Privacy notice
CHAPTER I. NAME OF THE CONTROLLER

The publisher of this information and the Data Controller is: Data Controller: „CSERESZNYEFA UTCA” Trading and Service Company Limited by Shares Company Registration number: 02-06-066627 Tax number: 20111920-1-02 Registered office: 7625 Pécs, Szikla utca 2/1. e-mail address: szitakotosuli@gmail.com website address: www.szitakotokreativsuli.hu (hereinafter referred to as the "Data Controller")

CHAPTER II. DESIGNATION OF DATA PROCESSORS

Processor: a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller. 1. The operation carried out by him is the storage of personal data on the server. The name of this data processor is. Registered number: 38025280 Tax number: 66715306142 Representative. The name of this data processor is. Registered office: 7627 Pécs, Vadász utca 52, 1st floor, door 2 Company registration number: 02-09-088133 Tax number: 32479092-1-02 Representative: Eszter Tóth

CHAPTER III. CONTRACTUAL AND CONSENT-BASED PROCESSING

1. Processing of data of contracting partners 1) The Data Controller may process the name, name at birth, date of birth, mother's name, address, tax identification number of the natural person contracted with it for the purpose of the conclusion, performance, termination of the contract, or the granting of a contractual discount, tax identification number, entrepreneur's or self-employed person's identity card number, personal identification card number, address, address of registered office, address of premises, telephone number, e-mail address, website address, bank account number, customer number (customer number, order number), online identifier (customer list, supplier list, frequent buyer lists). This processing is also considered lawful if it is necessary to take steps at the request of the data subject prior to the conclusion of the contract. Recipients of personal data: employees and agents of the Data Controller performing customer service tasks, employees and agents of the Data Controller performing accounting and tax tasks and data processors. 2) The natural person concerned must be informed before the processing starts that the processing is based on the legal basis of the performance of the contract, this information may also be provided in the contract. The data subject shall be informed of the transfer of his or her personal data to a processor. The text of the data processing clause relating to the contract with the natural person is set out in Annex 3 to the Data Processing Policy. 2) Purpose of the processing of personal data: performance of a contract with a legal entity partner of the Data Controller, business relationship, legal basis: consent of the data subject. 4) Duration of the storage of personal data: 5 years after the business relationship or the data subject's capacity as a representative has been established. 5) The model of the data collection form is set out in Annex 4 to the Privacy Policy. This form must be presented by the employee in contact with the customer to the person concerned and the latter must give his/her consent to the processing of his/her personal data by signing the form or, in the case of a contract with the customer, by indicating the content of the form in the contract. The declaration must be kept for the duration of the processing. 3. The purpose of the cookie is to make the given infocommunication, internet service easier and more convenient. There are several types, but they generally fall into two broad categories. One is the temporary cookie, which is placed on the user's device by the website only during a particular session (e.g. during the security identification of an online banking transaction), and the other is the persistent cookie (e.g. a website's language setting), which remains on the computer until the user deletes it. According to the European Commission's guidelines, cookies [unless strictly necessary for the use of the service] can only be placed on the user's device with the user's consent. It is not necessary for the full text of the cookie notice to be displayed on the website, it is sufficient for website operators to briefly summarise the substance of the notice and provide a link to the full notice. 3) In the case of cookies requiring consent, the information may also be linked to the first visit to the website, if the processing of data associated with the use of cookies starts as soon as the page is visited. Where the use of the cookie is linked to the use of a function explicitly requested by the user, the information may also be provided in relation to the use of that function. Even in this case, it is not necessary for the full text of the cookie notice to be displayed on the website, a brief summary of the substance of the notice and a link to the full notice. 4) The use of cookies on the website should be disclosed to the visitor in the privacy notice. By means of this notice, the Data Controller shall ensure that the visitor is informed, before and at any time during the use of the information society services of the website, of the types of data processed by the Data Controller for which purposes, including the processing of data which cannot be directly linked to the user. 5. 5) In the event of publication of illegal or offensive content, the Data Controller may exclude the person concerned from membership or delete his/her posts without prior notice. The Data Controller is not liable for any errors, malfunctions or problems resulting from changes in the operation of Facebook. Links to social media providers / social media browser plug-ins. The social browser plug-ins are not initially activated and do not interact with Facebook or other social network operators„ servers without being activated. By activating these deactivated browser plug-ins on the Controller's website, the data subject consents to the transfer of his or her personal data referred to in this section to the social networks. Once activated, the social browser plug-ins will contact the relevant social network. You can then click again to send a recommendation within that social network. If you are already logged in to a social network when you visit the Data Controller's website, no further login dialog box will appear. When you activate social browser plug-ins that are initially switched off, the plug-ins will contact the servers used by the social networks. Each of these social browser extensions will transmit data to the social network. The Data Controller has no control over the amount of data collected by the social network through the social browser extension. If you are already logged in to a social network when you visit our website, the operator of that social network may associate your visit to that social network with your account when you activate the social browser extension. When using social browser plug-in functions (e.g. ”Like„ button, comments, etc.), the relevant information is transmitted directly from the data subject's browser to the social network concerned, where it is stored. The same happens when you click on the corresponding icon to go to the social media operator's website. The social networks may receive and store the IP address and browser and operating system information of the device used by the data subject, even if the data subject is not a member of the social network, after activating the social browser plug-ins. For information on the scope and purposes of the collection, processing and use of data by social networks, please read the privacy notice. The data subject may withdraw his or her consent at any time by turning off the social networking sites. The Controller's websites also contain simple links to Facebook and Instagram. In such cases, data are only transferred to these social media operators when the data subject clicks on the relevant icon (e.g. the ”f„ icon for Facebook or the ”g+„ icon for Google Plus). When the data subject clicks on that icon, the page of that social media operator opens in the form of a pop-up window. On these pages, the data subject may post information about our products in accordance with the social media operator's policies. Data processed: date, time of access to the website, IP address of the data subject and information on the operating system. The Data Controller has no control over the amount of data collected by the social network through the social browser extension. Legal basis for processing. Article 5(1)(a) of the GDPR, Article 6(1)(a) of the GDPR. Purpose of data processing: simple sharing of the data displayed on the website of the Data Controller and the data recorded on the individual social networking sites, displaying additional information, enhancing the user experience Duration of data processing: until the social networking sites are deactivated (until consent is withdrawn) Data transmission: Each social browser plug-in transfers data to the respective social network Legal basis for data transfer: - Data processor: - Method of data provision: voluntary The Data Controller uses plug-ins for the following social networks: - Facebook (operator: Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA) - Google Plus (operator: Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) - Online forms for data requests by the Data Controller. These forms are only used as input screens, no data is stored and the data is directly transferred to the Controller's computer system (Webgalamb). The online forms are intended to support specific activities or processes, such as enquiries from the Data Controller's business partners, online registration, customer messages, referral coupons, business partner subscriptions. Scope of the data processed: depending on the activities or processes mentioned above, recorded by the customer, partner or employee concerned: date of recording, name, address, telephone number, e-mail address of the customer/partner, name of the product concerned, code number, date of purchase, description of the defect/phenomenon/feature, warranty conditions, other comments, opinions and messages. Legal basis for processing: voluntary consent of the data subject (Info tv. Article 5 (1) (a)) of Act CVIII of 2001 on certain aspects of electronic commerce services and information society services, Article 13/A. Purpose of data processing: sending data and information to the Data Controller Duration of data processing: until the withdrawal of consent to data processing (retention of information on complaints to ensure legal compliance 8+1 years) Data transfer: not applicable Legal basis for data transfer: - Data processor: - Method of data transfer: voluntary Google Analytics, AdWords The Data Controller also uses the Google Analytics web analytics service provided by Google Inc. Google Analytics also uses cookies. The information generated by the cookies about the data subject's use of the website is usually transmitted to a Google server in the USA and stored there. Prior to this, Google will shorten the IP address of the data subject within the Member States of the European Union and the States party to the Agreement on the European Economic Area. Full IP addresses will only be transmitted for shortening to Google servers in the USA in exceptional cases. On behalf of the website operator, Google will use this information to evaluate your use of the website, compile reports on website activity for the website operator and provide the website operator with additional services relating to website and internet use. The IP address transmitted by the data subject's browser via Google Analytics will not be linked to any other data held by Google. The data subject may refuse the use of cookies by selecting the appropriate settings on his or her browser. The data subject may also opt-out of the collection and processing by Google of data (including the data subject's IP address) generated by cookies about the data subject's use of the website by uninstalling and installing the browser plug-in at https://tools.google.com/dlpage/gaoptout?hl=en AdWords client, which is also used by the Data Controller to track the Google Conversion Tracking, a service provided by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (”Google„). Google AdWords displays the Controller's pages on the Google advertising platform. When the data subject clicks on a Google advertisement and enters the website of the Data Controller, Google AdWords places a cookie (”conversion cookie„) on the device used by the data subject. This cookie expires after 30 days. The cookie will not be used for identification purposes. As long as the cookie is valid, when the data subject visits certain pages, the Data Controller and Google will see that someone has clicked on the advertisement that redirected the user to the Data Controller's website. Each AdWords client receives a different cookie. Cookies are therefore not tracked through the AdWords client websites. The information collected by the conversion cookie is used to generate conversion statistics for AdWords customers who opt for conversion tracking. AdWords clients can see how many users clicked on their own ad and were redirected to a specific page using the conversion ID (the AdWords account of the Data Controller is associated with the email address szitakotosuli@gmail.com). If the data subject does not wish to participate in the tracking process, he or she can refuse to allow the system to place the necessary cookies - for example, by setting his or her browser not to allow cookies to be placed automatically. You can also prevent the placement of conversion cookies by setting your browser to block cookies from the domain ”googleadservices.com„. Duration of processing. Other cookies remain on the data subject's device (usually for one month) and allow the Data Controller to recognise the data subject's browser on the next visit (persistent cookies). In the case of Google Adwords, the data retention period is 14 months. Legal basis for data transfer: - Processor: - Method of data provision: voluntary

CHAPTER IV. PROCESSING BASED ON LEGAL OBLIGATIONS

1. Data processing for the purpose of fulfilling tax and accounting obligations 1) The Data Controller processes the data of natural persons who have business relations with the Data Controller as customers or suppliers for the purpose of fulfilling legal obligations, tax and accounting obligations (accounting, taxation) as provided by law. §-of the Act on Personal Income Tax of 2000 on accounting: name, address, designation of the person or organisation ordering the transaction, signature of the person ordering the transaction and the person certifying the execution of the order, and, depending on the organisation, the signature of the controller; on the receipts of stock movements and cash management vouchers, the signature of the recipient, and on the counterfoils, the signature of the payer, and on the basis of Act CXVII of 1995 on Personal Income Tax: entrepreneur's identity card number, farmer's identity card number, tax identification number. 2) The period of storage of personal data is 8 years after the termination of the legal relationship giving rise to the legal basis. 3) Recipients of the personal data: employees and data processors of the Data Controller performing tax, accounting, payroll and social security tasks. 1) The Data Controller processes the personal data of the data subjects - employees, their family members, workers, recipients of other benefits - to whom it is related as a payer (Act CL of 2017 on the Order of Taxation (Art.), Article 7.31.), for the purposes of fulfilling its legal obligations, tax and contribution obligations prescribed by law (tax, advance tax, contributions, payroll, social security, pension administration). The scope of the data processed is defined in Art. 50.§ of the Art. 40.) and trade union membership (Section 47(2) b./) for the purposes of tax and contribution obligations (payroll accounting, social security administration). 3) Recipients of the personal data: employees and processors of the Data Controller performing tax, payroll, social security (payroll) tasks. 3.): a) the surname and forename of the natural person, b) the surname and forename of birth, c) the nationality, d) the place and date of birth, e) the mother's name at birth, f) the address, or, in the absence thereof, the place of residence, g) the type and number of the identification document; the number of the official identity card proving the address, copies of the documents presented. (§ 7).2) Recipients of personal data: employees and agents of the Controller performing customer service tasks, the Controller's manager and the Controller's designated person pursuant to the Act on the Protection of Personal Data. 3) The period of storage of personal data is 8 years from the termination of the business relationship or from the execution of the transaction order.

CHAPTER V. RIGHTS OF THE DATA SUBJECT

1. Right to prior information The data subject shall have the right to be informed of the facts and information relating to the processing prior to the start of the processing.2. Right of access by the data subject The data subject shall have the right to obtain from the controller feedback as to whether or not his or her personal data are being processed and, if such processing is ongoing, the right to access the personal data and related information specified in the Regulation. 3. Taking into account the purposes of the processing, the data subject shall have the right to obtain the rectification of incomplete personal data, including by means of a supplementary declaration. Right to erasure („right to be forgotten”) The data subject shall have the right to obtain from the controller, upon his or her request, the erasure of personal data relating to him or her without undue delay and the controller shall be obliged to erase personal data relating to him or her without undue delay where one of the grounds specified in the Regulation applies. 6. 7.Right to data portability Subject to the conditions set out in the Regulation, the data subject shall have the right to receive personal data relating to him or her which he or she has provided to a controller in a structured, commonly used, machine-readable format and to transmit those data to another controller without hindrance from the controller to which he or she has provided the personal data. 8. Right to object The data subject shall have the right to object at any time, on grounds relating to his or her particular situation, to the processing of his or her personal data on the basis of Article 6(1)(e) (processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller) or (f) (processing necessary for the purposes of the legitimate interests pursued by the controller or by a third party) of the Regulation. 9. Automated decision-making in individual cases, including profiling The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her. 10.Restrictions Union or Member State law applicable to the controller or processor may, by means of legislative measures, restrict the rights and obligations set out in Articles 12 to 22 and Article 34 and in Articles 12 to 22 11.Informing the data subject of the personal data breach Where the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall inform the data subject of the personal data breach without undue delay. 12.Right to lodge a complaint with a supervisory authority (right of official redress) The data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement, if the data subject considers that the processing of personal data relating to him or her infringes the Regulation. 13. Right to an effective judicial remedy against a supervisory authority Every natural or legal person has the right to an effective judicial remedy against a legally binding decision of a supervisory authority which is addressed to him or her, or where the supervisory authority does not deal with the complaint or does not inform the data subject within three months of the procedural developments concerning the complaint lodged or of the outcome of the complaint. 14. Further details on how to ensure the rights of the data subject are set out in the Regulation.

CHAPTER VI. SUBMISSION OF THE DATA SUBJECT'S REQUEST, ACTIONS BY THE CONTROLLER

1. The Data Controller shall inform the data subject of the action taken on his/her request to exercise his/her rights without undue delay and in any event within one month of receipt of the request.2. The Data Controller shall inform the data subject of the extension of the time limit, stating the reasons for the delay, within one month of receipt of the request. If the data subject has made the request by electronic means, the information shall be provided by electronic means where possible, unless the data subject requests otherwise. 4. If the controller does not act on the data subject's request, it shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for the failure to act and of the possibility for the data subject to lodge a complaint with a supervisory authority and to exercise his or her right of judicial remedy. 5. Where the data subject's request is manifestly unfounded or excessive, in particular because of its repetitive nature, the Controller may, taking into account the administrative costs of providing the information or information requested or of taking the action requested: a) charge a proportionate fee, or b) refuse to act on the request. Where the Controller has reasonable doubts as to the identity of the natural person making the request, it may request the provision of further information necessary to confirm the identity of the data subject. „CSERESZNYEFA UTCA” Ltd., 2018. v1.0.