Data Policy

DATA MANAGEMENT INFORMATION

RIGHTS OF THE DATA SUBJECT

REGARDING THE PROCESSING OF THEIR PERSONAL DATA

INTRODUCTION

The REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL (hereinafter: Regulation) on the protection of natural persons concerning the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, mandates that the Data Controller shall take appropriate measures to provide the data subject with all information related to the processing of personal data in a concise, transparent, intelligible, and easily accessible form, clearly and in plain language, and to facilitate the exercise of the data subject’s rights.

The obligation of prior information to the data subject is also prescribed by Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information.

Crystal Carp Lake Kft. qualifies as a data controller (“Data Controller”) as per Section 3, Point 9 of Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information ("Infotv.").

This notice serves to fulfill our statutory obligations.

This information must be published on the company’s website or provided to the data subject upon request.

CHAPTER I - IDENTIFICATION OF THE DATA CONTROLLER

The issuer of this notice, and simultaneously the Data Controller:

1. Company Name: Crystal Carp Lake Kft.
2. Registered Office: 9362 Himod, Dózsa utca 25.
3. Company Registration Number: 08-09-034195
4. Tax Number: 27758861-2-08
5. Representative: László Szakács, Managing Director
6. Phone Number: +36 30 569 8302
7. Email Address: info@crystalcarplake.com
8. Website: www.crystalcarplake.com

(hereinafter: the "Company")

CHAPTER II - IDENTIFICATION OF DATA PROCESSORS

A data processor is a natural or legal person, public authority, agency, or other body that processes personal data on behalf of the data controller; (Regulation, Article 4, Point 8).

The involvement of a data processor does not require the prior consent of the data subject, but they must be informed accordingly. Therefore, we provide the following information:

1. IT Service Provider of Our Company

Our company engages a data processor for the maintenance and management of its website, providing IT services (hosting services), and, within this framework, processes personal data provided on the website for the duration of our contract. The operation performed by the data processor involves storing personal data on the server.

This data processor is:

1. Company Name: Rackhost Zrt. (Hosting Provider)
2. Registered Office: 6722 Szeged, Tisza Lajos körút 41.
3. Company Registration Number: 06-10-000489
4. Tax Number: 25333572-2-06
5. Phone Number: +36 1 445 1200
6. Email Address: info@rackhost.hu
7. Website: https://rackhost.hu
8. Company Name: Barion Payment Zrt. (Payment Service Provider)
9. Registered Office: 1117 Budapest, Irinyi József utca 4-20. 2nd floor
10. Company Registration Number: 01-10-048552
11. Tax Number: 25353192-2-43
12. Phone Number: +36 1 464 7099
13. Email Address: hello@barion.hu
14. Website: https://www.barion.com/hu/
15. Company Name: KBOSS.hu Kft. (Billing Service Provider)
16. Registered Office: 1031 Budapest, Záhony utca 7.
17. Company Registration Number: 01-09-303201
18. Tax Number: 13421739-2-41
19. Phone Number: Online customer service
20. Email Address: Contact via website (szamlazz.hu)
21. Website: https://szamlazz.hu

2. Postal Services, Delivery, Parcel Shipping

These data processors receive the personal data necessary for delivering the ordered product (data subject’s name, address, phone number) from our company and use it to deliver the product. The product may be a gift card or a coupon.

These service providers include:

1. Magyar Posta
2. DPD
3. GLS
4. FOXPOST

CHAPTER III - ENSURING THE LAWFULNESS OF DATA PROCESSING

3. Data Processing Based on the Data Subject’s Consent

(1) If the Company intends to process data based on consent, it must request the data subject’s consent in accordance with the content and information specified in the data processing policy’s data request form.

(2) Consent is also considered granted if the data subject marks a relevant checkbox while viewing the Company’s website, configures relevant technical settings when using information society services, or makes any other clear statement or action indicating consent to the intended processing of their personal data. Silence, pre-checked boxes, or inaction shall not constitute consent.

(3) Consent extends to all processing activities carried out for the same purpose or purposes. If processing serves multiple purposes, consent must be given for all of them.

(4) If the data subject provides consent in a written statement concerning other matters—such as concluding a sales or service contract—the request for consent must be clearly distinguishable from those other matters, presented in an understandable and accessible format, and written in clear and simple language. Any part of such a declaration containing the data subject’s consent that violates the Regulation shall not be binding.

(5) The Company shall not condition the conclusion or performance of a contract on the granting of consent to the processing of personal data that are not necessary for the performance of that contract.

(6) Withdrawal of consent must be as easy as giving it.

(7) If the collection of personal data was based on the data subject’s consent, the data controller may process the collected data without separate consent for fulfilling legal obligations applicable to it, and also after the withdrawal of the data subject’s consent.

(8) Visitors are informed that a camera surveillance system operates at the lakes.

Thus, by purchasing a ticket or making a reservation and accepting the Terms and Conditions, they consent to being recorded on video.

(9) The reservation period is 7 days and applies to a specific fishing spot.

4. Data Processing Based on Legal Obligation

(1) In the case of data processing based on a legal obligation, the scope of data that may be processed, the purpose of data processing, the duration of data storage, and the recipients are determined by the relevant legislation.

(2) Data processing based on legal obligation is independent of the data subject’s consent, as processing is determined by law. Before starting data processing, the data subject must be informed that data processing is mandatory. They must also be clearly and comprehensively informed about all facts related to the processing of their data before the processing begins, including its purpose, legal basis, the person authorized to process and manage the data, the duration of processing, whether their data is processed based on a legal obligation applicable to the controller, and who may access the data. This information must also include the data subject’s rights and available legal remedies. Mandatory data processing may be communicated by referring to the publication of statutory provisions containing the above information.

5. Right to Rectification

5.1. The data subject has the right to obtain from the Controller without undue delay the rectification of inaccurate personal data concerning them upon request.

5.2. Taking into account the purposes of the processing, the data subject has the right to have incomplete personal data completed, including by means of providing a supplementary statement.

These rules are set out in Article 16 of the Regulation.

6. Right to Erasure ("Right to be Forgotten")

6.1. The data subject has the right to obtain from the Controller the erasure of personal data concerning them without undue delay, and the Controller is obliged to erase personal data concerning the data subject without undue delay where one of the following grounds applies:

a) The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

b) The data subject withdraws consent on which the processing is based, and there is no other legal ground for the processing;

c) The data subject objects to the processing, and there are no overriding legitimate grounds for the processing;

d) The personal data have been unlawfully processed;

e) The personal data must be erased to comply with a legal obligation under Union or Member State law to which the Controller is subject;

f) The personal data have been collected in relation to the offer of information society services directly to a child.

6.2. The right to erasure does not apply where processing is necessary:

a) For exercising the right of freedom of expression and information;

b) For compliance with a legal obligation which requires processing by Union or Member State law or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller;

c) For reasons of public interest in the area of public health;

d) For archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes, where erasure is likely to render impossible or seriously impair the achievement of the objectives of that processing; or

e) For the establishment, exercise, or defense of legal claims.

The detailed rules for the right to erasure are set out in Article 17 of the Regulation.

7. Right to Restriction of Processing

7.1. When processing is restricted, such personal data may only be processed—except for storage—if the data subject has given consent, or for the establishment, exercise, or defense of legal claims, or for the protection of the rights of another natural or legal person, or for important public interest reasons of the Union or a Member State.

7.2. The data subject has the right to obtain restriction of processing from the Controller if any of the following conditions apply:

a) The data subject contests the accuracy of the personal data, in which case the restriction applies for a period that allows the Controller to verify the accuracy of the personal data;

b) The processing is unlawful, and the data subject opposes the erasure of the data and instead requests the restriction of their use;

c) The Controller no longer needs the personal data for processing purposes, but the data subject requires them for the establishment, exercise, or defense of legal claims; or

d) The data subject has objected to processing; in this case, the restriction applies until it is determined whether the Controller's legitimate grounds override those of the data subject.

7.3. The data subject must be informed in advance when the restriction of processing is lifted.

The relevant rules are set out in Article 18 of the Regulation.

8. Notification Obligation Regarding Rectification, Erasure, or Restriction of Processing

The Controller shall communicate any rectification, erasure, or restriction of processing of personal data to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. Upon request, the Controller shall inform the data subject about these recipients.

These rules are set out in Article 19 of the Regulation.

9. Right to Data Portability

9.1. Under the conditions set out in the Regulation, the data subject has the right to receive the personal data concerning them, which they have provided to a Controller, in a structured, commonly used, and machine-readable format and has the right to transmit those data to another Controller without hindrance from the Controller to which the personal data have been provided, if:

a) The processing is based on consent or on a contract; and

b) The processing is carried out by automated means.

9.2. The data subject also has the right to have the personal data transmitted directly from one Controller to another, where technically feasible.

9.3. Exercising the right to data portability must not infringe Article 17 (Right to Erasure/"Right to be Forgotten"). The right to data portability does not apply where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller. This right must not adversely affect the rights and freedoms of others.

The detailed rules are set out in Article 20 of the Regulation.

10. Right to Object

10.1. The data subject has the right to object at any time, on grounds relating to their particular situation, to the processing of their personal data based on public interest, the exercise of official authority (Article 6(1)(e)), or legitimate interest (Article 6(1)(f)), including profiling based on those provisions. In such cases, the Controller may no longer process the personal data unless the Controller demonstrates compelling legitimate grounds for the processing that override the interests, rights, and freedoms of the data subject, or for the establishment, exercise, or defense of legal claims.

10.2. Where personal data are processed for direct marketing purposes, the data subject has the right to object at any time to processing of their personal data for such marketing, including profiling related to direct marketing. If the data subject objects to processing for direct marketing purposes, their personal data may no longer be processed for such purposes.

10.3. The data subject must be explicitly informed of this right at the time of the first communication with them, and this information must be presented clearly and separately from any other information.

10.4. The data subject may exercise their right to object by automated means using technical specifications.

10.5. Where personal data are processed for scientific or historical research purposes or statistical purposes, the data subject has the right to object to processing of their personal data on grounds relating to their particular situation, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

The relevant provisions are found in the Regulation.

11. Automated Individual Decision-Making, Including Profiling

11.1. The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them.

11.2. This right does not apply if the decision:

a) Is necessary for entering into or performing a contract between the data subject and the Controller;

b) Is authorized by Union or Member State law to which the Controller is subject, which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or

c) Is based on the data subject’s explicit consent.

11.3. In the cases referred to in points (a) and (c), the Controller must implement suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the Controller, to express their point of view, and to contest the decision.

The relevant provisions are set out in Article 22 of the Regulation.

12. Restrictions

Union or Member State law applicable to the Controller or Processor may, through legislative measures, restrict the scope of rights and obligations (Articles 12–22, Article 34, and Article 5 of the Regulation) if the restriction respects the essence of fundamental rights and freedoms.

The conditions for such restrictions are set out in Article 23 of the Regulation.

13. Information to the Data Subject in Case of a Data Breach

13.1. If a data breach is likely to result in a high risk to the rights and freedoms of natural persons, the Controller shall communicate the personal data breach to the data subject without undue delay. This notification must clearly and plainly describe the nature of the data breach and at least:

a) The name and contact details of the data protection officer or another contact point for further information;

b) The likely consequences of the data breach;

c) The measures taken or proposed by the Controller to address the data breach, including measures to mitigate any possible adverse effects.

13.2. The data subject does not need to be informed if any of the following conditions are met:

a) The Controller has implemented appropriate technical and organizational protection measures and these measures were applied to the personal data affected by the breach, such as encryption, rendering the data unintelligible to unauthorized persons;

b) The Controller has taken subsequent measures ensuring that the high risk to the rights and freedoms of data subjects is no longer likely to materialize;

c) Notifying the data subject would involve disproportionate effort. In such cases, public communication or similar measures must be taken to inform data subjects effectively.

The relevant provisions are found in Article 34 of the Regulation.

14. Right to Lodge a Complaint with a Supervisory Authority (Right to Administrative Redress)

The data subject has the right to lodge a complaint with a supervisory authority, in particular in the Member State of their habitual residence, place of work, or the place of the alleged infringement, if the data subject considers that the processing of their personal data infringes the Regulation.

The supervisory authority with which the complaint has been lodged must inform the complainant about the progress and the outcome of the complaint, including the possibility of seeking judicial remedy.

The relevant provisions are found in Article 77 of the Regulation.

Complaint Submission:

Complaints may be submitted to the Hungarian National Authority for Data Protection and Freedom of Information (NAIH).

NAIH Contact Information:

1. Address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c.
2. Mailing Address: 1530 Budapest, P.O. Box 5.
3. Phone: +36-1-391-1400
4. Website: http://naih.hu/
5. Email: ugyfelszolgalat@naih.hu

15. Right to an Effective Judicial Remedy Against a Supervisory Authority

15.1. Without prejudice to any other administrative or non-judicial remedies, every natural or legal person has the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning them.

15.2. Without prejudice to any other administrative or non-judicial remedies, every data subject has the right to an effective judicial remedy where the competent supervisory authority does not handle their complaint or does not inform them within three months about the progress or outcome of their complaint.

15.3. Proceedings against a supervisory authority must be brought before the courts of the Member State where the supervisory authority is established.

15.4. Where proceedings are brought against a decision of a supervisory authority that has been subject to an opinion or a decision under the coherence mechanism by the European Data Protection Board (EDPB), the supervisory authority must submit that opinion or decision to the court.

The relevant provisions are found in Article 78 of the Regulation.

16. Right to an Effective Judicial Remedy Against the Controller or Processor

16.1. Without prejudice to any available administrative or non-judicial remedies, including the right to lodge a complaint with a supervisory authority, every data subject has the right to an effective judicial remedy where they consider that their rights under this Regulation have been infringed as a result of the unlawful processing of their personal data.

16.2. Proceedings against a Controller or Processor must be brought before the courts of the Member State where the Controller or Processor has an establishment. Alternatively, such proceedings may be brought before the courts of the Member State where the data subject has their habitual residence, unless the Controller or Processor is a public authority acting in the exercise of its official powers.

The relevant provisions are found in Article 79 of the Regulation.