Privacy policy

IMPACT DESIGN

This data management information sheet (hereinafter: "Information Sheet") explains in detail what personal data Impact Design Limited Liability Company (short name: Impact Design Kft.; registered office: 1141 Budapest, Szugló utca 125/D C. ép. B. house. 32.; registered by the Company Registry of the Capital City Court under the company registry number Cg 01-09-373407; e-mail address: hello@impactbox.net; hereinafter: "Company", "Data Controller" or "Impact Design") collects about its users (hereinafter: "Front", "Affected", "User") during browsing of the Data Controller's website https://www.impactbox.net (hereinafter: "Website"), registration, contacting the Data Controller (hereinafter: "Contact"), ordering the Impact Box or other Product (hereinafter: "Order"), and subscribing to a notification e-mail or other newsletter indicating the availability of the Impact Box or other Product (hereinafter: "Notification Service").

The Information Sheet also sets out the rights and obligations related to the management of personal data, as well as other relevant provisions. This Information Sheet is an integral part of the General Terms and Conditions of Impact Design (hereinafter: "GTC"); therefore the definitions contained in the General Terms and Conditions are also applicable in this Information Sheet.

Personal data is collected and managed by the Data Controller in accordance with the directly applicable legislation of the European Union and the applicable Hungarian legislation. Regarding the processing of personal data, the governing sources are, in particular, Regulation (EU) 2016/679 of the European Parliament and of the Council (hereinafter: "GDPR"), Act CXII of 2011 on the right to information self-determination and freedom of information, Act XLVIII of 2008 on the basic conditions and certain limitations of economic advertising, and Act CVIII of 2001 on certain issues of electronic commercial services and services related to the information society, as well as the recommendations of the National Data Protection and Freedom of Information Authority (hereinafter: "NAIH") and the data protection practice established by it, the recommendations of the Data Protection Working Group according to Article 29, and the recommendations of the European Data Protection Board according to Article 68 of the GDPR.

Based on the above, Impact Design is the data controller of all data that is considered personal data and is provided to the Data Controller during the Contact, Order or Notification Service.

Impact Design is committed to the protection of personal data, therefore it treats the received personal data confidentially and takes all measures to promote safe data management.


1. CONCEPTS

The following interpretive provisions have been determined based on the GDPR:

1.1 personal data: any information relating to an identified or identifiable natural person ("affected"); a natural person is identifiable if he or she can be identified directly or indirectly, in particular by an identifier such as a name, number, location data or online identifier, or on the basis of one or more factors relating to the physical, physiological, genetic, mental, economic, cultural or social identity of the natural person;

1.2 consent of the data subject: a voluntary, specific, well-informed and clear declaration of the data subject's will, with which the data subject indicates by means of a statement or an unmistakable act of confirmation that he/she consents to the processing of personal data concerning him/her;

1.3 data controller: the natural or legal person, public authority, agency or any other body that determines the purposes and means of processing personal data independently or together with others; if the purposes and means of data management are determined by EU or member state law, the data controller or the special aspects regarding the designation of the data controller may also be determined by EU or member state law;

1.4 data handling: any operation or set of operations performed on personal data or data files in an automated or non-automated manner, such as collection, recording, organization, segmentation, storage, transformation or change, query, insight, use, communication, transmission, distribution or making available in any other way, alignment or connection, restriction, deletion or destruction;

1.5 data processor: the natural or legal person, public authority, agency or any other body that processes personal data on behalf of the data controller;

1.6 third party: the natural or legal person, public authority, agency or any other body that is not the same as the data subject, the data controller, the data processor or the persons who have been authorized to handle personal data under the direct control of the data controller or data processor;

1.7 data protection incident: a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, personal data transmitted, stored or otherwise handled;

1.8 addressee: the natural or legal person, public authority, agency or any other body to whom the personal data is communicated, regardless of whether it is a third party. Public authorities that have access to personal data in accordance with EU or Member State law in the context of an individual investigation are not considered recipients; the management of said data by these public authorities must comply with the applicable data protection rules in accordance with the purposes of data management;

1.9 supervisory authority: in order to protect the fundamental rights and freedoms of natural persons with regard to the management of their personal data, as well as to facilitate the free flow of personal data within the European Union, one or more independent public authorities appointed or established by each member state of the European Union to monitor the application of the GDPR;

1.10 relevant supervisory authority: means the supervisory authority affected by the processing of personal data for one of the following reasons: a) the data controller or data processor has a place of business in the territory of the member state of the said supervisory authority; b) the data processing significantly affects or is likely to significantly affect data subjects residing in the supervisory authority's Member State; or c) a complaint has been submitted to the aforementioned supervisory authority. 


2. SCOPE OF DATA COLLECTED BY IMPACT DESIGN

Information collected from Users enables Users to order Impact Box or other Products, and enables us to personalize and improve our services and marketing activities.

The Data Controller collects and manages your personal data exclusively for the purposes specified in this Information Sheet, and ensures that the data management is carried out in accordance with the purpose of the data management at all stages.

2.1 Data You Provide to Impact Design

2.1.1 Data provided during the Order

In order to fulfill the Order placed through the Website according to point 6 of the General Terms and Conditions, the Data Controller manages the following personal data:

(A) If you, as an individual, order an Impact Box or other Product:

    • Surname and first name,
    • e-mail address,
    • phone number,
    • Delivery Address,
    • billing address,
    • payment data (card data, bank account number).

The data controller draws your attention to the fact that the e-mail address provided does not need to contain personal data, such as your name. You are free to choose to provide an email address that contains information that identifies you.

(B) If you, as a representative of a legal entity, order an Impact Box or other Product:

    • Surname and first name,
    • e-mail address, if the specified e-mail address contains your name,
    • telephone number, if the given telephone number is not the central telephone number of the legal entity you represent, or the telephone number provided to you by the legal entity.

2.1.2 Data provided during Contact

The Data Controller manages the following personal data of yours during Contact via the Website:

    • Surname and first name,
    • e-mail address,
    • phone number,
    • any other personal data communicated to the Data Controller in the message.

2.1.3 Data provided during the Notification Service

In order to provide the Notification Service available on the Website, the Data Controller manages the following personal data of yours:

    • Surname and first name,
    • e-mail address,
    • telephone number.

2.2 Personal data of third parties provided by you to Impact Design

In the course of providing the services, Impact Design also processes the personal data of third parties received from its Users, including the name, address, telephone number, e-mail address or any other personal data of third parties, which are securely stored by Impact Design on its servers.

In the event that the provisions of the GDPR apply to the personal data of third parties, the User is considered a data controller for these third parties, while Impact Design is a data processor, and therefore you, as a client of Impact Design, are also responsible for complying with the provisions of the GDPR. Please note that in this case, the data management relationship between the data controller and the data processor must be regulated by a written contract, which must comply with the requirements contained in Article 28 of the GDPR. In order to comply with the provisions of the GDPR, the data processing legal relationship between you, as a data controller, and Impact Design, as a data processor, is governed by the provisions of the Data Processing Agreement attached to this Information Sheet as Annex No. 1 (which forms an inseparable part of this Information Sheet).

2.3 Automatically collected data

When viewing the Website of the Data Controller, due to the technical operation, the start and end time of the user's visit is automatically recorded, and in some cases, depending on the settings of the Data Subject's computer, also the browser and operating system data, the user's IP address, and the name of the page from which the Data Subject arrived. The system automatically generates statistical data from this data.

The recording and storage of the time of the visit, the IP address, as well as the browser and operating system data is a feature of the system's operation; their management is technically essential and is done exclusively for statistical purposes. The Company does not carry out further data management with these data.


3. COOKIES

A "cookie" is a small file that stores your computer's browsing history. The content of these files can be checked, especially to make browsing more efficient. These cookies do not contain any data from which we could identify you. Anonymized data may include user session data, such as IP address, browser type, time the User spends on the Website and the buttons you click. You can read the detailed cookie information here.


4. HOW DOES IMPACT DESIGN USE YOUR DATA? 

Your personal data - managed for different purposes and on different legal bases - is used by the Data Controller as follows:

4.1 For the purpose, and on the legal basis, of fulfilling the contract and providing Impact Design's service (GDPR Article 6(1)(b)), the Data Controller manages your following personal data:

  • Surname and first name,
  • e-mail address,
  • phone number,
  • Delivery Address,
  • billing address,
  • payment data (card data, Bank account number).

4.2 With your consent (as the legal basis for processing, GDPR Article 6(1)(a)), the Data Controller uses the following personal data for marketing purposes (sending newsletters, sending coupon codes, displaying personalized advertisements) and for sending e-mails:

  • Surname and first name,
  • e-mail address
  • telephone number.

You are entitled to withdraw your consent to data processing for marketing purposes at any time. Withdrawal of consent does not affect the legality of data processing based on consent prior to withdrawal.

4.3 The Data Controller manages the personal data indicated in point 4.1 of this Notice for the purposes of legal compliance and compliance with relevant legal obligations (which is also the legal basis for data management, GDPR Article 6(1)(c)), so that Impact Design is able to comply with the requirements of certain laws (for example, the requirements of the Accounting Act), to prevent fraudulent transactions, check thefts and otherwise protect its customers and itself, and to assist law enforcement and respond to subpoenas and official requests.

4.4 The Data Controller manages the following personal data in order to assert, and for the purpose of, the legitimate interests of the Data Controller (which is also the legal basis for data management, GDPR Article 6(1)(f)): to increase the efficiency of its services, Website and marketing efforts, to carry out research and analysis, including focus groups and surveys, and to carry out other business activities as necessary or perform other activities as described in this Notice.

Personal data collected when visiting the Website and using the Data Controller's services:

  • Usage information;
  • Actions performed on the Website;
  • The time, place and regularity of visiting the Website;
  • Technical parameters of the browser;
  • The visited content.

Impact Design may use the following software and programs to collect, compile statistics and analyze the aforementioned data:

| Name | Registered office | Country |
|---|---|---|
| Google Analytics | 1600 Amphitheatre Parkway, Mountain View, California 94043 | USA |
| Facebook Inc. (Facebook Pixel) | 1601 Willow Road Menlo Park, California 94025 | USA |
| Shopify Inc. | 2nd Floor, 1-2 Victoria Buildings, Haddington Road, Dublin 4, D04 Xn32 | Ireland |


Impact Design also uses the personal data listed above and the derived, aggregated data for statistical purposes.

4.5 Integrity and purposefulness: The Data Controller only collects and stores personal data that is relevant to the purposes of data collection, and does not use them in a way that is incompatible with the stated purposes, unless you have authorized this use. We take reasonable steps to ensure that personal information is reliable for its intended use and is accurate, complete and up-to-date. Impact Design may occasionally contact you to ensure that your information remains accurate and current.


5. PERSONAL DATA STORAGE PERIOD 

Your personal data will be retained by Impact Design as long as it is necessary to achieve the purposes described in this information sheet, or until you withdraw your consent to data management, unless the law allows or requires a longer retention period (for example, for tax, accounting or other legal reasons). If the Data Controller has no legal basis, or no longer has a legal basis, for processing your personal data, we will either delete or anonymize your personal data, or, if this is not possible (because, for example, your data is stored on Impact Design's backup), Impact Design will store your personal data securely and separately until they can be deleted.


6. SHARING OF PERSONAL DATA COLLECTED BY IMPACT DESIGN 

6.1 The data controller does not allow third parties to access your personal data without your prior consent, except in cases where the data transmission is necessary for the fulfillment of the contract, necessary for the enforcement of the Company's legitimate interests, or based on a legal requirement.

6.2 The Data Controller may share certain personal information with third-party service providers located in the European Union or third countries who provide software applications, website operation and other technologies, as well as specific services for Impact Design (hereinafter: "Data processor"). The Data Processor may only access personal data collected by the Data Controller that is necessary to perform its work or to comply with the law. The Data Processor will never use this information for any other purpose, except for the performance of its services to Impact Design. During data processing, the Data Processor must also comply with the provisions of this Notice, the applicable laws in force, and the existing contracts between it and Impact Design.

Impact Design uses the data processing activities of the following companies:

| Name | Registered office | Country | Activity (data processing service) |
|---|---|---|---|
| Weiszbart and Associates Law Firm | 1052 Budapest, Kristóf tér 3. III. floor | Hungary | Provision of legal services. |
| Facebook, Inc. (Facebook Pixel and Instagram) | 1601 Willow Road Menlo Park, CA 94025 | USA | Measuring the effectiveness of Facebook and Instagram ads. |
| Google, LLC (Google Drive, Google Analytics, Google Tag Manager, Google Adwords, G Suite, YouTube) | 1600 Amphitheatre Parkway, Mountain View, CA 94043 | USA | Hosting service, mail system service, video embedding and statistical service. |
| Shopify International Ltd. | 2nd Floor, 1-2 Victoria Buildings, Haddington Road, Dublin 4, D04 Xn32 | Ireland | Web hosting service. |
| MailerLite | Jonas Basanavičius st. 15, Vilnius 03108, Lithuania | Lithuania | Newsletter sending. |
| OTP Mobile Service Limited Liability Company (SimplePay platform) | 1143 Budapest, Hungária körút 17-19. | Hungary | Credit card payment |
| GLS General Logistics Systems Hungary Parcel-Logistics Limited Liability Company | 2351 Alsónémedi, GLS Európa utca 2. | Hungary | Package delivery |


6.3 Google, LLC and Facebook, Inc. participate in the EU-US and Switzerland-US Privacy Shield programs, therefore transfers of personal data to these companies were deemed legal prior to July 16, 2020. Please note that based on the decision of the Court of Justice of the European Union No. C-311/18, these companies will no longer be regarded as companies providing adequate security for the personal data of Europeans. The full judgment can be read here.

6.4 Personal data collected from private individuals within the EU will be transferred by Impact Design to a third party with a registered office outside the EU without the necessary safeguards only based on your consent or in order to fulfill the contract. The Data Controller makes every effort to ensure that the personal data provided is secure and that the personal data is processed in accordance with the provisions of the GDPR.


7. YOUR RIGHTS 

Impact Design will respond to the Data Subject's request to exercise their rights within a maximum of one month from its receipt. The date of receipt of the application is not included in the deadline.

7.1 Right of access

As the Data Subject, you are entitled to request information from the Data Controller, via the e-mail address hello@impactbox.net, on whether your personal data is being processed, and if such data processing is underway, you are entitled to know:

(a) what personal data the Data Controller handles, on what legal basis, for what purpose of data management, and for how long; furthermore,

(b) to whom, when and on the basis of which legislation the Data Controller provided access to your personal data, or to whom it transmitted your personal data;

(c) the source of your personal data;

(d) whether the Data Controller uses automated decision-making, including profiling, and its logic.

Impact Design will provide a copy of the personal data that is the subject of data management at the Data Subject's request free of charge for the first time, after which it may charge a reasonable fee based on administrative costs.

In order to meet the data security requirements and protect the Data Subject's rights, the Data Controller is obliged to make sure that the identity of the Data Subject and the person wishing to exercise their right of access match, and for this purpose, information, access to the data, and the issuance of a copy of the data are also subject to the identification of the person concerned.

7.2 Right to rectification

You can request that the Data Controller change any of your personal data via the e-mail address hello@impactbox.net. If the Data Subject can creditably prove the accuracy of the corrected data, the Data Controller will fulfill the request within a maximum of one month and will notify the Data Subject of this at the contact information provided by the Data Controller.

7.3 Right to erasure (right to be forgotten)

You have the right to request that Impact Design delete your personal data without undue delay, and the Data Controller is obliged to delete the personal data concerning the Data Subject without undue delay. If the processing of personal data is based on a legal obligation (for example: compliance with the provisions of the Accounting Act), or is based on the legitimate interests of the Data Controller or other Users (for example: enforcement of legal claims), then the Data Controller is entitled to further process personal data as defined by law.

If a deletion request is received by the Data Controller, the Data Controller will first check whether the deletion request really originates from the right holder. To this end, the Data Controller may request data to identify the existing contract between the Data Subject and the Data Controller (for example, contract number, contract date), the identification number of the document issued by Impact Design for the Data Subject, and the personal identification data registered about the Data Subject; however, the Data Controller may not request, as identification, additional data which is not kept on record by the Data Subject.

7.4 The right to restrict (block) data processing

You can request that the processing of your personal data be limited by the Data Controller (by clearly indicating the limited nature of data processing and ensuring separate processing from other data) if

  • you dispute the accuracy of your personal data (in this case, the Data Controller limits data processing to the period of time in which it checks the accuracy of your personal data);
  • the data processing is illegal and the Data Subject opposes the deletion of the data and instead requests the limitation of its use;
  • Impact Design no longer needs the personal data for the purpose of data management, but the Data Subject requires them to submit, enforce or defend legal claims; or
  • the Data Subject objected to data processing (in this case, the restriction applies to the period until it is determined whether the legitimate reasons of the Data Controller take precedence over the legitimate reasons of the Data Subject).

7.5 The right to object to data processing

With regard to the processing of your personal data - for the purpose of asserting legitimate interests - you may be entitled to object to the processing of your personal data if, in your opinion, the Data Controller would handle your personal data inappropriately in connection with the purpose indicated in the Information Sheet. The Data Controller examines the legality of the Data Subject's objection, and if it determines that the objection is well-founded, it terminates the data management and locks the managed personal data, and also notifies all those to whom the personal data affected by the objection were previously transmitted about the objection and the measures taken based on it.

7.6 The right to data portability

In relation to data processing for the purposes set out in points 4.1 and 4.2 of this Privacy Notice - subject to their legal basis - you are entitled to receive the personal data relating to you that you have provided to the Data Controller in a segmented, widely used, machine-readable format, and you are also entitled to have these data transmitted by Impact Design to another data controller without the Data Controller preventing this.


8. PROTECTION OF PERSONAL DATA OF MINORS 

Impact Design does not collect the personal data of minors - in accordance with the General Terms and Conditions of the Data Controller. If you suspect or find out that a child under the age of 16 has registered on the Website, please notify the Data Controller at the following e-mail address: hello@impactbox.net.


9. COMPLAINT, REMEDY 

If you consider that Impact Design has violated the applicable data protection requirements when handling your personal data, or if the Data Controller does not provide an adequate response to your request, then:

  • you can submit a complaint to NAIH (National Data Protection and Freedom of Information Authority, address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c, postal address: 1530 Budapest, Pf.: 5. E-mail: ugyfelszolgalat@naih.hu, website: www.naih.hu), or
  • in order to protect your data, you have the option to go to court, which will act out of turn in the case. In this case, you can freely decide whether to submit your claim according to your place of residence (permanent address) or your place of stay (temporary address). You can find the court of your place of residence or stay on the http://birosag.hu/ugyfelkapcsolatiportal/birosag-kereso page.

10. CHANGES TO THE NOTICE

The Data Controller has the right to modify this Information Sheet and the information related to the use of the Website from time to time, due to various updates, unilaterally without prior notification. Amendments to the Notice shall enter into force upon publication. With this in mind, it is recommended to regularly visit the Website and monitor the acceptability of changes.


11. FURTHER INFORMATION 

If you have any questions about this Notice or Impact Design's services, please contact us at the e-mail address hello@impactbox.net.

 

ANNEX NO. 1

DATA PROCESSOR AGREEMENT


This data processing agreement (hereinafter: "Agreement") is an integral and inseparable part of the Privacy Notice and General Terms and Conditions of Impact Design Kft. (seat: 1141 Budapest, Szugló utca 125/D C. ép. B. house. 32., registered by the Company Registry of the Capital City Court under company registry number Cg. 01-09-373407; hereinafter: "Data Processor"). This Agreement regulates the data processing legal relationship between the Data Processor and the User of the Website, which Agreement the User accepts at the same time as accepting the Data Protection Notice and the General Terms and Conditions.


Preamble

Subject to the provisions of Article 28(3) of the General Data Protection Regulation of the European Union ("EU") (hereinafter: "GDPR"), the Parties shall record in writing their rights and obligations regarding their data processing relationship. The terms used in this Agreement shall be interpreted with the content according to the definition contained in this Agreement.

Terms not defined in this Agreement have the meaning given in the Privacy Notice. Apart from the following amendments, the conditions for data processing by the Data Processor contained in the Data Protection Information remain in effect.

Taking into account the mutual obligations defined in this Agreement, the Parties agree that the conditions defined below must be taken into account as an amendment to the Privacy Policy. Unless otherwise indicated by the context, references to the Privacy Notice contained in this Agreement refer to the Privacy Notice supplemented by the content of the Agreement.


1. Concepts 
1.1 The terms contained in this Agreement or terms related to these terms have the following meanings:
1.1.1 "Applicable Law": means the law of the European Union or the law of the member state of the European Union in respect of which, with regard to the Data Controller's Personal Data, the Data Controller is subject to the EU Data Protection Legislation;
1.1.2 "Controller's Personal Data": all personal data that is managed by the Contracted Data Processor on behalf of the Data Controller in connection with the Privacy Notice,
1.1.3 "Data Protection Legislation": means the EU Data Protection Legislation and, if applicable, the data protection law of another country,
1.1.4 "Contracted Data Processor": means all Data Processors or Additional Data Processors;
1.1.5 "Services": means the services and other activities performed by the Data Processor or someone else on behalf of the Data Processor under this Agreement for the benefit of the Data Controller;
1.1.6 "Additional Data Processor": all persons (including third parties, with the exception of the employees of the Data Processor or any of its subcontractors) whom the Data Processor or on behalf of the Data Processor, in connection with the performance of this Agreement, are required by the Data Protection Information 6. in addition to the provisions of point
1.1.7 "Services": means the services and other activities that the Data Processor must perform on behalf of or for the Data Controller based on the Data Protection Information.
1.2 Concepts marked with a capital letter and terms related to them have the meaning specified in the GDPR.
1.3 The term "contain" and similar expressions are to be understood without any restrictions.

 

2. Data management related to the personal data of the data controller 

2.1 The Data Processor is obliged to:

2.1.1 comply with all applicable Data Protection Legislation in connection with the Data Management of the Data Controller's Personal Data; and 
2.1.2 manage the Personal Data of the Data Controller in accordance with the instructions given and documented by the Data Controller, unless the Law Applicable to the Contracted Data Processor makes a deviation from the instruction mandatory, in which case the Data Processor, to the extent permitted by the Applicable Law, prior to the Data Processing deviating from the instruction, must inform the Data Controller about the different Data Management related to Personal Data.
2.2 The Data Controller is obliged to instruct the Data Processor regarding the following:
2.2.1 on the management of the Controller's Personal Data, and
2.2.2 especially on the transfer of the Controller's Personal Data to a country or territory

to the extent necessary to fulfill the provisions of the Services and this Agreement.

2.3 In accordance with the requirements set forth in Article 28(3) of the GDPR, Attachment No. 1 to this Agreement contains the information regarding the processing of the Data Controller's Personal Data by the Contracted Data Processors. The Data Processor can unilaterally make reasonable changes to the content of Attachment No. 1, with the simultaneous notification of the Data Controller, in order to comply with the legal regulations. Attachment No. 1 does not grant any rights or impose any obligations on the Parties.

3. Data processor

3.1 The Data Processor is obliged to take reasonable steps to ensure the reliability of all employees, agents or contractors of its Contracted Data Processors who have access to the Data Controller's Personal Data, and must also ensure that the Data Controller's Personal Data can only be accessed or known by those for whom this is absolutely necessary within the organization of the Contracted Data Processor, and must ensure the fulfillment of the provisions of Article 28(3) of the GDPR.


4. Safety

4.1 The Data Processor shall take appropriate technical and organizational measures in relation to the Controller's Personal Data, taking into account the state of science and technology and the costs of implementation, as well as the nature, scope, circumstances and purposes of data management, as well as the variable probability and severity of the risk to the rights and freedoms of natural persons, including, if appropriate, the measures according to Article 32(1) of the GDPR, in order to guarantee a level of data security appropriate to the degree of risk.

4.2 When evaluating the appropriate level of security, the Data Processor takes into account the risks that may be associated with data processing, especially with regard to possible data protection incidents.

      5. Further data processing 

      5.1 The Data Controller authorizes the Data Processor to use Additional Data Processors in accordance with the provisions of this point 5 and the restrictions contained in this Agreement. An Additional Data Processor used before the entry into force of this Agreement may continue to be used by the Data Processor after the entry into force of this Agreement, if the agreement reached with the Additional Data Processor regarding further data processing can be brought into line, as soon as possible, with the requirements contained in point 5.3.

      5.2 The Data Processor is obliged to notify the Data Controller in writing about the details of the Data Processing to be carried out by an Additional Data Processor used after the entry into force of this Agreement, before that Additional Data Processor's Data Processing begins. If, within 8 (i.e. eight) calendar days from the date of receipt of the notification, the Data Controller objects in writing to the Data Processor regarding the planned designation, then:

      5.2.1 the Data Processor is obliged to cooperate in good faith with the Data Controller in order to make commercially reasonable changes to the Services in order to prevent the use of the Additional Data Processor specified in the notification; and
      5.2.2 if these amendments cannot be implemented within 30 (i.e. thirty) calendar days after the Data Controller communicates its objection, then, notwithstanding anything to the contrary in this Agreement, the Data Controller may terminate this Agreement in writing with immediate effect, insofar as it relates to the Service or Services in connection with which the use of the Additional Data Processor arose.
        5.3 In relation to Additional Data Processors, the Data Processor is obliged to:
        5.3.1 make sure, prior to the first Data Processing by the Additional Data Processor related to the Data Controller's Personal Data, that the Additional Data Processor is able to provide a level of protection for the Data Controller's Personal Data in accordance with the provisions of this Agreement;
        5.3.2 ensure that the agreement between (a) the Data Processor or (b) the intermediate Additional Data Processor and the Additional Data Processor is in writing, and that the provisions contained in the agreement ensure at least the level of protection established in this Agreement for the Data Controller's Personal Data and comply with Article 28(3) of the GDPR; and
        5.3.3 provide a copy of the agreements concluded by the Contracted Data Processors with Additional Data Processors at the Data Controller's request, so that the Data Controller can examine the content of the agreement.
          5.4 The Data Processor is obliged to ensure that the Additional Data Processor will fulfill its obligations under this Agreement.
            6. Controller's Personal Data 

            6.1 The Parties declare that by providing the Services, the Data Processor manages the personal data of the Data Controller's customers. Pursuant to Article 12(1) of the GDPR, the Data Controller is obliged to inform its customers that the Data Controller transmits certain personal data to third parties in the course of data management.

            6.2 Taking into account the findings contained in section 6.1 of this Agreement, the Parties agree that only the Data Controller is obliged to inform its customers by providing the necessary information prescribed in Article 14 of the GDPR.

            6.3 THE DATA PROCESSOR HEREBY DISCLAIMS ALL LIABILITY UNDER THIS POINT 6, INCLUDING IN RELATION TO DAMAGE, NON-PROPERTY INJURY AND/OR CONSEQUENTIAL DAMAGES RELATING TO THE FAILURE TO NOTIFY ITS CUSTOMERS, AND IN CONNECTION WITH ANY LOSS OR LIABILITY RESULTING FROM FAILURE TO PROVIDE INFORMATION AS DESCRIBED IN ARTICLE 14 OF THE GDPR.

            6.4 THE DATA PROCESSOR IS OBLIGED TO INDEMNIFY THE DATA PROCESSOR IN THE CASE OF ANY DAMAGE, NON-PROPERTY INJURY, OR CONSEQUENTIAL DAMAGES ARISING FROM THE DATA PROCESSOR AS A RESULT OF A BREACH OF ITS OBLIGATIONS SET FORTH IN POINT 6 OF THIS AGREEMENT.

            6.5 A VIOLATION BY THE DATA PROCESSOR OF THE OBLIGATIONS CONTAINED IN THIS POINT 6 IS CONSIDERED A SERIOUS BREACH OF CONTRACT, ON THE BASIS OF WHICH THE DATA PROCESSOR IS ENTITLED TO TERMINATE THIS AGREEMENT WITH IMMEDIATE EFFECT, WITHOUT PRIOR NOTICE.
              7. Rights of Data Subjects 

              7.1 Taking into account the nature of the Data Processing, the Data Processor is obliged to assist the Data Controller with appropriate technical and organizational measures accepted by the Data Controller to the extent possible so that the Data Controller can respond to the Data Subject's requests related to the exercise of his rights contained in the Data Protection Law.

              7.2 The Data Processor is obliged to:
              7.2.1 immediately notify the Data Controller, if a request has been received from the Data Subject regarding the Data Controller's Personal Data, based on any Data Protection Legislation; and 
              7.2.2 ensure that the Contracted Data Processor will not fulfill the request, unless the Data Controller has demonstrably instructed it to do so, or the Law Applicable to the Contracted Data Processor requires it, in which case the Data Processor must, to the extent permitted by the Applicable Law, notify the Data Controller of this before the Contracted Data Processor fulfills the Data Subject's request.

                8. Data Protection Incident 

                8.1 The Data Processor is obliged to notify the Data Controller without delay, but at the latest within 24 hours of detection, if the Data Processor or any Additional Data Processor detects a Data Protection Incident related to the Data Controller's Personal Data, and is obliged to provide the Data Controller with all necessary information without delay.

                8.2 The notice must contain at least the following:

                8.2.1 description of the nature of the Data Protection Incident, designation of the categories and number of Data Subjects affected by the Data Protection Incident, as well as the categories and number of Personal Data involved;
                8.2.2 disclosure of the name and contact information of the Data Processor's data protection officer or other appropriate contact person, from whom additional information may be requested regarding the Data Protection Incident;
                8.2.3 description of the possible consequences of the Data Protection Incident; and
                8.2.4 a description of the measures taken or planned to be taken in connection with the Data Protection Incident.

                  8.3 The Data Processor is obliged to cooperate with the Data Controller and, in accordance with the Data Controller's instructions, take all commercially reasonable steps to assist in the investigation, mitigation of consequences and compensation for individual Data Protection Incidents. 

                  8.4 If the Data Processor does not fulfill or violates its obligations under this point 8, such non-performance or breach of obligations is considered a serious breach of contract and, notwithstanding anything to the contrary in this Agreement, the Data Controller may terminate this Agreement in writing with immediate effect.

                    9. Data Protection Impact Assessment and Preliminary Consultation 

                    9.1 The Data Processor is obliged to cooperate with the Data Controller in relation to all data protection impact assessments and preliminary consultations with the Supervisory Authority or other competent data protection authorities, which are reasonably necessary for the Data Controller to comply with the provisions contained in Articles 35 and 36 of the GDPR.

                      10. Deleting or returning Personal Data of Data Controllers 

                      10.1 Taking into account the provisions of point 10.2, from the date of termination of any Service related to the Processing of Personal Data of the Data Controller (hereinafter: "Cessation Day"), without delay, but within 3 (i.e. three) calendar days at the latest, and at any time upon written request by the Data Controller, the Data Processor (i) must delete the Data Controller's Personal Data and all copies related to the deleted Data Controller's Personal Data, or (ii) must return to the Data Controller all Data Controller Personal Data and all related copies, and (iii) is obliged to delete the Data Controller Personal Data Processed at the Data Processor and Additional Data Processors, as well as all copies made of them.

                      10.2 All Contracted Data Processors are entitled to further process the Data Controller's Personal Data only to the extent that the Applicable Law requires this, and only for as long as the Applicable Law requires this. The Data Processor is also obliged to ensure that the further processing of such Data Controller's Personal Data is confidential, and is also obliged to ensure that the Data Controller's Personal Data will be processed only to the extent necessary for the purpose determined by the Applicable Law requiring further storage.

                      11. Audit Rights

                      11.1 The Data Processor is obliged, upon the Data Controller's request, to make available to the Data Controller all data that proves the Data Processor's compliance with this Agreement, and is also obliged to enable and facilitate audits carried out by the Data Controller or an inspector commissioned by the Data Controller, including on-site inspections. The Data Controller shall endeavor to avoid or, if unable to avoid, to reduce damages and disruptions caused by the persons conducting the audit or control, in the premises of the Contracted Data Processor, to its employees and to its business operations.
                        12. Final provisions 

                        12.1 Governing Law and Jurisdiction
                        12.1.1 Legal disputes arising from this Agreement, as well as disputes related to the validity, effectiveness or termination of this Agreement, as well as the legal consequences of its nullity, are subject to the exclusive jurisdiction of a competent Hungarian court.
                        12.1.2 In relation to contractual, non-contractual or other obligations arising from or related to this Agreement, as well as the interpretation of the Agreement, the Parties stipulate the application of Hungarian law.
                          12.2 Ranking
                          12.2.1 None of the provisions of this Agreement mitigates the Data Processor's obligations related to the management of Personal Data arising from this Agreement, or authorizes the Data Processor to carry out Data Management prohibited under the Agreement, or to manage Personal Data in a manner that is prohibited under this Agreement.
                          12.2.2 With regard to the provisions of point 12.2.1, in the event of a conflict between this Agreement and any other agreement concluded between the Parties concerning the subject of this Agreement, including any agreement established or intended to be established between the Parties after the entry into force of this Agreement, this Agreement shall apply.

                            12.3 Amendment of the Data Protection Law and amendment of the Agreement

                            12.3.1 The Data Controller is entitled to:

                            12.3.1.1 amend this Agreement from time to time by written notice, setting a deadline of at least 15 (i.e. fifteen) calendar days, if it becomes necessary to amend this Agreement as a result of amendments to the Data Protection Law or a decision of the competent authority based on the Data Protection Legislation; and
                            12.3.1.2 The Data Controller verifies that the proposed amendment is necessary in order to comply with the Data Protection Law.
                              12.3.2 If the Data Controller notifies the Data Processor in writing regarding the provisions of point 12.3.1.1, the Data Processor is obliged to cooperate without delay and to ensure that the relevant Additional Data Processors also cooperate without delay.

                              12.3.3 If the Data Controller notifies the Data Processor in writing regarding the provisions of point 12.3.1.2, the Parties are obliged to negotiate the proposed amendments in good faith without delay, with the aim of applying the proposed amendments or amendments that differ from them. 
                                12.4 Continuation of this Agreement

                                  In the event that any point of this Agreement is invalid or unenforceable, the remaining parts of this Agreement shall remain valid and effective. Invalid or unenforceable provisions must either (i) be replaced by a provision that corresponds to the original will of the Parties for the sake of validity or enforceability, or (ii) this Agreement must be interpreted as if the invalid or unenforceable provisions had never been contained in it.



                                    ATTACHMENT NO. 1

                                    DETAILS OF PROCESSING PERSONAL DATA OF DATA CONTROLLERS


                                    This Attachment No. 1 contains the details of the processing of the Data Controller's Personal Data prescribed in Article 28(3) of the GDPR.

                                    1. Subject and duration of the processing of the Controller's Personal Data 

                                    Personal data relating to the Data Controller's customers will be processed by the Data Processor as long as they are necessary to fulfill the Data Processor's contractual obligations, or as long as their processing is in the legitimate interest of the Data Processor, or for the period prescribed by law.

                                    2. The nature and purpose of the processing of the Controller's Personal Data 

                                    The Data Controller's Personal Data are necessary for the provision of the Data Processor's Services.

                                    3. Types of Data Controller Personal Data to be managed

                                    Personal data provided by the Data Controller, which are necessary to provide the Service.

                                    4. Categories of Data Subjects to whom the Controller's Personal Data apply 

                                    Customers of the Data Controller whom the Data Controller wishes to gift with an Impact Box or other Products.

                                    5. Rights and obligations of the Data Controller 

                                    The Data Controller's rights and obligations are set out in the Data Protection Notice and this Agreement.