Privacy notice


Table of Contents

What is the purpose of this Notice?
Data of the Controller
Certain data processing operations
What data processing do we carry out in the course of our activities?
What rights do Users have?
Our procedure for handling rights-related requests
Possible recipients of personal data, processors
Data security
Cookies
Miscellaneous provisions
Annex 1 – Relevant legislation
Annex 2 – Definitions relating to the processing of personal data
Annex 3 – Rights of data subjects

 
1. What is the purpose of this Notice?
We have adopted this Notice in order to provide all essential information and explanations, in a concise, transparent, intelligible and easily accessible form, in clear and plain language, to natural persons using our services and to the representatives of legal entities (hereinafter together: Users), and to assist Users in exercising their rights set out in Section 4 below.

Our obligation to provide information is based on Article 12 of Regulation (EU) 2016/679 of the European Parliament and of the Council applicable from 25 May 2018 (hereinafter: GDPR), Section 16 of Act CXII of 2011 on the Right of Informational Self-Determination and Freedom of Information (hereinafter: Infotv.), and Section 4 of Act CVIII of 2001 on Certain Issues of Electronic Commerce Services and Services Related to the Information Society (Elkertv.).

This Notice has been prepared having regard to the GDPR, the Infotv., as well as any other legislation relevant to specific data processing activities. The list of applicable laws is set out in Annex 1 to this Notice, while the most important definitions are included in Annex 2.

When drafting and applying this Notice, we have followed the findings of the recommendation of the Hungarian National Authority for Data Protection and Freedom of Information on the data protection requirements of prior information, and we have acted in the spirit of Article 5 of the GDPR, in particular the accountability principle laid down in Article 5(2).

We also closely follow the practice of the European Union in the field of personal data protection; accordingly, we incorporate into our data processing practice the content of the guidelines on transparency of the Article 29 Working Party of the European Commission.

 
2. Data of the Controller
Name: MG Media Kft.

Website: https://performate.gg

Company registration number: 09-09-034458

Registered seat: 4271 Mikepércs, Szent István utca 3/B.

Tax number: 26759584-2-09

E-mail: info@performate.gg

Phone: +36 20 203 48 27

 
3. Certain data processing operations
In this Section we set out, for each processing activity, those key circumstances which the GDPR and other sector-specific laws require from every controller.

 
4. What data processing do we carry out in the course of our activities?
4.1. Data processing relating to newsletter subscription
In order to provide Users with up-to-date information relating to the use of our services, Users may subscribe to our newsletter via the Website. The related data processing is described below.

4.1.1. Personal data processed and the purpose of processing
Personal data processed:

name: enables us to identify the User in our correspondence
e-mail address: enables us to know the User’s electronic contact address to which we can send our newsletter on current news and updates
4.1.2. Legal basis of processing
The User’s consent (Article 6(1)(a) GDPR, Section 5(1)(a) Infotv., and Section 6(1) of Act XLVIII of 2008 on the Basic Requirements and Certain Restrictions of Commercial Advertising Activities – Grt.).

4.1.3. Duration of processing
We process personal data until withdrawal of consent. The User may withdraw consent at any time by clicking on the “Unsubscribe” button in the newsletter.

4.1.4. Method of processing
In electronic form.

 
4.2. Data processing relating to invoicing
Following the execution of orders – in accordance with Act C of 2000 on Accounting (hereinafter: Accounting Act or Sztv.) – we issue an accounting document. The related data processing is as follows.

4.2.1. Personal data processed and the purpose of processing
We process the name and residential address (or registered office in case of a sole trader) of our natural person Users for the purpose of supporting accounting in respect of the performance of the transaction (economic event).

4.2.2. Legal basis of processing
Mandatory processing based on law (having regard to Article 6(1)(c) GDPR, Section 5(1)(b) Infotv. and Sections 166(1)–(3) of the Accounting Act).

4.2.3. Duration of processing
For 8 years following the issue of the accounting document (having regard to Section 166(6) and Section 169(1) of the Accounting Act).

4.2.4. Method of storage of personal data
Both in paper and in electronic form.

4.2.5. Provision of personal data
Since we are unable to issue an accounting document without the personal data set out in this Section, the provision of such personal data is required by law.

 
4.3. Data processing relating to orders and purchases
4.3.1. Personal data processed and the purpose of processing
Personal data processed:

name: enables us to identify the person placing the order during performance
address (postcode, town/city, street name and number together): enables us to deliver the ordered product by post to the specified address
phone number: enables us to contact and inform the customer regarding details of the order
e-mail address: enables us to contact and inform the customer regarding details of the order
purchase information in the loyalty scheme: ensures participation in our loyalty / regular customer programme
4.3.2. Legal basis of processing
Performance of a contract to which the Controller and the User are parties (Article 6(1)(b) GDPR).

4.3.3. Duration of processing
For 5 years from performance of the order, having regard to Section 6:22(1) of Act V of 2013 on the Civil Code (Ptk.).

4.3.4. Method of storage of personal data
Both in paper and in electronic form.

4.3.5. Provision of personal data
Since we are unable to fulfil orders without the personal data set out in this Section, the provision of such personal data constitutes a precondition for entering into the contract.

 
4.4. Data processing relating to contact
Via our Website, Users may request assistance and information from our colleagues under the “Kérdezek” (Ask us) tab. The related data processing is set out below.

4.4.1. Personal data processed and the purpose of processing
Personal data processed:

name: identification of the User
e-mail address: contact and, if services are used, ongoing communication with the User
4.4.2. Legal basis of processing
If the User contacts us for the purpose of general information, our processing is based on law; having regard to Article 6(1)(c) and (2) GDPR, Section 5(1)(b) Infotv. and Sections 13/A(1) and (3) Elkertv.

If the User contacts us for the purpose of ordering products, processing is necessary for taking steps at the request of the User prior to entering into a contract (Article 6(1)(b) GDPR).

Where the User acts as a contact person on behalf of a legal entity, the legal basis of processing such personal data is the legitimate interests of us and of the legal entity represented by the User (Article 6(1)(f) GDPR). Both parties have a legitimate interest in ensuring effective business communication during the ordering process and in providing information about any material matters relating to the contract between them to their designated representatives. The contact person’s right to informational self-determination is not adversely affected, as it is part of his/her job or contractual obligations to facilitate communication between the parties and to provide his/her personal data for this purpose.

4.4.3. Duration of processing
We process personal data until the purpose of processing has been achieved.

4.4.4. Method of processing
In both electronic and paper form.

 
4.5. Data processing relating to registration
Users may register on our Website and subsequently participate in a loyalty / regular customer programme. The related data processing is as follows.

4.5.1. Personal data processed and the purpose of processing
Personal data processed:

name: identification of the User
address: provision of additional information relating to orders
e-mail address: communication with the User
phone number: communication with the User
password: performance of technical operations
4.5.2. Legal basis of processing
Processing based on law; having regard to Article 6(1)(c) and (2) GDPR, Section 5(1)(b) Infotv. and Section 13/A(1) Elkertv.

4.5.3. Duration of processing
Until deletion upon the User’s request. Where the User does not use his/her account or profile, we will delete it 5 years after the last order.

As regards data stored in the loyalty scheme, we process the personal data provided there until the User withdraws consent.

4.5.4. Method of processing
In electronic form.

 
4.6. Data processing relating to customer service
We operate a customer service on our Website in order to respond to Users’ queries and to investigate potential complaints.

4.6.1. Personal data processed and the purpose of processing
Personal data processed:

name: identification of the User
e-mail address: communication with and provision of information to the User
phone number: communication with and provision of information to the User
4.6.2. Legal basis of processing
Processing based on law; having regard to Article 6(1)(c) and (2) GDPR, Section 5(1)(b) Infotv. and Act CLV of 1997 on Consumer Protection (Fgytv.).

4.6.3. Duration of processing
For 5 years from receipt of the complaint, having regard to Section 17/A(7) Fgytv.

4.6.4. Method of processing
In electronic form.

 
5. What rights do Users have?
We attach great importance to ensuring that our data processing complies with the requirements of fairness, lawfulness and transparency. Accordingly, in this Section we briefly present the individual data subject rights, which are then explained in more detail in Annex 3 to this Notice.

Our Users may request free information about the details of the processing of their personal data and, in cases specified by law, may request the rectification, erasure, blocking or restriction of their data and may object to the processing of such personal data. Requests for information and any requests under this Section may be sent by the User to our contact details specified in Section 2.

5.1. Right of access
Our Users are entitled to receive confirmation from us as to whether or not their personal data are being processed, and, where that is the case, to access such personal data and information on the details of processing.

5.2. Right to rectification
At the User’s request, we rectify without undue delay any inaccurate personal data relating to the User, and the User is also entitled to request the completion of incomplete personal data, including by means of a supplementary statement.

5.3. Right to erasure
At the User’s request, we erase personal data relating to the User if we no longer need such data for processing, or if the User withdraws consent, or objects to the processing, or if processing is unlawful.

5.4. Right to be forgotten
If the User so requests, we will endeavour to inform all controllers to whom the User’s potentially publicly disclosed personal data have been or may have been made available of the User’s request for erasure.

5.5. Right to restriction of processing
At the User’s request, we restrict processing if the accuracy of personal data is contested, or processing is unlawful, or the User has objected to processing, or if we no longer need the personal data provided.

5.6. Right to data portability
Our User has the right to receive the personal data concerning him/her, which he/she has provided to us, in a structured, commonly used and machine-readable format, and has the right to transmit those data to another controller.

5.7. Right to object
Our User has the right, on grounds relating to his/her particular situation, to object at any time to processing of personal data based on legitimate interest (see Section 3.5.2). In such a case we shall no longer process the personal data unless we demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the User or which relate to the establishment, exercise or defence of legal claims. If the User objects, personal data shall no longer be processed for this purpose.

5.8. Response to requests
We examine the request as soon as possible, but within a maximum of 30 days – or 15 days in the case of an objection – from its submission, decide on its merits and notify the applicant in writing. If we do not comply with the User’s request, our decision will set out the factual and legal reasons for refusing the request.

5.9. Remedies
We place great emphasis on the protection of personal data and on respect for Users’ right of informational self-determination, and therefore strive to respond to all requests properly and within the prescribed time-limits. For this reason, we kindly ask Users to first contact us – for the purpose of lodging a complaint – with any concerns, so that any disputes can be resolved amicably.

If this does not lead to a satisfactory outcome, our User may:

bring an action before the courts under Act V of 2013 on the Civil Code (proceedings may also be initiated before the regional court having jurisdiction at the User’s place of residence or habitual residence; the list of regional courts and their contact details is available at: http://birosag.hu/torvenyszekek); and
lodge a complaint with the Hungarian National Authority for Data Protection and Freedom of Information (NAIH) under the Infotv. (address: 1055 Budapest, Falk Miksa utca 9–11.; phone: +36-1-391-1400; fax: +36-1-391-1410; e-mail: ugyfelszolgalat@naih.hu; website: https://www.naih.hu).
 
6. Our procedure for handling rights-related requests
6.1. Notification of recipients
We notify all recipients to whom the personal data of the User have been disclosed of any rectification, erasure or restriction of processing, unless this proves impossible or involves disproportionate effort. At the User’s request, we inform the User about those recipients.

6.2. Method and time-limit of information
We provide information on measures taken pursuant to requests relating to Section 5 within one month of receipt of the request, in electronic form unless the User requests otherwise. Where necessary, this period may be extended by two further months taking into account the complexity and number of the requests. We will inform the User of any such extension within one month of receipt of the request, together with the reasons for the delay.

At the User’s request, information may also be provided orally, provided that the User’s identity has been otherwise verified.

If we do not act on the User’s request, we shall inform the User without delay and at the latest within one month of receipt of the request of the reasons for not taking action and of the possibility of lodging a complaint with the NAIH and seeking judicial remedy (Section 4.9).

6.3. Verification
In exceptional cases, where we have reasonable doubts concerning the identity of the natural person making the request, we may request the provision of additional information necessary to confirm the identity of the data subject. This measure is necessary in order to promote the confidentiality of processing as required by Article 5(1)(f) GDPR, i.e. to prevent unauthorised access to personal data.

6.4. Costs of information and measures
We provide information and take measures relating to requests connected to Section 4 free of charge.

Where a User’s request is manifestly unfounded or – in particular because of its repetitive character – excessive, we may, taking into account the administrative costs of providing the information or communication or taking the action requested, either:

charge a reasonable fee, or
refuse to act on the request.
 
7. Possible recipients of personal data, processors
7.1. In connection with the operation of our Website
Our Website hosting provider and the operator of our newsletter system, acting as processors, are entitled to have access to Users’ personal data provided on the Website. The processor’s details are as follows:

Name: Global Information Technologies Kft.
Registered seat / e-mail: 8243 Balatonakali, Liliom utca 17. / info@makeitonline.hu
Website: https://makeitonline.hu

7.2. In connection with the fulfilment of orders
The delivery of products to our customers is carried out by iLogistic Kft., acting as processor. The processor’s details:

Name: iLogistic Kft.
Address: 2051 Biatorbágy, Verebély László utca 2.
Website: https://ilogistic.hu

7.3. In connection with social media platforms and other websites
Our Website is also present on several social media platforms (e.g. Facebook); thus, if the User “likes” our page on Facebook or registers on our Website via Facebook, we may gain access to all personal data linked to the User’s profile and made available to the public. For data processing carried out on those platforms, the relevant information is set out in the given service provider’s own privacy policy. We do not accept responsibility for the data processing practices of websites visited by the User via links placed on our Website.

7.4. In connection with invoicing
In relation to invoicing, the tax authority is entitled, in the course of its activities, to have access to the personal data provided by Users for this purpose. Details of the tax authority:

Name: Nemzeti Adó- és Vámhivatal (National Tax and Customs Administration of Hungary)
Website and contact: https://www.nav.gov.hu/nav/kapcsolat

 
8. Data security
Our employees and those of our processors are entitled to access Users’ personal data only to the extent necessary for the performance of their tasks. We take all security, technical and organisational measures necessary to guarantee the security of the data.

8.1. Organisational measures
Access to our IT systems is granted on the basis of personal access rights. When allocating access rights, the “need-to-know and need-to-use” principle applies, meaning that each employee may use our IT systems and services only to the extent necessary for the performance of his/her tasks, with the corresponding access rights and for the necessary period of time. Only persons who are not restricted for security or other reasons (e.g. conflict of interest) and who have the professional, business and information security knowledge necessary for their safe use may be granted access.

We and our processors undertake strict confidentiality obligations in writing and must comply with these confidentiality rules while performing our activities.

8.2. Technical measures
Except for data stored by our processors, we store data on our own equipment in a data centre. The IT equipment used to store data is placed separately in a closed server room, protected by a multi-level access control system.

We protect our internal network with a multi-layered firewall system. At all entry points of public networks used, there is always a hardware firewall (border protection device). We store data in a redundant manner, i.e. in several locations, in order to protect them from destruction, loss, damage resulting from IT equipment failure and from unlawful destruction.

We protect our internal networks from external attacks with multi-level, active, complex protection against malicious code (e.g. virus protection). Any essential external access to the IT systems and databases operated by us is established via encrypted connections (VPN).

We strive to ensure that our IT equipment and software continuously comply with generally accepted technological standards in commercial practice.

When developing our systems, we design them in such a way that operations carried out can be monitored and traced by means of logging, and that incidents, such as unauthorised access, can be detected.

Our server is located on a separate, dedicated server of the hosting provider, in a protected and closed environment.

Taking into account the recommendation of the NAIH on the data protection requirements of data processing on political parties’ websites, our Website uses the https protocol, which ensures a higher level of data security compared to the http protocol.

 
9. Cookies
To ensure the proper functioning of our Website, in some cases we place small data files (cookies) on the User’s device, as most modern websites do.

9.1. What is a cookie?
A cookie is a small text file that a website places on the User’s device (including mobile phones). It allows the website to “remember” the User’s settings (such as language used, font size, display preferences, etc.), so that they do not need to be set again each time the User visits our Website.

Types of cookies used on the Website
Session cookies: temporary cookie files that are deleted when the browser is closed. If the User restarts the browser and returns to the site that created the cookie, the site will treat the User as a new visitor.
Persistent cookies: remain in the browser until the User deletes them manually or until they are deleted by the browser after the expiry date set in the cookie. These cookies recognise the User as a returning visitor.
Strictly necessary cookies: indispensable for the proper functioning of the www.performate.gg website. These enable the User to navigate the site and use its features.
Cookies sending information to us: these are cookies that we place on the www.lampaszalon-hu website and only that website can read them. These are so-called “first-party cookies”.
These cookies can be deleted or blocked by the User; however, in such a case the Website may not function properly.

We do not use cookies to personally identify the User. Cookies are used solely for the purposes described above.

 
10. Miscellaneous provisions
10.1. Data collection relating to activity
We may collect data about Users’ activity, which cannot be linked to other data provided by the User at the time of registration, nor to data generated when using other websites or services.

10.2. Processing for a different purpose
If we intend to use data provided for a purpose other than that for which they were originally collected, we will inform Users thereof and obtain their prior, explicit consent, or provide them with the possibility to object to such further processing.

10.3. Record-keeping obligation
We maintain records of processing activities under our responsibility (records of processing activities) in accordance with Article 30 GDPR.

10.4. Personal data breach
A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. In the event of a personal data breach, we are required to act in accordance with Articles 33 and 34 GDPR. We keep a record of personal data breaches, indicating the relevant facts, their effects and any remedial action taken.

10.5. Amendments
We reserve the right to unilaterally amend this Notice at any time.

Effective as of: 1 November 2024

 
Annex 1 – Relevant legislation
When drafting this Notice, the Controller has taken into account the applicable laws and relevant international recommendations, in particular the following:

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR);
Act CXII of 2011 on the Right of Informational Self-Determination and Freedom of Information (Infotv.);
Act V of 2013 on the Civil Code (Ptk.);
Act CXXX of 2016 on the Code of Civil Procedure (Pp.);
Act C of 2000 on Accounting (Accounting Act);
Act CLV of 1997 on Consumer Protection (Fgytv.);
Act CVIII of 2001 on Certain Issues of Electronic Commerce Services and Services Related to the Information Society (Elkertv.).
 
Annex 2 – Definitions relating to the processing of personal data
controller: the legal person which, alone or jointly with others, determines the purposes and means of the processing of personal data;
processing: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
data transfer: making data available to a specific third party;
erasure: rendering data unrecognisable in such a way that their restoration is no longer possible;
marking of data: marking data with an identifier for the purpose of distinguishing them;
restriction of processing: marking stored personal data with the aim of limiting their processing in the future;
destruction of data: complete physical destruction of the data-carrying medium;
processor: any legal person which processes personal data on behalf of the controller;
recipient: a natural or legal person, public authority, agency or another body, to which/to whom the personal data are disclosed, whether or not a third party;
cookie: a small data package (text file) sent by the web server and placed for a specified period on the User’s computer, which, depending on its nature, may be supplemented by the server on subsequent visits; that is, if the browser returns a previously saved cookie, the service provider handling the cookie can link the User’s current visit to previous visits, but only in respect of its own content;
data subject / user: an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to that natural person’s physical, physiological, genetic, mental, economic, cultural or social identity;
third party: a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
consent of the data subject: any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
IP address: in any network in which communication is carried out according to the TCP/IP protocol, servers have IP addresses (identification numbers) which enable them to be identified on the network. Every computer connected to a network has an IP address by which it can be identified;
personal data: any information relating to an identified or identifiable data subject;
objection: the data subject’s statement by which he or she objects to the processing of his or her personal data and requests the termination of processing and the erasure of the data.
 
Annex 3 – Rights of data subjects
Access
The User has the right, upon submitting a request via any of our contact channels, to obtain access to personal data processed by us. In this context, the User receives information on:

whether or not his/her personal data are being processed;
the purposes of processing;
the categories of personal data concerned;
the recipients or categories of recipients to whom personal data have been or will be disclosed;
the envisaged period for which personal data will be stored;
his/her rights;
available remedies;
information on the sources of the data.
The User may also request a copy of the personal data undergoing processing. In that case, we provide the personal data in a structured, commonly used and machine-readable format (PDF/XML) and, if requested, in printed paper form. One copy is provided free of charge.

Rectification
The User has the right, upon a request submitted via our contact channels, to obtain the rectification of inaccurate personal data relating to him/her and the completion of incomplete data. Where we do not have the information necessary to rectify or complete inaccurate information, we may ask the User to submit such additional data and to verify the accuracy of the data. Until the data can be rectified or completed – due to missing additional information – we restrict the processing of the relevant personal data; all operations on such data – other than storage – are temporarily suspended.

Erasure
The User has the right, upon a request submitted via our contact channels, to obtain the erasure of personal data concerning him/her where one of the following grounds applies:

we no longer need the data for the purposes for which they were collected;
the User has concerns about the lawfulness of our processing.
If, on the basis of the User’s request, we determine that the conditions for erasure are met, we cease processing the data and destroy the personal data previously processed. In addition, the obligation to erase personal data may arise from the withdrawal of consent, the exercise of the right to object, or from statutory obligations.

Restriction of processing
The User has the right, upon a request submitted via our contact channels, to obtain the restriction of processing of personal data concerning him/her in the following cases:

the User has concerns about the lawfulness of our processing and requests restriction instead of erasure;
we no longer need the data, but the User requires them for the establishment, exercise or defence of legal claims.
We automatically restrict the processing of personal data where the User contests the accuracy of the personal data, or where the User exercises his/her right to object. In such cases, the restriction applies for a period enabling us to verify the accuracy of the personal data or to determine whether the conditions for continuing processing are met.

During the period of restriction, no processing operations may be performed on the designated personal data except for storage. Personal data subject to restriction may be processed only:

with the data subject’s consent;
for the establishment, exercise or defence of legal claims;
for the protection of the rights of another natural or legal person;
for important reasons of public interest.
We will inform Users in advance of the lifting of the restriction.

Data portability
The User has the right, upon a request submitted via our contact channels, to obtain the personal data concerning him/her that we process, for further use as specified by the User. The User may also request that we transmit those personal data to another controller designated by the User.

This right is limited to personal data that the User has provided to us and which we process for the performance of a contract. Other data are not subject to portability. We provide the personal data in a structured, commonly used and machine-readable format (PDF/XML) and, if requested, in printed paper form.

We inform the User that exercising this right does not automatically entail erasure of personal data from our systems. The User remains free to contact us again or to continue to maintain a relationship with us after data portability.

Objection
The User has the right, upon a request submitted via our contact channels, to object at any time to the processing of his/her personal data for the purposes set out in Section 4.5.2. In such cases, we examine whether processing is justified by compelling legitimate grounds which override the interests, rights and freedoms of the User or are related to the establishment, exercise or defence of legal claims. If we determine that such grounds exist, we continue processing the personal data. Otherwise, we cease to process the personal data.
