GDPR

The
Hungary-Meat Food Industry Production Service and Trading
Limited Liability Company
Data Protection and Data Security Regulation
- consolidated with amendments -

Introduction:
The HUNGARY-MEAT Food Industry Production Service and Trading Limited Liability Company (hereinafter: Data Controller, Company) pays particular attention to the protection of personal data, compliance with mandatory legal provisions, and secure and fair data management in its business and economic activities. Therefore, HUNGARY-MEAT Ltd. handles personal data confidentially as per the provisions of this regulation and takes all necessary security, technical, and organizational measures to guarantee data security and compliance with data protection and data security requirements. The Data Controller considers it important to respect and enforce the data management rights related to its Employees, Customers, Partners, and all other natural persons concerned (hereinafter: Data Subject).

The Data Controller therefore undertakes that its data management related to its service complies with the expectations defined in this regulation and the applicable laws. HUNGARY-MEAT Ltd. manages, records, processes, and transmits personal data of the data subjects in accordance with the provisions of Act CXII of 2011 on the right to informational self-determination and freedom of information (hereinafter: Infotv.), Regulation (EU) 2016/679 (hereinafter: GDPR Regulation), and other relevant legal provisions.
This regulation has been developed based on the following applicable laws:

Fundamental Law of Hungary
Act CXII of 2011 – on the right to informational self-determination and freedom of information (hereinafter: Infotv.),
Regulation (EU) 2016/679 (GDPR - April 27, 2016) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC,
Act I of 2012 – on the Labor Code,
Act V of 2013 – on the Civil Code,
Act CVIII of 2001 on certain issues of electronic commerce services and information society services,
Act CXXXIII of 2005 on the rules of personal and property protection and private investigative activities,
European Data Protection Board's Guidelines 3/2019 on the processing of personal data through video devices.

This Data Protection and Data Security Regulation is linked to and should be interpreted in conjunction with all internal regulations of the Data Controller that have a data protection aspect.
The terms used in this Regulation and its annexes correspond to the definitions set out in the GDPR Regulation.

I. Data of the Data Controller:

HUNGARY-MEAT Food Industry Production Service and Trading Limited Liability Company
Company registration number: 03-09-104730
Headquarters: 6100 Kiskunfélegyháza, Majsai út 30.
Tax number: 11421702-2-03
Data Controller's email: hm@hungarymeat.hu
Data Controller's representative: László Kovács, Managing Director
Website: https://www.hungarymeat.com

The Data Controller always handles the personal data provided to it in compliance with the applicable Hungarian and European laws and ethical expectations, and always takes the necessary technical and organizational security measures to ensure appropriate secure data management, which protect the security of the data.
The Data Controller undertakes to unilaterally comply with this Regulation and requests its Customers to accept the provisions of the Regulation.
The current version of the data protection regulation is always available on the Data Controller's website, posted in the Data Controller's central office, and in the Data Controller's HR office.
The Company considers compliance with the Hungarian legal requirements related to data management in connection with its activities to be of utmost importance and reserves the right to change this Regulation, provided that the amended Regulation is published publicly in the usual manner.
Inquiries regarding the Regulation and its interpretation, as well as questions or potential problems arising in connection with the use of HUNGARY-MEAT Ltd.'s services, can be addressed through the contact details available on the website under the contact menu, or sent electronically to the email address hm@hungarymeat.hu.

II. General Rules of Data Protection

II.1. Purpose and Scope of Data Protection
The purpose of the Data Protection and Data Security Regulation is to define the legal framework for data management at the Data Controller, to ensure the enforcement of constitutional principles of data protection and the right to informational self-determination, to facilitate compliance with data security requirements, and to prevent unauthorized data management. This Data Protection and Data Security Regulation establishes the important tasks and responsibilities regarding data security from the perspective of data protection.

This Regulation applies to and its rules govern the data flow towards data processors used by HUNGARY-MEAT Ltd. as the Data Controller, as well as the communication involving personal data between the Data Controller and other data controllers. Accordingly, the personal scope of this Regulation covers the Data Controller, its employees, and individuals or economic entities performing personal data management or data processing in contractual or other relationships with the Data Controller. The scope of the Regulation does not extend to the data management or data processing of legal entities or organizations that are not considered legal entities. Furthermore, the scope of this Regulation includes all data management, data transmission, and information transfer activities conducted at the Data Controller’s headquarters and premises – exclusively affecting natural persons (employees, clients, contractual partners) – and the treatment and protection of data that is the subject of such data management and information transfer as business secrets as defined in this Regulation.

The material scope of the Regulation covers all personal data managed by the Data Controller that can be linked to natural persons, the full range of data processing operations performed on them, regardless of their origin, handling, processing location, and their form of appearance.

GOVERNANCE/SUPERVISION: This Regulation is approved and stored by the managing director of HUNGARY-MEAT Ltd. The Regulation is reviewed and approved at least annually.

RESPONSIBILITY AND REPORTING: The managing director is responsible for the implementation of this Regulation. All employees are obligated to report if they become aware of or suspect any circumvention or violation of the Regulation. Reports should primarily be made through the usual reporting channels, i.e., by contacting the data protection officer.

II.2. Principles of Data Management and the Legal Basis for Data Management

Principles of Data Management:

Purpose limitation principle – personal data may only be managed for specified purposes, for the exercise of rights, and the fulfillment of obligations.
Fair data management principle – data management must comply with the purpose of data management at all stages, and data collection and management must be fair and lawful.
Data minimization principle – only personal data that is essential for achieving the purpose of data management and suitable for achieving that purpose may be managed.
Necessity principle – personal data may only be managed to the extent and for the duration necessary to achieve the purpose.
Data quality principle – data accuracy, completeness, and, if necessary for the purpose of data management, up-to-dateness must be ensured during data management.
Data protection principle – the data controller and the data processor within their scope of activities must ensure the protection of the privacy of the data subjects and the security of the data. They must also take the necessary technical and organizational measures and develop the procedural rules required to enforce the provisions of the Info Act and other data and secrecy protection rules.

Legal basis for data management:

Personal data can thus be managed considering the listed principles, and the management of personal data is only lawful if at least one of the following conditions is met:

the data subject has given consent to the processing of their personal data for one or more specific purposes;
data management is necessary for the performance of a contract in which the data subject is a party, or for taking steps at the request of the data subject prior to entering into a contract;
data management is necessary for compliance with a legal obligation to which the data controller is subject;
data management is necessary to protect the vital interests of the data subject or another natural person;
data management is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller;
data management is necessary for the purposes of the legitimate interests pursued by the data controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, especially if the data subject is a child.

Only personal data that is essential for achieving the purpose of data processing and suitable for achieving that purpose may be processed, and only to the extent and for the duration necessary to achieve the purpose. Personal data may be transferred, and different data processing activities may be linked if the data subject has consented, or the law permits, and the conditions of data processing are met for each personal data.
Personal data may be transferred to a data controller or data processor in a third country – regardless of the data carrier or the mode of data transfer – if the data subject has explicitly consented, or the law permits, and the third country ensures an adequate level of protection for the transferred data during its processing.

In the case of mandatory data processing, the purpose and conditions of data processing, the scope of data to be processed, and the duration of data processing, as well as the person of the data controller, are determined by the law or municipal decree ordering the data processing.

Law may order the disclosure of personal data in the public interest – with the express indication of the scope of data. In all other cases, the consent of the data subject is required for disclosure, and written consent is required for the disclosure of special data. In case of doubt, it must be presumed that the data subject has not given consent. The data subject’s consent must be considered given in respect of data disclosed by them during their public appearance or data provided by them for the purpose of disclosure. In proceedings initiated at the request of the data subject, consent to the necessary processing of their data must be presumed. The data subject must be informed of this fact. The data subject may also give their consent within the framework of a written contract with the Data Controller for the purpose of fulfilling the contract. In this case, the contract must contain all the information that the data subject needs to know for the purposes of personal data processing, including the definition of the data to be processed, the duration of processing, the purpose of use, data transfer, and the use of a data processor. The contract must clearly state that by signing it, the data subject consents to the processing of their data as specified in the contract.

The right to the protection of personal data and the data subject’s privacy rights – unless the law provides otherwise – may not be infringed by other interests related to data processing, including the publicity of data of public interest.

II.3. Bases of Data Processing

If the legal basis for data processing is the consent of the data subject, the prior and explicit consent required for the processing of personal data can only be considered acceptable by law if all three substantive requirements are met, namely

voluntariness,
clarity (unambiguity), and
informedness.

In the case of data processing based on consent, the data subject's consent to the processing of their personal data must be obtained in writing. Consent to data processing may be given by the data subject through a written declaration or by filling out and signing a form provided by the Data Controller. Consent to data processing is also considered given if the data subject checks the box indicating such consent while viewing the Company’s website, performs technical settings related to the use of services related to the information society, or any other statement or action that clearly indicates in the given context the data subject’s consent to the planned processing of their personal data. Silence, pre-ticked boxes by the Data Controller, or inaction does not constitute consent. Consent extends to all data processing activities carried out for the same purpose, regardless of how it is given. If data processing serves multiple purposes, consent must be given for all purposes of data processing.

If the data subject gives their consent as part of a written declaration covering other matters, the request for consent must be presented in a manner clearly distinguishable from those other matters, in an understandable and easily accessible form, using clear and plain language. Any part of such a declaration that violates the GDPR regulation will not be binding.

The Data Controller may not make the creation or performance of a legal transaction, or the conclusion or fulfillment of a contract, conditional on the processing of personal data that is not necessary for the creation, conclusion, or performance of the legal transaction or contract.

Withdrawal of consent must be made possible in the same manner as giving it.
If personal data is collected with the data subject's consent, the Data Controller may process the collected data without further consent for the purpose of complying with a legal obligation or for the legitimate interests of the Data Controller or a third party, if such interest is proportionate to the restriction of the right to the protection of personal data.

The Data Controller publishes a data management information notice on its website, which provides detailed information to the data subjects about all facts related to the processing of their data, including the purpose and legal basis of data processing, the persons entitled to data processing and data processing, the duration of data processing, and whether the Data Controller processes the personal data of the data subject on the basis of legitimate interest, and who can access the data. The information must also cover the data subject's rights and remedies related to data processing. Data subjects must be informed of the availability of the notice.

Personal data may also be processed if it is impossible or disproportionately costly to obtain the data subject's consent and the processing of personal data is necessary for the Data Controller to fulfill its legal obligation, or for the legitimate interest of the Data Controller or a third party, and such interest is proportionate to the restriction of the right to the protection of personal data.

If the data subject is unable to give their consent due to incapacity or other unavoidable reasons, personal data may be processed to the extent necessary to protect the vital interests of the data subject or another person, or to prevent or avert an immediate danger to the life, physical integrity, or property of persons, during the period of the obstacles to consent.

If personal data is collected with the data subject's consent, the Data Controller may process the collected data without further consent for the purpose of complying with a legal obligation, or for the legitimate interests of the Data Controller or a third party, if such interest is proportionate to the restriction of the right to the protection of personal data, and also after the withdrawal of the data subject's consent.

In certain cases, data processing without consent is based on other legal grounds according to Article 6 of the GDPR regulation.

II.4. Storage of Data
The managed data must be stored in a way that unauthorized persons cannot access it.

For paper-based data carriers, this is ensured by establishing the rules for physical storage and archiving, and for data managed electronically, by using a central authorization management system. Paper-based data carriers must be stripped of personal data using a shredder or by employing an external company specialized in document destruction.

The method of storing data electronically must be chosen in such a way that their deletion can be carried out at the expiration of the data deletion deadline or if necessary for other reasons. The deletion must be irreversible. For electronic data carriers (hard drives, optical media, magnetic media, printers, multifunction machine storages, flash (NAND) media, SIM cards, mobile devices, phones, PDAs, tablets, laptops, etc.), the rules for the disposal of electronic data carriers must ensure physical destruction or, if necessary, prior secure and irreversible deletion of data. The destruction of data carriers must be monitored, documented, and the documentation must be preserved in a retrievable manner or disposed of.

II.5. The Rights of Data Subjects:

The Data Subject has the right to request information from the Data Controller at any time about the personal data processed by the Data Controller that concerns them, to request the correction of their personal data, to request the deletion, withdrawal, or restriction of the processing of their personal data (with the exception of mandatory data processing), and to exercise their right to data portability, objection, and legal remedy by sending a letter to the email address specified in this regulation, as follows:

II.5.1. Right to Prior Information
The Data Subject has the right to be informed about the facts and information related to data processing before the data processing begins. (GDPR Articles 13-14)

A.) Information to be provided if personal data is collected from the Data Subject:
In the case of newly initiated data processing, if the Data Controller collects personal data concerning the Data Subject from the Data Subject, the following information must be provided to the Data Subject at the time of the collection of personal data, or if the Data Subject subsequently requests information, at the time of the request:
1. the identity and contact details of the Data Controller and, if designated, the representative of the Data Controller;
2. the contact details of the data protection officer (person responsible for data protection);
3. the purpose of the intended processing of personal data and the legal basis for the data processing;
4. if the data processing is based on legitimate interests, the legitimate interests of the Data Controller or a third party;
5. the recipients or categories of recipients of the personal data, if any;
6. if applicable, the fact that the Data Controller intends to transfer personal data to a third country or international organization, the existence or absence of an adequacy decision, or in the case of such a data transfer, the indication of appropriate and suitable guarantees and the ways to obtain a copy of them or where they are available;
7. the duration of the storage of personal data, or if that is not possible, the criteria used to determine that duration;
8. information about the Data Subject's right to request from the Data Controller access to and rectification or erasure of personal data or restriction of processing concerning the Data Subject, and to object to such processing as well as the right to data portability;
9. if the data processing is based on the Data Subject's consent, information about the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
10. the right to lodge a complaint with a supervisory authority;
11. whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the Data Subject is obliged to provide the personal data and the possible consequences of failure to provide such data;
12. if applicable, the existence of automated decision-making, including profiling, and at least in those cases, meaningful information about the logic involved, as well as the significance and the expected consequences of such processing for the Data Subject.

B.) Information to be provided if personal data is not collected from the Data Subject
If the Data Controller does not collect personal data concerning the Data Subject from the Data Subject, the Data Controller shall provide the above information to the Data Subject at the time of obtaining the personal data, as well as additional information on the source of the personal data and whether the data came from publicly accessible sources.

Procedure for providing prior information:
Upon the Data Subject's request, the Data Controller shall provide information about the personal data processed by the Data Controller concerning the Data Subject, as well as the above information. The information can be requested via the email address specified in this regulation.

The Data Controller is obliged to provide the information:
1. taking into account the specific circumstances of the processing of personal data, within a reasonable period from obtaining the personal data, but at the latest within one month;
2. if the personal data is used for communication with the Data Subject, at the latest at the time of the first communication with the Data Subject; or
3. if it is expected that the personal data will be disclosed to another recipient, at the latest at the time of the first disclosure of the personal data to the recipient in a comprehensible form, upon the Data Subject's request in writing.

The information must be provided to the Data Subject in the manner requested by the Data Subject, and in the absence of an express request, primarily via email, and secondarily by postal mail, provided that the Data Controller has the data necessary to use the communication form and the Data Subject's identity can be unequivocally established. If the Data Subject cannot be unequivocally identified, the Data Controller shall inform the Data Subject in an appropriate manner, if possible. In such cases, the Data Controller shall ensure the Data Subject's rights if the Data Subject provides additional information enabling their identification to exercise their right.
If the Data Controller intends to process the personal data for a purpose other than that for which it was collected, and this is possible, the Data Controller shall inform the Data Subject of this other purpose and any relevant information before further processing, in accordance with the relevant provisions of the GDPR.

The Data Controller may only refuse to provide the information in the cases and to the extent specified by law, such as:
1. if the Data Subject already has the information;
2. if the provision of such information proves impossible or would require a disproportionate effort, particularly in the context of processing for public interest archiving purposes, scientific or historical research purposes, or statistical purposes, taking into account the conditions and guarantees referred to in the applicable regulations, or if this obligation would likely render impossible or seriously jeopardize the achievement of the objectives of that processing. In such cases, the Data Controller shall take appropriate measures to protect the Data Subject's rights, freedoms, and legitimate interests, including making the information publicly available;
3. if the acquisition or disclosure of the data is explicitly provided for by the European Union or Member State law applicable to the Data Controller, which provides appropriate measures to protect the Data Subject's legitimate interests; or
4. if the personal data must remain confidential subject to a statutory obligation of professional secrecy under Union or Member State law, including a statutory obligation of confidentiality.

If the Data Controller refuses to provide the information, the Data Controller shall inform the Data Subject in writing of the legal provision on which the refusal is based. In case of refusal, the Data Controller shall inform the Data Subject about the possibility of seeking judicial remedy and lodging a complaint with a supervisory authority.

The information shall be provided free of charge if the Data Subject has not yet submitted a request for information concerning the same data set to the Data Controller in the current year. In other cases, and if the request is clearly unfounded or, particularly due to its repetitive nature, excessive, the Data Controller may charge a fee or refuse to take further action on the request.

Any fees already paid shall be refunded if the data was processed unlawfully or the request for information led to correction.

II.5.2. Right of Access
The Data Subject has the right to obtain from the Data Controller confirmation as to whether or not personal data concerning them is being processed, and, where that is the case, access to the personal data and the following information:
1. the purposes of the processing;
2. the categories of personal data concerned;
3. the recipients or categories of recipients to whom the personal data has been or will be disclosed, in particular recipients in third countries or international organizations;
4. where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
5. the right to request from the Data Controller rectification or erasure of personal data or restriction of processing of personal data concerning the Data Subject or to object to such processing;
6. the right to lodge a complaint with a supervisory authority;
7. where the personal data is not collected from the Data Subject, any available information as to their source;
8. the existence of automated decision-making, including profiling, and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the Data Subject;
9. where personal data is transferred to a third country or international organization, the Data Subject shall have the right to be informed of the appropriate safeguards relating to the transfer.

II.5.3. Right to Rectification
The Data Subject has the right to obtain from the Data Controller without undue delay the rectification of inaccurate personal data concerning them.
If the Data Subject indicates that any data processed by the Data Controller does not correspond to reality, the data protection officer identifies the Data Subject and ensures the correction of the data, informing the relevant system administrator of the Data Controller's information system of the request for rectification, indicating the correct data.

If the correct data is not available, the data protection officer shall seek clarification from the Data Subject about the correct data. If the correct data cannot be established, the data protection officer ensures the inaccurate data is blocked and informs the Data Subject that rectification is not possible without the correct data, but the data has been blocked.

II.5.4. Right to erasure ("right to be forgotten")

A.) The Data Subject shall have the right to obtain from the Data Controller the erasure of personal data concerning him or her without undue delay and the Data Controller shall have the obligation to erase personal data concerning the Data Subject without undue delay where one of the following grounds applies:
1. the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
2. the Data Subject withdraws consent on which the processing is based and there is no other legal ground for the processing;
3. the Data Subject objects to the processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller or for the purposes of the legitimate interests pursued by the Data Controller or by a third party, and there are no overriding legitimate grounds for the processing, or the Data Subject objects to the processing of personal data concerning him or her for direct marketing purposes;
4. the personal data have been unlawfully processed;
5. the personal data must be erased for compliance with a legal obligation in Union or Member State law to which the Data Controller is subject;
6. the personal data have been collected in relation to the offer of information society services referred to in the Regulation.

If the Data Controller has made the personal data public and is obliged to erase the personal data, taking account of available technology and the cost of implementation, it shall take reasonable steps, including technical measures, to inform other controllers processing the personal data that the Data Subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

B.) The erasure shall not be applicable to the extent that processing is necessary:
1. for exercising the right of freedom of expression and information;
2. for compliance with a legal obligation which requires processing by Union or Member State law to which the Data Controller is subject;
3. for reasons of public interest in the area of public health;
4. for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in so far as the right referred to in paragraph A is likely to render impossible or seriously impair the achievement of the objectives of that processing;
5. for the establishment, exercise or defense of legal claims.

The Data Controller shall also delete or anonymize the personal data of the Data Subject in its IT systems and paper-based documentation if no legal provision states otherwise and the purpose of the data processing has ceased.

C.) If the deletion of the personal data is not possible without damaging the document containing it:
1. if the Data Controller or a third party has a legitimate interest in preserving the document, the Data Controller shall preserve the document according to the document management rules, handle the document in a closed manner in the case of a deletion request, inform the Data Subject about this, and destroy the document together with the personal data after the expiry of the retention period specified in the document management rules;
2. if neither the Data Controller nor a third party has a legitimate interest in preserving the document, the Data Controller shall destroy the document together with the personal data.

In all cases, the person responsible for data protection shall arrange for the deletion of personal data in cooperation with the organizational unit concerned with the processing of the personal data and the system administrator of the IT system.

The Data Controller shall irreversibly delete personal data from its IT systems if possible, and ensure that the deletion is also reflected in the archived version of the IT system. The person responsible for the IT system is responsible for the deletion.

If irreversible deletion is not feasible for technical reasons, the Data Controller shall carry out logical deletion. In the context of logical deletion, the personal data must be replaced by an identifier that prevents any connection with the Data Subject.

For paper-based documentation, the destruction shall be recorded in a protocol. The protocol must include: the type of documents destroyed, the information necessary for the identification of the destroyed documents, the time of destruction, and the name and position of the person carrying out the destruction, and in the case of an external partner, the name of the external partner.

If the deletion of data is a legal requirement but not feasible due to the legitimate interest of the Data Subject, the personal data or the electronic or paper-based documentation containing the personal data must be locked. In this case, only the system administrator of the IT system or the person responsible for data protection shall have access to the data stored in the IT system. In the case of paper-based documentation, the document must be kept in a lockable cabinet. The Data Controller shall terminate users' access to the electronic copies of paper-based documentation uploaded to the internal system.

II.5.5. Right to object
The Data Subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) (processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller) or point (f) (processing necessary for the purposes of the legitimate interests pursued by the Data Controller or by a third party) of Article 6(1) of the GDPR.

In such cases, the Data Controller shall no longer process the personal data unless the Data Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the Data Subject or for the establishment, exercise, or defense of legal claims.

Where personal data are processed for direct marketing purposes, the Data Subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing. If the Data Subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.

At the latest at the time of the first communication with the Data Subject, the right referred to in this paragraph shall be explicitly brought to the attention of the Data Subject and shall be presented clearly and separately from any other information.

Where personal data are processed for scientific or historical research purposes or statistical purposes pursuant to Article 89(1), the Data Subject, on grounds relating to his or her particular situation, shall have the right to object to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

The Data Subject shall have the right to object by e-mail to the Data Controller, unless otherwise provided by law. The person responsible for data protection shall identify the Data Subject as soon as possible, examine the objection as soon as possible after the submission of the request, make a decision on the merits of the objection, and inform the applicant of the decision.

II.5.6. Right to Restriction of Processing
The Data Subject shall have the right to obtain from the Data Controller restriction of processing where one of the following applies:
1. The Data Subject contests the accuracy of the personal data, for a period enabling the Data Controller to verify the accuracy of the personal data;
2. The processing is unlawful and the Data Subject opposes the erasure of the personal data and requests the restriction of their use instead;
3. The Data Controller no longer needs the personal data for the purposes of the processing, but they are required by the Data Subject for the establishment, exercise, or defense of legal claims;
4. The Data Subject has objected to processing pending the verification whether the legitimate grounds of the Data Controller override those of the Data Subject.

Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with the Data Subject's consent or for the establishment, exercise, or defense of legal claims, for the protection of the rights of another natural or legal person, or for reasons of important public interest of the Union or of a Member State.

The Data Controller shall inform the Data Subject who has obtained restriction of processing before the restriction is lifted.

II.5.7. Right to Data Portability
The Data Subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a Data Controller, in a structured, commonly used, and machine-readable format, and have the right to transmit those data to another Data Controller without hindrance from the Data Controller to which the personal data have been provided, where:
1. The processing is based on consent or on a contract and
2. The processing is carried out by automated means.

In exercising his or her right to data portability pursuant to paragraph 1, the Data Subject shall have the right to have the personal data transmitted directly from one Data Controller to another, where technically feasible.

The exercise of the right to data portability shall be without prejudice to the right to erasure. That right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller.

II.5.8. Rights Related to Automated Decision-Making, Including Profiling
The Data Subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her, except where the decision:
1. Is necessary for entering into, or performance of, a contract between the Data Subject and a Data Controller;
2. Is authorized by Union or Member State law to which the Data Controller is subject and which also lays down suitable measures to safeguard the Data Subject's rights and freedoms and legitimate interests; or
3. Is based on the Data Subject's explicit consent.

In the cases referred to in points (1) and (3), the Data Controller shall implement suitable measures to safeguard the Data Subject's rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the Data Controller, to express his or her point of view, and to contest the decision.

II.5.9. Notification Obligation Regarding Rectification or Erasure of Personal Data or Restriction of Processing
The Data Controller shall communicate any rectification or erasure of personal data or restriction of processing carried out in accordance with Article 16, Article 17(1), and Article 18 to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The Data Controller shall inform the Data Subject about those recipients if the Data Subject requests it.

II.5.10. Right to be Informed About a Data Breach
When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the Data Controller shall communicate the personal data breach to the Data Subject without undue delay.

The communication to the Data Subject shall describe in clear and plain language the nature of the personal data breach and contain at least the following information:
The name and contact details of the data protection officer or other contact point where more information can be obtained;
The likely consequences of the personal data breach;
The measures taken or proposed to be taken by the Data Controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

The communication to the Data Subject referred to in paragraph 1 shall not be required if any of the following conditions are met:
1. The Data Controller has implemented appropriate technical and organizational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorized to access it, such as encryption;
2. The Data Controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of Data Subjects referred to in paragraph 1 is no longer likely to materialize;
3. It would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the Data Subjects are informed in an equally effective manner.

If the Data Controller has not already communicated the personal data breach to the Data Subject, the supervisory authority, having considered the likelihood of the personal data breach resulting in a high risk, may require it to do so or may decide that any of the conditions referred to in paragraph 3 are met.

II.5.11. Right to Remedy
Right to lodge a complaint with the supervisory authority (right to administrative remedy)
The Data Subject has the right to lodge a complaint with the supervisory authority if they believe that the processing of personal data relating to them infringes the GDPR regulation. The supervisory authority to which the complaint has been submitted shall inform the client about the procedural developments and the outcome of the complaint, including the right of the client to seek judicial remedy.

Right to an effective judicial remedy against a supervisory authority
Any natural or legal person has the right to an effective judicial remedy against a legally binding decision concerning them by the supervisory authority, or if the supervisory authority does not handle the complaint or does not inform the Data Subject within three months about the procedural developments or the outcome of the submitted complaint.

Right to an effective judicial remedy against a data controller or data processor
Any Data Subject has the right to an effective judicial remedy if they believe that the processing of their personal data in breach of the GDPR regulation has violated their rights under the regulation.

If the Data Subject's rights are violated, they can turn to the court or the data protection authority against the data controller. Remedies and complaints can be made to the National Authority for Data Protection and Freedom of Information at the following contact details:
Address: 1055 Budapest, Falk Miksa utca 9-11.
Mailing address: 1363 Budapest, Pf.: 9.,
Phone: +36 (30) 683-5969/+36 (30) 549-6838/+36 (1) 391 1400,
Fax: +36 (1) 391-1410,
Email: ugyfelszolgalat@naih.hu
Website: www.naih.hu

II.5.12. SUBMISSION OF THE DATA SUBJECT'S REQUEST, ACTIONS OF THE DATA CONTROLLER
The Data Controller shall facilitate the exercise of the Data Subject's rights set out in this chapter and in the legislation. The Data Controller cannot refuse to comply with the Data Subject's request to exercise their rights unless it proves that it is not in a position to identify the Data Subject.

The Data Controller shall inform the Data Subject without undue delay and at the latest within 30 days from the receipt of the request about the measures taken in response to the request to exercise their rights. If necessary, considering the complexity of the request and the number of requests, this period can be extended by a further two months. The Data Controller shall inform the Data Subject about the extension and the reasons for the delay within one month from the receipt of the request.

The information shall be provided electronically where possible unless the Data Subject requests otherwise.

If the Data Controller does not take action on the Data Subject's request, it shall inform the Data Subject without delay and at the latest within 30 days from the receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

The Data Controller shall provide the information relating to the processing of the personal data, the information about the Data Subject's rights, and the measures taken free of charge. If the Data Subject's request is clearly unfounded or - especially due to its repetitive nature - excessive, the Data Controller may charge a fee, taking into account the administrative costs of providing the requested information or communication or taking the requested action, or refuse to act on the request.
The fee that can be charged is HUF 3,000 per data request.
The Data Controller bears the burden of demonstrating the clear unfounded or excessive nature of the request. If the Data Controller has reasonable doubts concerning the identity of the natural person making the request, it may request the provision of additional information necessary to confirm the Data Subject's identity.

II.5.13. MEASURES TO BE APPLIED DURING DATA PROCESSING
Users of the Data Controller's IT system, as well as persons who come into contact with personal data in other ways, are obliged to comply with the following requirements to protect personal data.

Documents containing personal data created during work can only be opened on computing devices used for work purposes. The access codes to the devices used for work purposes must be treated confidentially by the employees.

Emails containing documents with personal data received on work mobile phones should preferably be opened only on desktop computers. If opening on a mobile phone is necessary, the local copy must be deleted from the mobile phone in all cases. The work mobile phone, which contains personal data processed by the Data Controller, must always be used with built-in graphical or coded protection.

In the case of notebooks and other workstations provided for work purposes, the devices may only be used by the users, and their use by family members or other persons is not allowed.

Paper-based work documents, if no longer needed, must be destroyed in such a way (e.g., by shredding) that their content cannot be determined after destruction.

If the employment relationship of an employee is terminated, all paper-based and electronic documents and data containing personal data must be returned to the Data Controller before the last day of the employment relationship, and no copies may be retained.

It is prohibited to store personal data processed by the Data Controller on private devices, unless the storage is indispensable for work, the Data Controller's representative has given permission, and the storage is terminated immediately and irreversibly after the work is completed.

Every employee must use their work area in such a way that documents containing personal data processed by the Data Controller are not freely accessible as far as possible. Such measures include, in particular: password protection of computing devices, locking the office, placing documents in a protected place.

Personal data can only be transmitted using a secure communication channel or appropriate encryption solution. Until otherwise indicated, data flow within the Data Controller's internal email system is considered a secure delivery channel. During external data transfer, personal data must be encrypted, and on paper, transmitted through sealed envelopes.

If the Data Controller receives personal data from another Data Controller related to the processing, all users in contact with the data are obliged to take into account the provisions of the data transferor.

In the case of personal data transfer, the information necessary for keeping the data transfer register must be sent to the person responsible for data protection within 3 working days via email.

Personal data cannot be transferred to external persons.

III. Hungary-Meat Ltd. Data Protection System

The Data Controller determines the organization of data protection within the Company, as well as the specific tasks and competences related to data protection activities, considering its business and economic activities and related tasks, and appoints the person responsible for overseeing data processing and data protection.
The supervision of the data protection system of Hungary-Meat Ltd. is carried out by the Managing Director.

RESPONSIBILITIES AND TASKS RELATED TO DATA PROTECTION

The Managing Director of Hungary-Meat Ltd. regarding data protection:

is responsible for ensuring the conditions necessary for the exercise of the rights of the data subjects as defined in the GDPR and the Information Act;
is responsible for ensuring the personal, material, and technical conditions necessary for the protection of personal data processed by the Company;
is responsible for eliminating any deficiencies or unlawful conditions identified during the audit of data processing, initiating and conducting the procedure necessary to establish personal responsibility;
may order an investigation;
issues the Company's internal rules and instructions related to data protection and data security;
in case of particularly serious legal violations, initiates disciplinary proceedings based on labor law rules against the person who unlawfully processed personal data;

Employees involved in data processing

are obliged to handle personal data in accordance with the provisions of this Policy;
are responsible for the processing, modification, deletion, transfer, and disclosure of personal data within their scope of duties in accordance with this Policy, and for the accurate and traceable documentation of the data;
if necessary, consult with their superior on issues related to the handling of personal data;
immediately inform their superior of any data protection violations that come to their knowledge.

IV. Data Processing Activities and Their Implementation at Hungary-Meat Ltd., Their Basis, Legal Basis, Consent, and Storage and Destruction of Existing Data

IV.1. The following data processing activities are carried out at Hungary-Meat Ltd. as a data controller:
The record of data protection activities at Hungary-Meat Ltd. is the central register of individual personal data processing and data processing activities, in which existing and new data processing activities must be recorded, and changes to previous data processing activities must be noted, while discontinued data processing activities must be deleted from the register. The detailed description of the data processing processes and activities listed here, and the specific list of personal data involved, as well as its criteria, are included in the document called Record of Data Processing Activities, which forms an integral part of this Data Protection and Data Security Policy and its Appendix No. 2.

IV.1.1.) Data processing related to employment relationships (employment and contractor relationships):

data collected and processed through job applications,
data collected and processed during the establishment of an employment relationship,
data processed during the term of the employment relationship,
employee data management, handling of personal files and personal documents, payroll data,
health data processing related to occupational health and regulatory inspections – lung screenings, vaccinations,
modification of employment contracts,
professional training (trainings, education, professional courses),
data processing related to occupational safety (health fitness, accident records, random alcohol tests),
data processing related to photographs and video recordings,
travel log data and data related to reimbursement for the use of personal vehicles, GPS data,
data processing related to asset protection (package inspection),
data processed during the termination of the employment relationship,

-> Data processing activities related to the personal data of applicants for work at the Company: The Data Controller is committed to the development of its activities, thus aiming to carry out work processes with the most suitable employees for the task. The Company processes personal data in the context of job searches and recruitment. The availability of the data processing information must always be indicated in the job advertisement, and the data controller ensures that it is always available at the Company's headquarters and, upon request, provided to the applicant in electronic form.

The publication of anonymized job advertisements is prohibited. The name of the Company as the Employer must be indicated in job advertisements. The resumes and other documents related to the job application process received by the Data Controller are stored separately from the personal data of those not involved in the job search, in a locked cabinet by the HR manager/HR staff/manager of the Data Controller during the period open for submitting resumes. Additionally, the submitted resumes and other documents related to the job application process are stored electronically in a password-protected folder on the computer in the HR manager's office. The HR manager and/or the manager and owners of the Company review the resumes and other documents received within 30 (thirty) days following the deadline for submitting resumes. No notes or conclusions about the applicants are made regarding the job application materials. After the selection process is closed, the HR manager and/or HR staff notify the unsuccessful applicants within 30 (thirty) days, and the resumes and other application materials must be destroyed on the 60th (sixtieth) day following the notification date, and the electronic files must be deleted in a way that they cannot be recovered. Unsuccessful applicants must be notified. The data protection information and consent form used by the data controller for job applicants are included in Appendix No. 3 of this Policy, while the data protection information for unsuccessful applicants is included in Appendix 3/1/A of this Policy.

-> Activities related to the processing of data of natural persons in employment relationships with the Company: The Company, as an Employer, may require the Employee to make a statement or provide personal data that is relevant to the establishment, performance, termination (cancellation), or enforcement of claims arising from the employment relationship under the Labor Code.

The Company, as an Employer, may require the Employee to make a statement or provide data for the purpose of exercising its rights or fulfilling its obligations, including the presentation of documents. However, the Labor Code does not authorize the Company to copy documents verifying personal data, and the Company cannot copy or store these documents without specific legal authorization.
Employees may be subject to suitability examinations prescribed by regulations related to the employment relationship or necessary for exercising rights or fulfilling obligations defined in regulations related to the employment relationship.
Without legal authorization, the Company may process the photographs of employees in its publications, presentations, and website based on the consent of the data subject.
The Company, as an Employer, shall inform the data subject (employees) in writing about the data processing and its circumstances before the conclusion of the employment contract. The data protection information and consent form used by the Company for these employees are included in Appendix 3/2 of this Policy.

-> Processing of data related to the suitability examinations of natural persons in employment relationships with the Company: Employees may only be subjected to suitability examinations prescribed by regulations related to the employment relationship or necessary for exercising rights or fulfilling obligations defined in regulations related to the employment relationship. Employees undergo health medical examinations. For employees, only the fact of suitability - "suitable," "not suitable," or "suitable with conditions" - is recorded and processed by the Company. The results can be known to the examined employees and the specialist (doctor) conducting the examination. Therefore, the Data Controller (Employer) can only receive information on whether the examined person is suitable for work and what conditions must be ensured. The details of the examination and its complete documentation, however, cannot be known. Mandatory vaccinations and lung screening results required by food safety regulations are recorded accordingly.

-> Processing of data related to the monitoring of tools provided by the Company for work (computer, laptop, company email account, mobile phone): According to the Labor Code, the Employer may monitor the conduct of the Employee in connection with the employment relationship. In this context, the Company, as an Employer, may also use technical tools and must inform the Employee in advance in writing about this and the circumstances of data processing, according to the data protection information provided in Appendix 3/4 of this Policy.

The Employee may use the IT or computing devices and systems (hereinafter referred to as computing devices) provided by the Employer for work purposes exclusively for fulfilling the employment relationship, unless otherwise agreed. The Company, as an Employer, may inspect the data stored on the computing devices used for fulfilling the employment relationship. For the purposes of this inspection, data related to private use is also considered employment-related data. This applies even if the Employee uses their own computing device for fulfilling the employment relationship based on a separate agreement. The Company, as an Employer, provides "company email accounts" to certain Employees to maintain contact with each other or to correspond with clients, partners, and other persons or organizations on behalf of the Employer. For data protection reasons, the Company does not allow private use of the company email account. To protect the Company's business secrets and confidential information and to ensure compliance with the Employer's instructions defined in this Policy, the Company may inspect the content of the "company email account" and the correspondence conducted by Employees. Before inspecting the content of the email account, the Employer must inform the Employee of the specific interest that necessitates the employer's action. The first step of the inspection is to check the email address and the subject of the email since in certain cases, it is possible to determine from the email address structure and subject that it is a private email, and therefore, there is no need to view the content of the email. The Company, as an Employer, is not entitled to view private content. Subsequently, a more detailed inspection of the email account may take place, but the principles of graduality and proportionality must be observed, and the information available to the Company regarding the specific violation must be considered. The inspection and related security backup are performed by the Company's IT staff. The backed-up data is retained for 30 (thirty) days, after which the IT staff deletes it. The data is processed for 30 (thirty) days from the inspection or, in the case of suspicion of an infringement or crime, until the related official procedure is concluded. As a general rule, the presence of the Company, as an Employer, must be ensured when using the email account. In this form of employer control, various personal data of Employees and third parties may be present in the email system, which the Company, as an Employer, is not entitled to know. If the Employee is present during the inspection and can indicate before viewing any email content that it contains personal data, this can ensure that the Company, as an Employer, does not violate this prohibition. The information on data processing related to the monitoring of the use of the company email account must be fulfilled by familiarizing and acknowledging the data protection information for Employees found in Appendix 3/4 of this Policy. The Company provides "company laptops" and computers to Employees in certain positions to perform their work. For data protection reasons, the Company, as an Employer, does not allow the private use of the company laptop and computer. To protect the Company's business secrets and confidential information and to ensure compliance with the Employer's instructions defined in this Policy, the Company may inspect the content of the "company computer and laptop" and the correspondence conducted by Employees in accordance with their job role. The inspection and related security backup are performed by the Company's IT staff. The backed-up data is retained for 30 (thirty) days, after which the IT staff deletes it. The data is processed for 30 (thirty) days from the inspection or, in the case of suspicion of an infringement or crime, until the related official procedure is concluded. During the security backup of the data stored on the laptop and computer and during the inspection of the data stored on the laptop and computer, the Data Controller must pay particular attention to not processing personal data related to the Employees' private lives. Before inspecting the content of the laptop and computer, the Data Controller must inform the Employee of the specific interest that necessitates the employer's action. Additionally, the Data Controller must develop a gradual inspection system based on the principles of graduality and proportionality, ensuring the protection of personal data and minimizing the impact on the Employees' private sphere. Therefore, as a general rule, the presence of Employees must be ensured during the inspection of the laptop and computer content, considering that various personal data of Employees and third parties may be present on the laptop, which the Data Controller is not entitled to know. If the Employee is present during the inspection and can indicate before viewing any email content that it contains personal data, this can ensure that the Company, as an Employer, does not violate this prohibition. The "company computer and laptop" can only be used for work-related purposes, so the Company, as an Employer, may inspect all data stored on the computer and laptop. However, the Company, as an Employer, may only record the fact that the Employee stored personal data on the laptop and computer - contrary to the provisions of this Policy - but cannot process personal data beyond this. The Company, as an Employer, must provide detailed information to Employees about the inspection in advance, including the purpose, the employer's interests for the inspection, who can conduct the inspection, the rules for the inspection (compliance with the principle of graduality), the procedure, and the rights and remedies available to Employees regarding data processing associated with the inspection of the laptop and computer. The information on data processing related to the monitoring of the use of the company laptop and computer must be fulfilled by familiarizing and acknowledging the data protection information for Employees found in Appendix 3/4 of this Policy. The Company provides "company mobile phones" to Employees in certain positions. The Company, as an Employer, allows the private use of these company mobile phones according to a separate agreement, but expressly excludes its liability for any data loss or data protection incident occurring on such devices. To protect the Company's business secrets and confidential information, the Data Controller may inspect the mobile phone provided to the Employee. The Company, as an Employer, is not entitled to know who the Employee called privately and when, as this knowledge is not strictly necessary for the inspection's purpose, and Section 11 (1) of the Labor Code also states that the Employee's private life is not subject to monitoring. The proposed data protection solution for Employees regarding the inspection is to use two prefixes for outgoing calls: one prefix for official calls and another prefix for private calls, or the Company, as an Employer, may request a call detail record from the phone service provider and ask the Employee to make the called numbers for private calls unrecognizable on the document. The remaining phone numbers can be known to the Company, as they were called by the Employee in connection with their employment-related duties. The Company can know the official call data but not the private call data. The Data Controller must provide detailed information to the Employee in advance, including the purpose, the employer's interests for the inspection of the "company mobile phone," who can conduct the inspection, the rules for the inspection, and the rights and remedies available to Employees regarding data processing associated with the inspection of the "company mobile phone." The information on data processing related to the monitoring of the use of the company mobile phone must be fulfilled by familiarizing and acknowledging the data protection information for Employees found in Appendix 3/4 of this Policy. Without legal authorization, the Company may process the photographs of employees in its publications, presentations, and website based on the consent of the data subject, according to the record of data processing activities. The data protection information and consent form for the processing of photographs and video recordings for employees are included in Appendix 3.5 of this Policy.

IV.1.2.) Data processing related to customers/clients/contractual partners:

contracting for the purpose of using services and purchasing goods or products, followed by data processing related to the performance of the contract,
management of customer relationships, partner relationships, customer records, handling cases, managing complaints,
data processing related to contact and communication tasks,
data processing activities during cash payments, bank transactions, record-keeping, and invoicing.

Employees of the Company are required to act in accordance with laws, professional protocols, and internal regulations while performing their duties. Customers, clients, and partners of the Company are entitled to the protection of their personal data and privacy. During data processing procedures, special attention must be paid to ensuring that only authorized persons have access to the data of customers and partners.
All employees of Hungary-Meat Ltd. are obliged to preserve the personal data and business secrets entrusted to them or that have come to their knowledge without any time limitation, even after the termination of their employment relationship, based on Section 8 (4) of Act I of 2012 on the Labor Code. Employees can only become acquainted with personal data within the scope of their job description.
The data controller must act and take measures to ensure that certain personal data and specific databases are only known to those employees or subcontractors whose access is necessary due to their job responsibilities to uphold the principles of data storage and accessibility, as well as integrity and confidentiality.
Moreover, they cannot provide information to unauthorized persons or bodies about facts that have come to their knowledge during their activities and whose disclosure would be disadvantageous or unlawfully beneficial to the Company, its employees, or its clients/guests.
The Data Controller informs customers/partners in writing about data processing and its circumstances according to the data protection information published on the Company's website, which is also posted at the Company's reception area, while contracted partners are informed in the respective contract that the Company processes the data of contracted partners and suppliers based on Article 6 (1) (b) of the GDPR, i.e., data processing is necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the request of the data subject prior to entering into a contract; the Company processes the data of contacts of contracted partners and suppliers based on Article 6 (1) (f) of the GDPR, i.e., data processing is necessary for the purposes of the legitimate interests pursued by the data controller or by a third party. Therefore, the purpose and legal basis of data processing, the scope of the data concerned, and the provisions for data processing and retention are specified in the contract, with the data being processed only for the duration of the contract and for a maximum of five years after its termination, which is the civil law limitation period. The Company always informs contracted partners about the data processing circumstances related to them as an annex to the concluded contracts.

IV.1.3.) Data processing related to creating a marketing database and sending newsletters

The data controller does not build a marketing database and does not operate a newsletter system.

IV.1.4.) Data processing arising from the operation of electronic monitoring systems:

The Data Controller has a separate policy and data protection information regarding the use of the electronic monitoring system (camera system) for employees within the framework of the data protection information for employees (see: Appendix 3/3 of this Policy) and for occasional visitors (see: Appendix 3/3/A of this Policy). The information related to electronic monitoring systems must be provided to employees when the employment contract or other work-related contract is concluded and acknowledged by them, and visitors and service users can access the information related to the camera system posted at the headquarters and at the reception area (entrance point).

IV.1.5.) Data Processing Related to the Website:
The website serves to inform visitors, but it is not suitable for contact, registration, or sending newsletters, and does not provide such opportunities. The data protection information related to the website can be found as Appendix 3/7 of this Policy.

IV.1.6.) Data Processing Related to Complaint Handling, Handling of Public Interest Disclosures, and Internal Whistleblowing System:
The Data Controller ensures the possibility of filing a complaint if its employees or contracted partners have complaints, quality objections, or would make public interest disclosures.

The Data Controller also operates a system for reporting suspected misconduct involving its employees and contracted partners, in line with its obligation under Act XXV of 2023, to ensure the investigation of suspected misconduct. The purpose of the whistleblowing system is to examine reported information on illegal or allegedly illegal acts, omissions, or other misconduct, in accordance with the requirements of Act XXV of 2023 on complaints, public interest disclosures, and rules related to reporting misconduct (hereinafter: Complaint Act). The internal whistleblowing system is operated by the Company's contracted partner, Platform Hungária Ltd. (Cgj.: 01-09-418727). The data processing rules related to the whistleblowing system are governed by the always current information and procedures published on Platform Hungária Ltd.'s website (www.bejelentek.hu).

IV.2. The Data Controller Utilizes the Services and Assistance of the Following Data Processors for its Activities:
A data processor is a natural or legal person, public authority, agency, or any other body that processes personal data on behalf of the Data Controller.
The Company may use an external data processor for processing data managed by the Company if the data processor's activity and the system used for data processing meet the data protection and data security requirements defined in this Policy. Thus, the contract or other document (compliance statement) concluded between the Company and the data processor must include provisions that the data protection and data security regulations and provisions of this Policy are acknowledged, adhered to during their activities, and that the Data Controller Company is entitled to verify compliance.
The prior consent of the data subject(s) is not required for engaging a data processor, but they must be informed. Therefore, the always current list and contact details of the Company's data processors are included in Appendix 4 of this Policy, which the Data Controller publishes in the same manner and place as the Policy.

IV.3. Data Security
The Company, as Data Controller, ensures the security of data and takes the technical and organizational measures and establishes the procedural rules necessary to enforce the applicable data and secrecy protection regulations.
The Data Controller protects personal data from unauthorized access; unauthorized alteration; unauthorized transfer; unauthorized disclosure; unauthorized or accidental deletion, destruction; damage; and from becoming inaccessible due to changes in the applied technology.

Hungary-Meat Ltd., as Data Controller:

protects the data with appropriate measures against accidental or unlawful destruction, loss, alteration, damage, unauthorized disclosure, or unauthorized access,
classifies and treats personal data as confidential and imposes confidentiality obligations on employees regarding the handling of personal data,
restricts access to personal data by assigning authorization levels,
protects its IT systems with firewalls and antivirus software,
conducts electronic data processing and record-keeping through computer programs that meet data security requirements. Thus, the program ensures that data is accessed only for specific purposes, in a controlled manner, and only by individuals who need it for their job tasks or who are authorized to do so,
ensures the monitoring of incoming and outgoing electronic communications to protect personal data,
stores the personal data it manages on a physically protected server at its headquarters, with electronic access to the server possible only after providing a unique identifier name and password,
ensures the proper physical protection of data and the devices and documents carrying the data.
The internal server is disconnected from the internet and operates only on an internal network. All workstations have non-basic antivirus protection, with internet security and firewalls to protect against various types of intrusions, such as ransomware, etc. We use a separate guest network on Wi-Fi, which runs external users in a completely separate IP range, preventing communication with the internal network,
only authorized administrators can access documents being processed or in progress. Personnel, payroll, employment, and other personal data documents must be securely locked,

-> For the security of personal data managed and stored on paper, Hungary-Meat Ltd. implements the following measures:

the data can only be accessed by authorized persons and cannot be disclosed to others,
documents are placed in a well-closed, dry room equipped with fire protection devices, and documents stored in lockable cabinets have restricted access, so only authorized persons - based on their job tasks or roles - can access active and ongoing documents,
the current data processing employee can only leave the room where the data processing is taking place by locking the office or securing the entrusted documents, and at the end of work, the documents that serve as the basis for data processing must be secured,
if personal data managed on paper is digitized, the rules of IT security applicable to digitally, electronically stored documents and electronic data processing must be followed.

-> For the security of personal data stored on computers and the internal network, the Company implements the following measures:

the personal computers and laptops (hereinafter referred to as computers) used for data processing are owned by the Company or are under ownership-like rights,
data on the computers can only be accessed with a valid, personal, identifiable authorization, user name, and password, with the Company ensuring the change of passwords if necessary,
all computer records of data handling are traceably logged,
only individuals with appropriate authorization and designated by the Company can access the data stored on the network server (hereinafter: server),
the server and the computers used by the Company are not in the same location. The Data Controller stores the personal data it manages on a physically protected server located elsewhere from the Company's headquarters, with electronic access to the server only possible after providing a unique identifier name and password,
Data security is further ensured by periodic backups to a separate server, involving daily backups of active data in databases containing personal data, covering the entire data set of the central server and stored on magnetic media, which is kept in a specially designed safe,
the Company continuously ensures virus protection on the network managing personal data,
if the purpose of data processing is achieved or the data processing deadline has expired, the files containing the data are irretrievably deleted, and the data cannot be recovered,
the Company prevents unauthorized network access using the available computing devices and their applications.

IV.3.1. Principles of Data Security
Principle of Confidentiality: Protecting the confidentiality of data guarantees that data cannot be accessed or disclosed without authorization.
Principle of Integrity: Data integrity means that data can only be modified by authorized persons.
Principle of Availability: Ensuring that data is always accessible and not unlawfully destroyed or deleted.

IV.3.2. Data Security Audit
The Company performs a data security audit at least once a year or as needed to ensure the security of personal data it manages, testing, assessing, and evaluating the effectiveness of the technical and organizational measures taken to guarantee data security. The data security audit is conducted by an organization or individual with expertise (IT and/or data management) engaged by the Data Controller.
A record of the audit is made, signed by those present during the audit. Based on the record, the engaged expert prepares an evaluation and an action plan, which is handed over to the Company's management.

The process of data security audit:

A.) Identifying the need for protection:
Select the key data processing systems of the Company that need protection. Corporate data protection consists of three components: physical protection, procedural protection, and IT protection.
->Physical protection includes the protection of premises, objects, and paper-based and other traditional documents.
->Procedural protection includes defining, complying with, and monitoring compliance with data protection and data security rules and raising the awareness of Company employees.
->IT protection consists of hardware and software protection.

B.) Threat Analysis:
Identify the threatening factors that may endanger the data and applications to be protected. The data security audit record must document the threatening factors.
Major risk factors endangering data security:
External threat factors:
a) natural disasters;
b) violent acts committed by external persons;
c) utility supply disruptions;
d) external persons staying in the premises;
e) technical failure of protective equipment, emergencies (e.g., short circuit, fire, burst pipe).

Threats to hardware devices:
a) technical errors, malfunctions;
b) harmful environmental effects (voltage fluctuations, contamination, electromagnetic radiation, electrostatic charging);
c) errors related to the handling and maintenance of devices;
d) unauthorized access to peripherals;
e) manipulation, damage, theft of devices;
f) incorrect selection of premises or workplaces for device placement.

Threats to data carriers:
a) manufacturing defect;
b) damage due to improper storage or handling;
c) use of unknown or dubious origin data carriers;
d) uncontrolled access to data carriers, copying;
e) use of own data carriers for official or private purposes without control (virus risk, illegal copying).

Risk factors related to documents and IT documentation:
a) complete or partial lack of system documentation;
b) lack of traceable organization of documents;
c) lack of relevance;
d) unauthorized, incorrect, unknown origin modifications;
e) uncontrolled access, duplication.

Threats related to software:
a) use of non-licensed, unknown software;
b) software error;
c) possibility of unauthorized access, copying;
d) uncontrolled introduction of software into the IT system;
e) virus risk;
f) intentional or negligent handling and maintenance error;
g) software damage due to hardware error;
h) lack or damage of documentation.

Risk factors related to user activities and data:
a) data loss, damage due to hardware or software error;
b) complete or partial data loss due to faulty data carrier;
c) intentional or accidental data deletion, modification by authorized data handler;
d) copying, deleting, modifying by unauthorized data handler;
e) incorrect data handling due to lack of knowledge;
f) non-compliance with handling instructions, lack of training.

Threats in communication:
a) unauthorized access to the network through uncontrolled connections;
b) intentional or negligent manipulation of network hardware and software;
c) eavesdropping on data traffic;
d) unexpected traffic obstacles, disturbances in transmission;
e) message loss, message alteration;
f) damage to data transmission devices.

Person-related threats:
a) incorrect data handling due to lack of knowledge, fatigue, inattention;
b) disregard of data handling regulations due to incomplete "security awareness," underestimating threats;
c) intentional incorrect data handling due to internal motivation or external influence;
d) unauthorized access;
e) lack of control

C.) Risk Analysis: Examine the impact of threatening factors on the IT system, determine the frequency and value of potential damages. Identify possible measures to minimize risk. A deadline for implementing the measures must be set. The Managing Director arranges the planning and implementation of necessary measures.

Compare the factors defined in the previous chapter and determine their occurrence according to the current state of science. The occurrence possibility is classified into four groups based on probability:
1. cannot occur under normal operations (e.g., war, state bankruptcy)
2. slight possibility of occurrence (e.g., power outage, storm damage)
3. realistic possibility of occurrence (e.g., burglary, virus infection)
4. will most likely occur (e.g., incorrect data entry)

The threatening factors defined in the data security audit record must be evaluated according to the classification described in the previous paragraph. External experts can be engaged for risk assessment, with the Company's IT specialist or system administrator evaluating IT-related risks.

During the automated processing of personal data, ensure:
- preventing unauthorized data entry;
- preventing unauthorized use of the systems by unauthorized persons;
- the ability to check and determine which bodies received or can receive personal data using data transmission equipment;
- the ability to check and determine which personal data was entered into the automated data processing systems, by whom, and when;
- restoration of installed systems in case of malfunction.

D.) Risk Management: Selecting and evaluating appropriate measures to reduce damage.

IV.4. Duration of Data Processing: The Company processes personal data exclusively for lawful purposes and for the duration necessary to achieve these purposes. If personal data is no longer needed, it must be securely and documentedly destroyed. Deletion records must be kept for 10 years.

IV.5. Confidentiality and Data Protection: All employees of HUNGARY-MEAT Kft. who handle or have access to personal data are obliged to maintain the confidentiality and data protection according to this Data Protection and Data Security Policy, as well as the relevant laws, indefinitely, even after the termination of their employment relationship. Employees may only access personal data within the scope of their job description.
HUNGARY-MEAT Kft. places great emphasis on fulfilling its confidentiality obligations arising from its scope of activities and services, and ensures compliance with these obligations by its employees, partners, supporters, beneficiaries, clients/guests, and contractors.
Employees and personal visitors (customers, guests, partners, and suppliers) of HUNGARY-MEAT Kft. can only access a defined set of personal data relevant to their inquiries. These individuals have limited rights to modify, delete, or archive personal data, as their modification rights are restricted to contact information, while they do not have deletion or archiving rights. The managing director of HUNGARY-MEAT Kft. has unlimited access rights to all personal data, including modification, correction, deletion, and archiving.
The person responsible for data processing within their activity scope is responsible for processing, modifying, deleting, transmitting, and disclosing data, as well as for accurately and traceably documenting the data. During their activities, the data processor handles and retains the data acquired during task execution, ensures the secure handling and storage of personal data records, prevents unauthorized access to the data they manage, complies with data processing laws and internal instructions, and participates in training related to data processing and data protection.

IV.6. Handling Data Protection Incidents
All employees of the Data Controller are obliged to report any data protection incident immediately to the designated data protection officer. The report must include the following information:
- the name of the person who detected or reported the data protection incident,
- a brief description of the data protection incident,
- and whether the detected data protection incident affects the Data Controller's IT system or not.

Investigation of Data Protection Incidents
The data protection officer examines the report and, if necessary, requests additional information from the reporter about the incident.
The data protection officer must investigate the following information (if not included in the report) to the extent possible:
- the time and place of the data protection incident,
- the scope of data affected by the data protection incident,
- the range and number of individuals affected by the data protection incident.

Based on this information, the data protection officer prepares a summary of the expected impacts of the data protection incident and creates an action plan to mitigate the consequences. The data protection officer may involve the heads and employees of organizational units affected by the data protection incident, who must cooperate with the data protection officer. The investigation must be completed within three working days of the arrival of the data protection officer, and the data protection officer must inform the Managing Director of the results of the investigation.

Evaluation of Data Protection Incidents
The Data Controller evaluates the data protection incident based on the following criteria:
- type of incident (confidentiality, integrity, or availability),
- nature of personal data (personal data / special category),
- number of personal data,
- number of affected individuals,
- categories of affected natural persons,
- identifiability of the affected natural persons,
- likelihood and severity of consequences for the natural person,
- legal basis for the affected data processing.

The Data Controller classifies the data protection incident as risky under the following conditions:
- the incident involves personal data in special categories,
- the number of personal data involved in the incident exceeds 100,
- the incident involves natural persons under the age of 16,
- the number of affected natural persons exceeds 100,
- the incident involves personal data that can be used to directly contact the affected person,
- the personal data can be used for identity theft or misuse of identity,
- the incident involves personal data that can cause financial loss to the affected person.

The Data Controller classifies the data protection incident as likely low-risk if at least one of the above conditions is met, and the Data Controller cannot prove that the affected personal data was protected by physical and/or IT security measures that have not been compromised since the incident. The Data Controller classifies the data protection incident as likely high-risk if at least two of the above conditions are met, and the Data Controller cannot prove that the affected personal data was protected by physical and/or IT security measures that have not been compromised since the incident.

Reporting Data Protection Incidents to the NAIH
If the severity of the data protection incident is at least low, the data protection officer, after evaluation (but no later than 72 hours after becoming aware of the data protection incident), reports the data protection incident to the NAIH.

Informing Affected Individuals about the Data Protection Incident
If the severity of the data protection incident is likely to have a high risk to the rights of the affected individuals, the Data Controller immediately informs the affected individuals after the risk assessment. The affected individuals must be informed in writing, electronically, or by mail, which can only be omitted if the contact details of the affected person are unknown. The affected individuals must always be informed in a way that the fact, content, and group of informed individuals can be proven.

Recording Data Protection Incidents
The Data Controller acknowledges that a data protection incident may cause physical, property, or non-property damage to natural persons without appropriate and timely action. To manage data protection incidents, a data protection incident log is maintained, in which the circumstances of the data protection incident are recorded by the data protection officer within a maximum of 72 hours after the incident is reported. The data protection officer keeps a record of the data protection incident.
The record includes:
- the scope of affected personal data,
- the scope and number of individuals affected by the data protection incident,
- the time of the data protection incident,
- the circumstances of the data protection incident,
- the impacts of the data protection incident,
- the measures taken to mitigate the incident,
- the corrective and preventive measures introduced as a result of the investigation of the data protection incident.

IV.7. Interest Assessment and Conducting an Interest Assessment Test
If data processing is necessary for the legitimate interests of the Company or a third party (e.g., electronic surveillance systems, monitoring of electronic devices provided to employees for work), an interest assessment test must be conducted before starting the data processing to ensure the protection of the privacy, interests, and fundamental rights of the affected individuals.

The interest assessment test covers the following
- defining the personal data to be processed,
- identifying the person whose legitimate interest necessitates the data processing,
- presenting the legitimate interest,
- examining whether the data processing is absolutely necessary to enforce the identified legitimate interest,
- examining whether the legitimate interest can be enforced by another process,
- if the legitimate interest cannot be enforced by another process, examining how the interests and fundamental rights of the affected individuals will be limited or violated by the data processing,
- comparing the legitimate interest with the restriction of fundamental rights of the affected individuals,
- the result of the interest assessment test,
- the date of the interest assessment test,
- if the result of the interest assessment test allows the processing of personal data, determining the start date of the data processing process.

The structure of the interest assessment test:
- reason for conducting the interest assessment test,
- the legitimate interest of the Company as data controller,
- the interests and fundamental rights of the affected individuals,
- comparing the interests of the Company and the affected individuals,
- safeguards,
- right to object,
- result of the interest assessment test.

If the Data Controller concludes that the interests and fundamental rights of the affected individuals take precedence over the legitimate interests related to the data processing, the Company or a third party's legitimate interest cannot be used as a legal basis for data processing.

IV.8. Data Protection Impact Assessment
If the nature, scope, circumstances, and purposes of a type of data processing, particularly using new technologies, are likely to result in a high risk to the rights and freedoms of natural persons, the data controller conducts an impact assessment before the data processing to determine how the planned data processing operations affect the protection of personal data.

A data protection impact assessment is particularly required in the following cases:
a) systematic and extensive evaluation of personal characteristics of natural persons based on automated data processing, including profiling, on which decisions affecting the natural person are built that have legal effects on them or similarly significantly affect them;
b) large-scale processing of special categories of personal data or personal data related to criminal convictions and offenses;
c) systematic monitoring of publicly accessible areas on a large scale.

The impact assessment covers at least:
a) a systematic description of the planned data processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the data controller;
b) an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
c) an assessment of the risks to the rights and freedoms of the affected individuals; and
d) the measures to address the risks, including safeguards, security measures, and mechanisms to ensure the protection of personal data and compliance with the GDPR, considering the rights and legitimate interests of the affected individuals and other persons.
The data controller, if necessary and without prejudice to commercial or public interests or the security of the processing operations, seeks the views of the affected individuals or their representatives on the planned data processing.

The data controller conducts reviews as necessary, but at least when there is a change in the risk presented by the processing operations, to assess whether the processing of personal data complies with the data protection impact assessment.

IV.9. Special Provisions for Processing Personal Data of Minors
Under Article 8 of the GDPR, the processing of personal data of children is lawful if the child is at least 16 years old. For children under 16, the processing of personal data is only lawful if and to the extent that it is authorized by the holder of parental responsibility over the child. Obtaining consent is the responsibility and duty of the Data Controller.

V. Final Provisions
This policy invalidates all previous policies and notices in the field of data protection, and the invalidity of any point of this policy does not affect the validity of the entire policy. This policy comes into effect on August 1, 2023. This policy is binding on all employees of HUNGARY-MEAT Food Industry Manufacturing, Service, and Trade Limited Liability Company. According to the relevant provisions of the Labor Code Act I of 2012, the Employer's Policy is considered communicated if published in the usual and generally known manner at the location.

Kiskunfélegyháza, April 1, 2024.

Hungary Meat Kft. Data Protection Policy Appendix 1:

Definitions:

data subject: any identified or identifiable natural person based on any information;

identifiable natural person: a natural person who can be identified, directly or indirectly, especially by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

personal data: any information relating to the data subject;

special categories of personal data: any personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person's sex life or sexual orientation;

consent: the data subject’s voluntary, specific, informed and unambiguous indication of their wishes by which they, by a statement or by a clear affirmative action, signify agreement to the processing of personal data relating to them;

data controller: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
joint controller: the natural or legal person, public authority, agency or other body which, together with one or more other controllers, jointly determines the purposes and means of the processing of personal data;

processing: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

transmission: making data available to a specific third party;

publication: making data available to anyone;

deletion: making data unrecognizable in a way that it cannot be restored;

restriction of processing: marking stored data with the aim of limiting its processing in the future;

data destruction: the complete physical destruction of the data carrier containing the data;

data processing: operations performed on personal data by a data processor on behalf of the data controller;

data processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller;

third party: a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data;

EEA state: a Member State of the European Union and any other state which is a party to the agreement on the European Economic Area;

third country: any state that is not an EEA state;

data protection incident: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed;

3.6. Data Protection Information for Customers

3.6.1. General Data Protection Information

HUNGARY-MEAT Kft. (hereinafter: Data Controller, Company) as the data controller processes personal data for multiple purposes while respecting the rights of the data subjects and complying with legal obligations, particularly the European Parliament and Council Regulation (EU) 2016/679 (hereinafter: GDPR). HUNGARY-MEAT Kft. considers it important to inform the data subjects about the handling of personal data acquired during data processing activities and its most important characteristics.
On what basis do we process the data of the data subjects? We process personal data only for specific purposes and with appropriate legal bases. These purposes and legal bases are detailed in the specific data processing notices.
Who processes your personal data? Your personal data is processed by HUNGARY-MEAT Kft.
This data processing information is based on the European Parliament and Council Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, taking into account the content of Act CXII of 2011 on the right to information self-determination and freedom of information.
Data Controller’s name and contact information:

Name / Company name:

HUNGARY-MEAT Food Industry Manufacturing, Service, and Trade Limited Liability Company

Headquarters:

6100 Kiskunfélegyháza, Majsai út 30.

Representative of Data Controller:

László Kovács, Managing Director

Tax number:

11421702-2-03

Phone/Fax number:

Phone: 003676-463-815
Fax: 003676-462-775

Email address:

hm@hungarymeat.hu

Website name and address:

https://www.hungarymeat.hu

Availability of the data protection information:

Available in paper form at the Company’s headquarters and premises

Personal data is mostly processed by HUNGARY-MEAT Kft. at its own headquarters/premises. However, there are operations that require external assistance, data processors. The identity of the data processor may vary according to the characteristics of each data processing operation. If you want to know which data processor is involved in a particular data processing operation, you can do so in the individual data processing notice under the "Data Processor" category.
What principles does our Company consider important when processing your personal data? Personal data processing is carried out in accordance with the applicable legal regulations, with particular regard to the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council (27 April 2016) (GDPR). During the operation of the website, only personal data specified in the individual data processing activities is processed, and the provided personal data is protected by the necessary technical and organizational measures. Particular attention is paid to ensuring the confidentiality, integrity, and availability of personal data. After you provide your personal data, our Company is responsible for their accuracy and correctness.
Terms used in this notice are interpreted according to the definitions in the GDPR and the Act on the Right to Informational Self-Determination and Freedom of Information.
What rights do you have concerning your personal data processed by our Company? As a data controller, our Company ensures that data subjects can exercise their rights as defined in the GDPR. A request to exercise these rights cannot be refused by the data controller unless it proves that it is not able to identify the data subject. Therefore, the data subject must identify themselves for their request to be fulfilled.
The data controller is obliged to comply with the request without undue delay, but no later than 1 month from receipt, and inform the data subject of any obstacles or delays in fulfilling the request. In such a case, the deadline may be extended by an additional 2 months, with the data subject being informed of the extension and its reasons within 1 month.
The data controller will respond to the data subject's request in the same format in which it was received. The data subject can also submit their request electronically, in which case the response will also be provided electronically, unless the data subject specifies otherwise.
To ensure the exercise of the data subject's rights, the rights described in this notice can be exercised free of charge. However, if the request is clearly unfounded or excessive, particularly due to its repetitive nature, the data controller may charge a reasonable fee to cover the administrative costs of fulfilling the request or refuse to act on the request. In such cases, the data controller must provide justification to the data subject.
In accordance with the GDPR, data subjects can exercise the following rights:
a.) Throughout the duration of the data processing, the data subject has the right to request information and access the personal data processed by the data controller and the characteristics of the data processing, especially: - the identity and contact details of the data controller and its contact person, and if applicable, the contact details of the data protection officer - the purpose, legal basis, and duration of the data processing, - the name, address, and activities related to the data processing of any data processors used, - the legal basis and recipients of any data transfers, - any data protection incidents that may have occurred
b.) The data subject has the right to request the rectification of their personal data: If the customer's data has changed or is inaccurate, the data controller will modify them upon request at any time during the data processing period. This request can be made through the provided contact details.
c.) In the case of data processing based on consent, the customer can withdraw their consent at any time and request the deletion of their data if there is no other legal basis for the data processing. The customer's personal data will be deleted if the data processing is unlawful, the purpose of the data processing has ceased, or the specified retention period has expired; or if a court or the National Authority for Data Protection and Freedom of Information has ordered it.
d.) The data controller will restrict the processing of personal data if requested by the data subject. The data subject can request the restriction of their data in the following cases - if the accuracy of the data is contested, in which case the restriction applies for the period allowing the data controller to verify the accuracy of the personal data - if the data processing is unlawful and the data subject opposes the deletion of the data and requests the restriction instead - the data controller no longer needs the personal data for the purposes of the data processing, but the data subject requires them for the establishment, exercise, or defense of legal claims - if the data subject has objected to the data processing, pending the verification of whether the data controller’s legitimate grounds override those of the data subject
e.) The data subject can object to the processing of their personal data: They can express their objection if their data is processed based on the legal basis necessary for the legitimate interests of the data controller or a third party. In this case, the data controller cannot continue to process the personal data unless it demonstrates compelling legitimate grounds for the processing that override the interests, rights, and freedoms of the data subject, or for the establishment, exercise, or defense of legal claims.
f.) Right to data portability: If the data processing is necessary for the performance of a contract and the data processing is carried out by automated means, or if the data is processed by computer-based systems, the data subjects have the right to receive the personal data concerning them that they have provided to the data controller in a structured, commonly used, and machine-readable format. They also have the right to transmit those data to another data controller without hindrance from the data controller to which the personal data have been provided. This right can be exercised for a fee, given that the data processing is not automated.
Data Security: The data controller commits to ensuring the security of the data, taking the necessary technical measures to protect the collected, stored, and processed data, and doing everything possible to prevent their destruction, unauthorized use, and unauthorized alteration.
The data controller is also obliged to ensure that any third parties to whom the data may be transferred or handed over are instructed to fulfill these obligations.
The data controller protects personal data from unauthorized access; unauthorized alteration; unauthorized transmission; unauthorized disclosure; unauthorized or accidental deletion, destruction; damage; and from becoming inaccessible due to changes in the applied technology. Furthermore, personal data processed by the data controller are stored on a server with physical protection at the Company’s premises, which can only be accessed electronically with a unique username and password. Daily backups on a separate server also ensure data security.
The legal basis for data processing: The data processing is necessary for the performance of a contract to which the data subject is a party or to take steps at the request of the data subject before entering into a contract [GDPR Article 6(1)(b)].

Types of personal data processed:
Customer/Buyer’s name, address, email address, phone number, the amount of the purchase price or service fee, billing name and address, as well as any additional information voluntarily provided to HUNGARY-MEAT Kft. in connection with the contract, and any other data included in the notes to the order.

Invoicing, compliance with accounting obligations, retention of receipts

HUNGARY-MEAT Kft. processes the name, address (headquarters, residence, mailing address, other address), tax number (if necessary), service description, quantity, gross and net value, date of performance, date of invoice, payment deadline, and accounting documents containing these data related to the service for the purpose of issuing invoices, documenting contracts and payments, fulfilling accounting obligations, and retaining accounting documents supporting direct and indirect accounting according to the Accounting Act Section 169(2) for 8 years. The data processing is necessary for compliance with a legal obligation to which the data controller is subject [GDPR Article 6(1)(b); Accounting Act Section 169(2)]. If the data is not provided, HUNGARY-MEAT Kft. will refuse to provide the service.

Complaint Handling

The data processing is necessary for compliance with a legal obligation to which the data controller is subject [GDPR Article 6(1)(b); Consumer Protection Act Section 17/A(7)]. HUNGARY-MEAT Kft. processes the name, address (headquarters, residence, mailing address, other address) of the data subjects and the data of the service used for the purpose of handling complaints. Complaint records and copies of written responses to complaints are retained for 5 years under Section 17/A(7) of the Consumer Protection Act. If the data is not provided, the data subject cannot exercise their consumer and warranty rights.
Legal Enforcement

The data processing is necessary for the purposes of the legitimate interests pursued by the data controller (legal claims) [GDPR Article 6(1)(f)]. HUNGARY-MEAT Kft. processes the data and related documents, documents, and copies of the data subjects with whom it enters into legal relations for the purpose of enforcing civil and criminal claims. The data processing lasts until the limitation period or statutory expiry period specified in the relevant contract or law (general limitation period: 5 years).
Recipients, Data Transfers, Data Processors: The Company provides accounting services, the bank managing the account, the company operating the online payment or invoicing system, the tax authority (NAV), if necessary, a legal representative and/or competent court, the Payment Order Center (MOKK) (in the case of payment orders), court bailiff.
Rights of legal enforcement: According to Articles 12-22 of the GDPR and the Company's Data Protection and Data Security Regulations, you have the right to receive information about the facts related to data processing before the data processing begins (hereinafter: the right to prior information), the data controller provides your personal data and related information at your request (hereinafter: the right of access), the data controller rectifies or supplements your personal data at your request (hereinafter: the right to rectification), restricts the processing of your personal data at your request (hereinafter: the right to restriction of processing), deletes your personal data at your request (hereinafter: the right to erasure), objects to the processing of personal data and exercises the right to data portability.

The right of legal enforcement can be initiated by email, phone, or letter through the contact details provided above.
The data subject may also exercise the right to lodge a complaint with the supervisory authority at the following contact:
National Authority for Data Protection and Freedom of Information
Address: 1055 Budapest, Falk Miksa utca 9-11.
Email: ugyfelszolgalat@naih.hu
Mailing address: 1363 Budapest, Pf.: 9.
Phone:
+36 (30) 683-5969
+36 (30) 549-6838
+36 (1) 391 1400
Fax: +36 (1) 391-1410
Website: naih.hu

Amendment of the Information Notice
HUNGARY-MEAT Kft. reserves the right to unilaterally amend this Information Notice with effect following the amendment, provided that the data subjects are immediately informed of the amendments.
Acceptance and Understanding of the Information Notice
By providing personal data, you, as the data subject, confirm that you have read and expressly accept the version of the Information Notice in force at the time the data is provided. Specific data protection conditions may also apply when using certain special services, which will be communicated to the data subject before using the service.

3.7. DATA PROCESSING NOTICE FOR THE WEBSITE

DATA PROCESSING NOTICE
for visitors to the website
www.hungarymeat.hu
operated by HUNGARY-MEAT Kft.
Please read this Notice carefully to understand how we process your personal data and to know your rights regarding data processing.

Introduction

Our Company, as the Data Controller, processes the data of individuals visiting the above-named website to provide appropriate services.

The Data Controller fully complies with the legal requirements for personal data processing. This data processing notice is based on Regulation (EU) 2016/679 of the European Parliament and the Council (GDPR) on the protection of natural persons with regard to the processing of personal data and the free movement of such data, and also considers the content of Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information.

During its business and economic activities, the Data Controller pays special attention to the protection of personal data, compliance with mandatory legal provisions, and the secure and fair processing of data. The Data Controller treats personal data confidentially as described in this notice and takes all necessary security, technical, and organizational measures to ensure the security of the data and the enforcement of data protection and data security requirements. The Data Controller considers it important to respect and enforce the rights of its Clients, Partners, and all other natural persons (hereinafter referred to as Data Subjects) related to data processing. Therefore, the Data Controller undertakes to ensure that its data processing activities related to its services comply with the expectations defined by applicable laws.

As a Data Controller, HUNGARY-MEAT Kft. (hereinafter referred to as Data Controller) respects the privacy of all individuals who provide personal data and is committed to protecting them. In accordance with Article 13 of the General Data Protection Regulation (GDPR) of the European Union, the following information is provided:

The operator of the website and the processor of the personal data provided on the website (hereinafter referred to as Data Controller):

Name / Company Name:

HUNGARY-MEAT Élelmiszeripari Termelő Szolgáltató és Kereskedelmi Korlátolt Felelősségű Társaság

Headquarters:

6100 Kiskunfélegyháza, Majsai út 30.

Data Controller's representative:

László Kovács, Managing Director

Tax number:

11421702-2-03

Phone/Fax number:

Tel: 003676-463-815
Fax: 003676-462-775

Email address:

hm@hungarymeat.hu

Website name, address:

https://www.hungarymeat.hu

Availability of the data processing notice:

Available in paper form at the Company's headquarters and premises

Data Protection Officer:

The Data Controller is not required to appoint a data protection officer according to Article 37 of the GDPR

Data protection requests:

If you have any requests or questions regarding data processing, you can send your request by post to 6100 Kiskunfélegyháza, Majsai út 30., or electronically to hm@hungarymeat.hu. We will respond to your request without delay, but no later than 30 days to the address you requested.

Data Processing

The persons detailed below perform data processing

International Data Transfers:

No transfers to foreign countries.

1. Principles and Lawfulness of Data Processing
The Data Controller declares that it processes personal data in accordance with this data processing notice and complies with the applicable legal requirements, paying particular attention to the following:
- Personal data must be processed lawfully, fairly, and in a transparent manner in relation to the data subject.
- Personal data must be collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
- The processing of personal data must be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.
- Personal data must be accurate and, where necessary, kept up to date. Inaccurate personal data must be erased or rectified without delay.

Personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. Personal data may be stored for longer periods insofar as the data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes.

Personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures.

The principles of data protection apply to any information concerning an identified or identifiable natural person.
1.1. Lawfulness of Data Processing:
The processing of personal data shall be lawful only if and to the extent that at least one of the following applies:
- The data subject has given consent to the processing of his or her personal data for one or more specific purposes;
- Processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract;
- Processing is necessary for compliance with a legal obligation to which the Data Controller is subject;
- Processing is necessary in order to protect the vital interests of the data subject or of another natural person;
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller;
- Processing is necessary for the purposes of the legitimate interests pursued by the Data Controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, especially where the data subject is a child.

Where the processing of personal data is based on the data subject's consent, the Data Controller may process the collected data further for the purpose of fulfilling legal obligations, performing contracts, protecting the vital interests of the data subject or another natural person, or pursuing the legitimate interests of the Data Controller or a third party, provided that the legal conditions for such processing are met, without further consent and even after the withdrawal of the data subject's consent.

Personal data may be transferred, and different processing activities may be connected if the data subject has consented or if permitted by law, and if the conditions for lawful processing are met for each personal data item.

Personal data may be transferred to a data controller or data processor in a third country if the data subject has explicitly consented or if permitted by law, and provided that the adequate level of protection of personal data is ensured during processing in the third country.

In the case of mandatory data processing, the purpose and conditions of the processing, the categories of data to be processed, and the duration of the processing shall be defined by the law or municipal regulation ordering the processing.

Data processing based on the fulfillment of a legal obligation is independent of the data subject's consent as it is determined by law. In such cases, the data subject must be informed before the processing begins that the processing is mandatory and must be clearly and fully informed about all facts relating to the processing of his or her data, such as the purpose and legal basis of the processing, the identity of the data controller and data processor, the duration of the processing, and the entities that may access the data. The information must also cover the data subject's rights and legal remedies related to data processing. In the case of mandatory processing, the information can be provided by referring to the relevant legal provisions publicly disclosed.

Law may order the disclosure of personal data for reasons of public interest, specifying the categories of data to be disclosed. In all other cases, the disclosure of personal data requires the consent of the data subject, or written consent in the case of special categories of personal data. In case of doubt, it should be assumed that the data subject has not given consent. Consent shall be considered given in respect of data provided by the data subject in the course of public appearances or data expressly provided for public disclosure. In procedures initiated at the request of the data subject, it shall be presumed that the data subject has given consent to the processing of the necessary data. The data subject must be informed of this presumption. The data subject may also give consent within a written contract with the Data Controller for the fulfillment of the contract. In this case, the contract must contain all the information the data subject needs to know for data processing, such as the specific data to be processed, the duration of processing, the purpose of use, data transfer, and the use of a data processor. The contract must clearly state that the data subject consents to the processing of his or her data as specified in the contract.

The right to the protection of personal data and the personality rights of the data subject cannot be violated by other interests, including the public's right to access data of public interest, unless otherwise provided by law.

Personal data may also be processed if obtaining the data subject's consent is impossible or would involve disproportionate effort, and the processing is necessary for compliance with a legal obligation, or for the protection of the legitimate interests of the Data Controller or a third party, and these interests are proportionate to the restriction of the right to the protection of personal data.

If the data subject is unable to give consent due to incapacity or other unavoidable reasons, personal data may be processed to the extent necessary for the protection of the vital interests of the data subject or another person, and for the prevention or mitigation of direct threats to the life, health, or property of individuals.

2. Specific Data Processing Related to the Data Controller's Website

2.1. Data Processed on the Website: Anyone can view the public content of our website without providing personal data, as visiting the site does not require registration or login.
The following data is processed in connection with the use of the website for the purposes and duration specified in this notice, and your rights related to data processing are ensured as follows:
2.2. Data Processing Related to Website Visitors
When using our website, certain data is automatically recorded from your device or browser when you visit the site. Further information on these processes is provided in the "Cookies and Web Beacons (Pixel Tags)" section of this privacy policy. Such data includes:
- Device identifiers, call status, network access, storage, and battery information
- Cookies, IP addresses, referrer headers, browser and version identification data, and web beacons and tags.
Providing personal data is essential for identification in the databases.
Those authorized to access the data: the Data Controller, the web developer/IT specialist, and the accounting firm.
Providing personal data is essential for identification in the databases and for the fulfillment of the Data Controller's legal obligations.

2.3. Cookie Management
What is a cookie? A cookie is a text file placed on your device (computer, smartphone) used to access the internet when you open and use our website. It typically contains information related to the connection between the web server and your device or the operation of the website (e.g., a session identifier consisting of a unique sequence of letters, numbers, and other characters; the time you opened the website, etc.), and the web server can read it back from time to time – while you are browsing our website or when you visit it again later. Using the content of the cookie, the website (server) can improve the user experience and implement the services provided on the website. For example, when shopping in an online store, the store can distinguish and manage ongoing purchases using such cookies (e.g., the current content of the cart). If the internet connection is interrupted while shopping, the website can use the previously stored cookie to know which products were added to the cart, which products were searched for, and continue the purchase where it left off once the connection is restored.
Acceptance by visiting the website: When you visit our website, it collects data using the cookies described above. By visiting our website, you, as a user, can accept with a single click that the site uses cookies in accordance with this notice – cookies that are not suitable for identifying individuals. As a user, you can also delete cookies from your browsers at any time in the Settings menu. If you disable cookie installation on your computer in your browser or delete them, this may limit the usability of the website (or certain parts of it), and the settings you previously provided on the website may be lost.

Cookies used on our website:
- Essential cookies
- Functional cookies
- Google Analytics cookies
- Social media cookies
The data subjects of the data processing are the visitors to the website.
The purpose of data processing is to provide additional services, identification, and tracking of visitors. Identifying users visiting our website, distinguishing them from each other, identifying users' current sessions, storing data provided during the session, and preventing data loss.
The legal basis for data processing: The user's consent is not required if the use of cookies is strictly necessary for the service provider.
The data processed: unique identifier, time, and settings data. The cookies used on our website support the operation of the site and contain information (numbers and character strings) interpretable by the site's program code regarding the time of the visit, session ID, and other session-related information.
The information stored in functional cookies is not disclosed to third parties.
Data controllers authorized to access the data: The data controller does not process personal data using cookies.
Data storage method: electronic.
Data processing duration: Some functional cookies used on our website expire when you leave the site or close the browser. Some other functional cookies have a longer lifespan (180 days), but the content of these cookies can only be accessed by our website if you revisit our site from the same device and have not deleted these cookies in the meantime.
Legal remedies: Most internet browsers automatically allow cookies. However, you can change this setting at any time, disable and delete cookies. You can access, view, and examine the content of cookies stored on your device at any time.
Managing cookies, disabling their use, or deleting them is generally possible in the settings of well-known internet browsers, typically in the security, privacy, or privacy settings submenu, under the name cookie or cookie.
Please note that if you disable or do not accept the use of cookies, certain functions of the website may change or may not be available to you while using the site.
More information on managing cookies can be found in the help section of the respective programs or by clicking on the following links: Internet Explorer, Chrome, Mozilla Firefox, Edge.

2.4. Google Analytics Service
To analyze, measure, and monitor the traffic and performance data of our website, we use the Google Analytics service. The information collected from the website is automatically forwarded to Google, but this information does not and must not contain personal data. The information collected and transmitted are statistical data capable of distinguishing sessions from each other, but not identifying visitors.
The purpose of data processing
To measure the performance of the website, create usage statistics, and distinguish sessions from each other.
The data processed
The Google Analytics service uses cookies to measure the performance of the website and to create usage statistics. These cookies contain information (unique character strings) that the service can interpret.
Data processing duration
The cookies used by the Google Analytics service have different validity periods. Some cookies expire when you close the site in your internet browser, while some have a shorter (1 minute) or significantly longer (e.g., 24 hours or 2 years) validity period. However, our website – and through it the Google Analytics service – can only access the content of these longer-validity cookies if you revisit our site from the same device and have not deleted these cookies in the meantime.
Legal remedies
If you do not want the Google Analytics service to collect data about your visit to our website, you can disable it by installing and using a program designed for this purpose. You can also disable the use of cookies – including all other cookies – used by Google Analytics. You can access, view, examine, and delete the content of cookies stored on your device at any time.

3. Data Processing Methods and Security

The Data Controller ensures the security of the data and takes the technical and organizational measures necessary to enforce the GDPR and other data and privacy protection rules. The Data Controller protects personal data against unauthorized access; unauthorized alteration; unauthorized transfer; unauthorized disclosure; unauthorized or accidental deletion; destruction; damage; and becoming inaccessible due to changes in the applied technology.

The website operates through SSL encryption (https).
Emails operate through the servers of the Google Workspace (hosting provider).
Personal data (applications) can be accessed through a password-protected administration interface.
Paper-based documents are stored in a locked office, in a locked cabinet.
In the event of data loss due to the fault of the Data Controller, the Data Controller is obliged to restore the data free of charge.

Data processing security: To ensure the security of the personal data we process, we take all necessary technical and organizational measures to protect the data against accidental deletion (destruction), unauthorized use, or modification. We limit access to the data processed in our IT systems through an authorization system, allowing access exclusively to our employees. With these measures, we ensure that unauthorized persons cannot access, disclose, transfer, modify, or delete the data.

Data transfer: We do not disclose your personal data to those not authorized to access it, and we only transfer it to third parties if you have given your prior consent. An exception to this is if the transfer of data is required by law, such as providing the content of financial documents related to contracts and services to the National Tax and Customs Administration, or during an official investigation by authorities (e.g., police, prosecutor's office, court, etc.) to provide the necessary data for the investigation. In these cases, your separate consent is not required as it is a legal obligation.

4. Data Subject Rights
4.1. Data Subject Rights
In accordance with the provisions of the GDPR and the Information Act, natural persons may request the Data Controller to provide information about the processing of their personal data; access to and rectification of their personal data; deletion or restriction of their personal data; and they may object to the processing of their personal data and exercise their right to data portability.

Right to Information and Access

The Data Controller shall, upon the request of the data subject, provide information during the period of data processing about the data it processes or has processed concerning the data subject, their sources, the purpose, legal basis, and duration of the data processing, the name and address of the data processor, and its activities related to data processing, the circumstances of any data protection incident, its effects, and the measures taken to mitigate it, and also about who and for what purpose have received or will receive the data subject’s personal data. If the data subject’s data have been transferred, the data subject may receive an extract from the data transfer records. The Data Controller must provide the information without undue delay, in an easily understandable form, within 30 days at the latest from the submission of the request. Providing the information is free of charge if the requester has not previously submitted a request for information concerning the same set of data in the current year. The Data Controller may refuse to provide information if the data subject is not requesting information about their data; if the requester cannot credibly prove that they are the data subject concerned; if the provision of information is excluded by law; or if the Data Controller received the data from another data controller who indicated that the data subject’s right to information is restricted. The Data Controller is only authorized to provide information to the data subject and persons authorized by the data subject in a fully certified private document. In the event of refusal to provide information, the Data Controller shall inform the requester of the legal basis for the refusal. If the information request is refused, the Data Controller shall inform the data subject of the possibility of judicial remedy and the option to contact the National Authority for Data Protection and Freedom of Information. The Data Controller shall notify the National Authority for Data Protection and Freedom of Information of the refused requests annually by January 31 of the following year.

Right to Rectification

The data subject may request the rectification of their personal data, meaning they have the right to have any inaccurate personal data concerning them rectified without undue delay upon their request. They may also request that the Data Controller completes any incomplete personal data. If the accurate personal data is available to the Data Controller, it shall rectify the personal data without undue delay. The Data Controller shall examine the request for rectification without undue delay, within 30 days at the latest from its submission, and inform the requester in writing about the decision and the possibilities for legal remedy.

Right to Erasure and Restriction

The data subject has the right to obtain from the Data Controller the erasure of personal data concerning them without undue delay, and the Data Controller has the obligation to erase personal data without undue delay where one of the following grounds applies:
- The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- The data subject withdraws consent on which the processing is based and where there is no other legal ground for the processing;
- The data subject objects to the processing, and there are no overriding legitimate grounds for the processing;
- The personal data have been unlawfully processed;
- The personal data must be erased to comply with a legal obligation under Union or Member State law to which the Data Controller is subject;

Right to Restriction of Processing

The data subject has the right to obtain from the Data Controller restriction of processing where one of the following applies:
- The accuracy of the personal data is contested by the data subject, for a period enabling the Data Controller to verify the accuracy of the personal data;
- The processing is unlawful, and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
- The Data Controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise, or defense of legal claims;
- The data subject has objected to processing; pending the verification whether the legitimate grounds of the Data Controller override those of the data subject;

Right to Object

The data subject has the right to object to the processing of their personal data. The Company shall examine the objection without undue delay, within 30 days at the latest from the submission of the request, make a decision on its merits, and inform the requester in writing about the decision.
The data subject may object to the processing of their personal data if the processing or transfer of the personal data is necessary only for the fulfillment of a legal obligation to which the Data Controller is subject or for the enforcement of the legitimate interests of the Data Controller, the data recipient, or a third party, except in the case of mandatory data processing;
- If the personal data are used or transferred for direct marketing purposes, opinion polls, or scientific research; and
- In other cases specified by law.

If the data subject’s objection is justified, the Data Controller shall terminate all processing activities, including further data collection and data transfer, and block the data, and inform all those to whom the personal data objected to by the data subject have been previously transferred, about the objection and the measures taken based on it. If the Company does not agree with the data subject’s objection, or if the Company fails to comply with the deadline for examining and deciding on the objection, the data subject may appeal to a court within 30 days from the notification of the decision or from the last day of the deadline.

Rights Related to Automated Decision-Making and Profiling

The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them, except if the decision:
1. Is necessary for entering into, or performance of, a contract between the data subject and the Data Controller;
2. Is authorized by Union or Member State law to which the Data Controller is subject and which also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests; or
3. Is based on the data subject's explicit consent.

In the cases referred to in points 1 and 3, the Data Controller shall implement suitable measures to safeguard the data subject's rights and freedoms and legitimate interests, including the right to obtain human intervention on the part of the Data Controller, to express their point of view, and to contest the decision.

Notification of Rectification, Erasure, and Restriction of Processing

The Data Controller shall communicate any rectification or erasure of personal data or restriction of processing carried out in accordance with Article 16, Article 17(1), and Article 18 to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The Data Controller shall inform the data subject about those recipients upon request.

Notification of a Personal Data Breach to the Data Subject

When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the Data Controller shall communicate the personal data breach to the data subject without undue delay. The notification shall describe in clear and plain language the nature of the personal data breach and contain at least the information and measures referred to in Article 33(3) (b), (c), and (d). The notification to the data subject shall not be required if any of the following conditions are met:
1. The Data Controller has implemented appropriate technical and organizational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorized to access it, such as encryption;
2. The Data Controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialize;
3. It would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner. If the Data Controller has not already communicated the personal data breach to the data subject, the supervisory authority, having considered the likelihood of the personal data breach resulting in a high risk, may require it to do so or may decide that any of the conditions referred to in the above paragraphs are met.

4.2. Submission of the Data Subject's Request, Measures by the Data Controller
The Data Controller facilitates the exercise of the rights of the Data Subject as set out in this chapter and in the legislation. The Data Controller shall not refuse to act on the data subject’s request for exercising their rights unless it demonstrates that it is not in a position to identify the data subject. The Data Controller shall provide information on action taken on a request under Articles 15 to 22 to the data subject without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The Data Controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. If the data subject makes the request by electronic form means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.
If the Data Controller does not take action on the request of the data subject, the Data Controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.
Information provided under Articles 13 and 14 and any communication and any actions taken under Articles 15 to 22 and 34 shall be provided free of charge. Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the Data Controller may either:
1. Charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or
2. Refuse to act on the request.
The Data Controller shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request. Where the Data Controller has reasonable doubts concerning the identity of the natural person making the request referred to in Articles 15 to 21, it may request the provision of additional information necessary to confirm the identity of the data subject.

5. Legal Remedies
5.1 Information, Complaint
If the data subject believes that their rights relating to the processing of personal data have been violated, they may contact the Data Controller for information and to exercise their rights at the contact details provided above.
5.2 Complaint Handling at the Authority
For further remedies, a complaint may be submitted to the National Authority for Data Protection and Freedom of Information. The Authority will only investigate complaints if the data subject has first contacted the Data Controller about exercising their rights related to the complaint.
The data subject may take legal action or submit a complaint to the data protection authority against the data controller in case of violation of their rights. Legal remedies and complaints can be pursued at the following contact details:

National Authority for Data Protection and Freedom of Information
Address: 1055 Budapest, Falk Miksa utca 9-11.
Mailing address: 1363 Budapest, Pf.: 9.
Phone:
+36 (30) 683-5969
+36 (30) 549-6838
+36 (1) 391 1400
Fax: +36 (1) 391-1410
Email: ugyfelszolgalat@naih.hu
Website: naih.hu

6. Data Processors (Persons Authorized to Access Data, Data Transfer, Data Processing)
The data may primarily be accessed by the Data Controller, but it does not disclose them to third parties except for data processors and cooperating external service providers. To fulfill orders, ensure the operation of services, and settle accounts, the Data Controller may use data processors and cooperate with external service providers.
Data Processors
Concerning customers, the Data Controller transfers data to the following companies and uses the following data processors. The Data Processors do not make independent decisions; they are only authorized to act according to the contract with the Data Controller and the instructions received. The data processors record, manage, and process the personal data transferred to them by the Data Controller in accordance with the provisions of the GDPR.
Hosting Provider:

Name / Company Name:

Address:

1135 Budapest, Jász u. 65.

Phone:

06-20-922-8291

Email:

comprel@comprel.hu

The data you provide is stored on the server operated by the hosting provider. Only the Data Controller, IT specialist/web developer, and server operating staff have access to the data, and they are all responsible for securely handling the data.
The activity: hosting service, server service.
The purpose of data processing: ensuring the operation of the website.
Scope of processed data: Personal data previously listed in the Privacy Policy.
Duration of data processing and deadline for data deletion: Data processing lasts until the end of the website's operation or according to the contractual agreement between the website operator and the hosting provider. The data subject can also request data deletion by contacting the hosting provider if necessary.
Legal basis for data processing: GDPR Article 6(1)(b), processing is necessary for the performance of a contract to which the data subject is a party.

Website Operator:
The IT background of our website's operation is provided by our contractual service partner. The data processed on the website is stored within the European Union at our contracted partner.

Name / Company Name:

Address:

1135 Budapest, Jász u. 65.

Phone:

06-20-922-8291

Email:

comprel@comprel.hu

6. Other Provisions, Entry into Force
This Privacy Policy is published on the website of HUNGARY-MEAT Kft. (Data Controller) (www.hungarymeat.hu). The Data Controller reserves the right to review and amend this policy as necessary, which may be warranted by changes in applicable laws or our data processing activities and the technology used. If the changes affect personal data processed based on your voluntary consent, we will notify you immediately and suspend further processing of your data until you consent again. The current policy is publicly available on the Data Controller's website, and any updates to the policy will be communicated to data subjects through the same channel.

Dated: Kiskunfélegyháza, 2023. 08. 01.
Effective: from 2023. 08. 01.

HUNGARY-MEAT Kft.
represented by: László Kovács
Managing Director
DATA CONTROLLER

4th Annex:
REGISTER OF DATA PROCESSORS

Name and Contact Information of the Data Controller:

Name / Company Name:

HUNGARY-MEAT Élelmiszeripari Termelő Szolgáltató és Kereskedelmi Korlátolt Felelősségű Társaság

Address:

6100 Kiskunfélegyháza, Majsai út 30.

Data Processor Activity

Data Processor Contact Information
(name, address, phone number, and/or email address)

Payroll Software

MAXOFT Kereskedelmi és Konzultációs Kft.
1092 Budapest, Ráday utca 32. I./8.
TEL: 06 1 218- 7472
or 06 1 218-7091

Occupational Physician

Dr. István Víg, Sole Trader (address: 6640 Csongrád, Fohász utca 24., phone: 0630 910 6236 email: vigdoki@hotmail.com)

Lawyer (e.g., employment contracts, private law agreements, payment order procedures, etc.)

Dr. Péter M. Varga Law Office
Labour and Data Protection Specialist
Address: 1012 Budapest, Kiss János alt. U. 33/B.
Phone: 06 30 382 9220

Occupational Safety Consultant

PROFILUS Occupational Safety Engineering Office, Sole Proprietorship (address: 6000 Kecskemét, Csíksomlyói u.9., phone: 0670 949 9075, email: profilus@hungarymeat.hu

Enterprise Management System

Enyingi és Társai Bt. 9024 Győr, Nagy Imre u. 3. phone: 96/ 518-238 or 30/ 247-4474

Contractor (production, meat industry specialization)

Cyll Kft.
1124 Budapest, Németvölgyi út 16.
phone:
0620 336 4091
email: kalydy@cyllkft.com

Contractor (production, meat industry specialization)

Profi Meat Kft.
1033 Budapest, Huszti út 35. I.e./209.
phone: 06 30 630 9789
email:
pint@profi-meat.com

Labor Leasing

Dzsen-Mil Kft.
6100 Kiskunfélegyháza, Molnár Béla utca 2.
phone: 0676 320 047
email: dzsenmilepkft@gmail.com

Labor Consulting

Divan Kft.
6000 Kecskemét, Tinódi utca 1/a.
phone: 06 20 559 1 559
email:
kgyorgy@divan.hu

GDPR policy

Terms and conditions

Hungary-Meat © 2025

Cookie policy

Complaint