Privacy Policy

GAL SYNERGYTECH ZRT.  

DATA CONTROLLING POLICY 

 

I. INTRODUCTION

1.1. INTRODUCING GAL SYNERGYTECH ZRT. 

GAL SynergyTech Zrt. (address: 1076 Budapest, Sajó utca 4-8.. 01/Ü. company registration number: 01-10-141486, hereinafter referred to as Company; legal predecessor: GAL Vital SynergyTech Kft.) is one of the most dynamically improving unique Hungarian food industry enterprises. Products of the Company include food supplements, such as vitamins, mineral and herbal products; popularity of these products is the result of unquestionable professional contents, attractive appearance and lovable didactic communications. During the development of the products, our company considers both naturalness and effectiveness to be the most important factors. In all GAL products, ingredients are contained in the same form and proportion they are contained in our natural food. 

1.2. Websites

The Company operates websites www.gal.hu and www.vitaverse.co.uk, where the Company publishes information on its products and their active ingredients, communicates and operates a webshop, as well. 

1.3. Webshop 

Under domain name www.gal.hu the Company operates a webshop in Hungarian and English languages (hereinafter referred to as Webshop). The Webshop is the product catalog of the Company, offering for sale food products and nutritional supplements marketed by the Company (hereinafter referred to as Product). By placing an electronic order on the Webshop and accepting the order by the Company, a sales contract is created between the natural person placing the order, as buyer (hereinafter referred to as Buyer) and the Company, as seller. 

 

II. GENERAL PROVISIONS

2.1. Purpose of the Policy 

The purpose of this data controlling policy (hereinafter referred to as Policy) is to provide information regarding the data controlling activities adopted and applied by the Company.   

2.2. Scope of the Policy 

With respect to sections 1.2. and 1.3. the Company declares that this data controlling policy applies to  

[1] data controlling activities adopted and applied by the Company, and  

[2] natural persons - Buyers - affected by the said data controlling activities 

. The Company implements data controlling with respect to data provided by the buyers on its websites listed in section 1.2. and via the Webshop. This way, the data controlling policy does not apply to data controlling activities implemented by dealers, websites and webshops reselling the products of the Company or the natural persons affected by the applied data controlling activities, with regard to which the entities making the sales qualify as independent data controllers, and as such, hold the rights and obligations related to their own data controlling activities.    

2.3. Availability of the Policy 

The effective version of this Policy is available at all times the central offices of the Company determined in section 1.1. and on the websites listed in section 1.2.  

2. 4. Amendment of the Policy 

The Company reserves the right to unilaterally amend the Policy - as necessary - at any time without preliminary notification, effective upon making the amendment, on which it shall publish general information. The Company is entitled to change the contents or topics of the websites without preliminary notification, which may affect the purpose of data controlling activities specified in this Policy and the consent thereto, in which case the Company shall act in compliance with this Policy. 

2.5. Governing Law 

The Company declares that its data controlling activities related to its business are in compliance with the provisions of this Policy and the effective legislation [including, but not limited to Regulation (EU) 2016/679 of the European Parliament and of the Council (hereinafter: GDPR) and Act CXII of 2011 On Information self-determination and freedom of information, hereinafter referred to as Infotv.). 

Concepts used in the Policy written with capitalized first letter have the meaning determined in the legal provisions indicated above. For the purpose of this Policy, affected party collectively means the Buyer and any person, whose personal data are controlled by the data controller.  

2.6. Authenticity and accuracy of the provided personal data  

The Data Subject is solely responsible for the authenticity and accuracy of the personal data provided or made available to the Company, except for the personal data measured by the Company.  The Company assumes no responsibility for the deficiencies of data provision or for the consequences for providing faulty data; any responsibility of the Company in this respect is explicitly excluded.  

2.7. Lack of Data Provision 

The Data Subject acknowledges that certain personal data need to be voluntarily provided for the purchases, and the Buyer fulfills such data provision. By choosing not to provide the requested personal data or any part thereof the Buyer acknowledges and accepts that maintaining relations with him/her by the Company will not be successful.  

2.8. Data security 

The Company handles personal data as confidential information, and takes every security, technical and organizational steps that serve the integrity of the data. 

 

III. INDIVIDUAL CASES OF DATA CONTROLLING 

Individual cases of data controlling are presented in separate tables. The tables contain only the facts related to data controlling determined in section 1 of each table.  

3.1. Webshop 

1. The process of data controlling: 

For the products selected in the Webshop, Buyers can place their order by logging in after registration or without registration. In both cases, the Buyer records personal data determined in section 2; fulfillment of the contract is conditional upon the provision of this data.  

2. Controlled personal data: 

1. name 

2. residential address (zip code, city, street, street number) 

3. delivery address (zip code, city, street, street number)  

4. telephone number 

5. email address 

6. date of birth 

7. sex 

8.  invoice data (name and address of the person, to whom the invoice is issued) 

 

3. Purpose of data controlling: 

Sales of Products to the Buyer via the Webshop, delivery of the Product to the Buyer, compliance with accounting obligations.   

4. Legal basis for data processing: 

Data controlling is performed pursuant to Article 6 (1) b) of the GDPR, i.e. data controlling is necessary to establish and deliver the sales and purchase contract.  

Legal basis for data controlling is Article 6 (1) c), i.e. data controlling is necessary for compliance with a legal obligation to which the Company is subject to (taxation and accounting obligations stipulated by the law). 

5. Duration of data controlling: 

The Company manages the Data Subject's personal data for the duration of the contractual relationship and for a fixed period thereafter in compliance with the applicable legal obligations. 

6. Rights of the Buyer: 

Rights pursuant to Chapter IV 

7. Enforcing the rights of the Buyer: 

Pursuant to Chapter V 

8. Data processor: 

Neucom Kft. (address: 1171 Budapest, Czimra Gyula utca 14., cg: 01 09 284222, tax ID: 25595211-2-42) 

GLS delivery service 

 

3.2. Data controlling related to invoicing 

1. The process of data controlling: 

The Company issues and keeps invoices for the products sold and the services used in the above tables. Data controlling related to invoicing is closely related to data controlling related to the fulfillment of the contract, forms part of it, but is done on a different legal basis.  

2. Controlled personal data: 

Pursuant to Articles 169 and 202 of Act CXXVII of 2017 on the Value-Added Tax:   

1. name 

2. residential address 

Pursuant to Article 167 of Act C of 2000 on Accounting: 

1. name 

2. residential address 

3. Purpose of data controlling: 

To issue and keep invoices for the products sold and the services used, fulfillment of tax and accounting obligations. 

4. Legal basis for data processing: 

Legal basis for data controlling is Article 6 (1) c), i.e. data controlling is necessary for compliance with a legal obligation to which the Company is subject to (taxation and accounting obligations stipulated by the law). 

5. Duration of data controlling: 

The issued invoice, as an accounting document, must be preserved until the deadline specified in Article 169 of Act C of 2000 on Accounting (currently 8 years), until December 31, 2017 pursuant to Article 47 (3) and 164 of Act XCII of 2003 On the order of Tax Payment (old Art.), whereas after January 1, 2018 until the tax law lapse period pursuant to Articles 78 (3) and 202 of Act CL of 2017 on the Order of Tax Payment (new Art.).  

6. Rights of the Buyer: 

Rights pursuant to Chapter IV 

7. Enforcing the rights of the Buyer: 

Pursuant to Chapter V 

8. Data processor: 

Neucom Kft. (address: 1171 Budapest, Czimra Gyula utca 14., cg: 01 09 284222, tax ID: 25595211-2-42) 

Employees of the Company 

 

3.3. Inquiries with advertising content aimed at business acquisition and marketing purposes (e-DM, newsletter) 

1. The process of data controlling: 

Pursuant to Article 6 (1) Act XLVIII of 2008 on the basic requirements and certain restrictions of commercial advertising activities (hereinafter referred to as Grtv.), the Company communicates advertisement to the Buyer, as the addressee of the advertisement, in particular via electronic correspondence or other equivalent individual tools of communications (hereinafter referred to as  Newsletter), provided that the Buyer provided his or her explicit preliminary and unambiguous consent by checking the corresponding checkbox during registration.    

2. Controlled personal data: 

name 

Email address 

3. Purpose of data controlling: 

Sending inquiries with advertising content for business acquisition or marketing purposes via electronic corresponding or other equivalent tools of communication (e-DM): newsletter containing the Company’s own offers and products, as well as questionnaires processed anonymously for the purpose of generating statistical data generation or measuring satisfaction.   In case if the Company sends the given type of inquiry specifically targeted to the given Buyer, then this is so communicated in the inquiry. 

4. Legal basis for data processing: 

The legal basis for data controlling is Article 6 (1) a) of GDPR, i.e. with the consent of the Buyer granted by checking the corresponding checkbox during the registration. 

Buyers are entitled to withdraw their consent at any time. However, the revocation of the consent does not apply to the legality of data controlling based on the consent prior to its revocation. The Buyer may revoke his or her consent in writing, with a free text application, which must be sent to one of the addresses specified by the Company in Chapter IV of this Policy. Revocation of the consent becomes effective, when communicated to the Company. 

5. Duration of data controlling: 

36 months from the date of giving the consent, or until the consent is revoked (unsubscribing from the newsletter, hereinafter referred to as: Unsubscribing). For the sake of provability, the fact and date of Unsubscribing is recorded in a way that is not suitable for retrieving earlier data, but Unsubscribing can be proved, when the concrete data is specified. Unsubscription can be done by sending a request via the link at the bottom of the Newsletter or to one of the addresses specified in Chapter IV of this Policy. Unsubscribing via the Newsletter takes effect immediately, whereas Unsubscribing requested via telephone or other address becomes effective not later than within 5 business days. 

6. Rights of the Buyer: 

Rights pursuant to Chapter IV 

7. Enforcing the rights of the Buyer: 

Pursuant to Chapter V 

8. Data processor: 

Neucom Kft. (address: 1171 Budapest, Czimra Gyula utca 14., cg: 01 09 284222, tax ID: 25595211-2-42) 

Employees of the Company 

 

3.4. Partner Program 

1. The process of data controlling: 

After registration on websites listed in section 1.2., the Company stores the Buyer’s purchase data and amount. If the amount of purchases made as a registered buyer calculated without coupon discounts and shipping fee exceeds HUF 50,000, the Buyer automatically becomes member of the Partner program and gets 10% discount from additional purchases. 

2. Controlled personal data: 

1. name 

2. residential address (zip code, city, street, street number) 

3. delivery address (zip code, city, street, street number)  

4. telephone number 

5. email address 

6. date of birth 

7. sex 

8.  invoice data (name and address of the person, to whom the invoice is issued) 

9. details of former purchases 

 

3. Purpose of data controlling: 

The purpose of the Partner program is to reward loyal buyers. For the sake of this purpose we store the purchase data of registered buyers, so we can determine, who qualifies as loyal buyer, whose purchases reach 50,000 HUF in total.  

4. Legal basis for data processing: 

GDPR, Articles 6 (1) and 9 (2) a) 

Buyers are entitled to withdraw their consent at any time. However, the revocation of the consent does not apply to the legality of data controlling based on the consent prior to its revocation. The Buyer may revoke his or her consent in writing, with a free text application, which must be sent to one of the addresses specified by the Company in Chapter III of this Policy. Revocation of the consent becomes effective, when communicated to the Company. 

5. Duration of data controlling: 

The Company will continue data controlling for a period of 24 months from the date of granting the consent, or until the consent is revoked. After data controlling is terminated for any reason, the Company will immediately delete the Buyer’s data stored in the Partner program. 

6. Rights of the Buyer: 

Rights pursuant to Chapter IV 

7. Enforcing the rights of the Buyer: 

Pursuant to Chapter V 

8. Data processor: 

Neucom Kft. (address: 1171 Budapest, Czimra Gyula utca 14., cg: 01 09 284222, tax ID: 25595211-2-42) 

Employees of the Company 

 

3.5. Data controlling on our social media channels (Facebook, Instagram, Youtube channel) 

3.5.1. The Company operates social media channels to introduce its operation and promote its products.  

3.5.2. Personal data published by the visitors on our social media channels are not stored, controlled or stored. Visitors are subject to the social media channels’ own privacy and service conditions. Questions posted via the social media channels are not regarded as official complaints. 

3.5.3. In case of illegitimate or offensive content, the Company is entitled to ban out the data subject and delete his/her comment.  

3.5.4. The Company shall not be responsible for illegitimate data contents, comments or any fault, failure resulted by the operation of the social media interfaces or problems attributable to the change in the operation of the system. 

 

3.6. Cookies 

3.1.6. Websites of the Company automatically collect data via the use of so-called cookies. A cookie is a small text file that stores internet settings. Almost all websites use this technology. 

When the data subject visits the website for the first time, a cookie is automatically downloaded from his or her browser upon granting consent. Next time, if the data subject logs in to the website from the same device, the cookie - and the information contained therein - is either sent back by the system to the website that created it (so-called own cookie), or sends to another website, to which it belongs (so-called partner cookie). This way, the website recognizes that the given site was opened with this browser, and in certain cases it will modify the displayed contents. For more information about the cookies used on our websites can be found on the links on each website, including the information about the consequences of disabling the use of the cookies.  

3.6.2. With the help of the cookies the server is allowed to identify a given user, to collect various information about him or her, and to prepare analyses using this data. Main functions of the cookies: 

a) collect information on the visitors and their devices; 

b) remember individual settings of the visitors that are (can be) used, for example to perform online transactions, so no repeated typing is necessary; 

c) make the use of the given website easier, simpler, smoother and more convenient; 

d) make it unnecessary to re-enter previously entered data; 

e) generally improve the user experience. 

3.6.3. With the use of cookies the Company performs data controlling - based on the consent granted by the data subject - the main goals of which are to identify the user, to identify individual sessions, to identify devices user for accessing the site, to store certain data, to store and forward certain provided data, to store and forward tracking and location information, to store and forward data necessary for analytic measurements. 

3.6.4. Legal basis for data processing is the data subject’s consent. Scope of the controlled data: the concerned user data (user ID, session ID, device ID), login date and duration of the use, GSP coordinates of the user. 

Duration of data controlling: 1 year from the date the data subject’s consent was given. 

3.6.5. The Company measures the traffic data of the websites using the Google Analytics service. During the use of the service personal data no are transferred. The transferred data are not suitable for identification. 

 

IV. RIGHTS OF THE CONCERNED ENTITY 

With respect to the above data controlling the Data Subject has the following rights 

4.1. Right of information  

The Data Subject has the right to receive information about the facts related to data controlling in relation to the personal data controlled by the Company before the start of the data controlling. With respect to the fact that the Data Subject gives the personal data to the Company himself, the Company fulfills its information provision obligation under Article 13 of the GDPR by publishing this Policy.  

4.2. Right of access (GDPR, Article 15) 

Data Subjects shall have the right to obtain information as to exactly which of their personal data are controlled by the Company. Upon the data Subject’s request, the Company also provides information on the purpose, legal basis and duration of data controlling related to the Data Subject, as well as on who received or will receive such data and for what purpose (including, but not limited to addressees in third countries, as well as international organizations, if any). The Data Subject is entitled to be granted access, to request the Company to correct, delete or restrict the controlling of his/her personal data, and may object the controlling of such personal data. The Data Subject is entitled to be informed that he/she may file complaint to the supervisory authority. Should any data not obtained by the Company from the Data Subject appear, the Data Subject is entitled to request information on the source of the data at any time. In case if the Company forwards personal data to a third country or to an international organization, then the Company shall inform the Data Subject on forwarding the data and the guarantees pursuant to Article 46 of the GDPR. 

The Company provides the Data Subject with the first copy of the personal data subject to data controlling free of charge. For additional copies, the Company may charge a reasonable fee based on administrative costs and adjusted to the amount of data, but the Company will notify the Data Subject of this amount in advance. If the Data Subject submitted his/her application electronically, the response shall also be given electronically in a widely used format, unless requested otherwise by the Data Subject. The right to requesting a copy must not adversely impact the rights and liberties of others. 

4.3. Right to rectification (GDPR, Article 16) 

The Data Subject is entitled to request the Company to rectify inaccurate or faultily recorded personal data. Should the data be deficient - considering the purpose of data controlling - the Data Subject may request completion of the data. If the data requested to be rectified or supplemented is included in an official identity card or other official register confirming identity and residential address, this document must also be presented in order to be rectified or supplemented.  

4.4. Right of erasure (“right to be forgotten”) (GDPR, Article 17) 

The Data Subject may request the Company to erase his or her personal data at any time, which request must be satisfied by the Company, provided that any of the following reasons exists: 

the personal data are no longer needed for the purpose they were collected or otherwise managed by the Company; 

the Data Subject revoked by his or her consent on which the data controlling is based and there is no other legal basis for the data controlling; 

the Data Subject objects the data controlling by the Company based on public or legitimate interest, and there is no overriding legitimate reason for data controlling, or objects the data controlling for direct marketing purposes pursuant to GDPR Article 21 (2); 

the personal data were controlled by the Company illegitimately; 

personal data must be deleted to comply with the legal obligation stipulated by community or member state law applicable to the Company; 

personal data were collected in connection with offering services related to the information society referred to in Article 8, Section (1) of the GDPR. 

In case if the Company published the personal data and is obliged to erase it, it shall take every reasonably expected action to notify additional data controllers controlling the data on its obligation to erase. 

The data does not need to be erased, if data controlling is necessary: 

for the purpose of exercising the right to freedom of expression and information; 

for the purpose of fulfilling the obligation according to the law applicable to the Company that prescribes the controlling of personal data (e.g. fulfilling tax and accounting obligations), or for the purpose of performing a task carried out in the public interest or in the context of the exercise of public authority granted to the Company; based on public interest concerning public health, pursuant to GDPR, Article 9 (2) h) and i), as well as Article 9 (3). 

in accordance with Article 89 (1) of the GDPR for the purpose of archiving in the public interest, for scientific and historical research purposes or for statistical purposes, if the right to erasure would likely make this data management impossible or seriously jeopardize it; or to submit, enforce or protect legal interests. 

4.5. Right to restriction of processing (GDPR, Article 18) 

The Data Subject is entitled to request the Company to restrict controlling of some of his/her personal data, if any of the following criteria is met:  

the Data Subject disputes the accuracy of the personal data; in this case the limitation applies to the period available for the Company to verify the accuracy of the personal data;  

the data controlling is illegitimate, and the Data Subject objects the deletion of the data, and requests their limited use instead;  

the Company no longer needs the personal data for data controlling purposes, but the Data Subject requests them to submit, enforce or protect legal needs; 

The Data Subject objected the data controlling referring to GDPR, Article 21 (1), and time is needed to investigate, whether there is any overriding legitimate reason for data controlling. In this case, the restriction applies to the period of time required to verify, whether there is overriding legitimate reason for data controlling, i.e. whether legitimate reasons of the Company related to preserving and controlling the data by the Company override the Data Subject’s legitimate reasons to have the data erased. 

During the period of the restriction the Company will only store the data, but no data controlling operations are performed, except, if i) the Data Subject grants his or her consent to additional operations, or ii) the data controlling is necessary to submit, enforce or protect legal demands, furthermore, iii) if it is necessary to protect the rights of other natural persons or legal entities, or iv) if data controlling is necessitated by an important public interested of the EU or any of its Member States.   

In case is data controlling is restricted, the Company shall notify the Data Subject on lifting the restriction in advance, in the same form and manner the Data Subject had requested the restriction of data controlling.  

The Company informs all recipients of the correction, deletion or restriction of data processing requested by the Data Subject and carried out by the Company, to whom or to which the personal data was disclosed, unless this proves to be impossible or requires a disproportionately large effort. Upon the Data Subject’s request, the Company informs the Data Subject about the recipients notified as described above. 

4.6. Right to object (GDPR, Article 21) 

The Data Subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data for public interest or to enforce legitimate interest of third persons concerning him or her ((e) or (f) of Article 6(1) of the GDPR), including profiling based on those provisions. In this case, the Company is no longer allowed the insurance the personal data, except if proves that data controlling is due to coercing legitimate reasons that have priority over the interests, rights and liberties of the Data Subject, or which are related to submission, enforcement or protection of legal requests. 

Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing (provided that the Company applies such method, on which it must give appropriate notification). In case of objection, the personal data shall no longer be processed by the Company for direct marketing purposes. 

In case of data controlling for statistical purposes the Data Subject is entitled to object such controlling of his or her personal data for reasons related to the Data Subject’s own situation, except if the data controlling is necessary to perform a task for public interest. 

4.7. Right to data portability (GDPR, Article 20) 

With respect to the fact that the Company stores the Data Subject’s data also in an electronic database, the Data Subject is entitled to receive his or her personal data provided to the Company in a structured, commonly used, machine-readable format, and to forward these data to another data controller without hindrance from the Company. The Data Subject is entitled to the right of data portability with respect to data, the controlling of which is based on the Data Subject’s consent (GDPR, Article 6 (1) a) or Article 9 (2) a) or on the fulfillment of a contract (GDPR, Article 6 (1)). Should the Data Subject request for direct transfer of the data between data controllers, the Company shall indicate, whether such transfer is technologically feasible.  

4.8. Right to lodge a complaint with a supervisory authority (GDPR, Article 77) 

Without prejudice to any other administrative or judicial remedy, the Data Subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes the provisions of the GDPR.  

The supervisory in Hungary is the Nemzeti Adatvédelmi és Információszabadság Hatóság (Hungarian National Authority for Data Protection and Freedom of Information) (1024 Budapest, Szilágyi Erzsébet fasor 22/C., e-mail: ugyfelszolgalat@naih.hu, +36-1-3911400, chairman: dr. Attila Péterfalvi, www.naih.hu). 

The supervisory authority to which the Data Subject submitted the complaint is obliged to inform the Data Subject, as a customer, of the procedural developments related to the complaint and its result, including the fact that the Data Subject is entitled to legal remedies based on Article 78 of the GDPR.  

4.9. Right to an effective judicial remedy against a supervisory authority (GDPR, Article 78) 

Without prejudice to any other administrative or non-judicial remedy, the Data Subject shall have the right to an effective judicial remedy against a legally binding decision of a supervisory authority (in Hungary: Nemzeti Adatvédelmi és Információszabadság Hatóság) concerning them. Without prejudice to any other administrative or non-judicial remedy, the Data Subject shall have the right to an effective judicial remedy where the supervisory authority which is competent pursuant to Articles 55 and 56 does not handle a complaint or does not inform the Data Subject within three months on the progress or outcome of the complaint lodged pursuant to Article 77. Proceedings against a supervisory authority shall be brought before the courts of the Member State where the supervisory authority is established (in Hungary, judicial procedures against the Nemzeti Adatvédelmi és Információszabadság Hatóság (Hungarian National Authority for Data Protection and Freedom of Information) fall under the authority and competence of the Capital City Administrative and Labor Court). 

Right to an effective judicial remedy against the Company or data processor (GDPR, Article 79) 

Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority pursuant to section 4.8., the Data Subject shall have the right to an effective judicial remedy where he or she considers that his or her rights under the GDPR have been infringed by the Company as a result of the processing of his or her personal data in non-compliance with GDPR. 

Proceedings shall be brought before the courts of the Member State where the Company is established, i.e. before the courts of Hungary. The proceedings can also be initiated before the court according to the Data Subject’s usual place of residence (if different from Hungary).  

4.11. Communication of a personal data breach to the data subject (GDPR, Article 34) 

If the data protection incident is probably represents high risk to the Data Subject’s rights and liberties, the Company shall notify the Data Subject without unjustified delay on the data protection incident.   In this notification, the nature of the data protection incident must be described in a clear and understandable way, and at least the following information and measures must be provided: 

name and contact information of the data protection commissioner or other contact person providing further information;  

the likely consequences of the data protection incident must be described;  

the measures taken or planned by the data controller to remedy the data protection incident must be described, including, where appropriate, measures aimed at mitigating any adverse consequences resulting from the data protection incident.  

The Data Subject does not need to be notified on the data protection incident, if any of the following conditions is met: 

the Company has implemented appropriate technical and organizational protection measures and these measures have been applied to the data affected by the data protection incident, in particular those measures - such as the use of encryption - that make the personal data unintelligible to persons not authorized to access the personal data; 

following the data protection incident, the Company took additional measures to ensure that the high risk to the rights and liberties of the Data Subject is unlikely to appear in the future; 

the information provision would require disproportionate efforts.  

In the above cases, the Data Subject must be notified by way of public announcements or similar measures have to be taken to ensure efficient information provision to the Data Subject. 

 

V. ENFORCEMENT OF THE DATA SUBJECT’S RIGHTS  

SUBMITTING HIS OR HER APPLICATION, ESTABLISHING CONTACT WITH THE COMPANY 

5.1. In case of enforcing the Data Subject's rights, he or she should preferably i) deliver the request in writing, by post ii) personally to the Company's headquarters or iii) send it by e-mail to the Company's e-mail address. 

Details and contact information of the Company/Data Controller: 

Postal address: 1076 Budapest, Sajó utca 4-8.. 01/Ü. 

Telephone: +36-1/443 32 29 

Email: ugyfelszolgalat [at] gal.hu

5.2. Should any doubt arise as to the identity of the Data Subject or the provided data are not sufficient to identify the Data Subject, the Company is entitled to request from the Data Subject additional data necessary to and suitable for the verification of the identity.    

5.3. If the submitter of the application is unable to verify his or her identify beyond doubt, and thus the Company is unable to identify him or her, the Company may refuse to take care of the application. 

5.4. The Company shall inform the Data Subject of the measures taken following the request without undue delay, but in any case within one month of the receipt of the request. If necessary, taking into account the complexity and the quantity of applications, this deadline can be extended by another two months. The Company shall inform the Data Subject of the extension of the deadline, indicating the reasons for the delay, within one month of receipt of the request. 

5.5. If the Data Subject submitted his/her application electronically, the response shall also be given electronically, unless requested otherwise by the Data Subject. 

5.6. If the Company does not take measures following the Data Subject's request, it shall inform the Data Subject without delay, but not later, than within one month of the receipt of the request, of the reasons for the failure to take action, as well as of the fact that the Data Subject may file a complaint with a supervisory authority and exercise his right to judicial remedy. 

5.7. Information pursuant to Articles 13 and 14 of the GDPR, as well as notification and actions pursuant to Articles 15-22 and 34 of the GDPR shall be provided by the Company free of charge, If a request is clearly unfounded or - especially due to its repetitive nature - excessive, taking into account the administrative costs associated with providing the requested information or notification, or taking the requested action, the Company:  

a) may charge a reasonable fee, or 

b) may refuse to take actions based on the request. 

 

Budapest, May 18, 2023