Attention, Important!
The following translation of the GDPR is for informational purposes only, and any interpretation is exclusively possible in the Hungarian language. Due to the above, we do not take any responsibility for translation errors!

Data Management Information (GDPR)

DATA MANAGEMENT INFORMATION

I. Introduction

MAG SE (hereinafter: Service Provider, Data Controller) submits itself to the following information.

The data subject must be clearly and thoroughly informed about all facts related to the processing of their data before the start of data processing, including the purpose and legal basis of data processing, the person authorized to process and process data, and the duration of data processing.

The information must also cover the data subject’s rights and legal remedies related to data processing.

This data management information contains the regulations for personal data processing during the operation of the (www.gokartsportarena.hu) website. The information is available on our website at the following link:

http://gokartsportarena.hu/adatvedelmi-szabalyzat-gdpr/

The purpose of the site is to organize go-kart events for the Service Provider’s end-user customers. In this regard, the Service Provider primarily keeps records of the data necessary for the performance of the contract in connection with the operation. This Information should be applied in accordance with and in connection with the Data Controller’s General Terms and Conditions.

The User accepts the content of this data management information both by using the website and by booking an appointment on the site.

The Data Controller is entitled to unilaterally modify this Information at any time, taking into account the current legal regulations. The modifications of the Information come into effect by publishing them at the above address.

II. Interpretative Concepts

  1. Data Subject: any natural person who is identified or can be identified, directly or indirectly, based on personal data, including natural person users provided by non-natural person Users.
  2. User: the Data Subject using the website (www.gokartsportarena.hu) (including the individual entrepreneur and the individual company) or other non-natural person user.
  3. Personal Data: any information relating to an identified or identifiable natural person (“Data Subject”).
  4. Special Categories of Personal Data: personal data indicating racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and genetic and biometric data aimed at uniquely identifying natural persons, health data, and personal data relating to the sexual life or sexual orientation of natural persons.
  5. Consent: the Data Subject’s voluntary, specific, informed, and unambiguous expression of will, by which the Data Subject, by a statement or by a clear affirmative action, indicates consent to the processing of personal data concerning him or her;
  6. Data Controller: The controller of personal data.
  7. Data Processing: any operation or set of operations performed on personal data or data files, whether automated or not, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
  8. Restriction of Data Processing: marking stored personal data with the aim of limiting their future processing.
  9. Data Processor: a natural or legal person, public authority, agency, or other body that processes personal data on behalf of the data controller.
  10. Third Party: a natural or legal person, public authority, agency, or other body other than the Data Subject, the Data Controller, the Data Processor, or those persons who, under the direct authority of the Data Controller or Data Processor, are authorized to process personal data.

The other concepts used in this Information comply with the definitions of the current legal regulations – in particular: Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation – hereinafter: GDPR) and Act CXII of 2011 on the right to informational self-determination and freedom of information (hereinafter: Infotv.). The Data Controller complies fully with the current legal regulations in the data processing it applies.

III. Basic Principles

The Data Controller, when processing the data of the Data Subject, acts in full compliance with the following basic principles:

  1. Data processing must be carried out lawfully, fairly and in a transparent manner for the data subject (“lawfulness, fairness and transparency”);
  2. Data collection should only be for specified, explicit and legitimate purposes, and should not be processed in a manner incompatible with these purposes (“purpose limitation”);
  3. They must be adequate and relevant for the purposes of data processing and must be limited to what is necessary (“data minimization”);
  4. They must be accurate and, where necessary, kept up to date (“accuracy”);
  5. Storage must be in a form that allows the identification of data subjects only for as long as necessary for the purposes of personal data processing (“limited storage”);
  6. Processing must be carried out in such a way as to ensure the appropriate security of personal data, including protection against unauthorized or unlawful processing, accidental loss, destruction or damage, by appropriate technical or organizational measures (“integrity and confidentiality”).
  7. The data controller is responsible for compliance with the above principles and must be able to demonstrate this compliance (“accountability”).
  8. The Data Controller has developed its procedures in accordance with the above, continuously reviews and modifies them as necessary. The Data Controller ensures built-in and default data protection during data processing.
  9. The user (User) must continuously ensure, both before and during the use of the service related to the information society, that he can prohibit data processing. The User is entitled to exercise this right in accordance with the provisions of Chapter IX.

IV. User’s Scope of Responsibility

  1. If the User does not provide his own data, but that of another natural person during registration for an appointment or in connection with its use, it will be the sole responsibility of the User to provide the data with the consent, knowledge and appropriate information of this natural person. The Data Controller is not obliged to check the existence of these. The Data Controller draws the User’s attention to the fact that if he does not fulfill this obligation and as a result the Data Subject asserts a claim against the Data Controller, the Data Controller may pass on the asserted claim and the amount of the related damage to the User.
  2. During data processing, the accuracy, completeness and, if necessary, up-to-dateness of the data must be ensured, and the data subject can only be identified for as long as necessary for the purposes of data processing. It is the User’s responsibility to ensure that the data provided are accurate, and he is also responsible for keeping them up to date. The User is obliged to immediately implement changes in the data on the registration interface, to modify the data. The User may also initiate data modification at the Data Controller, at the contact details specified by the Data Controller in Chapter IX.
  3. The Data Controller does not process the data of minors. However, the validity of a legal statement containing the consent of a minor Data Subject who has reached the age of 16 does not require the consent or subsequent approval of his legal representative. Minors under the age of 18 cannot use the appointment booking function, such persons cannot be registered. Compliance with this is the responsibility of the User.

V. The Purposes of Data Processing and Their Conditions

The Data Controller processes personal data for the following purposes:

Recording of appointment booking for go-karting

By making a reservation for the go-karting event and using the website, visitors accept the terms outlined in the Privacy Policy available on the www.gokartsportarena.hu website.

The website may contain links to other websites. In this regard, the Data Controller expressly states that it assumes no responsibility for the data protection and data processing practices, regulations of the websites reached by the user through links, and the Data Controller specifically draws the attention of users to the fact that the provisions of this Privacy Policy do not apply to these websites.

The website uses cookies for the reservation process.

VI. Data Management

During the operation of the website, the Data Controller uses the following cookies:

The Data Controller highlights that visitors (Data Subjects) have the option to delete the created cookies in their browser settings.

  1. Facebook
    The site uses the Facebook „Like” feature, allowing visitors to express their liking for the page. During the use of the service, no data is automatically transmitted with the knowledge of the Data Controller. More information about Facebook’s privacy principles can be found here: https://hu-hu.facebook.com/policies/cookies/
  1. Google Analytics
    The Data Controller measures the website’s traffic data using the Google Analytics service. During the use of the service, data is transmitted. The transmitted data is not suitable for identifying the Data Subject. More information about Google’s privacy principles can be found here: http://www.google.hu/policies/privacy/
  1. Google YouTube product
    The site uses the Google YouTube product to showcase „short videos” on the site to visitors. During the use of the service, no data is automatically transmitted with the knowledge of the Data Controller. More information about Google’s privacy principles can be found here: http://www.google.hu/policies/privacy/

During the use of the reservation function on the website, the Data Controller records the data provided by the user. The purpose of data processing is to trace the User’s online activities for the performance of the contract (confirmation of compliance with the order).

The legal basis for data processing is the performance of the contract.

Data stored regarding the reservation (highlighting personal data!): event dates, reservation name (Data Subject’s name), Data Subject’s email address, phone number, reservation date, reservation time, reservation duration, number of go-karters, notes.

The duration of data processing for the reservation is 60 days.

VII. Access to Data, Release of Data to Third Parties, Data Storage

  1. General provisions

The Data Controller ensures default and built-in data protection. To this end, the Data Controller applies appropriate technical and organizational measures to:

  • regulate access to data precisely.
  • only allow access to persons for whom the data is necessary for the performance of their task, and even then, only the data minimally necessary for the task can be accessed.
  • carefully select appointed data processors and ensure data security through appropriate data processing contracts.
  • ensure the integrity, authenticity, and protection of the managed data.
  1. Data transmission, data processing, access

The Data Controller strives not to release Data Subject data to third parties. However, data release cannot be avoided in certain cases. The Data Controller primarily releases data to third parties in the following cases:

    1. Data Transfer to Authorities: The Data Controller may have reporting obligations arising from legal requirements related to the establishment, performance, and termination of contracts. Data may also be disclosed for other reasons, such as in response to an official request or suspicion of criminal activity.
    2. Data Processor Access Rights: The Data Processor, with the purpose of fulfilling the contract on behalf of the Data Controller, processes the tasks transmitted by the Data Controller through a subcontractor based on the agreement between them.

    In addition to the cases defined above, the Data Controller may also disclose data to third parties in accordance with the applicable legal requirements.

    Possible data controllers authorized to access the data: Personal data may be processed by the employees of the Data Controller and the Data Processor, strictly adhering to the principles defined in this Notice.

    1. Physical Data Storage

    Data management, processing, and security backup of data take place within the territory of Hungary, utilizing the hosting service rented by the Data Controller.

    During data transfer, the Data Controller ensures the security of Personal Data with contractual safeguards required by the applicable laws. The Data Controller is fully responsible for the legality of data transfer and the security of the data.

    1. Storage Period

    The Data Controller retains the Data Subject’s data for the periods specified in the respective data processing purposes. After this period, the data will be destroyed. The storage duration of data is subject to the applicable legal requirements. If the legislation requires data storage beyond the specified period, the Data Controller is entitled to store the data for the duration specified by the law.

    VIII. Measures Taken by the Data Controller in Data Protection

    The Data Controller applies reasonable physical, technical, and organizational security measures to protect Data Subject data, particularly against accidental, unauthorized, unlawful destruction, loss, alteration, disclosure, use, access, or processing. In case of unauthorized access or use with a high risk for the Data Subject, the Data Controller promptly informs the Data Subject.

    If data transmission is necessary, the Data Controller ensures the proper protection of transmitted data, such as encrypting the data. The Data Controller is fully responsible for the data processing carried out by third parties concerning Data Subjects.

    The Data Controller also ensures the protection of Data Subject data through appropriate and regular security backups.

    During automated data processing, the Data Controller takes additional measures to:

    1. Prevent unauthorized data entry;
    2. Prevent the unauthorized use of automated processing systems by unauthorized individuals through data transmission devices;
    3. Verify and establish which organizations received or may receive personal data through the use of data transmission devices;
    4. Verify and establish which personal data was entered into automated processing systems, when, and by whom;
    5. Ensure the recoverability of installed systems in case of operational failure;
    6. Report errors occurring during automated processing.

    IX. Rights of the Data Subject

    The Data Subject has the following rights regarding data processing:

    1. Right to Transparent Information: The Data Subject has the right to receive information about the processed data and the data processing before and during data processing, as part of this Regulation.
    2. Right to Access Stored Data: The Data Subject is entitled to request information about the stored data concerning them and certain elements of data processing (especially: the existence of data processing, its purpose, legal basis, scope of processed data, data disclosure to third parties, storage period, methods of exercising rights, possibilities of legal remedies, data source, profiling, automated decision-making, guarantees, etc.).
    3. Right to Rectification: In case of incorrect data, the Data Subject can request the rectification of the data.
    4. Right to Erasure (Right to be Forgotten): The Data Subject may request the deletion of data if:
      • the data is no longer needed for the original purpose for which it was collected,
      • the Data Subject withdraws their consent to data processing,
      • the Data Subject objects to data processing, and there are no other legitimate grounds for processing,
      • data processing is unlawful,
      • legal obligations require deletion,
      • data collection was related to the offering of information society services.
    5. Right to Object: The Data Subject may object to data processing based on public interest or legitimate interests. In such cases, the Data Controller can only continue processing the data if compelling legitimate reasons exist, which take precedence over the interests, rights, and freedoms of the Data Subject, or for the establishment, exercise, or defense of legal claims. The Data Subject can object to data processing for direct marketing purposes at any time, and in such cases, the data cannot be processed further.
    6. Right to Restriction of Processing: In the case of unlawfully processed data or other cases permitted by law, the Data Subject may request the restriction of data processing.
    7. Right to Data Portability: In the case of automated data processing based on consent or a contract, the Data Subject is entitled to request the release of the data they provided in a structured, widely used, machine-readable format and can transmit the data to another data controller.
    8. Right to Withdraw Consent: The Data Subject can withdraw their consent at any time.

    The Data Subject can exercise the above rights at any time. The Data Subject can send a request to the Data Controller at gokartsportarena@gmail.com in writing. The Data Controller informs Data Subjects that, according to current legal requirements, it is not obliged to appoint a data protection officer, but a designated data protection officer is available to Data Subjects at the above contacts.

    The Data Controller is entitled to identify the Data Subject before responding (to verify that the request comes from the authorized person). The Data Controller considers requests received from the email address or registered online platform recorded by the Data Controller, along with the sender’s name and email address, or other voluntarily provided personal data, as originating from the Data Subject. For requests received in other forms, the Data Controller is entitled to authenticate the Data Subject in other ways (e.g., verbally inquire about the authenticity of a written request via the provided phone number, request written confirmation in response to verbal requests, or initiate other appropriate authentication methods).

    The Data Controller examines the received requests and processes them promptly, but no later than within one month—unless a longer period is allowed by law in exceptional cases—with justification or rejects them. The Data Controller informs the Data Subject in writing about the results of the decision. The handling of requests is free of charge, except for unfounded or excessive requests, for which the Data Controller may charge a reasonable fee corresponding to its administrative costs.

    The Data Controller deletes received letters, along with the name and email address of the sender and other voluntarily provided personal data, five years after the completion of the case.

    The Data Subject can submit comments or complaints about data processing to the Data Controller at the provided contacts (gokartsportarena@gmail.com email address) at any time. In addition to the above, in case of dissatisfaction with data processing, the Data Subject is entitled to initiate a court procedure at the seat of the Data Controller or the Data Subject’s place of residence (Pest County Court), which is exempt from fees and is expedited. The Data Controller is also subject to legal proceedings initiated by the National Authority for Data Protection and Freedom of Information, beyond the above.