Anikó Ilyés, sole proprietor (registered office: 1085 Budapest Csepreghy utca 2. 3rd floor. 16th door, registration number: 57626624, tax number: 59579803-1-42) as data controller (hereinafter: Data Controller) subjects himself to the following information notice.
The Data Controller complies with the REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, the right to informational self-determination and the freedom of information (Act CXII of 2011), and the repeal of Directive 95/46/EC (General Data Protection Regulation, hereinafter: “GDPR”), and states that the data subject (in this case, the website user, hereinafter: User) must be informed whether the data processing is based on consent or mandatory before the start of the data processing.
The data subject must be clearly and thoroughly informed of all facts related to the processing of their data before the processing begins, including, in particular, the purpose and legal basis of the data processing, the person authorized to carry out the data processing and processing, and the duration of the data processing.
The data subject must also be informed in accordance with Section 6 (1) of the Information Act if personal data can be processed even if it is impossible or disproportionately costly to obtain the data subject’s consent, and the processing of personal data is necessary:
- for the fulfillment of a legal obligation to which the data controller is subject, or
- for the purpose of the legitimate interests pursued by the data controller or a third party, and such interests override the rights to the protection of personal data.
The information must also cover the data subject’s rights and remedies related to data processing.
If individual notification of the data subjects is impossible or would involve disproportionate costs (such as in the case of an online store), the notification can be carried out by public disclosure of the following information:
a) the fact of data collection, b) the scope of the data subjects, c) the purpose of the data collection, d) the duration of the data processing, e) the possible data controllers authorized to access the data, f) the description of the data subjects’ rights related to data processing and their remedies, and g) if the data processing must be registered in the data protection register, the registration number of the data processing.
This data management information notice governs the data management of the following websites: https://www.digital-tailors.com/ and is based on the above content requirements.
The notice is available at: https://www.digital-tailors.com/privacy-policy/
Changes to the notice take effect by being published at the above address.
Legal regulations applied during data processing
The data processing is governed by the following legal regulations: The right to the protection of personal data laid down in Chapter VI (2) and (3) of the Fundamental Law of Hungary (Fundamental Law).
Act CXII of 2011 on the right to informational self-determination and the freedom of information (Info Act).
Act LXIII of 1992 on the protection of personal data and the publicity of data of public interest (Data Protection Act).
Act CVIII of 2001 on certain issues of electronic commerce services and information society services (E-commerce Act).
Act V of 2013 on the Civil Code (Civil Code).
Act C of 2012 on the Criminal Code (Criminal Code).
Definitions of basic terms according to the Info Act
Data subject: Any identified or identifiable natural person whose personal data is processed, in this case, the website user.
Personal data: Data related to the data subject – particularly the data subject’s name, identification number, and one or more factors specific to their physical, physiological, mental, economic, cultural, or social identity – and the conclusions that can be drawn from the data concerning the data subject.
Special data:
- personal data concerning racial origin, nationality, political opinions, or party affiliation, religious or other beliefs, membership in representative organizations, and sexual life,
- personal data concerning health, pathological addiction, and criminal personal data.
Consent: The voluntary and explicit declaration of the data subject’s will, based on appropriate information, by which they unmistakably consent to the processing of their personal data, either fully or partially.
Objection: The data subject’s statement objecting to the processing of their personal data and requesting the termination of data processing and the deletion of the processed data.
Data controller: The natural or legal person, or entity without legal personality, who, alone or jointly with others, determines the purposes and means of the processing of personal data, makes and implements decisions on data processing (including the used device), or has them implemented by the data processor.
Data processing: Any operation or set of operations performed on data, regardless of the method applied, particularly the collection, recording, organization, storage, modification, use, retrieval, transmission, disclosure, alignment, or combination, blocking, deletion, and destruction of data, as well as the prevention of further use of the data, taking photographs, sound, or video recordings, and recording physical characteristics suitable for personal identification (e.g., fingerprints, palm prints, DNA samples, iris images).
Data transmission: Making data accessible to a specific third party.
Disclosure: Making data accessible to anyone.
Data deletion: Making data unrecognizable in such a way that their restoration is no longer possible.
Data designation: Providing the data with an identifying mark to distinguish it.
Data blocking: Providing the data with an identifying mark to limit its further processing for a defined or indefinite period.
Data destruction: Complete physical destruction of the data storage medium containing the data.
Data processing: Performing technical tasks related to data processing operations, regardless of the method and device used to perform the operations, and the location of application, provided that the technical task is performed on the data.
Data processor: A natural or legal person, or entity without legal personality, who processes data based on a contract, including a contract concluded under statutory provisions, with the data controller.
Data protection incident: Unlawful processing or handling of personal data, including unauthorized access, alteration, transmission, disclosure, deletion, or destruction, as well as accidental destruction and damage.
Data file: All data processed in a single record.
Sales, training applications
- According to Section 20 (4) of Act CXII of 2011 on the right to informational self-determination and the freedom of information, the following must be specified regarding data processing in sales on the website:
- a) the fact of data collection,
- b) the scope of the data subjects,
- c) the purpose of the data collection,
- d) the duration of the data processing,
- e) the possible data controllers authorized to access the data,
- f) the description of the data subjects’ rights related to data processing.
- The fact of data collection, the scope of processed data, and the purpose of data processing:
- Personal data: The purpose of data processing
- Surname and first name: Necessary for contact, purchasing, training application, and proper invoicing.
- Email address: Contact, invoicing.
- Phone number: Contact, more efficient coordination of invoicing or shipping questions.
- Billing address: Issuing proper invoices, creating, defining, modifying, monitoring the performance of the contract, billing the fees arising from it, and enforcing related claims.
- Shipping name and address (for physical products): Enabling home delivery.
- Time of purchase/application: Executing technical operation.
- IP address at the time of purchase/application: Executing technical operation.
- The email address does not necessarily have to contain personal data.
- Scope of the data subjects: All individuals purchasing on the website/applying for training.
- Duration of data processing, deadline for data deletion: Until the contract is fulfilled. Except for accounting documents, as these must be retained for 8 years according to Section 169 (2) of Act C of 2000 on accounting.
Accounting documents supporting the bookkeeping records directly and indirectly (including the general ledger accounts, analytical, and detailed records) must be kept in a readable format for at least 8 years, retrievable based on the bookkeeping records.
- Possible data controllers authorized to access the data: The data controller’s sales and marketing employees, respecting the above principles.
- Description of the data subjects’ rights related to data processing: The data subject can initiate the deletion or modification of their personal data in the following ways:
- by email at hello@digital-tailors.com
- Legal basis for data processing: User’s consent, Section 5 (1) of the Info Act, and Section 13/A (3) of Act CVIII of 2001 on electronic commerce services and certain aspects of information society services (hereinafter: E-commerce Act):
The service provider may process personal data that is technically essential for providing the service. The service provider must choose and operate the tools used in the provision of the information society service in such a way that personal data processing only occurs when it is necessary for providing the service and fulfilling other statutory purposes, but even in such cases, only to the necessary extent and duration.
Data processors
Hosting provider
- Activity performed by the data processor: Hosting service
- Name and contact details of the data processor:
Data processor name: Nethely Kft. Postal address: 1115 Budapest, Halmi utca 29. Registered office: 1115 Budapest, Halmi utca 29. Phone: +36 1 445 2040 Email address: info@nethely.hu www.nethely.hu
- The fact of data processing, the scope of processed data: All personal data provided by the data subject.
- Scope of the data subjects: All users of the website.
- Purpose of data processing: Making the website available and operating it properly.
- Duration of data processing, deadline for data deletion: Until the termination of the agreement between the data controller and the hosting provider, or according to the data subject’s request for deletion to the hosting provider.
- Legal basis for data processing: User’s consent, Section 5 (1) of the Info Act, and Section 13/A (3) of Act CVIII of 2001 on electronic commerce services and certain aspects of information society services (E-commerce Act).
Data security measures
The data controller ensures the security of the data and implements technical and organizational measures to ensure that the data collected, stored, and processed is protected against unauthorized access, alteration, disclosure, deletion, or destruction, and accidental destruction.
The data controller ensures that unauthorized persons cannot access the data, and only authorized persons have access, and that the data is not altered or disclosed to unauthorized persons. The data controller also ensures that data files are not directly accessible by users, only through authorized internal operations.
The data controller uses SSL (Secure Socket Layer) encryption on the website to ensure secure data transmission.
The data controller stores personal data in password-protected, encrypted databases on secure servers.
5. The fact of data collection, the scope of processed data, and the purpose of data processing:
Personal Data | Purpose of Data Processing |
---|---|
Name, email address | Identification, enabling newsletter subscription. |
Subscription date | Performing technical operation. |
IP address at the time of subscription | Performing technical operation. |
6. Scope of data subjects: All individuals subscribed to the newsletter.
7. Purpose of data processing: Sending electronic messages containing advertisements (emails, SMS, push notifications) to the data subject, providing information about current news, products, promotions, new features, etc.
8. Duration of data processing, deadline for data deletion: Data processing lasts until the withdrawal of the consent, i.e., until the unsubscription.
9. Potential data controllers authorized to access the data: Personal data may be processed by the employees of the data controller, respecting the above principles.
10. Registration number of data processing: Not required for this activity.
11. Description of data subjects’ rights regarding data processing: The data subject can unsubscribe from the newsletter at any time, free of charge.
12. Data processor employed: None.
13. Legal basis for data processing: The voluntary consent of the data subject, based on Section 5 (1) of the Information Act and Section 6 (5) of Act XLVIII of 2008.
Social Media
- According to Section 20 (1) of Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information, the following must be specified for data processing related to social media:
- a) The fact of data collection
- b) Scope of data subjects
- c) Purpose of data collection
- d) Duration of data processing
- e) Potential data controllers authorized to access the data
- f) Description of data subjects’ rights regarding data processing
- The fact of data collection, scope of processed data: The registered name on social media platforms like Facebook/YouTube/Instagram, and the user’s public profile picture.
- Scope of data subjects: All individuals registered on LinkedIn/Facebook/Twitter/Pinterest/YouTube/Instagram/TikTok, etc., who have “liked” the website.
- Purpose of data collection: Sharing or “liking” certain content elements, products, promotions, or the website itself on social media platforms, thereby promoting them.
- Duration of data processing, deadline for data deletion, potential data controllers authorized to access the data, and description of data subjects’ rights regarding data processing: The data subject can find information about the source of data, data handling, and the method and legal basis of data transfer on the respective social media platform. Data processing takes place on social media platforms, so the duration, method, and possibilities for data deletion and modification are governed by the regulations of the respective social media platform.
- Legal basis for data processing: The voluntary consent of the data subject for processing their personal data on social media platforms.
Protection of Personal Data
According to the Information Act, personal data can only be processed for a specific purpose, to exercise a right or fulfill an obligation. Data processing must comply with the purpose at all stages, and data collection and processing must be fair and lawful.
Only personal data that is essential for achieving the purpose of data processing and suitable for achieving that purpose can be processed. Personal data can only be processed to the extent and for the duration necessary for achieving the purpose.
Personal data retains its quality during data processing as long as it can be related to the data subject. The relationship with the data subject can be restored if the data controller has the technical means to do so.
During data processing, the accuracy, completeness, and – if necessary for the purpose of data processing – up-to-dateness of the data must be ensured, and the data subject can only be identified as long as necessary for the purpose of data processing. Processing of personal data is considered fair and lawful if the purpose is to ensure the freedom of expression of the data subject by a person who wants to know the opinion of the data subject and visits the data subject at their residence or place of stay, provided that the personal data is processed according to the provisions of this Act and the personal visit is not for business purposes. Personal visits cannot take place on public holidays according to the Labor Code.
According to Section 5 (1) of the Information Act, personal data can be processed if a) the data subject consents, or b) it is ordered by law or – based on legal authorization, within the scope defined – by a local government decree for a purpose of public interest (mandatory data processing).
Personal data can only be processed with the informed consent of the data subject.
The data subject must be clearly, comprehensibly, and thoroughly informed about all facts related to data processing, including the purpose and legal basis of data processing, the person authorized to process and handle the data, the duration of data processing, and who can access the data. The information must cover the rights of the data subject and the available legal remedies.
The data controller must plan and execute data processing operations in a way that ensures the protection of the data subjects’ privacy.
The data controller and the data processor within their scope of activities must ensure data security and take technical and organizational measures and establish procedural rules necessary for enforcing the provisions of this Act and other data and secrecy protection rules.
Data must be protected by appropriate measures, especially against unauthorized access, alteration, transmission, disclosure, deletion or destruction, accidental destruction and damage, and becoming inaccessible due to changes in the applied technology.
The data controller must ensure during data processing a) protection against unauthorized access (data confidentiality), b) the assurance of data integrity, c) the availability of data and services.
The data controller must ensure data security by preventing unauthorized access, unauthorized modification, unauthorized transmission, unauthorized disclosure, unauthorized deletion or destruction, accidental destruction, and damage, as well as the inaccessibility of data due to changes in the applied technology.
An adequate level of protection of personal data is ensured if it is laid down in a binding legal act of the European Union or if an international treaty is in force between the third country and Hungary containing safeguards for the exercise of the rights of data subjects, the right of redress and independent supervision of the processing of personal data.
Transfers to an EEA State shall be considered as transfers within the territory of Hungary.
Complaints handling
1. Pursuant to Section 20 (1) of Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information, the following shall be defined in the scope of complaint handling as data management:
a) the fact of data collection,
b) the data subjects concerned,
c) the purpose of the data collection,
d) the duration of the processing,
e) the identity of the potential controllers who are entitled to access the data,
f) a description of the data subjects’ rights in relation to the processing.
The fact of collection, the scope of the data processed and the purposes of the processing:
Personal data: purpose of the processing
Surname and first name: Identification, contact.
E-mail address: contact.
Telephone number: contact.
Billing name and address: Identification, handling of quality complaints, questions and problems regarding the products ordered.
3. Data subjects: all data subjects who shop on the website of the webshop and all data subjects who complain about quality.
4. Duration of data processing, deadline for deletion of data: copies of the record, transcript and reply to the recorded objection shall be kept for 5 years pursuant to Article 17/A (7) of Act CLV of 1997 on Consumer Protection.
5. Potential data controllers: personal data may be processed by the controller’s staff, in compliance with the principles set out above.
6. Description of the data subject’s rights in relation to data processing: the data subject may request the deletion or modification of personal data in the following ways:
- By e-mail to hello@digital-tailors.com.
- 5(1) of the Privacy Policy and Article 17/A(7) of Act CLV of 1997 on Consumer Protection.
Other
- By registering on the website, the data subject expressly consents to the Data Controller processing and using his/her personal and other data for the purpose of improving and developing the quality of the service, as well as for the purpose of monitoring and enforcing the interests of the user, for the purpose of implementing its information activities related to the provision and use of the service.
2. At the end of the period of data processing, the Controller shall delete the personal data of the data subject in a way that makes it impossible to identify the data subject.
- It also undertakes to require any third party to whom it may transfer or disclose the data to comply with its obligations in this respect.
- The Data Controller reserves the right to unilaterally modify this Privacy Statement by giving prior notice to Users. After the entry into force of the amendment, the User accepts the amended Policy by using the Service.