PRIVACY NOTICE AND DATA PROTECTION POLICY

This Policy applies to Orso Forte Kft., the balatonibob.hu website, and the services and data processing activities directly related to the facebook.com/BalatoniBob Facebook page, and governs the storage and processing of personal data voluntarily provided by customers and employees.

We collect and process personal data only in accordance with the applicable laws.

We store the data in the most secure way possible. Personal data is only shared with third parties with the consent of the data subject.

We provide anyone with information about the data stored about them, and they may request the deletion of their data at any time through our contact details.

Introduction

Orso Forte Kft. – (8184 Balatonfűzfő, Uszoda u. 2, Tax Number: 29163209-2-19, Company Registration Number: 19-09-521893) – as the Data Controller, hereby acknowledges the contents of this legal notice as binding upon itself. It undertakes that all data processing activities related to its operations will comply with this policy, the applicable national laws, and the requirements set forth in the legal acts of the European Union.

Section 20 (1) of Act CXII of 2011 on the Right of Informational Self-Determination and Freedom of Information states that the data subject (in this case the website user, the service user, or the employee) must be informed, before the commencement of data processing, whether the processing is based on consent or is mandatory.

The data subject must be clearly and comprehensively informed of all facts related to the processing of their personal data before the processing begins, including, in particular, the purpose and legal basis of the processing, the identity of the person authorized to carry out the processing and data processing, and the duration of the data processing.

In accordance with Section 6 (1) of the Act on Information Self-Determination and Freedom of Information (Info tv.), the data subject must also be informed that personal data may be processed even if obtaining the data subject’s consent is impossible or would involve disproportionate cost, and the processing of personal data is

• necessary for the fulfillment of a legal obligation applicable to the data controller, or
• necessary for the enforcement of the legitimate interests of the data controller or a third party, provided that the enforcement of such interest is proportionate to the limitation of the right to the protection of personal data.

The information must also cover the data subject’s rights related to data processing and the available legal remedies.

If direct personal notification of the data subjects is impossible or would involve disproportionate cost, the information may also be provided by making the following information publicly available:

1. the fact of data collection,
2. the categories of data subjects,
3. the purpose of data collection,
4. the duration of the data processing,
5. the identity of the potential data controllers authorized to access the data,
6. the description of the data subjects’ rights and legal remedies related to data processing, and
7. if the data processing is subject to registration in the data protection register, the registration number of the data processing activity.

The term of this Policy is effective from 25 May 2018 and remains in force until revoked.

Any amendments shall take effect upon publication on the website balatonibob.hu.

This Policy and the Data Processing Declaration made by the Customer, as an annex, constitute part of the Assignment Agreement.

DEFINITIONS

• Data subject / user: any identified or identifiable natural person, directly or indirectly, based on personal data.
• Personal data: any information relating to a data subject — in particular the data subject’s name, identification mark, and any knowledge relating to one or more physical, physiological, mental, economic, cultural, or social characteristics of the data subject — as well as any inference drawn from such data regarding the data subject.
• Data controller: the natural or legal person, or organization without legal personality, who or which, alone or jointly with others, determines the purposes of data processing, makes and implements decisions regarding data processing (including the tools used), or carries out such processing through a contracted data processor.
• Data processing: any operation or set of operations performed on data, regardless of the procedure applied, including but not limited to collecting, recording, organizing, storing, modifying, using, querying, transmitting, disclosing, aligning or linking, locking, deleting, and destroying data, as well as preventing further use of the data, making photo, audio, or video recordings, and recording physical characteristics suitable for identifying a person (e.g., fingerprints, palm prints, DNA sample, iris image).
• Data processing (technical tasks): the performance of technical tasks related to data processing operations, regardless of the methods and tools used or the location of the application, provided that the technical task is performed on the data.
• Data processor: the natural or legal person, or organization without legal personality, who or which processes data based on a contract with the data controller — including contracts concluded based on statutory provisions.
• Data protection incident: unlawful processing or handling of personal data, including but not limited to unauthorized access, modification, transmission, disclosure, deletion, or destruction, as well as accidental destruction.
• Special categories of data: personal data relating to racial or ethnic origin, political opinion or party affiliation, religious or other ideological beliefs, membership in advocacy organizations, sexual life, health status, or addictive conditions.
• Consent: the voluntary and explicit expression of the data subject’s will based on adequate information, by which the data subject gives unambiguous consent to the processing of their personal data in full or for specific operations.
• Data transfer: making data accessible to a specified third party.
• Disclosure: making data accessible to anyone.
• Data deletion: rendering data unrecognizable in such a way that recovery is no longer possible.
• Data publisher: a public authority performing a public task that publishes data received from the data controller on its website if the data controller does not publish the data itself.
• Data set: the totality of data processed in a single record or register.
• Third party: any natural or legal person, or organization without legal personality, other than the data subject, the data controller, or the data processor.
• EEA state: a member state of the European Union, and any other state party to the Agreement on the European Economic Area, as well as any state whose citizens enjoy equal status with the citizens of an EEA state under an international agreement between that state and a state party to the Agreement on the European Economic Area.
• Third country: any state that is not an EEA state.
• Automated processing: includes the following operations, if performed partly or wholly by automated means: storing data, performing logical or arithmetic operations on the data, modifying, deleting, retrieving, and distributing the data.

LEGAL FRAMEWORK

The data controller undertakes to carry out its activities in accordance with the applicable laws in force at all times.

Regulation (EU) 2016/679 of the European Parliament and of the Council (27 April 2016) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, GDPR);

• Act CXII of 2011 – on the Right of Informational Self-Determination and Freedom of Information (hereinafter: Info tv.)
• Act CVIII of 2001 – on certain issues of electronic commercial services and information society services (primarily Section 13/A)
• Act XLVII of 2008 – on the prohibition of unfair commercial practices against consumers
• Act XLVIII of 2008 – on the basic conditions and certain limitations of economic advertising activities (in particular Section 6)
• Act XC of 2005 – on Electronic Freedom of Information
• Act C of 2003 – on Electronic Communications (specifically Section 155)
• Opinion No. 16/2011 on the EASA/IAB Recommendation on best practices for behavioural online advertising
• Recommendation of the National Authority for Data Protection and Freedom of Information on the data protection requirements of prior information

DATA CONTROLLER DETAILS

Data controller details:

Name: Orso Forte Kft.
Address: 8184 Balatonfűzfő, Uszoda u. 2.
Tax Number: 29163209-2-19
Company Registration Number: 19-09-521893
Registering Court: Veszprém County Court (Veszprémi Törvényszék)
Phone: +36 30 143 0000
Email: bob@balatonibob.hu

Data Protection Officer (DPO):

Name: Szilárd Kovács
Address: 8184 Balatonfűzfő, Uszoda u. 2.
Phone: +36 30 143 0000
Email: bob@balatonibob.hu

The Data Protection Officer (DPO):

1. provides information and professional advice to the data controller, the data processor, and their employees regarding their obligations under data protection law;
2. monitors compliance with the GDPR and other legal provisions, as well as with internal rules on the protection of personal data, including the assignment of responsibilities, raising awareness and training of personnel involved in data processing activities, and related audits;
3. upon request, provides professional advice on data protection impact assessments and monitors their implementation;
4. cooperates with the supervisory authority;
5. acts as the contact point for the supervisory authority in matters related to data processing, and, where applicable, consults with the authority on any other related issues [GDPR Article 39].

DATA STORAGE

The processed data must be stored in such a way that unauthorized persons — including employees who are not authorized to access or process the data — cannot gain access to them. For paper-based data carriers, this requires the establishment of a physical storage and filing system; for data processed electronically, a centralized access control system must be used.

The method of storing data electronically must be chosen so that the data can be deleted when the data retention period expires (taking into account any differing deletion deadlines), or whenever deletion is otherwise necessary. Deletion must be irreversible.

Paper-based data carriers must be deprived of personal data using a shredder or by engaging an external company specialized in document destruction. For electronic data carriers (hard drives, optical media, magnetic media, printers, multifunction devices’ storage, flash (NAND) media, SIM cards, mobile devices, phones, PDAs, tablets, laptops, etc.), physical destruction must be carried out in accordance with the rules on the disposal of electronic media, and, if necessary, the data must first be securely and irreversibly deleted.

The destruction of data carriers must be monitored and documented, and the documentation must be retained in a retrievable manner and disposed of in accordance with disposal rules.

DATA PROCESSING RELATED TO WEBSITE OPERATION AND USE OF SERVICES

WEBSITE VISITS AND REGISTRATION

Pursuant to Section 20 (1) of Act CXII of 2011 on the Right of Informational Self-Determination and Freedom of Information, the following must be defined within the scope of data processing related to the operation/functioning of the website:

1. the fact of data collection,
2. the categories of data subjects,
3. the purpose of data collection,
4. the duration of data processing,
5. the identity of the potential data controllers authorized to access the data,
6. the description of the data subjects’ rights related to data processing.

Purpose of Data Processing	Identification of website visitors, making electronic services available to them, providing information, maintaining contact, and speeding up administrative processes.
Legal Basis of Data Processing	voluntary consent
Categories of Data Subjects	All data subjects who visit the website and those who register on the website.
Categories of Data	Name Email address Phone number Date and time of registration IP address at the time of registration
Source of the Data	All data subjects who visit the website and those who register on the website.

1. Duration of Data Processing / Data Deletion Deadline: The data shall be deleted immediately upon the deletion of the registration. However, this does not apply to accounting documents, as these data must be retained for 8 years pursuant to Section 169 (2) of Act C of 2000 on Accounting. Accounting vouchers that directly or indirectly support bookkeeping (including general ledger accounts, analytical records, and detailed registers) must be kept in a readable format and be retrievable based on accounting references for at least 8 years.
2. Persons Authorized to Access the Data (Potential Data Controllers):Personal data may be processed by the data controller’s sales and marketing staff, in compliance with the principles set forth above.
3. Information on the Data Subjects’ Rights Related to Data Processing: Data subjects may request the deletion or modification of their personal data through the following channel: by email at bob@balatonibob.hu
4. Legal Basis of Data Processing: The legal basis for data processing is the User’s consent, pursuant to Section 5 (1) of Act CXII of 2011 on the Right of Informational Self-Determination and Freedom of Information (Info tv.), and Section 13/A (3) of Act CVIII of 2001 on Electronic Commerce and Information Society Services, which states: The service provider may process personal data that are technically indispensable for providing the service. If all other conditions are equal, the service provider must select and operate the tools used in the provision of the information society service in such a way that personal data are processed only if absolutely necessary for providing the service and fulfilling the purposes defined in this Act, and even then only to the extent and for the duration necessary.

REQUEST FOR INFORMATION

Purpose of Data Processing	Providing the data subject with appropriate information and maintaining contact.
Legal Basis of Data Processing	the data subject’s consent
Categories of Data Subjects	All natural persons who contact the Data Controller and request information from the Data Controller, providing their personal data.
Categories of Data	Name Email address Phone number Address / Delivery address Specific content of the information request
Source of the Data	All natural persons who contact the Data Controller and request information from the Data Controller, providing their personal data.
Data Processors / Recipients of Personal Data	Szilárd Kovács, Managing Director
Data Deletion Deadline	Until the purpose is fulfilled

REQUEST FOR QUOTATION

Purpose of Data Processing	Providing the appropriate offer to the data subject and maintaining contact.
Legal Basis of Data Processing	the data subject’s consent
Categories of Data Subjects	All natural persons who request an offer from the Data Controller regarding a given service and/or product, providing their personal data.
Categories of Data	Name Email address Phone number Address / Delivery address Name and quantity of the product or service requested for the quotation Requested delivery and performance deadline required for the quotation Special requirements
Source of the Data	All natural persons who request an offer from the Data Controller regarding a given service and/or product, providing their personal data.
Data Processors / Recipients of Personal Data	Szilárd Kovács, Managing Director
Data Deletion Deadline	Upon the expiry of the offer validity period.

PURCHASE / SERVICE AGREEMENT

This Policy constitutes Annex No. 3 to the Service Agreement.

The Data Processing Declaration made by the Customer constitutes Annex No. 4 to the Service Agreement.

Purpose of Data Processing	Conclusion of the Service Agreement with the data subject for the use of services, defining and amending the content of the Agreement, monitoring its performance, invoicing fees arising from it, enforcing related claims, and maintaining contact.
Legal Basis of Data Processing	the data subject’s consent; and/or the performance of the contract
Categories of Data Subjects	All natural persons who enter into a Service Agreement with the Data Controller regarding a specific service and/or product, providing their personal data.
Categories of Data	Name Email address Phone number Address / Delivery address Special requirements Name and quantity of the ordered product or service Delivery or performance deadline Payment method and payment schedule Discounts Data related to payment and outstanding debts
Source of the Data	All natural persons who enter into a Service Agreement with the Data Controller regarding a given service and/or product, providing their personal data.
Data Processors / Recipients of Personal Data	Szilárd Kovács, Managing Director
Data Deletion Deadline	The retention period prescribed by law

INVOICING

This Policy constitutes Annex No. 3 to the Service Agreement.

The Data Processing Declaration made by the Customer constitutes Annex No. 4 to the Service Agreement.

Purpose of Data Processing	Implementation of the Service Agreement, invoicing fees arising from it, enforcing related claims, and maintaining contact.
Legal Basis of Data Processing	performance of the contract
Categories of Data Subjects	All natural persons who enter into a Service Agreement with the Data Controller regarding a given service and/or product, providing their personal data.
Categories of Data	Name Email address Phone number Address / Delivery address Special requirements Name and quantity of the ordered product or service Delivery or performance deadline Payment method and payment schedule Discounts Data related to payment and outstanding debts
Source of the Data	All natural persons who enter into a Service Agreement with the Data Controller regarding a given service and/or product, providing their personal data.
Data Processors / Recipients of Personal Data	Szilárd Kovács, Managing Director
Data Deletion Deadline	The retention period prescribed by law

REGISTRATION DATABASE – CUSTOMER DATA

Purpose of Data Processing	Providing information, making price offers, maintaining contact, and identifying the customer for the next purchase in order to speed up the order process.
Legal Basis of Data Processing	the data subject’s consent
Categories of Data Subjects	All registered customers
Categories of Data	Name Address Delivery address Email address Phone number
Source of the Data	All registered customers
Data Processors / Recipients of Personal Data	Szilárd Kovács, Managing Director
Data Deletion Deadline	6 months after the last login

Data subjects may request the modification or deletion of their data via email at bob@balatonibob.hu , by post to the address 8184 Balatonfűzfő, Uszoda u. 2., or by phone at +36 30 143 0000.

PROCESSING OF EMPLOYEE-RELATED DATA

EMPLOYMENT-RELATED DATA

Purpose of Data Processing	establishment, performance, or termination of employment
Legal Basis of Data Processing	legal authorization
Categories of Data Subjects	Employees of Orso Forte Kft.
Categories of Data	Name, birth name Mother’s maiden name Place of birth Date of birth Marital status Tax identification number Social Security number (TAJ) Citizenship Hungarian bank account number Permanent address Residence address Mailing address Signature Copies of certificates of education Copies of personal documents Statement regarding employment with other employers Salary and payroll data Performance and suitability for advancement, job position / promotions Data and information related to the employment contract Previous employment history Information related to the termination of previous employment Data related to disciplinary actions and liability Training, courses, and educational programs Information on dependents or other beneficiaries Personal data of family members to the extent required by law (for additional leave purposes) Declaration regarding maternity leave, childcare leave, parental leave, old-age / service / early retirement / disability pension
Source of the Data	Employees of Orso Forte Kft.
Data Processors / Recipients of Personal Data	Szilárd Kovács, Managing Director
Data Processor	Andrea Fekete, sole proprietor
Data Deletion Deadline	The retention period specified by the applicable laws.

DATA RELATED TO RECRUITMENT

Purpose of Data Processing	Selection of suitable employees to fill vacant positions and the processing of applicants’ personal data.
Legal Basis of Data Processing	the data subject’s consent
Categories of Data Subjects	Individuals who submit their CVs to Orso Forte Kft.
Categories of Data	Name Date of birth Mother’s name Address Education details Photograph Other data provided by the data subject
Source of the Data	Individuals who submit their CVs to Orso Forte Kft.
Data Processors / Recipients of Personal Data	Szilárd Kovács, Managing Director
Data Deletion Deadline	1 year from the date of data collection

PROCESSING OF DATA RELATED TO LOYALTY CARDS / CUSTOMER CARDS

Purpose of Data Processing	Providing information to registered customers, making price offers, granting discounts, maintaining contact, and identifying the customer during the next purchase.
Legal Basis of Data Processing	the data subject’s consent
Categories of Data Subjects	All registered customers
Categories of Data	Name Address Delivery address Email address Phone number
Source of the Data	All registered customers
Data Processors / Recipients of Personal Data	Szilárd Kovács, Managing Director
Data Deletion Deadline	1 year after the last purchase

PROCESSING OF DATA RELATED TO INCIDENT REPORTS

Purpose of Data Processing	Documenting accidents that occurred in the leisure park.
Legal Basis of Data Processing	legal obligation
Categories of Data Subjects	All persons involved in the accident.
Categories of Data	Name Address Phone number Email address Health data Circumstances of the accident
Source of the Data	All persons involved in the accident.
Data Processors / Recipients of Personal Data	Szilárd Kovács, Managing Director
Data Deletion Deadline	as prescribed by law

Data Processors

Hosting Service Provider

1. Activity Performed by the Data Processor: Hosting services
2. Name and Contact Details of the Data Processor:
   • Name:
     Address:
     Telephone:
     Email:
3. Fact of Data Processing and Scope of the Data Processed: All personal data provided by the data subject.
4. Categories of Data Subjects: All data subjects using the website.
5. Purpose of Data Processing: Ensuring the availability and proper operation of the website.
6. Duration of Data Processing and Deadline for Data Erasure: Immediately upon deletion of the registration.
7. Legal Basis of Data Processing: The consent of the User; Section 5 (1) of the Information Act (Act CXII of 2011); and Section 13/A (3) of Act CVIII of 2001 on Electronic Commerce Services and on Certain Issues of Information Society Services.

Accounting

1. Activity Performed by the Data Processor: Accounting and payroll processing
2. Name and Contact Details of the Data Processor:
   • Name: Andrea Fekete, sole proprietor
     Address: 8175 Balatonfűzfő, Balaton körút 49/B., Hungary
     Telephone: +36 30 581 7148
     Email: konyveles.fuzfo@gmail.com
3. Fact of Data Processing and Scope of the Data Processed: All personal data provided by the data subject.
4. Categories of Data Subjects: All data subjects making purchases in the Leisure Park. Employees of the company.
5. Purpose of Data Processing: By recording invoices and carrying out payroll processing, the company fulfills its statutory obligations.
6. Duration of Data Processing and Deadline for Data Erasure: The duration of data processing and the deadline for data erasure are determined by the applicable laws.
7. Legal Basis of Data Processing: Voluntary consent of the data subject and statutory requirements.

Video Surveillance System

Purpose of Data Processing	for the purpose of preventing accidents, protecting physical integrity, and preventing potential minor offences and crimes against property
Legal Basis of Data Processing	In the case of guests, the data subject’s voluntary consent is given by entering the premises; in the case of employees, the provisions of Act CXXXIII of 2005 on the rules of personal and property protection and private investigation activities, as well as the provisions of Act I of 2012 on the Labour Code, apply.
Categories of Data Subjects Categories of Data	The facial images of persons entering the Company’s premises as captured by the camera system, as well as any other inferences that can be drawn from the recordings made by the surveillance system.
Source of the Data	Recordings from the installed surveillance cameras
Data Processors / Recipients of Personal Data	Szilárd Kovács, Managing Director
Data Deletion Deadline	Pursuant to the provisions of Act CXXXIII of 2005 on the rules of personal and property protection and private investigation activities, the deadline for filing a complaint is 3 calendar days, and the retention period for the recordings is 6 years.

The Company does not operate an electronic surveillance system for the purpose of monitoring its employees, nor is it intended to influence employee behavior in the workplace.

The operated camera system also records audio.

The Company’s management is committed to operating only cameras with public positions that are visible to both employees and guests on the premises of the business.

Orso Forte Ltd. deletes camera recordings if they are not used after the statutory retention period. Recordings may be retained for more than 6 years only if a competent authority orders the retention of the recording during a legal proceeding, or if the data subject requests the data controller to retain the recording concerning them to prove a legitimate interest. The legitimacy of such a request is assessed by the Company’s Data Protection Officer, who ensures the recording is properly exported and secured in accordance with legal requirements.

In the case of an official request, the Company will immediately provide the retained recording to the requesting authority. If no request concerning a secured recording is received, the Company will destroy the recording after 30 days.

Detailed information: Information on the video surveillance system.

HANDLING OF COOKIES

1. Pursuant to Section 20 (4) of Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information, the following must be defined in relation to the website’s cookie data processing:

• The fact of data collection
• The categories of data subjects
• The purpose of data collection
• The duration of data processing
• The persons or entities authorized to access the data
• Information on the data subjects’ rights in relation to data processing

1. Fact of data processing and scope of processed data: Unique identification number, dates, and times.
2. Scope of data subjects: All data subjects visiting the website.
3. Purpose of data processing: Identification of users and tracking of visitors.
4. Duration of data processing and deadline for data deletion: In the case of session cookies, the duration of data processing lasts until the end of the website visit; in other cases, it lasts for one and a half years.
5. Persons who may have access to the data (potential data controllers): Through the use of cookies, the data controller does not process personal data.
6. Information on the data subjects’ rights related to data processing: Data subjects have the option to delete cookies in their browser, usually under the Tools/Settings menu, within the Privacy settings.
7. Legal basis of data processing: The consent of the data subject is not required if the sole purpose of using cookies is the transmission of communication over an electronic communications network, or if the use of cookies is strictly necessary for the provision of an information society service explicitly requested by the subscriber or user.
8. The data controller uses Facebook remarketing code. In this context, the following information is provided: Cookie lifetime: 20 days; Purpose of data processing: personalization of Facebook advertisements; Further information: http://hu-hu.facebook.com/help/cookies.

GOOGLE ADWORDS CONVERSION TRACKING

1. The data controller uses the online advertising program called Google AdWords and, within its framework, also makes use of Google’s conversion tracking service. Google conversion tracking is an analytics service provided by Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; “Google”).
2. When a User reaches a website via a Google advertisement, a cookie required for conversion tracking is placed on the User’s computer. These cookies have a limited validity period and do not contain any personal data; therefore, the User cannot be identified through them.
3. When the User browses certain pages of the website and the cookie has not yet expired, both Google and the data controller can see that the User clicked on the advertisement.
4. Each Google AdWords customer receives a different cookie; therefore, cookies cannot be tracked across the websites of AdWords customers.
5. The information obtained through conversion tracking cookies is used to compile conversion statistics for AdWords customers who have opted for conversion tracking. Customers are informed about the number of users who clicked on their advertisement and were redirected to a page tagged with a conversion tracking label. However, they do not gain access to information that would enable them to identify any individual user.
6. If the User does not wish to participate in conversion tracking, they may refuse it by disabling the installation of cookies in their browser. In this case, the User will not be included in the conversion tracking statistics.
7. Further information, as well as Google’s privacy policy, is available at the following link:
8. www.google.de/policies/privacy/

USE OF GOOGLE ANALYTICS

1. The website uses Google Analytics, a web analytics service provided by Google Inc. (“Google”). Google Analytics uses so-called “cookies”, which are text files stored on your computer, to help analyze how users use the website.
2. The information generated by cookies relating to your use of the website is generally transmitted to and stored on one of Google’s servers in the United States. By activating IP anonymization on this website, Google will truncate the user’s IP address within Member States of the European Union or in other states party to the Agreement on the European Economic Area prior to transmission.
3. Only in exceptional cases is the full IP address transmitted to a Google server in the USA and shortened there. On behalf of the operator of this website, Google will use this information to evaluate the user’s use of the website, to compile reports on website activity for the website operator, and to provide other services relating to website and internet usage.
4. Within the framework of Google Analytics, the IP address transmitted by the user’s browser will not be merged with other data held by Google. Users may prevent the storage of cookies by selecting the appropriate settings in their browser; however, please note that in this case not all functions of this website may be fully usable.
5. Users may also prevent Google from collecting and processing data generated by cookies relating to their use of the website (including the IP address) by downloading and installing the browser plug-in available at the following link:
6. https://tools.google.com/dlpage/gaoptout?hl=hu

NEWSLETTER

Purpose of Data Processing	Sending electronic messages containing advertisements (e-mail, SMS, push notifications) to the data subject, and providing information about current news, products, promotions, new features, etc.
Legal Basis of Data Processing	consent of the data subject
Categories of Data Subjects	All data subjects who have subscribed to the newsletter.
Categories of Data	Name E-mail address Phone number Date and time of subscription IP address at the time of subscription
Source of the Data	All individuals who have subscribed to the newsletter.
Data Processors / Recipients of Personal Data	Szilárd Kovács, Managing Director
Data Deletion Deadline	The data processing lasts until the withdrawal of the consent statement, i.e., until the user unsubscribes.

SOCIAL MEDIA PAGES

Pursuant to Section 20 (1) of Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information, the following must be defined regarding the processing of data on social media pages:

1. The fact of data collection
2. The scope of data subjects
3. The purpose of data collection
4. The duration of data processing
5. The identity of the persons or entities authorized to access the data
6. Information on the data subjects’ rights related to data processing

Purpose of Data Processing	Sharing or “liking” certain content elements, products, promotions, or the website itself on social media pages, as well as promoting them.
Legal Basis of Data Processing	The voluntary consent of the data subject for the processing of their personal data on social media pages.
Categories of Data Subjects	All data subjects who are registered on social media platforms such as Facebook, Google+, Twitter, Pinterest, YouTube, Instagram, etc., and have “liked” the website.
Categories of Data	The name registered on social media platforms such as Facebook, Google+, Twitter, Pinterest, YouTube, Instagram, etc., as well as the user’s public profile picture.
Source of the Data	All data subjects who are registered on social media platforms such as Facebook, Google+, Twitter, Pinterest, YouTube, Instagram, etc., and have “liked” the website.
Data Processors / Recipients of Personal Data	Szilárd Kovács, Managing Director
Data Deletion Deadline	Data processing takes place on the social media platforms; therefore, the duration and manner of data processing, as well as the options for data deletion and modification, are governed by the rules and regulations of the respective social media platform.

CUSTOMER RELATIONSHIPS AND OTHER DATA PROCESSING

1. If a data subject has questions or encounters any issues while using our services, they may contact the data controller through the means provided on the website (telephone, e-mail, social media platforms, etc.).
2. The data controller will store e-mails, messages, and other data provided via phone, Facebook, etc., together with the inquirer’s name, e-mail address, and any other voluntarily provided personal data, and will delete them no later than 2 years after the data was submitted.
3. For data processing not listed in this privacy notice, information will be provided at the time the data is collected.
4. In exceptional cases of official requests or based on statutory authorization, the service provider is obliged to provide information, disclose data, transfer data, or make documents available to other authorities.
5. In such cases, the service provider will only disclose personal data to the requester to the extent and in the amount necessary to achieve the purpose specified in the request, provided that the requester clearly indicates the purpose and scope of the data.

COMPLAINT HANDLING

1. According to Section 20 (1) of Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information, the following must be defined within the scope of complaints handling as data processing:

• The fact of data collection
• The categories of data subjects
• The purpose of data collection
• The duration of data processing
• The persons or entities authorized to access the data
• Information on the data subjects’ rights related to data processing

1. The fact of data collection, the scope of processed data, and the purpose of data processing:

   Personal data:	Purpose of data processing:
   Last name and first name	Identification
   E-mail	Contact
   Telefon	Contact
   Billing name and address	Identification Handling of quality complaints, questions, and problems arising in connection with the ordered service/product.

2. Duration of data processing, deadline for data deletion: The minutes, transcript, and copies of responses related to the recorded complaint must be retained for 5 years pursuant to Section 17/A (7) of Act CLV of 1997 on Consumer Protection
3. Persons or entities authorized to access the data: The personal data may be handled by the staff of the data controller, in compliance with the above principles.
4. Information on the data subjects’ rights related to data processing: The data subject can initiate the deletion or modification of personal data in the following ways:

   • By postal mail: at 8184 Balatonfűzfő, Uszoda u. 2.

     By e-mail: at bob@balatonibob.hu

     By phone: at +36 30 143 0000

5. Legal basis of data processing: the User’s consent, Section 5 (1) of the Information Act, and Section 17/A (7) of Act CLV of 1997 on Consumer Protection.

DATA SECURITY

1. The data controller designs and implements data processing operations in a way that ensures the protection of the data subjects’ privacy.
2. The data controller ensures the security of the data (protection with passwords, antivirus software, SSL encryption), takes the necessary technical and organizational measures, and establishes the procedural rules required to enforce the Information Act and other data and confidentiality protection regulations.
3. The data controller protects the data with appropriate measures, particularly against unauthorized access,
   • against alteration, transfer,
   • disclosure,
   • deletion or destruction,
   • accidental loss or damage,
   • and inaccessibility resulting from changes in the applied technology.
   The data controller ensures, through appropriate technical measures, that the data stored in the records cannot be directly linked to or assigned to the data subject.
4. To prevent unauthorized access to personal data, alteration of data, and unauthorized disclosure or use, the data controller ensures:
   • the establishment and operation of an appropriate IT and technical environment,
   • the controlled selection and supervision of staff involved in providing the service,
   • the issuance of detailed operational, risk management, and service procedure regulations.
   Based on the above, the service provider ensures that the data it manages is available to the authorized person, its authenticity and verification are ensured, and its integrity can be demonstrated.
5. The data controller and its hosting provider’s IT systems protect, among other things, against:
   • computer fraud,
   • espionage,
   • computer viruses, spam,
   • hacking,
   • and other attacks.

DATA SUBJECTS’ RIGHTS

1. A data subject may request from the service provider information regarding the processing of their personal data, request the correction of their personal data, and, except in cases of mandatory data processing, request the deletion or blocking of their personal data.
2. Upon the data subject’s request, the data controller shall provide information about the personal data it processes, as well as data processed by a data processor acting on its behalf, including the source of the data, the purpose and legal basis of processing, the duration of processing, the name and address of the data processor, the activities related to data processing, the circumstances, effects, and remedial actions of any data protection incidents, and, if the personal data has been transferred, the legal basis and recipients of such transfers.
3. If the data controller has an internal data protection officer, it shall maintain a record of data protection incidents for the purpose of monitoring measures and informing data subjects. This record includes the scope of personal data affected, the number and identities of data subjects affected, the timing, circumstances, and effects of the incident, the measures taken to mitigate it, and other data as required by law.
4. The data controller also maintains a transfer log for the purpose of verifying the legality of data transfers and informing data subjects. This log includes the date of transfer, the legal basis and recipient of the transfer, the scope of personal data transferred, and other data required by law.
5. Upon the user’s request, the service provider shall provide information about the processed data, its source, the purpose, legal basis, duration of processing, and, if applicable, the name and address of the data processor and activities related to processing, as well as the legal basis and recipient of any data transfers. The service provider shall respond in writing and in a clear, understandable form as soon as possible, but no later than 25 days from the submission of the request. The provision of information is free of charge.
6. The managing director of Orso Forte Kft. may refuse requests that are unreasonably repetitive, require disproportionate technical effort, endanger others’ personal data, are extremely difficult to implement, or are not legally required by local law. If the data subject insists on repeatedly accessing personal data, such as camera footage, the service provider may charge an administrative fee of HUF 20,000 + VAT per commenced working hour.
7. If the personal data is inaccurate and the service provider has access to the correct data, it shall correct the personal data. Instead of deletion, the service provider shall block the personal data if requested by the user, or if deletion could violate the user’s legitimate interests. Blocked personal data may only be processed as long as the purpose that precluded its deletion continues to exist.
8. The service provider shall delete personal data if its processing is unlawful, the user requests deletion, the data is incomplete or inaccurate and cannot be lawfully corrected, the purpose of processing has ceased, the statutory retention period has expired, or deletion has been ordered by a court or the National Authority for Data Protection and Freedom of Information.
9. The data controller shall mark personal data whose accuracy is contested by the data subject but cannot be conclusively verified.
10. The data subject and all recipients to whom the data was previously transferred for processing purposes must be notified of corrections, blocking, marking, and deletions. Notification may be omitted if it does not harm the legitimate interest of the data subject.
11. If the data controller does not comply with a request for correction, blocking, or deletion, it shall provide written factual and legal reasons for refusal within 25 days of receipt of the request. In the event of refusal, the data controller shall also inform the data subject of the right to judicial remedy and to submit a complaint to the Authority.

LEGAL REMEDY

1. A user may object to the processing of their personal data if:

   The processing or transfer of personal data is necessary solely for the data controller to fulfill a legal obligation or to pursue the legitimate interests of the data controller, the data recipient, or a third party, except where the processing is required by law;

   The use or transfer of personal data is for the purposes of direct marketing, public opinion polling, or scientific research;

   In other cases as specified by law.

2. The service provider shall examine the objection as soon as possible, but no later than 15 days from the submission of the request, decide on its validity, and inform the requester in writing of its decision. If the service provider determines that the objection is justified, it shall terminate the data processing—including any further data collection and transfer—block the data, and notify all parties to whom the personal data affected by the objection was previously transferred, who are obliged to take action to enforce the data subject’s right to object, about the objection and the measures taken based on it.

3. If the User disagrees with the decision made by the service provider, they may appeal to a court within 30 days from the notification of the decision. The court shall handle the case as a matter of priority.
4. Complaints regarding any potential violation by the data controller may be submitted to the National Authority for Data Protection and Freedom of Information:
   • Name: National Authority for Data Protection and Freedom of Information (NAIH)
     Headquarters: 1125 Budapest, Szilágyi Erzsébet fasor 22/c.
     Postal address: 1530 Budapest, P.O. Box 5
     Phone: +36 (1) 391-1400
     Fax: +36 (1) 391-1410
     Website: http://naih.hu
     E-mail: ugyfelszolgalat@naih.hu

JUDICIAL ENFORCEMENT

1. The data controller is obliged to prove that data processing complies with the provisions of the law. The lawfulness of data transfer must be proven by the data recipient.
2. Jurisdiction for adjudicating the case lies with the competent court. At the choice of the data subject, the case may also be initiated before the court of the data subject’s place of residence or habitual residence.
3. A party to the case may also be an entity that otherwise does not have legal capacity in court proceedings. The Authority may intervene in the case to protect the data subject’s interests.
4. If the court upholds the claim, it may order the data controller to provide information, correct, block, or delete the data, annul decisions made through automated data processing, respect the data subject’s right to object, or disclose data requested by the data recipient.
5. If the court rejects the data recipient’s claim, the data controller is obliged to delete the personal data of the data subject within 3 days from the notification of the judgment. The data controller must also delete the data if the data recipient does not initiate court proceedings within the specified deadline.
6. The court may order the publication of its judgment, including the identifying information of the data controller, if required in the interest of data protection and the protection of the rights of a larger number of data subjects.

COMPENSATION AND DAMAGES

1. If the data controller unlawfully processes the personal data of the data subject or violates the requirements of data security, thereby infringing the data subject’s personal rights, the data subject may claim compensation (non-pecuniary damages) from the data controller.
2. The data controller is also liable to the data subject for damages caused by the data processor and must pay compensation for any infringement of personal rights resulting from the actions of the data processor. The data controller is exempt from liability for damages and from the obligation to pay compensation if it proves that the damage or the infringement of the data subject’s personal rights was caused by an unavoidable circumstance beyond the scope of data processing.
3. Compensation and claims for damages shall not be granted to the extent that the damage or infringement of personal rights resulted from the intentional or grossly negligent conduct of the data subject.