GDPR – The Munchkin Nook

Data Management Notice

1. Purpose, Scope, and Applicable Laws of the Data Management Notice
The purpose of this Notice is to record the data protection and data management principles applied by Bookers Limited Liability Company (hereinafter collectively referred to as the “Company”), and the data protection and data management policy that the Company, as a data controller, acknowledges as binding upon itself.
When formulating the provisions of this Notice, the Company particularly took into account the provisions of the Regulation (EU) 2016/679 of the European Parliament and of the Council (“General Data Protection Regulation” or “GDPR”), Act CXII of 2011 on the Right to Informational Self-Determination and on Freedom of Information (“Infotv.”), Act V of 2013 on the Civil Code (“Ptk.”), and Act XLVIII of 2008 on the Basic Requirements and Certain Restrictions of Commercial Advertising (“Grtv.”).
This Data Management Notice applies to the data management carried out by the Company for data provided by clients. As a data controller, the Company respects the privacy of all individuals who provide personal data and is committed to protecting it. Therefore, based on Article 13 of the General Data Protection Regulation of the European Union (Regulation 679/2016, hereinafter: GDPR), we provide the following information:

2. Definitions
• “Data subject or user”: any identified or identifiable natural person based on any personal data; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
• “Personal data”: any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
• “Data processing”: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.
• “Data controller”: the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
• “Data processor”: a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.
• “Recipient”: a natural or legal person, public authority, agency, or another body, to whom or which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.
• “Data transfer”: making data accessible to a specified third party.
• “Third party”: a natural or legal person, public authority, agency, or body other than the data subject, controller, processor, and persons who, under the direct authority of the controller or processor, are authorized to process personal data.
• “Consent of the data subject”: any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

3. Data Controller Information
• Name of Data Controller: Bookers Limited Liability Company
• Company Registration Number: 01-09-983069
• Location of Activity: 1137 Budapest, Jászai Mari tér 5-6.
• Representative of Data Controller: András Péter Timár, Managing Director
• Company’s Email Address: info@bookers.hu
• Data Controller’s Phone Number: +36-1-328-0243, mobile: +36-30-697-0207
• Data Controller’s Website: http://www.bookers.hu
If you have any requests or questions regarding data processing, you can send your request by post or electronically to the following addresses:
• Postal Address: 1137 Budapest, Jászai Mari tér 5.6
• Email Address: info@bookers.hu (Attn: András Péter Timár)
We will respond to your inquiries without delay, but no later than 30 days from the receipt of your request.
Principles and Methods of Data Management, Applicable Laws

4.1. The Data Controller acts in accordance with the requirements of good faith, fairness, and transparency, cooperating with the data subjects during data management. The Data Controller only manages data that is specified by law or provided by the data subject. The scope of managed Personal Data is proportionate to the purpose of data management and does not extend beyond it.

4.2. In any case where the Data Controller intends to use Personal Data for purposes other than the original data collection purpose, the data subject will be informed, and their prior, explicit consent will be obtained, or they will be provided with the opportunity to prohibit the use.

4.3. The Data Controller does not verify the Personal Data provided to it. The person providing the Personal Data is solely responsible for its accuracy.

4.4. Personal Data of individuals under the age of 16 can only be managed with the consent of an adult exercising parental authority over them. The Data Controller cannot verify the legitimacy or content of the consent; therefore, the User or the adult exercising parental authority guarantees that the consent complies with legal regulations. In the absence of such consent, the Data Controller does not collect Personal Data from individuals under 16.

4.5. The Data Controller does not transfer Personal Data managed by it to third parties other than the Data Processors specified in this Policy. An exception to this is the use of data in a statistically aggregated form, which does not contain any data that can identify the data subject, and thus does not constitute Data Management or data transfer.
In certain cases, such as official court or police requests, legal proceedings, suspected or actual violations of rights, or threats to the service provision, the Data Controller may make accessible the available Personal Data of the affected User to third parties.

4.6. The Data Controller informs the affected User and those to whom the Personal Data was previously transferred for data management purposes about the correction, restriction, or deletion of Personal Data. Notification can be omitted if it does not harm the legitimate interests of the User with regard to the purpose of data management.

4.7. In accordance with the relevant provisions of the GDPR, the Data Controller is not obliged to appoint a data protection officer as it is not a public authority or body, its activities do not include regular and systematic large-scale monitoring of Users, and it does not handle special categories of data or data relating to criminal convictions and offenses.

4.8. The Data Controller manages personal data in compliance with applicable laws. The relevant laws for data management include:
• Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information (Infotv.);
• Act XLVIII of 2008 on the Basic Requirements and Certain Restrictions of Commercial Advertising Activities (Grtv.);
• Act CVIII of 2001 on Certain Issues of Electronic Commerce Services and Information Society Services;
• Act C of 2000 on Accounting, Section 169 (regarding the retention of documents).

Data Management at the Company
The www.munchkin-nook.com website (hereinafter referred to as the Website) contains links that provide automatic transitions to other internet websites. These linked websites are owned and operated by third parties. The Data Controller’s website merely provides connections to these sites, and neither the Data Controller nor its employees assume any obligations or responsibilities for the content on these sites.
Management of Cookies Used on the munchkin-nook.com Website
The Data Controller uses an analytical tool to monitor its website, which creates a series of data and tracks how visitors use the internet pages. The system creates a cookie when the page is viewed, aiming to record information related to the visit (pages visited, time spent on the site, browsing data, exits, etc.), which cannot be associated with the visitor’s identity. This tool helps improve the ergonomics of the website, creating a user-friendly website to enhance the online experience of visitors. The Data Controller does not use analytical systems to collect personal information. Most internet browsers automatically accept cookies, but visitors can delete or automatically reject them. Since every browser is different, visitors can individually set their cookie preferences using their browser’s toolbar. Certain features of our website may not be usable if cookies are not accepted.

The Data Controller’s system automatically records the user’s computer’s IP address, the start time of the visit, and in some cases, depending on the computer’s settings, the type of browser and operating system. These recorded data cannot be connected with other personal data. The data processing serves solely statistical purposes.

Cookies enable the Website to recognize previous visitors. Cookies help the Data Controller, as the operator of the Website, to optimize the Website, tailoring its services to the users’ habits. Cookies can also remember settings, so they do not need to be re-entered when navigating to a new page, recall previously entered data, so it does not need to be retyped, analyze the use of the website to operate in accordance with user expectations, and monitor the effectiveness of our advertisements.

If the Data Controller displays various contents on the Website using external web services, this may result in storing some cookies that are not controlled by the Data Controller, and it has no influence on what data these websites or external domains collect. The applicable service’s policies provide information about these cookies.

The Data Controller uses cookies to display advertisements to Users via Google and Facebook. Data processing occurs without human intervention.
Users can set their web browser to accept all cookies, reject all, or notify them when a cookie is received. The setting options are usually found in the browser’s “Options” or “Settings” menu. By disabling cookies, the User acknowledges that the Website may not function fully without cookies.

The www.aboutcookies.org website provides detailed information in English to assist in settings for different browsers.
During the operation of the Website, the Data Controller utilizes External service providers, with whom it cooperates. Regarding Personal Data managed in the systems of External service providers, the privacy policies of these External service providers apply. The Data Controller does everything in its power to ensure that the External service provider manages the Personal Data transferred to them in accordance with the law and uses it only for the purposes specified by the User or as stated in this Policy.
Below, we summarize the types of cookies, their descriptions, and storage durations:
Essential Cookies: These cookies are crucial for visitors to browse the website and use its features. Without these cookies, services such as online ordering and electronic billing cannot be provided.
Development Cookies: These cookies collect information about how you use our website, such as which pages you visit most frequently. Based on this data, we can further improve the structure of our website to make it easier for users to navigate. Additionally, our affiliates use these cookies to analyze website usage to ensure it operates in the best possible manner according to user expectations.

1. Improving User Experience with Cookies: The website uses cookies to enhance user experience. These cookies may store preferences such as geographical location, text size, font type, and other customizable features. They can also remember viewed products or services to avoid repetition. However, these cookies cannot identify individuals personally, nor do they track browsing activities outside the website.

2. Contacting the Website Operator: The website features a messaging system allowing visitors to send messages to the operator without registration. When sending messages, certain data such as the sender’s IP address, message timestamp, and provided details (name, email, phone number, message content, etc.) are stored. This data is logged by the system but is accessible only to the operator. The purpose is to facilitate communication and service inquiries.

3. Data Processing for Contracts: For services provided by the company, data processing occurs for contract formation, service utilization, and billing. Data processing is based on GDPR regulations, specifically for contract performance and pre-contractual actions at the request of the data subject. Providing personal data is necessary for contract formation and service utilization. The data is used solely for providing services and is not shared with third parties.
Data Source: Directly from the data subject.
Data Retention Period: The data related to contract requests are retained for 6 years following the maturity of the requests. For accounting documents generated during sales, they are retained for 8 years in accordance with Section 169 (2) of Act C of 2000 on Accounting. Accounting documents supporting accounting entries (including general ledger accounts, analytical or detailed records) must be preserved in readable form for at least 8 years, retrievable based on accounting references.
Personnel with Access to Data: Primary access to data is granted to the data controller’s employees. Data are not made public, nor are they transferred to third parties.
Recipients of Data Transmission: Recipients include partners contracted by the data controller for service provision, the company’s accounting and payroll processing partners, and authorities such as courts, investigative authorities, tax authorities, and other regulatory agencies for compliance with official requests.

Data Processing on the Company’s Facebook Page:
• Data Subjects: All individuals who have registered on Facebook and have “liked” the page operated by the data controller.
• Purpose of Data Processing: Sharing content elements, services, products, or the page itself on social media platforms to increase visibility.
• Legal Basis for Data Processing: Voluntary consent of the data subject on the social media platform.
• Data Processed: Names and public profile pictures of individuals registered on the Facebook platform.
• Data Source: Directly from the data subject on the social media platform.
• Data Retention Period: Determined by the regulations of the respective social media platform.
• Information on Data Processors: Detailed information on data processors can be obtained from the respective social media platform’s privacy policy.
User Rights and Enforcement:
• Right to Information: Data subjects have the right to request information about data processing.
• Right of Access: Data subjects have the right to access their personal data and related information.
• Right to Rectification: Data subjects have the right to request the correction of inaccurate personal data without undue delay.

4. Right to erasure (“right to be forgotten”) The data subject is entitled to request the Controller to erase the personal data concerning him or her without undue delay, and the Controller shall be obliged to erase the personal data concerning the data subject without undue delay if certain conditions are met. Among other things, the Controller shall be obliged to erase the personal data concerning the data subject upon request if the personal data are no longer necessary for the purposes for which they were collected or otherwise processed; if the data subject withdraws consent on which the processing is based and there is no other legal ground for the processing; or if the personal data have been unlawfully processed; or if the data subject objects to the processing and there are no overriding legitimate grounds for the processing; the personal data must be erased for compliance with a legal obligation in Union or Member State law to which the Controller is subject; the personal data have been collected in relation to the offer of information society services.

5. Where processing is based on consent, the consequences of withdrawing consent: Please note that withdrawing consent does not affect the lawfulness of processing based on consent before its withdrawal.

6.5. Right to restriction of processing The data subject has the right to request the Controller to restrict processing if one of the following applies: The accuracy of the personal data is contested by the data subject, for a period enabling the Controller to verify the accuracy of the personal data; the processing is unlawful, and the data subject opposes the erasure of the personal data and requests the restriction of their use instead; the Controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims; or the data subject has objected to processing pending the verification whether the legitimate grounds of the Controller override those of the data subject.
Where processing has been restricted in accordance with the above, such personal data shall, with the exception of storage, only be processed with the data subject’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
Upon lifting the restriction of processing requested by the data subject, the Controller shall inform the data subject in advance.

6.6. Right to data portability The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a Controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another Controller without hindrance from the Controller to which the personal data have been provided, where:
• the processing is based on consent or on a contract, and
• the processing is carried out by automated means.

In exercising the right to data portability, the data subject shall have the right to have the personal data transmitted directly from one Controller to another, where technically feasible.
The right to data portability shall not adversely affect the rights and freedoms of others or the right to erasure.

6.7. Right to object The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on the Controller’s legitimate interest, including profiling based on those provisions. The Controller shall no longer process the personal data unless the Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing. If the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.

6.8. Automated individual decision-making, including profiling The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
This right shall not apply if the decision: a) is necessary for entering into, or performance of, a contract between the data subject and a Controller; b) is authorised by Union or Member State law to which the Controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or c) is based on the data subject’s explicit consent.
In the cases referred to in points (a) and (c), the Controller shall implement suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the Controller, to express his or her point of view and to contest the decision.

6.9. Notification of a personal data breach to the data subject
Where a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the Controller shall communicate the personal data breach to the data subject without undue delay.
The communication to the data subject referred to in paragraph 1 shall describe in clear and plain language the nature of the personal data breach and contain at least the information and measures referred to in Article 33(3) of the Regulation, b), c) and d).
The obligation to inform the data subject in accordance with paragraph 1 shall not apply if any of the following conditions are met: a) the Controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption; b) the Controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of the data subject is no longer likely to materialise; c) it would involve disproportionate effort. In such a case, the data subjects shall be informed through public means or similar measures shall be taken to ensure that the data subjects are effectively informed.

If the Controller has not already informed the data subject of the personal data breach, the supervisory authority, after considering whether the personal data breach is likely to result in a high risk, may order the Controller to inform the data subject or may find that any of the conditions referred to in paragraph 3 are met. (Article 34 of the Regulation)

6.10. Framework for the exercise of rights The Companies shall, without undue delay and in any event within one month of receipt of the request, inform the data subject of any actions taken in response to his or her rights listed above. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The Companies shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the data subject makes the request by electronic form means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.

If the Companies do not take action on the request of the data subject, they shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy. The contact details of the supervisory authority (in Hungary, the National Authority for Data Protection and Freedom

Data Processing Information Amendment

7.1. The Data Controller reserves the right to unilaterally modify this Information with prior notice to users.

Company Name: Bookers Kft.
Company Registration Number: 01-09-983069
Registered Office: 5-6 Jászai Mari Square, Budapest, 1137
Representative: Péter András Timár / Executive

Budapest, June 11, 2024.