PRIVACY STATEMENT

HD-ROTATECH Kft. PRIVACY AND DATA PROCESSING INFORMATION

I. Introduction, Purpose, and Scope of the Privacy and Data Processing Statement

1.1 The purpose of this Statement is to establish the principles of privacy and data processing applied by HD-Rotatech Ltd. (located at 2371 Dabas, Bánki Donát út 7528/5. hrsz., hereinafter referred to as the Company) and the Company's privacy and data processing policy, which the Company, as the data controller, acknowledges as binding upon itself.

1.2 This Statement contains the principles of handling Personal data provided by Users on the Services' websites. The aim of this statement is to ensure, in all areas of the services provided by the Company, for every individual, regardless of nationality or place of residence, the respect of their rights and fundamental freedoms, particularly the right to privacy, during the processing of their personal data (data protection).

1.3 In developing the provisions of this Statement, the Company has taken into particular account the Regulation (EU) 2016/679 of the European Parliament and of the Council ("General Data Protection Regulation" or "GDPR"), Act CXII of 2011 on informational self-determination and freedom of information ("Infotv."), Act V of 2013 on the Civil Code ("Ptk."), Act XLVIII of 2008 on the fundamental terms and limitations of economic advertising activity ("Grtv."), Act CVIII of 2001 on electronic commerce services and services related to the information society, Act C of 2000 on accounting (regarding the issuance and retention of documents), Act CXIX of 1995 on the processing of personal data for the purpose of research and direct business acquisition, and Act VI of 1998 on the proclamation of the Convention of Strasbourg of January 28, 1981, on the protection of individuals with regard to the processing of personal data, as well as the recommendations of the "ONLINE PRIVACY ALLIANCE."

1.4 Unless otherwise stated, this Statement does not apply to services and data processing related to promotions, contests, services, and other campaigns by third parties outside the Data Controller, as advertised on certain websites referred to in this Statement or otherwise. Similarly, unless otherwise stated, this Statement does not apply to services and data processing by providers to which links on the websites covered by this Statement lead. The data processing statements of third-party operators operating such services are applicable to such services, and the Data Controller assumes no responsibility for these data processing activities.

II. Data Controller; Definitions

2.1 Data Repository: the entirety of data managed in a registry.

2.2 Data Processing: any operation or set of operations performed on Personal data, irrespective of the applied procedure, including, in particular, the collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, transmission, dissemination, making available, alignment, or combination, restriction, erasure, and destruction of Personal data.

2.3 Data Controller: the entity that determines the purposes and means of the Data Processing – independently or jointly with others.

For the Services referred to in this Statement, the Data Controller is: • HD-Rotatech Kft. (located at 2371 Dabas, Bánki Donát 7528/5, registered at the Company Court of Pest County, registration number: 13-09-190660; tax number: 13752305-2-13; hereinafter referred to as the "Data Controller").

The Data Controller is a registered business entity in Hungary.

The Data Controller is engaged in courier services, operates websites, and is involved in the manufacturing and trading of tanks, providing products and services available on its websites.

2.4 Personal Data: any data or information based on which a natural person, the User, becomes identifiable, directly or indirectly.

2.5 Data Processor: a service provider who processes Personal data on behalf of the Data Controller. For the Services referred to in this Statement, data processors are the organizations listed in section 9.1 of this Statement.

2.6 Website(s): websites operated by the Data Controller: rotationalmouldingtools.com and the associated social media platforms.

2.7 Publication(s): Advertising leaflets, Product information.

2.8 Service(s): online publications operated by the Data Controller, periodic publications appearing, job advertisements displayed by the Data Controller, and services provided by the Data Controller, available on the Websites, Events, and Publications.

2.9 User: a natural person who registers for the Services and provides the data listed in section III below.

2.10 Employee: a natural person in an employment relationship or any other legal relationship involving work with the Data Controller.

2.11 Potential Employee: a natural person applying for a position announced by the Data Controller.

2.12 External Service Provider: third-party service providers engaged by the Data Controller for organizing events, contests, transportation, operating specific Websites, publishing periodic Publications, or providing Services accessible through the Websites, Publications, whether directly or indirectly, involving the transmission of Personal data to ensure their services, or who may transmit Personal data to the Data Controller. External service providers also include those providers who, not in collaboration with the Data Controller, by accessing the Websites' services, collect data about Users, which, either independently or combined with other data, may be suitable for identifying the User.

2.13 Information: this data processing information by the Data Controller.

2.14 Data Destruction: the complete physical destruction of the data carrier.

2.15 Data Transmission: making the data accessible to a specified third party; Disclosure: making the data accessible to anyone.

2.16 Data Deletion: making data unrecognizable in a way that their restoration is not possible.

2.17 Automated Data Set: a series of data subject to automatic processing.

2.18 Machine Processing: includes the following operations, whether carried out partially or wholly by automated means: data storage, logical or arithmetic operations on the data, alteration, deletion, retrieval, and dissemination of data.

2.19 System: the technical solutions operating the pages and services of the Data Controller and its partners accessible on the internet.

III. Scope of Processed User Personal Data

3.1 When the User visits any surface of the Website, the Data Controller's system automatically records the User's IP address.

3.2 Based on the User's decision, the Data Controller may process the following data related to the use of Services available through the Websites: name, residence, place of stay, phone number, email address, image, customer identification number registered with the Data Controller, and the content of telephone conversations with the Data Controller.

3.3 If the User sends a message (e.g., email, reader's letter) to any part of the Services, or contacts by phone, the Data Controller records the User's address, email address, phone number, call time, and manages them to the extent and duration necessary to provide the service.

3.4 The Data Controller processes the following Personal data about speakers and participants of events organized by them: name, professional title (e.g., Dr., Prof.), email address, position, phone number, secondary phone number, name of the company with which they are associated, sectoral and professional interests, membership rights entitling to discounts, and speakers' biographical data.

3.5 For occasional contests organized by the Data Controller, the following Personal data are processed: name, date of birth, address, email, phone number, occupation, membership in a pension fund, and the name of the pension fund the individual is affiliated with, as indicated in the announcement of the contest.

3.6 Regarding the webshop service, the Data Controller may process the following Personal data: name, residence, place of stay, phone number, email address, as well as Personal data related to the billing name and address provided by the User, and Personal data related to the products selected for purchase and the chosen payment method.

3.7 In connection with contracts with the Data Controller, the name, phone number, and email address of the legal or authorized representative of the contracting party and the contractual contact person may be processed.

3.8 Regardless of the above, it may occur that a service provider technically related to the operation of Services carries out data processing activities on one of the Websites without informing the Data Controller. Such activities do not qualify as Data Processing carried out by the Data Controller. The Data Controller makes every effort to prevent and filter out such data processing activities.

IV. Additional Scope of Data Processed by the Data Controller

4.1 For personalized service, the Data Controller places a small data package (so-called "cookie") on the User's computer. The purpose of the cookie is to ensure the high-quality operation of the specific page, provide personalized services, and enhance the user experience. The User can delete the cookie from their computer or configure their browser to disable the use of cookies. By disabling the use of cookies, the User acknowledges that the operation of the specific page is not fully functional without cookies.

4.2 In providing personalized services, the Data Controller processes the following Personal data through the use of cookies: demographic data (based on the data referred to in points 3.2 and/or 3.4) as well as information about interests, habits, preferences (based on browsing history).

4.3 Data technically recorded during the operation of systems: data generated during the use of the Services on the User's logging computer, automatically recorded by the Data Controller's system as a result of technical processes. This includes the User's IP address, the type of operating system and browser program used, data from the websites the User visited before reaching the page and those visited on the page, as well as the time and duration of the visit. The automatically recorded data is logged by the system automatically at login and logout without the User's separate statement or action. Only the Data Controller has access to the recorded data.
 

V. Purpose and Legal Basis of Data Processing

5.1 The purposes of the Data Processing conducted by the Data Controller are as follows: a) online content provision; b) maintaining business-related communication with the Company; c) user identification and communication with the user; d) identification of user rights (services available to the user); e) ensuring the provision of services accessible through the Company's websites; f) displaying personalized content and advertisements, compiling statistics; g) facilitating the customization of services used by the user and advertisements, utilizing convenience features; h) handling and managing individual user requests; i) creating statistics and analyses; j) direct business acquisition or marketing-related communication (e.g., newsletters, eDM, etc.); k) providing storage for user-generated content (e.g., comments, forums, etc.); l) organizing and conducting occasional contests, notifying winners, and providing prizes; m) establishing, defining, modifying, and monitoring contracts between parties in the case of webshop services, delivering ordered products or services, invoicing, and enforcing related claims, documenting the conformity of performance, fulfilling accounting obligations; n) maintaining records required by law about the employees of the Data Controller, sending declarations and reports; o) recruiting and selecting potential employees for the Data Controller; p) technical development of the information system; q) protecting the rights of users; r) asserting the legitimate interests of the Data Controller; s) facilitating the conclusion and performance of contracts within the scope of the Data Controller's activities. The data made available by users during the use of the services may be used by the Company to create user groups and display targeted content and/or advertisements on the Company's websites to these user groups. The Data Controller may process Personal data for the realization of any of the data processing purposes described in these points. The Personal data provided will not be used for purposes other than those stated in these points.

5.2 If the processing is based on the voluntary, informed declaration of the users, which includes the explicit consent of the users for the use of their Personal data or the Personal data generated about them during the use of the website, and in case of data transmission during data processing, this information is included in the notification. In the case of consent-based data processing, the user is entitled to withdraw their consent at any time, without affecting the lawfulness of the processing before the withdrawal. The Data Controller records the User's IP address when entering individual websites without the separate consent of the User, based on the legitimate interest of the Data Controller and for the lawful provision of services (e.g., to prevent illegal use or filter illegal content). The legal basis for data processing within the framework of content provision is to ensure the fundamental rights to information and freedom of expression within the limits defined by laws.

The legal basis for data processing in various services may be the voluntary consent of the user, as well as the contract concluded and fulfilled by the user, the provisions specified in the laws applicable to the Data Controller, and support for the Data Controller's marketing/sales activities. The user, as a buyer, by registering on the website or using the service, consents to the storage, processing, and use of their Personal data provided during registration or use of the service for the fulfillment of orders in accordance with the applicable legal regulations. The Personal data on the receipt issued by the Data Controller is processed in accordance with the provisions of the accounting law.

5.3 Data transmission to the processors specified in this Information is possible without the separate consent of the user. The disclosure of Personal data to third parties or authorities is only possible based on an official order or with the prior explicit consent of the user unless otherwise provided by law.

5.4 The user guarantees that the user has lawfully obtained the consent of the individuals' Personal data provided or made available by the user during the use of the services (e.g., posting user-generated content, etc.). The user is solely responsible for user-generated content uploaded or shared within the services.

5.5 When providing an email address and Personal data during registration, the user is responsible for ensuring that: a./ the provided data and consents are genuine and correspond to reality, b./ the user is the sole user of the service using the provided data. Due to this assumption of responsibility, any liability related to login activities on a given email address and/or data is solely the responsibility of the user who registered the email address and provided the data. If the user provided the data of a third party during registration for the use of the service, the responsibility lies with the user, and the Company is entitled to claim damages from the user. In such cases, the Company will provide all possible assistance to law enforcement authorities to determine the identity of the infringing person.

5.6 The Data Controller may conduct research related to the development, evaluation, improvement, and expansion of services and may create anonymous statistics related to the data it manages (hereinafter: Research Activity). During Research Activity, the Data Controller uses the data only in an anonymous manner, where the identity of individual users cannot be identified. The Company is entitled to use the anonymous research results for the development of services, the introduction of new services, and sending targeted online and traditional advertisements, as well as newsletters, to specific users. The user gives explicit consent to data processing for this purpose.

VI. Principles and Methods of Data Processing

6.1 The Data Controller handles Personal data in accordance with the principles of good faith, fairness, transparency, and the provisions of applicable laws and regulations outlined in this Notice.

6.2 The Data Controller processes the Personal data essential for using the services based on the explicit consent of the respective user and uses it strictly for the intended purpose.

6.3 The Data Controller processes Personal data only for the purposes specified in this Notice and relevant legal regulations. The scope of processed Personal data is proportionate to the purpose of data processing and may not exceed it.

6.4 In cases where the Data Controller intends to use Personal data for a purpose other than the original data collection, the user is informed, and explicit consent is obtained, or the user is provided with the opportunity to prohibit such use.

6.5 The Data Controller does not verify the accuracy of the provided Personal data; responsibility for the accuracy of the provided Personal data lies solely with the individual providing it.

6.6 Personal data of individuals under the age of 16 can only be processed with the consent of a parent or legal guardian exercising parental supervision. The Data Controller cannot verify the authority of the consenting person or the content of their statement, and therefore, the user or the legal guardian asserting parental supervision guarantees that the consent complies with legal requirements. In the absence of a consenting statement, the Data Controller does not process or collect Personal data related to individuals under the age of 16, except for the IP address used during the use of the service, which is automatically recorded due to the nature of online services.

6.7 The Data Controller does not transfer the Personal data it manages to any third party other than the specified Data Processors and, in certain cases referenced in this Notice, External Service Providers. An exception to this provision is the use of data in a statistically aggregated form, which, in no way, contains any data capable of identifying the individual user. Such use is not considered data processing or data transfer. In specific situations, such as official court or police requests, legal proceedings, infringement of copyrights, property rights, or other violations, or reasonable suspicion thereof, the Data Controller may make the available Personal data of the affected user accessible to third parties.

6.8 The Data Controller's system may collect data about user activity that cannot be linked to other data provided by users during registration or data generated during the use of other websites or services.

6.9 The Data Controller notifies the affected user and all those to whom the Personal data was previously transmitted for data processing purposes about the correction, restriction, or deletion of the processed Personal data. Notification may be omitted if it does not violate the legitimate interests of the affected user concerning data processing purposes.

6.10 The Data Controller ensures the security of Personal data by implementing technical and organizational measures and establishing procedural rules to protect the recorded, stored, or processed data. These measures aim to prevent accidental loss, unlawful destruction, unauthorized access, unauthorized use, and unauthorized alteration or dissemination of data. To fulfill this obligation, the Data Controller informs any third parties to whom Personal data is transmitted.

6.11 In accordance with the relevant provisions of the GDPR, the Data Controller appoints a Data Protection Officer:

Name of the Data Protection Officer: Róbert Hüse

Email address: hd-rotatech@hd-rotatech.hu

Phone number: +36305574772

VII. Duration of Data Processing

7.1 Automatically recorded IP addresses are stored by the Data Controller for a maximum period of 7 days after recording.

7.2 In the case of emails sent by the User, if the User is not otherwise registered, the Data Controller deletes the email address 90 days after the closure of the referenced case, unless, in specific cases, the legitimate interests of the Data Controller justify the further processing of Personal data until the existence of such legitimate interest.

7.3 The processing of Personal data provided by the User in connection with the services offered by the Data Controller will continue until the User unsubscribes from the specific service with the associated username or requests the deletion of Personal data. In such cases, the Personal data is deleted from the Data Controller's systems. Personal data provided by the User, even if the User does not unsubscribe from the service or only terminates access by deleting the registration, and comments and uploaded content stored therein will be processed by the Data Controller until the User expressly requests the termination of data processing in writing. A request for the termination of data processing does not affect the User's right to use the services associated with the subscription; however, the User may be unable to use certain services without providing Personal data. The Personal data of participants in events and contests organized by the Data Controller will be processed until the end of the respective event or contest, unless the User has consented to additional data processing for other purposes. For marketing purposes and the provision of Personal data for direct marketing, the Data Controller will continue to process data until the User requests its deletion.

7.4 In the case of the unlawful or deceptive use of Personal data or the commission of a crime by the User or a system attack, the Data Controller is entitled to immediately delete the Personal data upon the termination of the User's registration. However, in cases of suspicion of a crime or civil liability, the Data Controller is authorized to retain the Personal data for the duration of the proceedings.

7.5 Data automatically recorded during the operation of the system will be stored in the system for a period justified by the operational needs of the system. The Data Controller ensures that these automatically recorded data cannot be linked to other Personal data, except in cases required by law. If the User withdraws consent to the processing of Personal data or unsubscribes from the service, the technical data will not be identifiable with the User's identity, excluding law enforcement authorities and their experts.

7.6 If a court or authority orders the deletion of Personal data with legal force, the Data Controller will execute the deletion. Instead of deletion, the Data Controller may, with the User's request or if it can be presumed based on the available information that deletion would harm the User's legitimate interest, restrict the use of Personal data. The Data Controller will not delete the Personal data as long as the purpose of data processing that prevented the deletion of Personal data exists, unless a court or authority orders its deletion.

VIII. User Rights and Methods of Enforcement

8.1 The User may request any Data Controller to inform whether they process the User's personal data, and if so, provide access to the Personal data they process. Personal data provided by the User in connection with a specific Service can be viewed in the access system settings of the Services or on the profile pages associated with individual Services. Nevertheless, the User can request information about the processing of Personal data in writing at any time by sending a registered or return receipt letter to the address of the Data Controller or by emailing office@hd-rotatech.hu. The Data Controller considers a request for information sent by letter to be authentic if, based on the submitted request, the User can be clearly identified. An information request sent by email is considered authentic by the Data Controller only if it is sent from the User's registered email address; however, this does not preclude the Data Controller from identifying the User in other ways before providing the information. The information request may cover the data held by the Data Controller, their source, purpose, legal basis, duration, the names and addresses of any Data Processors, activities related to data processing, and, in the case of the transmission of Personal data, who received or will receive the User's data and for what purpose.

8.2 The User may request the correction or modification of Personal data processed by the Data Controller. Considering the purpose of the data processing, the User may request the supplementation of incomplete Personal data. Personal data provided by the User in connection with a specific Service can be modified in the access system settings of the Services or on the profile pages associated with individual Services. After the fulfillment of a request for the modification of Personal data, the previously (deleted) data cannot be restored.

8.3 The User may request the deletion of Personal data processed by the Data Controller. Deletion can be refused (i) for the exercise of the freedom of expression and information or (ii) if legislation authorizes the processing of Personal data; as well as (iii) for the presentation, validation, or defense of legal claims. The User is informed by the Data Controller in each case of the refusal to delete, indicating the reason for the denial. After the fulfillment of a request for the deletion of Personal data, the previously (deleted) data cannot be restored. Newsletters sent by the Data Controller can be unsubscribed through the unsubscribe link found in them. Upon unsubscribing, the Data Controller deletes the User's Personal data from the newsletter database.

8.4 The User may request the Data Controller to restrict the processing of Personal data if the User disputes the accuracy of the processed Personal data. In this case, the restriction applies for the period that allows the Data Controller to verify the accuracy of the Personal data. The Data Controller marks the Personal data it processes if the User disputes its accuracy or precision, but the inaccuracy or imprecision of the disputed Personal data cannot be clearly determined. The User may request the restriction of the processing of Personal data by the Data Controller even if the processing is unlawful, but the User opposes the deletion of the processed Personal data and instead requests the restriction of its use. The User may also request the restriction of the processing of Personal data by the Data Controller if the purpose of the processing has been achieved, but the User requires their processing by the Data Controller for the presentation, validation, or defense of legal claims.

8.5 The User may request the Data Controller to provide the Personal data provided by the User and processed by automated means in a structured, widely used, machine-readable format and/or to transmit it to another data controller.

8.6 The User may object to the processing of their Personal data by the Data Controller (i) if the processing of Personal data is necessary solely for the fulfillment of a legal obligation applicable to the Data Controller or for the exercise of the legitimate interests of the Data Controller or a third party; (ii) if the purpose of the processing is direct marketing, public opinion research, or scientific research; or (iii) if the processing is carried out to perform a task carried out in the public interest. The Data Controller examines the legality of the User's objection, and if the validity of the objection is established, the Data Controller terminates the processing, locks the processed Personal data, and informs all those to whom the Personal data affected by the objection were previously transmitted about the objection and the measures taken based on it.
 

IX. Data Processing

9.1 To perform its activities, the Data Controller engages the following Data Processors. The Data Controller does not use external Data Processors for sending a large quantity of direct online inquiries. The Data Controller does not use Data Processors to facilitate contact with participants at events organized by them.

Details of the hosting service provider:

Company name: Shoprenter Kereskedelmi és Szolgáltató Korlátolt Felelősségű Társaság (Shoprenter Commercial and Service Limited Liability Company) Registered office: 4028 Debrecen, Kassai út 129 Tax number: 23174108209 Company registration number: 09 09 020636 Customer service: Email: info@shoprenter.hu

The Data Controller does not use Data Processors for recording and storing phone calls.

9.2 Data Processors do not make independent decisions; they only act according to the contract concluded with the Data Controller and the instructions received.

9.3 The Data Controller monitors the work of Data Processors.

9.4 During the research activities, the Company may engage additional Data Processors for the processing, analysis, and evaluation of data.

9.5 Data Processors are only authorized to engage another data processor with the consent of the Data Controller.
 

X. External Service Providers

10.1 In order to provide the Services, the Data Controller may engage various External Service Providers, with whom the Data Controller collaborates. Regarding Personal data processed in the systems of External Service Providers, the guidelines in the privacy policy of the respective External Service Providers shall apply. The Data Controller makes every effort to ensure that External Service Providers handle the Personal data transmitted to them in compliance with the law and use them exclusively for the purposes defined by the User or as specified in this Privacy Policy.

10.2 External Service Providers for Registration or Login The Data Controller may cooperate with External Service Providers who provide applications facilitating registration and login for Users in connection with the provision of Services. Within this collaboration, certain Personal data (e.g., IP address, email, registration name) may be transferred to the Data Controller and/or Data Processor by these External Service Providers. These External Service Providers collect, process, and transmit Personal data according to their own privacy policies. External Service Providers cooperating with the Data Controller for Registration or Login include Facebook Inc.

10.3 Web Analytics and Ad-serving External Service Providers The Data Controller collaborates with web analytics and ad-serving External Service Providers in connection with the pages of the Services. These External Service Providers may have access to the User's IP address and, in many cases, use cookies, web beacons (web markers used to record the IP address and visited website on websites, occasionally in emails or mobile applications), clicktags (a marker code identifying a click on a specific ad), or other click trackers to personalize or analyze the Services, and compile statistics. Cookies placed by these External Service Providers can be deleted from the User's device at any time, and the use of cookies can generally be rejected by selecting the appropriate settings in the browser(s). Identification of cookies placed by External Service Providers can be based on the domain associated with the specific cookie. It is not possible to reject web beacons, clicktags, and other click trackers. These External Service Providers handle the transmitted Personal data in accordance with their own privacy policies.

Web analytics and ad-serving External Service Providers cooperating with the Data Controller may include:

• Google Analytics
• Gemius AdOcean
• Gemius Prism
• Google AdExchange
• Google Doubleclick for Publishers
• TEN Media
• Netadclick
• Hoppex

10.4 Payment Service External Providers For certain services provided by the Data Controller in exchange for consideration, or in connection with the provision of webshop services, the Data Controller contracts payment service External Providers. Payment service External Providers handle the Personal data provided to them (e.g., name, credit card number, bank account number, etc.) in accordance with the provisions of their own privacy policies, for which more information can be found on the respective payment service External Provider's website.

Payment service External Providers cooperating with the Data Controller include:

• Unicredit Bank
• OTP bank

10.5 External Service Providers Assisting in the Fulfillment of Contracts To ensure the provision of webshop services and the delivery of products ordered from them, the Data Controller engages courier services that qualify as data controllers concerning the user's Personal data provided to them (e.g., name, address, telephone number, email, etc.). External Service Providers assisting in the fulfillment of contracts handle the provided Personal data in accordance with the provisions of their own privacy policies, for which more information can be found on the respective website of the given payment service External Provider.

External Service Providers cooperating with the Data Controller include:

• Magyar Posta Zrt. (Hungarian Post), 1138 Budapest, Dunavirág utca 2-6.

10.6 Other External Service Providers There are External Service Providers with whom neither of the Data Controllers has a contractual relationship, or with whom they intentionally do not cooperate concerning the given data processing. However, they may still access the Website/Services, either through the User's involvement (e.g., linking their individual account to the Service) or without it. By doing so, they collect data about Users or user activities on the Services' websites, which, occasionally—either independently or combined with other data collected by these External Service Providers—may be suitable for identifying the User. Such External Service Providers may include, but are not limited to, Facebook Ireland Inc., Google LLC, Instagram LLC., Pinterest Ltd., Infogram Software Inc, PayPal Holdings Inc., Playbuzz Ltd., Twitter International Company., Viber Media LLC, Vimeo Ltd., Yahoo! EMEA Ltd., YouTube LLC. These External Service Providers handle the transmitted Personal data in accordance with their own privacy policies.

XI. Data Transfer Possibility

11.1 The Data Controller is entitled and obligated to transmit any Personal data in their possession and lawfully stored to competent authorities if such data transmission is mandated by law or a binding authority order. The Data Controller cannot be held responsible for such data transmission and its consequences.

11.2 The Data Controller may transmit Personal data specified in the explicit consent of the User, for the purpose and duration indicated in the consent, to a third party specified in the consent. The processing of transmitted data by the third party is subject to their data processing provisions.

11.3 For the purpose of verifying the legality of data transfer and ensuring User information, the Data Controller maintains a record of data transfers.

XII. Data Processing Related to Employees and Visitors of the Data Controller's Premises

12.1 The Data Controller processes the following Personal data concerning its employees: name, birth name, tax identification number, social security number, mother's name, place, date of birth, personal identification number, nationality, permanent address, mailing address, bank account number, educational qualifications, certificate number confirming the qualifications, spouse's name, spouse's birth name, spouse's tax identification number, children's names, children's tax identification numbers, children's social security numbers, children's mother's name, children's place and date of birth, children's disabilities.

12.2 The purpose of processing data concerning the Data Controller's employees is to fulfill legal (registration and reporting) obligations imposed on the Data Controller.

12.3 The duration of data processing concerning the Data Controller's employees is determined by the applicable laws.

12.4 The legal basis for processing data concerning potential employees is the voluntary, informed declaration of the data subject. The purpose of data processing is the recruitment and selection of potential employees for the Data Controller.

12.5 By submitting their resume and other necessary documents for application to the Data Controller, the potential employee consents to the storage, processing, and use of their Personal data provided during the application process by the Data Controller in accordance with the applicable legal provisions until the User withdraws their consent, but for a maximum of 2 years from the date of the relevant application. The Data Controller is entitled to use the Personal data written in the potential employee's resume and other application documents for the potential future placement of the potential employee at the Data Controller in a position where the potential employee may be deemed suitable by the Data Controller to establish an employment or other relationship, for the purpose of forming the Data Controller's position and directly contacting the potential employee.

12.6 For security or performance of the employment contract-related reasons, the Data Controller operates or may establish surveillance cameras at its headquarters, branches, warehouses, offices, and premises. The cameras may capture images that the Data Controller may view and use for security or performance of the employment contract-related reasons. If the recordings are not used according to the provisions outlined in this section, they must be deleted within 72 hours of their creation.

XIII. Modification of the Data Processing Information

13.1 The Data Controller reserves the right to unilaterally modify this Information at any time.

13.2 By the User's next login, they accept the provisions of the Information in effect at that time; furthermore, no further consent is required from individual Users.

XIV. Legal Remedies

14.1 Any questions or observations related to data processing can be directed to the Data Controller's staff at office@hd-rotatech.hu and the following phone number: +36-30-9953337.

14.2 In case of a complaint related to data processing, the User can directly contact the National Authority for Data Protection and Freedom of Information (address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c.; phone: +36-1-391-1400; email: ugyfelszolgalat@naih.hu; website: www.naih.hu).

14.3 In the event of a violation of the User's rights, they may bring the matter to court. The court with jurisdiction over the case is determined by the residence or stay of the affected party. At the request of the User, the Data Controller shall inform them about the possibilities and means of legal remedy.

Dabas, 2024-01-01