xeropan web application) pursuant to Article 6 (1) (b) of the GDPR (pursuant to Article 13/A (3) of Act CVIII of 2001 on certain aspects of electronic commerce services and information society services).
  • 2.1.5. The purpose of data processing is: to operate the website, to perform the Service, to monitor the operation of the Service.
  • 2.1.6. Duration of processing: 365 days from the date of accessing the website.
• 2.2. Data processing necessary for the operation (in particular downloading, installing, running and using) of Xeropan applications (web, IOS and Android platforms)
  • 2.2.1. For the Xeropan applications to work as expected and in accordance with the needs and preferences of the data subject, it is necessary for the Data Controller to process certain personal data of the data subject as follows:
  • 2.2.2. The data processed include: the IP address, unique device identifier, country, time zone, date of last activity, first name, surname, image of the data subject (if provided in the user account created in connection with the Services or if accessed by the Data Controller when connecting to Facebook or Google), date of registration, login data corresponding to the chosen login method (in particular: Google account login data, Facebook ID, Apple ID, email address), Google and/or Facebook friends (only if the data subject has consented to the processing of these data on the relevant platform), user application settings (such as: purchases, subscriptions, loads, data related to user activity and learning (in particular: xp's collected, tasks solved, lessons solved, league positions, learning goal set, language proficiency level set, time spent in the application, words learned, languages learned). The Data Controller also uses a unique identifier (ID) to identify the data subject in connection with the use of the application.
  • 2.2.3. Affected: users of Xeropan applications (on any platform).
  • 2.2.4. Legal basis for processing: processing necessary for the performance of the contract between the parties (i.e. the provision of the Service) in accordance with Article 6(1)(b) of the GDPR.
  • 2.2.5. Purpose of the processing: to ensure that the Xeropan application functions as expected and in accordance with the needs and preferences of the data subject (including in particular: ensuring the general functioning of the application, providing gamified functionality and personalised user experience, providing language learning content, sending messages related to operation, performance, ensuring secure and traceable operation, enabling login and access to user accounts, managing subscriptions).
  • 2.2.6. Duration of processing: until the data subject sends the Controller a request for erasure. The Data Controller shall delete the data from its system immediately upon receipt of the request, but within 1 month at the latest, and in the case of registered users, immediately after deletion of the user account.
  • 2.2.7. Xeropan applications may also include content and services provided by third parties (such as other service providers), which may involve the processing of data by these third parties. In particular, but not exclusively, YouTube videos are available in Xeropan, for which the Data Controller uses YouTube API Services, to which Google's Privacy Policy applies, available at the following link: http://www.google.com/policies/privacy.
• 2.3. Processing of data to further develop Xeropan applications and their content in line with user needs
  • 2.3.1. The Data Controller strives to provide its users with the best learning experience content and software. In order to achieve this, the Data Controller conducts data processing that allows it to infer what improvements and changes should be made to Xeropan applications and content. In doing so, the Data Controller examines, among other things, how the applications are used and what actions are taken by the data subjects as users. Consent can be withdrawn at any time by using the cookie management tool in the Settings interface of the Xeropan mobile application, in the Privacy settings menu, in the web application and on the website.
  • 2.3.2. Data processed: data about the data subject's device (device type, model, operating system and version number), geolocation data (inaccurate location), session origin (from which interface the data subject came), in-app events (such as: first access to the app, lessons loaded, trial started, subscription purchased), how the data subject registered (Apple, Google or Facebook), user's specific characteristics related to each app (PRO subscription status, trial in progress, learning level and duration of regular learning series), user or device identifiers, specific characteristics of the learning material used (languages learnt, language levels, classes, lessons opened and completed), data describing student performance (learning statistics, number of points and stars collected), how the user is identified in the app (guest or via Facebook, Google or AppleID), subscription status (free, PRO, on trial).
  • 2.3.3. Affected: users of Xeropan applications (on any platform).
  • 2.3.4. Legal basis for processing: in principle, the legitimate interest of the controller pursuant to Article 6(1)(f) GDPR, with the exception that geolocation data, session origin and user or device identifiers are processed by the controller on the basis of the data subject's voluntary consent pursuant to Article 6(1)(a) GDPR. The data subject's consent may be withdrawn at any time.
  • 2.3.5.Purpose of data processing: to improve, develop and modify the Service.
  • 2.3.6. Duration of processing: 7 years (but not longer than until the withdrawal of the data subject's consent, if the processing is based on the data subject's consent).
• 2.4. Measuring the effectiveness of advertising
  • 2.4.1. The purpose of measuring the effectiveness of advertisements is to understand the effectiveness and efficiency of advertisements, enabling the Data Controller to launch more successful advertising campaigns. The processing of personal data helps the Data Controller to determine which advertisements are working effectively and enables it to tailor its advertising practices accordingly. Consent can be withdrawn at any time by using the cookie management tool in the Settings interface of the Xeropan mobile application, under Privacy Settings, in the web application and on the website.
  • 2.4.2. Data processed: session origin (from which platform the data subject came from), in-app events (such as first access to the app, loading lessons, starting a trial, purchasing a subscription), user or device identifiers.
  • 2.4.3. Affected parties: users of Xeropan applications (on any platform), other potential visitors to the Xeropan website (even if they do not open the learning interface).
  • 2.4.4. Legal basis for processing: voluntary consent of the data subject pursuant to Article 6(1)(a) GDPR. The data subject's consent may be withdrawn at any time.
  • 2.4.5. Purpose of the processing: to draw conclusions that may be useful for the Data Controller's advertising activities through the aggregated analysis of the personal data of a large number of data subjects.
  • 2.4.6. Duration of processing: 7 years (but not longer than until the withdrawal of the data subject's consent).
• 2.5. Targeted advertising
  • 2.5.1. From time to time, the Data Controller may conduct targeted online marketing campaigns. This means that advertisements are targeted to individuals who have previously interacted with the Data Controller, for example through in-app activity or other user actions. The data subject may receive personalised ads based on their previous activity. Thus, the data subject may see personalised ads targeted to him or her on Xeropan in online platforms, based on an analysis of his or her previous activity. Consent can be withdrawn at any time by using the cookie management tool in the Settings interface of the Xeropan mobile application, under Privacy settings, in the web application and on the website.
  • 2.5.2. Data processed: specific characteristics of the curricula used (languages learnt, language levels, classes, lessons opened and completed), data describing student performance (learning statistics, scores and stars collected).
  • 2.5.3. Affected: users of Xeropan applications (on any platform), visitors to the Xeropan website (even if they do not open the learning interface).
  • 2.5.4. Legal basis for processing: voluntary consent of the data subject pursuant to Article 6(1)(a) GDPR. The data subject's consent may be withdrawn at any time.
  • 2.5.5. Purpose of the processing: targeted and personalised advertising, offers and discounts based on the data subject's past behaviour.
  • 2.5.6. Duration of processing: 7 years (but not longer than until the withdrawal of the data subject's consent).
• 2.6. Sending newsletters to the data subject, investigation of data subject behaviour in relation to newsletters
  • 2.6.1. The Service Provider will send newsletters and similar requests to those data subjects who subscribe to them. By registering in Xeropan, the data subject can subscribe to receive newsletters or other promotional material, offers and information from the Data Controller. The data subject has the right to withdraw his or her consent at any time, free of charge, by clicking on "Unsubscribe" at the bottom of the newsletter, by sending an email to the Service Provider's customer service. After unsubscribing, the Data Controller shall not send the data subject any further newsletters or other promotional communications and shall delete the data subject's data from the list of data subjects subscribed to the newsletter.
  • 2.6.2. The purposes of the processing are: sending newsletters or other promotional mailings, providing up-to-date information, sending system messages and notifications about the use of the Service. In order to measure the interactions of the data subject with the newsletter, the Service Provider uses a newsletter tracking code (mailgun, MailChimp), which provides feedback on the opening and reading of the newsletter and on the clicks on the newsletter.
  • 2.6.3. Data subjects: recipients of the Controller's newsletters.
  • 2.6.4. Legal basis for data processing: voluntary consent of the data subject, Article 6 (1) (a) of the GDPR, § 13/A of the Eker tv. § 6 (1). The consent of the data subject may be withdrawn at any time.
  • 2.6.5. The data processed include: email address, date and time of subscription, opening and clicking on the newsletter.
  • 2.6.6. Duration of data processing: until the data subject unsubscribes, but not longer than the period during which the Data Controller sends newsletters.
• 2.7. Newsletter ban list
  The process:
  An existing User invites one or more friends to use the Service.
  The invited friend's email address - if not already a Xeropan user - will be added to a mailing list - unless previously blocked and on the MKT list defined below - This is called a working ENTRY LIST (LIST OF EXPRESSED LISTS) -
  The system will automatically send the User a letter informing him/her that his/her friend wishes to invite him/her and requesting the Service Provider's permission to send him/her more information.
  In this letter you will have two options:
  A) You can send me a letter
  B) You can't send me a letter
  This letter will include a link to the GTC and the documents on data management.
  If you select option A) You can send:
  A1.) The Service Provider will re-subscribe you to the ENROLLED mailing list (ENG). The Service Provider will store the date of the subscription.
  A2.) The EKL will be removed from the list by the Service Provider.
  A3.) The Service Provider will send him/her the invitation letter and the reminders regarding the validity of the invitation.
  A4.) Decision:
  Become a user - You will then be transferred to the user database (USERS)
  No user - In this case, the Service Provider will remove your email address from the ENG list 72 hours after the invitation expires.
  If you select B) You could not send:
  B1.) The Service Provider opens an unsubscribe page for the User after clicking on the button
  B2.) The website runs a remarketing code that anonymously adds the user's device to a remarketing list to which the Service Provider does not send Google or Facebook ads
  B3.) The invitee must choose between two options for sending invitations "Deny permission"
  "You can't send me now"
  "You may not send and please note this address so that you do not send again". The user then ticks that he/she agrees to the storage of the address and that he/she is aware of our data processing rules.
  B3) 1 case - "You can't send now":
  Your address will not be copied to the ENG mailing list.
  The user will also be deleted from the EKL list immediately.
  If anyone invites you again, the whole process starts all over again, so if you invite someone again, you will be put back on the EKL list, receive a permission letter and can choose from the options.
  B3) In 2 cases - "You cannot send and make a note of this address so that you do not send again":
  The User's address is stored by the Service Provider with his/her consent in a SUBSCRIBER'S NOTIFICATION TO SUBSCRIBERS (MKT) newsletter list.
  Only the email address and the place, date and time of subscription to the list are stored by the Service Provider, and only so that your friends in the Xeropan base cannot invite you unnecessarily.
  If anyone wants to call you later, you will not receive a letter.
  Regardless, the User can still become a USER, but will remain on the Block list until they unsubscribe.
  If the User does not choose either option A) or B), after 72 hours the Service Provider will remove the User from the EKL list, i.e. the same will happen to the User as in option B3.1.
       2.7.1. Legal basis for data processing: the Info.tv. Article 5 (1) (b) of the GDPR, Article 6 (1) (a) of the GDPR.
       2.7.2. Concerned: those who request not to receive newsletters and invitations later
       2.7.3. Scope of the data processed: e-mail address
       2.7.4. Purpose of the processing: to avoid sending inviting e-mails and newsletters to data subjects
       2.7.5. Duration of processing: until the data subject unsubscribes or requests deletion.
  2.8. Send push messages
  • 2.8.1. The Data Controller sends so-called push messages (messages that appear as notifications on the device running the application) to users of Xeropan mobile applications, subject to the consent of the data subject. Consent to push messages can be withdrawn at any time in the settings of the data subject's mobile phone, via the Xeropan application settings.
  • 2.8.2. Legal basis for data processing: the data subject's voluntary consent, the Info tv. Article 5 (1) (b) of the Info Act, Article 6 (1) (a) of the GDPR, Article 13/A of the Eker tv. 6 (1) of the Data Protection Act.
  • 2.8.3. Data subjects: users of the Xeropan applications (on any platform), visitors to the Xeropan website (even if they do not access the learning interface). The data subject's consent may be withdrawn at any time.
  • 2.8.4. Scope of the data processed: unique device identifier.
  • 2.8.5. Purpose of the processing: to communicate with data subjects, to send messages related to Xeropan (including in particular advertisements and offers) by push messages to the data subject.
  • 2.8.6. Duration of data processing: until consent is withdrawn, but not longer than the period during which the Data Controller sends push messages.

• 2.9. Customer correspondence, complaint handling
  • 2.9.1. The data subject has the right to lodge a complaint orally, electronically or in writing in relation to the services provided by the Data Controller pursuant to Act CLV of 1997 on Consumer Protection (Act on Consumer Protection). The Data Controller shall also receive requests and comments that may not fall within this scope.
  • 2.9.2. Legal basis for processing: the data subject's voluntary consent pursuant to Article 6 (1) (a) GDPR or the fulfilment of a legal obligation pursuant to Article 6 (1) (c) GDPR, pursuant to paragraphs (3) to (5) of Article 17/A of the Act on the Protection of Personal Data. The consent of the data subject may be withdrawn at any time.
  • 2.9.3. Stakeholders: complainants and interested parties.
  • 2.9.4. The scope of the data processed: the full name, email address and other data voluntarily provided by the data subject, as well as other data specified in paragraph (5) of Article 17/A of the Act on the Protection of Personal Data.
  • 2.9.5. The purpose of data processing: to record the comments and questions of the data subject in order to improve the Service, to monitor its operation, to handle the data subject's complaints.
  • 2.9.6. Duration of data processing: until the complaint is investigated, or 3 years from the date of the written record in the case of a written record.
• 2.10. Data management related to social media platforms
  • 2.10.1. The Data Controller maintains pages and publishes content on the following social media platforms: Facebook, Instagram, TikTok, LinkedIn. E platformokhoz kapcsolódó egyes – az Adatkezelő által esetlegesen, időről, időre, de nem szükségszerűen végzett – tevékenységekhez (így különösen a szolgáltató által nyújtott oldal statisztikák eléréséhez) kapcsolódóan az adott platform üzemeltetőjével közös adatkezelőnek minősül. The terms and conditions and agreement for this joint processing are available at the links below: Facebook and Instagram, LinkedIn, TikTok.
• 2.11. Other data processing
  The Data Controller shall provide information on any additional processing not listed in this Notice at the time of the recording of the data. The court, the prosecutor, the investigating authority, the law enforcement authority, the administrative authority, the National Authority for Data Protection and Freedom of Information, or other bodies authorized by law may request the Controller to provide information, to disclose or transfer data, or to provide documents. The Data Controller shall disclose to the authorities - if the authority has indicated the exact purpose and scope of the data - personal data only to the extent and to the extent that is indispensable for the lawful implementation and fulfilment of the purpose of the request and the legal obligation.

• 2.12. Cookies and other tracking tools
  • 2.12.1. In a web environment (i.e. when using an internet browser), the use of cookies may be necessary for the correct functioning of certain functions of the Service, which in other cases may also provide certain convenience functions for the data subject and support the marketing activities of the Data Controller. Cookies placed by the Data Controller may, for example, allow the Data Controller to identify the computer of the data subject (IP address), to know his/her browsing data. The cookie may contain information that can be used to identify the data subject (User ID), which is processed by the Data Controller in particular in order to provide its services in accordance with the preferences, needs and interests of the data subject and to facilitate the use of the Service by the data subject. The data subject may disable or delete the use of cookies in his or her browser at any time, however, in the case of certain necessary cookies, this may cause certain functions of the Service to function incorrectly.
  • 2.12.2. The Data Controller uses the following types of cookies on the Xeropan website and in the Xeropan web application (the tool at the bottom of the interface allows you to read the description of each cookie separately and to give or refuse/deny consent for each group separately):
    • 2.12.2.1. Necessary: the use of which is essential for the proper and correct functioning of the website or application.
    • 2.12.2.2. Functional: the use of these cookies helps improve the performance of the site or application and allows for personalisation.
    • 2.12.2.3. Statistical: allows the Data Controller to collect anonymous data related to the website to understand the usage patterns of the website and the application, and to improve the application based on user behaviour.
    • 2.12.2.4. Marketing: to enable the presentation of relevant advertisements to the data subject, based on the data subject's activity, and to support the Data Controller's marketing activities with information (by measuring the effectiveness of the advertisements).
  • 2.12.3. The Data Controller may, but not necessarily always, use third-party tracking codes, which use cookies or other similar means to identify the data subject on web interfaces. Accordingly, based on your browsing history and activity, advertisements may be presented to the data subject. The Data Controller may provide third party advertising service providers with the possibility to publish advertisements when using the Service. These advertising service providers may place cookies on the computer and/or mobile phone of the data subject in order to track their browsing data, the advertisements viewed, in order to provide their own service in accordance with the needs and interests of the data subject. This Notice does not apply to, and the Data Controller shall not be liable for, the data management practices of these external advertising service providers.
  • 2.12.4. In order to better understand the use of the Service by the data subject, the Data Controller is assisted by external service providers (in particular Google Analytics) to measure and audit the traffic and other analytical data of the Xeropan website and the Xeropan web and mobile application. These external service providers may use cookies, APIs and other tools in their operations, which allow them to collect and process data for the Service Provider. This Notice does not apply to, and unless otherwise provided by law, the Controller shall not be liable for, the data processing practices of these external service providers. The data subject can find out about their data processing at the following address: https://www.google.com/analytics/
  • 2.12.5. They apply for each of the purposes of processing listed in this Section 2.12 above.
  • 2.12.6. Browsers give you the option to change your cookie settings in general. Most browsers automatically allow cookies by default, but this can be changed to prevent automatic acceptance once set. For information on the settings of some popular browsers, see the links below:
    Google Chrome; Firefox; Microsoft Internet Explorer 11; Microsoft Internet Explorer 10; Microsoft Edge

• 2.13. Link to the Xeropan Classroom Application
  • 2.13.1. In the event that the data subject is connected to the language teacher profile created in Xeropan Classroom (hereinafter referred to in this paragraph as "Classroom Account") through his/her Xeropan user account, the holder of the Classroom Account may have access to certain personal data of the Xeropan user (in particular: name, likeness, progress in language tasks, data entered in tasks, evaluation of tasks, comparison of the results of tasks completed with the results of other users) and the holder of the Classroom Account may create a study group. When logged into the created study group (depending on the Classroom Account settings), this data or part of this data may be made available to other users of the Xeropan application assigned to the study group.
  • 2.13.2. Connecting to a user account created in Xeropan Classroom is not automatic, it requires an explicit initiative from one party (e.g. an invitation from the language teacher using the Xeropan Classroom app) and an explicit approval from the other party (e.g. acceptance of said invitation), and data sharing with other members of the study group can be set up separately (in the Classrooom Account). From the establishment of this relationship, the Data Controller shall be considered a data processor in this respect and the Classroom Account holder shall be considered a data controller in respect of the collection and other processing of data (in respect of the data of the learners) for the Classroom Account holder in accordance with the settings of the Classroom Account. Accordingly, the Data Controller shall not carry out any investigation in this respect (in particular, it shall not investigate the relationship between the Classroom Account holder and the data subject) and shall not be liable. For the purposes of this paragraph, the Classroom Account holder shall be considered to be anyone who accesses the Classroom Account.

3. How personal data are stored, security of processing
   • 3.1. The Data Controller's computer systems and other data storage locations are located partly at its headquarters and partly at its data processors, to which the Data Controller's data processors, in addition to the Data Controller (and its employees), may have access, where justified. The primary place of data processing is on the servers of the data processors of Hetzner Online GmbH in Germany.
   • 3.2. The Data Controller has the technical, organisational and organisational measures in place to ensure and maintain the security of data processing, and thus the Data Controller provides protection in particular against:
     • 3.2.1. unauthorised access,
     • 3.2.2. change,
     • 3.2.3. Forwarding
     • 3.2.4. disclosure,
     • 3.2.5. deletion or destruction, and
     • 3.2.6. accidental destruction and damage, and
     • 3.2.7. against inaccessibility due to changes in the technology used.
   • 3.3. Having regard to the state of the art, the Controller and the processor(s) shall choose the data security measures that provide an adequate level of protection against the risks associated with the processing and shall choose the solution that ensures a higher level of protection of personal data from among several possible solutions, unless this would impose a disproportionate burden on the Service Provider.
   • 3.4. The Data Controller ensures the security of personal data through server-level and application-level security procedures.
4. Recipients of personal data, data processors
   The Data Controller uses third party processors to carry out certain processing activities, who perform certain processing operations on behalf of the Data Controller. An up-to-date list of recipients of personal data and processors is available on this website link, which will be updated by the Data Controller from time to time as necessary. We encourage you to visit this page for up-to-date information.

5. The main rights of the data subject in relation to data processing
   • 5.1. In particular, the data subject has the following rights in relation to data processing under the GDPR.
     • 5.1.1.The right to information and access to the personal data processed,
     • 5.1.2. Right to rectify data,
     • 5.1.3.Right to data erasure,
     • 5.1.4. Right to restriction of processing,
     • 5.1.5.Right to data retention,
     • 5.1.6.Right to object,
     • 5.1.7.Exclusion of automated decision-making in individual cases, including profiling,
     • 5.1.8. Right to withdraw consent.
   • 5.2. Definitions of rights, more detailed rules, conditions and exceptions are set out in the annex to this notice. If you wish to exercise your data subjects' rights or have any questions, please contact info@xeropan.com.
6. Contact and redress
   • 6.1. The Data Controller can be contacted with any questions or comments related to data management using the contact details provided in this notice. If you have any concerns, please contact the Data Controller at info@xeropan.com.
   • 6.2. Right to apply to the courts
     The data subject may take the Data Controller to court in the event of a breach of his or her rights. The court shall rule on the case out of turn.
   • 6.3. Data Protection Authority procedure
     You can lodge a complaint with the National Authority for Data Protection and Freedom of Information: Name: National Authority for Data Protection and Freedom of Information Headquarters: 1125 Budapest, 1055 Budapest, Falk Miksa utca 9-11., Postal address: 1363 Budapest, Pf.: 9. Phone: +36 (30) 683-5969, +36 (30) 549-6838, +36 (1) 391 1400, Fax: +36 (1) 391-1410, E-mail: ugyfelszolgalat@naih.hu

7. Informing data subjects about the data breach
   • 7.1. Data breach: a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
   • 7.2. Where the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the Data Controller shall inform the data subjects of the personal data breach without undue delay and in a clear and plain language.
   • 7.3. The data subject need not be informed if any of the following conditions are met:
     • 7.3.1. the Data Controller has implemented appropriate technical and organisational protection measures and these measures have been applied to the data affected by the personal data breach, in particular measures such as the use of encryption, which render the data unintelligible to persons not authorised to access the personal data;
     • 7.3.2. the controller has taken additional measures following the personal data breach to ensure that the high risk to the rights and freedoms of the data subject is no longer likely to materialise;
     • 7.3.3. information would require a disproportionate effort. In such cases, the data subjects should be informed by means of publicly disclosed information or by a similar measure which ensures that the data subjects are informed in an equally effective manner.

8. Other provisions
   The Data Controller reserves the right to update this Privacy Notice unilaterally in the light of changes in its data management practices, while notifying the data subjects and respecting their rights.

ANNEX

DETAILS OF THE RIGHTS OF THE PARTIES CONCERNED

For more detailed information on the main rules, exceptions and conditions of data subjects' rights related to data processing under the Prospectus, please consult this Annex.

1. The right to information and access to the personal data processed:
   • 1.1. The data subject has the right to receive feedback from the Data Controller as to whether or not his or her personal data are being processed and, if such processing is taking place, the right to access the personal data and the following information:
     • 1.1.1. the purposes of the processing;
     • 1.1.2. the categories of personal data concerned;
     • 1.1.3. the categories of recipients or recipients to whom or which the personal data have been or will be disclosed, including in particular recipients in third countries and international organisations;
     • 1.1.4. where applicable, the envisaged period of storage of the personal data or, if this is not possible, the criteria for determining that period;
     • 1.1.5. the right of the data subject to obtain from the controller the rectification, erasure or restriction of the processing of personal data concerning him or her and to object to the processing of such personal data;
     • 1.1.6. the right to lodge a complaint with a supervisory authority;
     • 1.1.7. if the data were not collected from the data subject, any available information on their source;
     • 1.1.8. the fact that automated decision-making, including profiling, is taking place and, at least in these cases, the logic used and clear information on the significance of such processing and the likely consequences for the data subject.
   • 1.2. If personal data are transferred to a third country or an international organisation, the data subject is entitled to be informed of the appropriate safeguards regarding the transfer.
   • 1.3. The Data Controller shall provide the data subject with a copy of the personal data processed. For additional copies requested by the data subject, the Controller may charge a reasonable fee based on administrative costs. Where the data subject has made the request by electronic means, the Controller shall provide the information in a commonly used electronic format, unless the data subject requests otherwise.
   • 1.4. The right to request a copy referred to in the previous paragraph shall not adversely affect the rights and freedoms of others.
   • 1.5. The above rights can be exercised through the contact details of the Data Controller indicated above.
2. Right of rectification
   • 2.1. The data subject may request that inaccurate personal data relating to him or her processed by the Controller be corrected without delay and that incomplete data be completed.
3. Right to erasure
   • 3.1. The data subject shall have the right to obtain from the Data Controller, upon his or her request, the erasure of personal data relating to him or her without undue delay where one of the following grounds applies and the Data Controller shall be obliged to comply with the data subject's request where one of the grounds applies:
     • 3.1.1. the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
     • 3.1.2. the data subject withdraws the consent on which the processing is based and there is no other legal basis for the processing;
     • 3.1.3. the data subject objects to the processing and there are no overriding legitimate grounds for the processing or where the processing would be for direct marketing purposes;
     • 3.1.4. the personal data have been unlawfully processed;
     • 3.1.5. the personal data must be erased in order to comply with a legal obligation under Union or Member State law applicable to the Data Controller;
     • 3.1.6. personal data are collected in connection with the provision of information society services.
   • 3.2. The erasure of data cannot be initiated if the processing is necessary:
     • 3.2.1. to exercise the right to freedom of expression and information;
     • 3.2.2. to comply with an obligation under Union or Member State law that requires the controller to process personal data or in the public interest;
     • 3.2.3. for preventive health or occupational health purposes, to assess an employee's ability to work, to make a medical diagnosis, to provide health or social care or treatment, or to manage health or social care systems and services, under EU or Member State law or under a contract with a health professional and the processing of that data is carried out by or under the responsibility of that professional, who is subject to a duty of professional secrecy under Union or Member State law or under rules laid down by the competent authorities of the Member States or by another person who is also subject to a duty of secrecy under Union or Member State law or under rules laid down by the competent authorities of the Member States;
     • 3.2.4. in the public interest in the field of public health, such as protection against serious cross-border threats to health or ensuring a high level of quality and safety of healthcare, medicines and medical devices, and on the basis of Union or Member State law which provides for adequate and specific measures to safeguard the rights and freedoms of the persons concerned, in particular professional secrecy;
     • 3.2.5. on grounds of public interest in the field of public health and the processing of such data is carried out by or under the responsibility of a professional subject to the obligation of professional secrecy under Union or Member State law or the rules established by the competent authorities of the Member States, or by another person who is also subject to the obligation of professional secrecy under Union or Member State law or the rules established by the competent authorities of the Member States;
     • 3.2.6. archiving in the public interest, for scientific or historical research purposes or for statistical purposes, where the right of erasure would be likely to render such processing impossible or seriously jeopardise it; or
     • 3.2.7. to bring, enforce or defend legal claims.

4. Right to restriction of processing
   • 4.1. The data subject shall have the right to obtain, at his or her request, the restriction of processing by the controller if one of the following conditions is met:
     • 4.1.1. the data subject contests the accuracy of the personal data, in which case the restriction applies for a period of time which allows the accuracy of the personal data to be verified;
     • 4.1.2. the data processing is unlawful and the data subject opposes the erasure of the data and requests instead the restriction of their use;
     • 4.1.3. the controller no longer needs the personal data for the purposes of processing, but the data subject requires them for the establishment, exercise or defence of legal claims; or
     • 4.1.4. the data subject has objected to the processing; in this case, the restriction applies for the period until it is established whether the legitimate grounds of the Controller prevail over the legitimate grounds of the data subject.
   • 4.2. Where processing is restricted, personal data, other than storage, may be processed only with the consent of the data subject or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or of an important public interest of the Union or of a Member State.
5. Right to data retention
   • 5.1. The data subject shall have the right to obtain the personal data concerning him or her which he or she has provided to the Controller in a structured, commonly used, machine-readable format and to transmit those data to another Controller, without hindrance by the Controller, where the processing is based on consent or on a contract; and the processing is carried out by automated means.
   • 5.2. The data subject has the right to request, where technically feasible, the direct transfer of personal data between Data Controllers. This right shall not apply where the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. The right to data portability shall not adversely affect the rights and freedoms of others.
6. Right to object
   • 6.1. The data subject shall have the right to object at any time, on grounds relating to his or her particular situation, to processing of his or her personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, or necessary for the purposes of the legitimate interests pursued by the controller or by a third party, including profiling based on those provisions.
   • 6.2. In the event of an objection, the Controller may no longer process the personal data, unless it is justified by compelling legitimate grounds which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims.
7. Exclusion of automated decision-making in individual cases, including profiling
   • 7.1. The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
8. Right to withdraw consent
   • 8.1. The data subject has the right to withdraw his or her consent at any time, provided that consent is the legal basis for the processing. This shall not be more onerous for him/her than giving consent.