DATA PROCESSING POLICY

WABERER’S INTERNATIONAL Nyrt. (the ‘Data Controller’), as the operator of the website accessible under the domain name www.waberers.com (the ‘Website’), hereby publishes its policy on data processing performed as part of sending out investment newsletters associated with the Website (the ‘Newsletter’).

By subscribing to the Newsletter, the users visiting the Website (the ‘User’) accept all terms of this Data Processing Policy (the ‘Policy’). Therefore, please read this Policy carefully before using the Website.

1. Data Controller’s details

The Data Controller is WABERER'S INTERNATIONAL Nyrt.

Registered office: 1239 Budapest, Nagykőrösi út 351., Hungary
Represented by: Tamás Fejes
Email: marketing@waberers.com
Phone: +36 (1) 421-6300 (central number) 
Data processing registration No: NAIH-142906/2018.

2. Scope of the data processed

Subscription to the Newsletter:

On the Website, the User may subscribe only to the Newsletter of the Data Controller on a dedicated interface. For subscription to the Newsletter, the following personal data need to be provided (it is mandatory to provide the data marked with an asterisk):

· full name*,

· company name,

· email address*,

· industry,

· Waberer’s contact.

Only persons over 18 years of age are entitled to provide data on the Website.

3. Purpose and duration of data processing

The Data Controller may use the data for the following purposes in the event of subscription to the Newsletter:

In case of subscription: Sending offers, news related with the Data processor and communications via electronic newsletter at the specified e-mail address given by the subscriber.

The Data Controller processes the personal data when the purpose of data processing exists and until the User withdraws his or her consent to receiving Newsletters. The personal data will be deleted without delay at the same time as the cessation of the purpose of data processing upon the expiry of the deadline specified in this section or at the request of the User.

4. Legal basis for the processing of personal data

When subscribing to the Newsletter, Users consent to the processing of their personal data by the Data Controller as set out in this Policy. The processing of personal data is based on the User’s voluntary consent granted in the knowledge of the information provided in this Policy.

Users may only enter their own personal data in the Website. If they do not provide their own personal data, the data provider is obliged to obtain the consent of the person concerned.

5. Scope of those entitled to become familiar with personal data and data processing

The Data Controller and the Data Processors used by it are entitled to become familiar with personal data in accordance with the legislation in force.

Processing of data is performed by the following data processor acting on behalf of the Data Controller:

· SalesAutopilot Kft. 
Registered office: 1024 Budapest, Margit körút 31-33. félemelet 4-5.
www.salesautopilot.hu

The Data Controller reserves the right to involve a Data Processor in data processing in the future, about which it will inform the Users by amending this Policy.

Unless expressly otherwise provided by law, the Data Controller will disclose data suitable for personal identification to third parties only with the express consent of the given User.

6. User’s rights

Access to personal data

At the request of the User, the Data Controller provides information on whether the Data Controller processes his or her personal data and, if so, he or she grants it access to the personal data and provides it the following information:

· purpose(s) of data processing;

· types of personal data affected by data processing;

· if the User’s personal data are transmitted, the legal basis for and recipient(s) of data transmission;

· planned duration of data processing;

· the User’s rights relating to the rectification, erasure and restriction of processing of personal data as well as objection to the processing of personal data;

· possibility of turning to the authority;

· source of the data;

· material information relating to profiling;

· name and address of the Data Processors and their activities relating to data processing.

The Data Controller makes available a copy of the personal data constituting the subject-matter of data processing to the User free of charge. The Data Controller may charge a reasonable fee based on its administrative costs for additional copies requested by the User. If the User submitted a request electronically, the information has to be made available in a widely used electronic format unless otherwise requested in the Data Subject.

The Data Controller is obliged to provide the information in a non-technical form at the request of the User without undue delay, but not later than within 25 days from the date of the request. The User may submit his or her request for access to the contact points specified in Section 1.

Rectification of processed data

The User may request (at the contact points specified in Section 1) that the Data Controller rectify his or her inaccurate personal data or supplement incomplete data, subject to the purpose of data processing. The Data Controller carries out the rectification without undue delay.

Erasure (right to be forgotten) and blocking of processed data

The User may request that the Data Controller erase the personal data relating to him or her without undue delay, and the Data Controller is obliged to erase the personal data relating to the Data Subject without undue delay if one of the following reasons exists: 

· the personal data are no longer needed for the purpose for which they have been collected or otherwise processed;

· the User withdraws his or her consent and there is no other legal basis for data processing;

· the User objects to the processing of his or her personal data;

· the personal data have been processed unlawfully;

· the personal data have to be erased for the fulfilment of a legal obligation prescribed in EU or national law applicable to the Data Controller;

· the personal data have been collected on the basis of consent in connection with offering information society-related services to children.

If the Data Controller has published personal data (made them available to a third party) and is obliged to delete them pursuant to the above, it has to take reasonable steps and measures, subject to the available technology and the costs of implementation, in order to inform the Data Controllers processing relevant personal data that the User has requested that they erase the links to the personal data in question or a copy or duplicate of such personal data.

Personal data need not be erased if data processing is required for:

· the freedom of expression and the exercise of the right to be informed;

· fulfilling an obligation under EU or national law prescribing the processing of personal data and applicable to the Data Controller or for performing tasks carried out in the public

· interest or in the exercise of public powers vested in the Data Controller;

· on the basis of public interest in the field of public health care;

· for the purposes of public archiving, scientific and historical research or statistics if the right to erasure is likely to make it impossible or seriously jeopardise such data processing; or

· for submitting, enforcing or protecting legal claims.

Restriction of processed data

The User is entitled to request that the Data Controller restrict the processing of data instead of rectifying or erasing the personal data if one of the following conditions is fulfilled:

· the User disputes the accuracy of the personal data; in this case, the restriction applies to the period that allows the Data Controller to check the accuracy of the personal data;

· data processing is unlawful, the User opposes the deletion of data, and instead he or she requests that their use be restricted;

· the Data Controller no longer needs the personal data for data processing, but the User requests them for submitting, enforcing or protecting legal claims; or

· the User has objected to data processing; in this case, the restriction applies as long as it is established whether the legitimate reasons of the Data Controller take precedence over to the Data Subject’s legitimate reasons.

If data processing is subject to restriction, such personal data may only be processed, except for their storage, with the User’s consent or for submitting, enforcing or protecting legal claims or for protecting the rights of other natural persons or legal entities or in an important public interest of the EU or a Member State.

The Data Controller informs the User at the request of whom data processing has been restricted, in advance, about lifting the restriction of data processing.

Obligation to notify of the rectification or erasure of personal data or the restriction of data processing 

The Data Controller notifies every recipient to whom or which personal data have been disclosed of the rectification or erasure of personal data or the restriction of data processing unless this proves impossible or involves a disproportionate effort. At his or her request, the Data Controller informs the User about such recipients.

Right to object

The User may object to the processing of his or her personal data if the data processing:

· is necessary for performing a task carried out in the public interest or in the exercise of public powers vested in the Data Controller;

· is necessary for enforcing the legitimate interests of the Data Controller or a third party;

· is based on profiling.

If the User objects, the Data Controller may not continue to process the personal data unless it proves that data processing is warranted by compelling legitimate grounds, which take precedence over the User’s interests, rights and freedoms or which are related to the submission, enforcement or protection of legal claims.

If personal data are processed for direct marketing purposes and related profiling, the User is entitled at any time to object to the processing of his or her personal data for this purpose. If the User objects to the processing of personal data for direct marketing purposes, the personal data may no longer be processed for such purposes.

The Data Controller informs the User about the measures taken after his or her request for access, rectification, erasure, restriction, objection and data portability without undue delay, but not later than within 25 days of receipt of the request. If necessary, taking into account the complexity of the request and the number of requests, this deadline may be extended by an additional 2 months. The Data Controller informs the User about the extension of the deadline with an indication of the reasons for the delay within 1 month of receipt of the request. If the User submitted the request electronically, the information has to be given as far as possible electronically unless the Data Subject requests otherwise.

If the Data Controller does not take action after receiving the User’s request, it will inform the User without delay, but not later than 25 days of receipt of the request about the reasons for not taking action and the fact that the User may lodge a complaint with a supervisory authority and may exercise the right of judicial remedy before the court.

Upon request by the User, the information and the action taken on the basis of his or her request has to be provided free of charge. If the User’s request is clearly unfounded or is excessive, in particular, because of its recurring nature, the Data Controller may, subject to the administrative costs incurred in providing the requested information or taking the requested action, charge a fee of a reasonable amount or may deny taking action on the basis of the request. The Data Controller is bound to prove the clearly unfounded or excessive nature of the request.

7. Links

The Data Controller does not assume liability for the contents and data and information protection practice of external websites that can be accessed from the Website through links. If the Data Controller becomes aware that a page linked by it or the link itself infringes third party rights or violates the legislation in force, it will immediately remove the link from the Website.

8. Data security

The Data Controller undertakes to ensure the security of data and takes the technical and organisational measures and devise the rules of procedure that ensure that the recorded, stored and processed data are protected, and prevents their destruction, unauthorised use and unauthorised alteration. It also undertakes to call upon any third party to whom or which it transmits or discloses data on the basis of the consent of the Users to meet the data security requirements.

The Data Controller ensures that no unauthorised person has access to, is able to disclose, transmits, modifies or erases the data processed. Only the Data Controller, its employees and the Data Processor engaged by it may become familiar with the processed data. The Data Controller may not disclose them to third parties that are not authorised to become familiar with the data.

The Data Controller will use its best efforts to ensure that the data are not accidentally damaged or destroyed. The Data Controller prescribes the above commitment to its employees participating in its data processing activity.

The User acknowledges and accepts that if his or her personal data are entered in the Website, notwithstanding that the Data Controller has advanced security tools to prevent unauthorised access to or interception of the data, the protection of the data cannot be fully guaranteed on the internet. Should unauthorised access or data disclosure occur despite our efforts, the Data Controller is not responsible for such disclosure or unauthorised access or for any damage incurred by the User for this reason. In addition, the User may also provide his or her personal data to third parties who may use it for unlawful purposes or in an unlawful manner.

Under no circumstances may the Data Controller collect special data, i.e. data that relate to race, national or ethnic minority status, political opinion or party affiliation, religious or other beliefs, membership in advocacy organisations, health status, addictions, sexual life or criminal record.

9. Handling and reporting of personal data breach

Personal data breach means any event that results in the unlawful management or processing of personal data in respect of personal data managed, transmitted, stored or processed by the Data Controller, in particular, unauthorised or accidental access to, or the alteration, disclosure, erasure, loss or destruction of data, as well as the accidental destruction of and damage to data.

The Data Controller is obliged, without undue delay, but not later than 72 hours after it became aware of a personal data breach, to report the personal data breach to the National Authority for Data Protection and Freedom of Information unless the Data Controller can prove that the personal data breach is not likely to involve a risk to the rights and freedoms of natural persons. If the report cannot be filed within 72 hours, it has to include the reason for the delay and the required information may also be stated in parts, without further undue delay. The report filed with the National Authority for Data Protection and Freedom of Information should include at least the following information:

· nature of the personal data breach, number and category of Data Subjects and personal data;

· name and contact details of the Data Controller;

· probable consequences of the personal data breach;

· measures taken or planned to deal with, eliminate and remedy the personal data breach.

The Data Controller informs the Data Subjects about the personal data breach via the Website of the Data Controller within 72 hours following the personal data breach. The information has to contain at least the details specified in this section.

The Data Controller keeps a record of personal data breaches in order to check the measures relating to the personal data breaches and to provide information to the Data Subjects. The record contains the following details:

· scope of the personal data concerned;

· scope and number of the Data Subjects;

· date of the personal data breach;

· circumstances and effects of the personal data breach;

· measures taken to eliminate the personal data breach.

The Data Controller keeps the data contained in the record for 5 years of detecting the personal data breach.

10. Right enforcement options

The Data Controller uses its best efforts to ensure that personal data are processed in accordance with the legislation. If, however, the User feels that it did not meet this requirement, he or she may write to the marketing@waberers.comemail address or to the 1239 Budapest, Nagykőrösi út 351., Hungary postal address.

If the User feels that his or her right to the protection of personal data has been violated, he or she may seek legal remedy with the competent bodies in accordance with the governing legislation:

· National Authority for Data Protection and Freedom of Information (address: 1125 Budapest, Szilágyi Erzsébet fasor 22/C, Hungary; ugyfelszolgalat@naih.hu; www.naih.hu)

· the court.

11. Other provisions

This Policy is governed by the laws of Hungary, in particular, Act CXII of 2011 on the right to informational self-determination and freedom of information and Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

Budapest, May 2018

WABERER’S INTERNATIONAL Nyrt.
Data Controller