DATA PROTECTION AND DATA MANAGEMENT POLICY

I. Purpose of the Policy

The purpose of this Policy is to establish the data protection and management principles and policies applied by ServFaces Hungary Kereskedelmi és Szoltáltató Kft. (1138 Budapest, Váci út 175.; Company Registration Number: 01-09-339822; Tax Number: 26697550-2-41; hereinafter: Company). The Company acknowledges the binding nature of these principles and policies. In formulating these rules, the Company has particularly considered Act CXII of 2011 on the right to informational self-determination and freedom of information (“Infotv.”), Act V of 2013 on the Civil Code (Ptk.), Act CIV of 2010 on the freedom of the press and the fundamental rules of media content, Act CLXXXV of 2010 on media services and mass communication, Act CXIX of 1995 on the handling of name and address data for research and direct marketing purposes, Act VI of 1998 on the protection of individuals in the case of automated personal data processing, the Strasbourg Convention of January 28, 1981, and Act XLVIII of 2008 on the essential conditions and limitations of economic advertising activities, as well as the recommendations of the "ONLINE PRIVACY ALLIANCE." The purpose of this Policy is to ensure that the rights and fundamental freedoms of every individual, regardless of nationality or place of residence, are respected during the processing of their personal data (data protection).

II. Definitions

Personal data or data: any data that can be associated with a specific natural person (hereinafter: data subject), or any inference that can be drawn about the data subject from the data. Personal data retains its nature as such during the data management process until the relationship with the data subject can be restored; Data file: the totality of the data stored in a single record; Data management: any operation or set of operations carried out on personal data, regardless of the applied procedure, including the collection, recording, organization, storage, alteration, use, querying, transmission, disclosure, alignment, or combination, blocking, deletion, and destruction of data, as well as preventing further use of the data; Data controller: the entity carrying out data management, which may be: ServFaces Hungary Commercial and Service Ltd. (1138 Budapest, Váci út 175.; Company Registration Number: 01-09-339822; Tax Number: 26697550-2-41); Data processing: the technical tasks carried out on the data regardless of the method and tools used or the location of application, provided that the tasks are performed on the data; Data destruction: the complete physical destruction of the data storage medium; Data transfer: when the data is made available to a third party; Disclosure: when the data is made accessible to anyone; Data processor: a natural or legal person, or an entity without legal personality, who processes personal data on behalf of the data controller; Data deletion: making the data unrecognizable in such a way that recovery is not possible; Automated data file: a series of data to be processed automatically; Automated processing: operations involving logical or arithmetic operations, data storage, data alteration, deletion, retrieval, and distribution performed, in whole or in part, by automated means; System: the technical solutions for the operation of the websites and services of the data controllers and their partners, accessible via the internet; User: a natural person who expresses their desire for services on this website and provides the data listed in point III.

III. Scope of Managed Personal Data

3.1 During data management, based on the User’s decision, the Company manages the following data when the login button is clicked: Name, email address, phone number provided by the User.

IV. Additional Data Managed by the Company

4.1 For customized service, the Company places a small data package (i.e., "cookie") on the User's computer. The purpose of the cookie is to ensure the high-quality functioning of the given page to enhance the User's experience. The User can delete the cookie from their computer and can set their browser to block cookies. By blocking cookies, the User acknowledges that the page's functionality will be incomplete without cookies. 4.2 Technically recorded data during the operation of systems: the data from the User’s login computer, which is generated during the use of the service, and which is automatically recorded by the Data Controller's system as a result of technical processes. The system automatically logs these data upon login and logout, without any specific action or declaration from the User. These data can only be accessed by the Data Controller.

V. Legal Basis, Purpose, and Method of Data Management

5.1 Data management is carried out based on the voluntary and informed declaration of the User, which includes the User’s explicit consent for the processing of personal data provided during the use of the site. The legal basis for data management is the voluntary consent of the data subject according to Section 5 (1) a) of the Infotv. Furthermore, the data management referred to in point 3.2 is based on the Civil Code (2013 Act V), the freedom of the press and media content regulations of Act CIV of 2010, and the guidelines of the Supreme Court (PK 12 and 14). 5.2 The purpose of data management is to ensure the provision of services accessible through the Company’s websites, including providing internet content, displaying personalized content and advertisements, statistics, technical development of the IT system, and protection of Users’ rights. Data provided by Users during the use of the service may be used to create user groups and show targeted content and/or advertisements. The Data Controller may not use the provided personal data for purposes other than those described in this point. Data transfer between the Data Controllers may occur without the User’s explicit consent. The release of personal data to third parties or authorities is only allowed if mandated by law or with the User's prior explicit consent. 5.3 The Data Controller does not verify the personal data provided. The person providing the data is solely responsible for the accuracy of the provided data. 5.4 By providing their email address, any User assumes responsibility that only they will use the services from the given email address.

VI. Principles of Data Management

6.1 Data must be obtained and processed fairly and lawfully. 6.2 Data should only be stored for a specific and lawful purpose and not used for any other purposes. 6.3 The data must be relevant and necessary for the purpose of storage and must not exceed what is necessary for that purpose. 6.4 Appropriate security measures must be taken to protect personal data stored in automated data files against accidental or unlawful destruction, loss, unauthorized access, alteration, or dissemination.

VII. Data Protection Principles Applied by the Company

7.1 Personal data essential for the provision of services will be used by the Company based on the consent of the data subjects and only for the specified purpose.

7.2 The Company, as the Data Controller, commits to handling the collected data in accordance with the provisions of the Infotv., the laws referred to in point 5.1, and the data protection principles stated in this Policy, and will not disclose the data to third parties other than the Data Controllers listed in this Policy. Exceptions to this include the statistical use of data in aggregated form, which cannot contain any personal identifiers.

7.3 The data controller strives to ensure that the processing of personal data complies with data protection regulations, with particular attention to the protection of data subjects' rights. The data controller ensures that personal data is kept secure during processing and takes all necessary measures to prevent unauthorized access, modification, disclosure, deletion, or destruction.

7.4 The Company only collects data necessary for the provision of services. The data will be processed only for as long as needed to fulfill the specified purposes. During data processing, the Company adheres to the principle of data minimization, ensuring that only necessary data is collected and no unnecessary processing occurs.

7.5 In the course of data processing, the Company ensures that only authorized personnel have access to the personal data and implements appropriate safeguards to protect the integrity and confidentiality of the data.

7.6 The Company provides the data subjects with all the necessary information about the data processing activities. This includes information about the purpose of data processing, the legal basis for processing, data retention periods, and the rights of the data subjects.

7.7 Data subjects have the right to access their personal data, request correction, deletion, or limitation of its processing, and object to its processing. Data subjects may exercise these rights by contacting the Company through the contact details provided in this policy.

7.8 If the data subject believes that their personal data has been processed in violation of applicable data protection laws, they have the right to lodge a complaint with the relevant supervisory authority.

7.9 In cases where personal data is transferred to a third party (including third-party service providers), the Company ensures that appropriate safeguards are in place to protect the data, such as standard contractual clauses or binding corporate rules.

7.10 The Company commits to reviewing and updating its data protection policies regularly to ensure continued compliance with data protection laws and best practices. This may include updating this privacy policy or implementing new technical and organizational measures as needed.

7.11 In the case of an incident involving a personal data breach, the Company will take immediate steps to mitigate the effects of the breach and notify the relevant supervisory authority and affected data subjects if necessary, in accordance with applicable laws.

VIII. Data Security

8.1 The Company is committed to ensuring the security of personal data through the implementation of appropriate technical and organizational measures. These measures are designed to protect personal data from accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.

8.2 The Company regularly evaluates its security measures to ensure they are effective and up to date. This includes conducting vulnerability assessments, penetration testing, and ensuring that staff are adequately trained in data protection best practices.

8.3 The Company ensures that personal data is only accessible to authorized personnel and that access is strictly controlled based on need-to-know principles. All personnel who have access to personal data are bound by confidentiality agreements.

8.4 In the event of a personal data breach, the Company will take immediate corrective actions to address the issue and mitigate any potential harm. Depending on the severity of the breach, the Company may notify affected data subjects and the relevant supervisory authorities in accordance with applicable laws.

IX. Data Retention

9.1 The Company will only retain personal data for as long as necessary to fulfill the purposes outlined in this Privacy Policy or as required by law. The retention periods will vary depending on the type of data and the purpose for its processing.

9.2 After the retention period has expired, personal data will be securely deleted or anonymized, ensuring that it can no longer be identified or used.

9.3 The Company may retain certain data for longer periods if required for legal or regulatory purposes or for the establishment, exercise, or defense of legal claims.

X. Data Transfers

10.1 The Company may transfer personal data to third parties or outside the European Economic Area (EEA) for processing, storage, or other purposes related to the services provided. In these cases, the Company will ensure that adequate safeguards are in place to protect personal data.

10.2 Data transfers outside of the EEA will only take place when there is an appropriate legal basis, such as the use of Standard Contractual Clauses, Binding Corporate Rules, or other mechanisms approved by the relevant authorities to ensure that personal data is protected.

10.3 If personal data is transferred to third parties who are located outside the EEA, the Company will ensure that these third parties are bound by appropriate contractual agreements that impose strict requirements on how they handle and protect personal data.

XI. Third-Party Service Providers

11.1 The Company may engage third-party service providers to perform certain functions or services on its behalf, such as hosting, data storage, or marketing services. In these cases, the Company will ensure that the third-party service providers comply with applicable data protection laws and maintain adequate security standards.

11.2 The Company will enter into appropriate data processing agreements with third-party service providers to ensure that they process personal data only in accordance with the Company's instructions and for the purposes specified in the agreement.

XII. Rights of Data Subjects

12.1 Data subjects have the right to request access to their personal data, rectify any inaccuracies, request the deletion of their personal data, or restrict the processing of their data. In certain circumstances, data subjects may also object to the processing of their data.

12.2 Data subjects can exercise their rights by contacting the Company using the contact details provided in this Privacy Policy. The Company will respond to such requests in accordance with applicable data protection laws.

12.3 The Company may charge a reasonable fee for processing requests if they are manifestly unfounded, excessive, or repetitive. If the Company denies a request, it will provide the data subject with an explanation for the refusal.

XIII. Changes to this Privacy Policy

13.1 The Company reserves the right to modify or update this Privacy Policy at any time. When changes are made, the Company will update the "Last Updated" date at the top of this Privacy Policy.

13.2 The Company will notify data subjects of any significant changes to this Privacy Policy, including how their personal data is processed. In some cases, the Company may seek consent for specific changes if required by applicable laws.

13.3 It is recommended that data subjects periodically review this Privacy Policy to stay informed about how their personal data is being processed.

XIV. Contact Information

14.1 The User can exercise their rights in relation to legal enforcement before a court based on the provisions of the Information Act (Infotv.) and the Civil Code (Act V of 2013), and may also seek assistance from the National Authority for Data Protection and Freedom of Information (1125 Budapest, Szilágyi Erzsébet fasor 22/C; postal address: 1530 Budapest, P.O. Box 5) in any matter related to personal data.

14.2 Any questions or comments related to data processing can be directed to the Data Controller's staff at info@premiumcarservices.hu.

The current regulation was approved by the company's Board of Directors on April 2, 2019. The Privacy Policy entered into force on April 3, 2019.