Privacy Policy

1. Introduction

1.1. Purpose of the data processing notice

The purpose of this Data Processing Notice (hereinafter: “Notice”) is to present in a transparent and detailed manner how we process personal data in the course of the activities of Nagy-Erdei Gyöngyi Noémi E.V. (hereinafter: “Data Controller”) and to provide information on the rights of data subjects and how to exercise them.

1.2. Legal compliance (GDPR, Act CXII of 2011)

Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR): lays down uniform EU rules on the protection of personal data.
Act CXII of 2011 (Infotv.): the law forming the basis of Hungarian data protection regulations, which deals with the right to informational self-determination and freedom of information.

This Notice seeks to comply with the requirements set out in the above legislation.

2. Data controller details

2.1. Name and contact details of the data controller

Nagy-Erdei Gyöngyi Noémi E.V.
Registered office: 4030 Debrecen, Bajnok utca 41.
91322742-1-29
Email: info@anima-mundi.hu
Phone number: +36 30 440 2264

2.2. Availability of the data processing information

This Policy is available in electronic form on the anima-mundi.hu website and in printed form upon request at our customer service office.

3. Definitions

3.1. Basic concepts of the GDPR

Personal data: any information relating to an identified or identifiable natural person (“data subject”).
Data controller: the natural or legal person who determines the purposes and means of the processing of personal data.
Processor: a natural or legal person who processes personal data on behalf of the controller.
Consent: any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Data subject: any identified or identifiable natural person to whom the personal data relates.

3.2. Definition of a data breach

A data breach is any incident that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, personal data that has been transferred, stored or otherwise processed.

4. Data processing guidelines

4.1. Legal basis and principles

Lawfulness, fairness and transparency: We only process data for specific and lawful purposes.
Purpose limitation: We only process data for predefined purposes and to the extent necessary to achieve those purposes.
Data minimization: We collect and process only personal data that is essential for the purpose.
Accuracy: We ensure that the personal data we process is accurate and, where necessary, kept up to date.
Storage limitation: We only store personal data for as long as necessary to achieve the purpose.
Integrity and confidentiality: We use appropriate technical and organizational measures to protect personal data.

4.2. Accuracy and security of data

Both the Data Controller and the data subject are responsible for regularly updating the data; the latter is obliged to notify the Data Controller of any changes in their personal data.
The Data Controller shall make every effort to ensure that the data recorded are accurate and shall protect them from unauthorized access by appropriate security measures.

5. Purposes and legal basis of data processing

5.1. Order processing

Purpose: Processing orders, performing the contract, invoicing, and delivery/providing services.
Legal basis: Performance of a contract (GDPR Article 6(1)(b)).
Scope of data processed: Name, delivery and billing address, contact details (phone number, email), order details.

5.2. Invoicing

Purpose: Compliance with applicable accounting legislation (e.g., Act C of 2000).
Legal basis: Compliance with a legal obligation (GDPR Article 6(1)(c)).
Scope of data processed: Name/company name, address, tax number (in the case of legal entities), other data necessary for invoicing.

5.3. Use of cookies

Purpose: To ensure the proper functioning of the website, improve the user experience and for analyzation of visitor data.
Legal basis:
- Consent (GDPR Article 6(1)(a)) – for all cookies that are not essential for the functioning of the website.
- Legitimate interest or performance of a contract (GDPR Article 6(1)(f) or (b)) – for technical cookies that are essential for operation.

For more details, see the section “Use of cookies” (point 11) in this Policy.

5.4. Data processing on social media sites

Purpose: Keeping in touch, sharing information (Facebook, Instagram, etc.).
Legal basis: Voluntary decision, consent (GDPR Article 6(1)(a)).
Note: The data processing practices of social media platforms should be reviewed in the data processing notices of the respective platforms.

6. Scope of data processed

6.1. Types of personal data

Identification data: name.
Contact details: email address, telephone number, address.
Technical data: IP address, browser type, cookies.
Billing data: billing name, address, tax number (for companies).

6.2. Method and duration of data storage

In electronic form on secure servers, protected by passwords and other security measures.
In paper form (if any) at the registered office or place of business, in a locked location.
Storage period: until the legal obligations and the purpose of data processing have been fulfilled, or until consent has been withdrawn. After that, the data will be deleted or anonymized.

7. Rights of data subjects

7.1. Right to information

The data subject has the right to request information about the purpose, legal basis, source, duration of processing, and access rights of their personal data.

7.2. Right to rectification

If the data subject believes that their personal data being processed is inaccurate or incomplete, they may request that it be rectified or supplemented.

7.3. Right to erasure ("right to be forgotten")

The data subject may request the erasure of their personal data if the data is no longer needed for its original purpose or if the data subject withdraws their consent and there is no other legal basis for the processing.

7.4. Right to data portability

The data subject has the right to receive the data provided by him or her in a widely used, machine-readable format and may request that it be transferred to another data controller.

7.5. Right to object

The data subject may object to the processing of their personal data at any time if the legal basis for the processing is the legitimate interest of the Data Controller.
The data subject shall have the specific right to object to the processing of personal data for direct marketing purposes.

8. Data security

8.1. Protection of electronic data

Multi-level authorization system.
Regular backups.
Virus protection and firewall use.

8.2. Technical and organizational measures

Closed office network and secure Wi-Fi use.
Storage of paper-based documents in locked cabinets.
Regular data protection training for employees and data processors.

9. Handling data protection incidents

9.1. Reporting incidents to the authorities (72-hour rule)

In the event of a data protection incident, the Data Controller shall report it to the National Authority for Data Protection and Freedom of Information (NAIH) without undue delay and, if possible, within 72 hours, unless it is unlikely to pose a risk to the rights and freedoms of the data subjects.

9.2. Informing data subjects in the event of high risk

If the incident is likely to pose a high risk to the rights and freedoms of data subjects, the Data Controller shall also inform the data subjects without delay, describing the nature of the incident and the measures taken.

10. Data processors and third parties

10.1. Hosting provider

Rackhost Zrt.
6722 Szeged Tisza Lajos körút 41.
info@rackhost.hu
Data processing activities: web server operation, technical maintenance. The data is stored on the servers of the hosting provider. Processes personal data only on the instructions of the Data Controller.

10.2. Accountant and other partners

The Data Controller may use accountants, courier services, marketing agencies, and other partners for the processing of personal data.

Accountant: Andrea E.V. Mező, activity: accounting, payroll accounting, tax-related tasks.

The Data Controller always enters into a written contract with these partners (data processors) in accordance with the requirements of the GDPR. The contracts stipulate that the partners may only process the data on the basis of the Data Controller’s instructions, for the specified purpose and for the necessary period of time.

11. Use of cookies

11.1. Purpose and types of cookies

Session cookies: these are essential for the website to function and are deleted when you close your browser.
Functional cookies: these enhance user convenience, for example by remembering login details or the selected language.
Analytical cookies (e.g., Google Analytics): serve statistical purposes, help understand user behavior, and improve website performance.

11.2. Managing user settings

Users can control the management of cookies in their browser settings, allowing them to disable or delete them.
When changing cookie settings, some features of the website may not function properly.
When you first visit the website, you will be given the option to accept or reject non-essential cookies (e.g. analytical cookies) via a pop-up window.

12. Data Protection Officer

12.1. Conditions for appointment and tasks

Pursuant to Article 37 of the GDPR, the Data Controller is required to appoint a Data Protection Officer (DPO) if its main activities:

involve data processing operations which, by virtue of their nature or scope, require regular and systematic monitoring, or
is based on the processing of sensitive data on a large scale.

The duties of the officer include:

continuously monitoring compliance with the GDPR,
advising the Data Controller and employees,
liaising with the supervisory authority (NAIH) and data subjects.

13. Data subjects' options for enforcing their rights

13.1. Filing a complaint with the National Authority for Data Protection and Freedom of Information (NAIH)

If the data subject believes that the processing of their personal data violates the applicable laws, they may lodge a complaint with the National Authority for Data Protection and Freedom of Information:

Address: 1055 Budapest, Falk Miksa utca 9-11.
Phone: +36 (1) 391-1400
Email: ugyfelszolgalat@naih.hu

13.2. Possibility of judicial remedy

In the event of a violation of your rights, you may turn to the courts. You may initiate legal proceedings at the court of your place of residence or domicile, at your discretion.

14. Legal basis for data processing

14.1. GDPR (EU Regulation 2016/679)

Regulation (EU) 2016/679 of the European Parliament and of the Council, which aims to protect natural persons in relation to the processing of personal data and to ensure the free movement of such data within the EU.

14.2. Act CXII of 2011 on the right to informational self-determination

The Hungarian data protection law, which regulates the basic principles and limitations of personal data processing in Hungary.

14.3. Other relevant Hungarian legislation

Act C of 2000 on Accounting.
Act V of 2013 on the Civil Code (Ptk.).
Act XLVIII of 2008 on the Basic Conditions of Economic Advertising Activities.

15. Final provisions

15.1. Scope of the data processing notice and possibilities for amendment

This Policy shall enter into force on November 17, 2025.
The Data Controller is entitled to unilaterally amend the Policy, in particular in order to take into account changes in legislation, the introduction of new data processing activities or the recommendations of the supervisory authority.
Amendments will be published on the website, and after they come into effect, data subjects will accept the new rules by continuing to use the services.

Date: Debrecen, November 17, 2025.

Nagy-Erdei Gyöngyi Noémi E.V.