Privacy policy

The purpose of this Data Processing Policy is to regulate the processing of the personal data of natural persons specified in Section 1 by Notus Kontroll Ltd. (registered office: 6900 Makó, Csanád vezér tér 25, Ground Floor 5, Door 5, company reg. no.: 06-09-026521) (hereinafter: the Data Controller), in accordance with Act CXII of 2011 on the Right of Informational Self-Determination and Freedom of Information (hereinafter: Infotv.), Regulation (EU) 2016/679 of the European Parliament and of the Council (hereinafter: GDPR), and other applicable legislation.

1./ Scope of Data Subjects and Data Processing:

processes data of individuals who register for and participate in the ‘Makogo’ game.

This Policy applies to all data processing activities conducted by Notus Kontroll Ltd. involving personal data, regardless of the nature of such data.

2./ Purpose of Data Processing:

The purpose of data processing is to provide information related to Notus Kontroll Ltd.’s ‘Makogo’ mobile application game. For this purpose, Notus Kontroll Ltd. records and processes the voluntarily provided personal data of data subjects for contact, advertising or other informational purposes, needs assessment, newsletter distribution, and statistical analysis.

during the processing of personal data:

• to establish the necessary conditions for lawful data processing;
• establish data protection and data security regulations to prevent unauthorized use of personal data;
• In the event of a data protection incident, Notus Kontroll Ltd. shall take appropriate and effective measures to prevent further compromise of data processing security, adequately minimize any damage incurred, and, in accordance with the GDPR, notify the National Authority for Data Protection and Freedom of Information and the data subjects concerned.

The data subject acknowledges that during the data processing period, Notus Kontroll Ltd. may send communications to the contact details provided at registration for purposes strictly related to the objectives of the data processing. The data subject may separately declare whether they wish Notus Kontroll Ltd. to send advertisements, newsletters, or informational materials to the provided contact details during the data processing period. Notus Kontroll Ltd. will only send such communications if the data subject has given explicit, separate consent, and the data subject is entitled to withdraw this consent at any time during the data processing period.

3./ Principles and Legal Basis of Data Processing:

shall act in accordance with the following principles relating to the processing of personal data:

a) personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject;

b) personal data shall be collected only for specified, explicit and legitimate purposes, i.e. in a purpose-limited manner;

c) data processing shall always be limited to what is necessary (“data minimization”);

d) processed data shall be accurate and, where necessary, kept up to date: every reasonable step must be taken to ensure that inaccurate personal data is erased or rectified in relation to the purposes of the processing (“accuracy”);

e) personal data must be stored in a form that permits identification of data subjects for no longer than is necessary for the purposes of the processing (“storage limitation”);

f) personal data must be processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing, accidental loss, destruction, or damage (“integrity and confidentiality”).

The legal basis for data processing is the prior, voluntary consent of the data subjects. The source of the data is the voluntary provision by the data subjects. The data subject may withdraw their consent to data processing at any time without justification, verbally, in writing, or via electronic means, regarding any data for which regulations do not require or permit retention.

By registering with Notus Kontroll Kft. and acknowledging this policy, the data subject explicitly consents to the processing of their personal data provided during registration by Notus Kontroll Kft., as the data processor, in accordance with the terms set forth in this policy.

4./ Data concerning data subjects:

Data processing extends to the following data of the data subjects for purposes of contact; advertising or other information; needs assessment; or newsletter distribution:

• last name, first name
• email address

5./ Duration of data processing:

The start date of data processing is the date of electronic registration in the “Makogo” mobile application for any purpose.

Data processing will cease if the data subject requests the deletion of their personal data, except for data required to be retained by law. The data subject may request deletion of their data at the following email address: notuskontroll69@gmail.com.

6./ Types of data transferred:

Notus Kontroll Ltd. may not use personal data for purposes other than those specified. Personal data may only be disclosed to third parties with the prior informed consent of the data subjects, except in cases of mandatory data transfer required by law.

7./ Obligations of employees authorized to process personal data:

Employees of Notus Kontroll Ltd. who are authorized to access and process personal data must not disclose, share, or make such personal data covered by this policy accessible to any other person.

An employee may share personal data with another employee only when necessary for task performance. Personal data may be disclosed to third parties only with supervisor approval, for compelling reasons, and to fulfill rights or obligations.

8./ Technical implementation of data processing:

The processed data may be maintained in the following formats:

• printed document,
• electronic data
• electronically created data archived on paper

Company-owned computers may only be used by authorized personnel, who are also responsible for their proper use.

Only pre-approved and legally licensed software may run on computers deployed at Notus Control Ltd. The verification process must extend beyond detecting operational faults to include data protection considerations. Any identified deficiencies must be reported in writing to the software provider. Deploying faulty software is prohibited. Only system administrators are authorized to install/update software; testing is conducted jointly by the user and administrator. Modifying settings or temporarily suspending operation of security software (antivirus, backup) is strictly forbidden.

In case of physical malfunction or abnormal operation, computer use must be suspended and the system administrator notified immediately.

Any external storage device (USB drive, external hard drive, etc.) must first be scanned for viruses before use. If infected files are detected, the device must not be used and the administrator must be notified immediately. Confidential documents may only be removed from the workplace with the data controller’s authorization and only when absolutely necessary for offsite work. Copying programs or data files from Notus Control Ltd.’s IT equipment is prohibited except for remote work purposes or backup procedures.

Notus Control Ltd. computers have no internet restrictions, so users bear heightened responsibility for complying with legal and data security requirements during internet use.

Opening emails of uncertain origin or installing any software from the internet is prohibited. If problems or abnormal operation are detected, device use must be suspended and the system administrator notified immediately.

Employees must shut down their computers and related equipment at the end of work hours and secure external storage devices. When leaving workstations during work hours, staff must lock their computers; password-protected screen savers are mandatory.

Server data is backed up daily, while employees must perform weekly backups of work-related data stored on their computers.

Only devices and software pre-approved by Notus Kontroll Ltd.’s management may be installed in the information communication system. The system administrator is authorized to remove any device that does not meet security requirements or lacks authorization for network connection.

9. Appointment, Legal Status, and Responsibilities of the Data Protection Officer

Notus Kontroll Ltd. shall appoint a Data Protection Officer from among its employees based on professional competence and expert-level knowledge of data protection laws and practices.

Data Protection Officer: …..

Notus Kontroll Ltd. ensures that the Data Protection Officer is properly and timely involved in all matters concerning personal data protection. Specifically, the Data Protection Officer must be included in the preparation of personal data processing activities, the development of procedures, and the creation of policies.

provides the Data Protection Officer with the necessary tools and resources to perform their duties.

is accountable to the managing director.

The data protection officer is directly available to data subjects for matters related to the processing of personal data.

The data protection officer may not hold a position where they exercise employer rights or are authorized to make decisions regarding data processing activities or set conditions.

The data protection officer performs at least the following tasks:

regarding their data processing obligations;

b) monitors compliance with data protection regulations and this policy;

c) upon request, provides professional advice on data protection impact assessments and oversees their execution;

d) cooperates with the staff of the National Authority for Data Protection and Freedom of Information in official proceedings;

e) serves as a point of contact for the National Authority for Data Protection and Freedom of Information regarding data processing matters and, where applicable, consults with them on any other issues.

for it.

10. Procedure in case of a data protection incident

In the event of a data protection incident, the data controller is required to properly document the incident or its traces and immediately notify the data protection officer about the incident. At the same time, all employees of Notus Kontroll Ltd. are required to take all necessary measures for damage mitigation and evidence preservation, including in particular data backup and recovery requests to the relevant service providers, initiating anonymization or encryption, and reviewing footage from cameras operated by Notus Kontroll Ltd. The obligations under this section also apply to any potential data processor in case of an incident involving the personal data they handle.

The notification referred to in the preceding paragraph must cover in particular:

1. the nature of the data protection incident, including the categories of data subjects affected, the categories and approximate quantity of data involved in the incident,
2. the name and contact details of the data protection officer or other designated contact person for information,
3. the severity of the damage resulting from the incident, any unauthorized access, further possible consequences and measures to be taken.

The notification must not be delayed on the grounds that further information needs to be obtained.

The data-protection officer must promptly and thoroughly investigate the data-protection incident. During the investigation, all persons covered by the personal scope of this policy are obliged to assist the data-protection officer and to provide detailed information.

Within 36 hours of the incident occurring—or, if the officer learns of the incident only later, within 36 hours of becoming aware of it—the data-protection officer must scan the completed and signed incident record and send it electronically to the management of Notus Kontroll Kft., or, if that is impossible, inform the management of the incident by other means.

If the data-protection incident is likely to pose a high risk to the rights and freedoms of the data subjects, or if the data-protection authority so orders, the data-protection officer—after informing the management of Notus Kontroll Kft. and in accordance with the management’s instructions—must notify the data subjects of the incident without undue delay.

The notification must cover at least the following:

a) the time and circumstances of the data-protection incident;

b) the nature of the incident (e.g. destruction, loss, or unauthorised disclosure of data due to infection, hacker attack, loss of a data carrier, etc.);

c) an assessment of the consequences of the incident for the data subjects’ rights and freedoms and of the severity of the harm;

d) a description of the measures taken or envisaged to remedy or mitigate the damage or harm;

The notification referred to above must be given in a concise, transparent, intelligible and easily accessible form, using clear and plain language. The notification shall be free of charge.

The data subjects need not be informed of the data-protection incident in the following cases:

a) Notus Kontroll Kft. has implemented appropriate technical and organisational protection measures and these measures have been applied to the personal data affected by the data-protection incident, in particular those measures (such as encryption) that render the data unintelligible to persons not authorised to access the personal data;

b) following the data-protection incident, Notus Kontroll Kft. has taken additional steps to ensure that the high risk to the rights and freedoms of the data subject is no longer likely to materialise;

c) providing the information would require disproportionate effort. In such cases, the data subjects shall be informed by means of a public notice published on the Notus Kontroll Kft. website.

The National Authority for Data Protection and Freedom of Information must also be notified of the incident. The notification shall be sent electronically to the National Authority for Data Protection and Freedom of Information at the email address provided, within 72 hours of the incident occurring. If the notification is not made within 72 hours, the reasons justifying the delay must be attached. The data protection officer shall consult the management of Notus Kontroll Kft. in advance regarding these reasons. The notification shall be made by the data protection officer.

The incident need not be reported to the National Authority for Data Protection and Freedom of Information if it is unlikely to pose a risk to the rights and freedoms of the data subjects.

11. Measures to be taken by the management of Notus Kontroll Kft. in the event of a data-protection incident

Upon becoming aware of the data-protection incident, the management of Notus Kontroll Kft. shall immediately examine the report of the data protection officer and, if necessary, promptly request further information from employees and from the data processor.

The management of Notus Kontroll Kft. is exclusively entitled to decide, based on the circumstances and potential risks of the incident, whether the data subjects must be notified and whether the incident must be reported to the National Authority for Data Protection and Freedom of Information. In doing so, the management of Notus Kontroll Kft. must carefully and thoroughly assess the risks posed by the incident.

The management of Notus Kontroll Kft. – taking the company’s legitimate economic interests into account – shall determine the manner in which the data subjects are to be informed.

In the event of a data-protection incident, the management of Notus Kontroll Kft. may take any measures necessary to ensure the security of the data processing, including in particular:

a) may order extraordinary work arrangements in order to reduce risks, avert or prevent damages, and protect the rights and data of the data subjects;

b) may decide to close off or evacuate the registered office of Notus Kontroll Kft. or part thereof, and may seize any equipment required for the work;

c) may file a criminal report or make a notification to the competent authority when necessary;

d) may request the assistance of the data processor to restore data or to reduce or avert damages;

12. Rights and obligations of data subjects in relation to the data processing

During the data processing, Notus Kontroll Kft. ensures the data subjects’ right to the protection of their personal data.

The data subject is entitled to:

a)the right to information:The data subject has the right to receive information about the data-processing activities before such processing begins.

b)the right of access: The data subject has the right to obtain from Notus Kontroll Kft. confirmation as to whether or not personal data concerning him or her are being processed and, if so, the right to access those personal data and related information (such as the purposes of processing, the categories of personal data concerned, the storage period, etc.).

c)the right to rectification and erasure:The data subject has the right to obtain from Notus Kontroll Kft. the rectification of inaccurate personal data concerning him or her without undue delay. The data subject also has the right to obtain the erasure of personal data concerning him or her without undue delay, and Notus Kontroll Kft. is obliged to erase such data without undue delay where the data subject has withdrawn consent or the processing purpose has otherwise ceased to exist. In addition to the above, Notus Kontroll Ltd. will continue to process data that, under the law, cannot yet be deleted or could not yet be deleted at the time the relevant request was made.

d)Right to restriction of processing:The data subject has the right to obtain from Notus Kontroll Ltd. restriction of processing where: the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data; the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead; Notus Kontroll Ltd. no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims.

e) Notification obligation regarding rectification or erasure of personal data or restriction of processingNotus Kontroll Ltd. shall communicate any rectification or erasure of personal data or restriction of processing carried out to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort.

f)Right to data portability:The data subject has the right to receive the personal data concerning him or her, which he or she has provided to Notus Kontroll Kft., in a structured, commonly used and machine-readable format.

g)Right to object:The data subject has the right to object, on grounds relating to his or her particular situation, at any time to the processing of personal data concerning him or her which is based on the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, or on the legitimate interests pursued by Notus Kontroll Kft. or by a third party (processing based on point (e) or (f) of Article 6(1) of the GDPR), including profiling based on those provisions. In such case, Notus Kontroll Kft. shall no longer process the personal data unless Notus Kontroll Kft. demonstrates that the processing is necessary for compelling legitimate grounds which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims.

h) ARight not to be subject to automated decision-making: The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

i)Right to lodge a complaint and to judicial remedy:Pursuant to Article 77 of the GDPR, the data subject has the right to lodge a complaint with a supervisory authority if, in his or her opinion, the processing of his or her personal data infringes the GDPR. This right may be exercised with the Hungarian National Authority for Data Protection and Freedom of Information. (address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c; phone: +36 (1) 391-1400; fax: +36 (1) 391-1410; website: http://www.naih.hu; e-mail: ugyfelszolgalat@naih.hu).

In addition to the above, the data subject may object to the processing of his or her personal data if:

• the processing or transmission of the personal data is necessary solely for compliance with a legal obligation to which Notus Kontroll Kft. is subject or for the pursuit of the legitimate interests of Notus Kontroll Kft., the data recipient or a third party, except where processing is mandatory;
• the personal data are used or transmitted for the purposes of direct marketing, public-opinion polling or scientific research; or in any other case prescribed by law.

Notus Kontroll Kft. shall examine the objection within the shortest possible time but no later than 15 days after receipt of the request, decide whether it is well-founded, and notify the requester of its decision in writing. Detailed rules on the above rights are set out in Sections 14–19 and 21 of the Info Act. If his or her rights are infringed, or in other cases specified in the Info Act, the data subject may bring an action before a court (Info Act § 23). Adjudication of the action falls within the jurisdiction of the tribunals. At the data subject’s option, the action may also be brought before the tribunal having jurisdiction over the data subject’s domicile or place of residence.

13. Final provisions

Notus Kontroll Kft. shall compensate any person for damage caused by the unlawful processing of the data subject’s personal data or by a breach of data-security requirements, unless the damage resulted from the injured party’s intentional or grossly negligent conduct.

Notus Kontroll Kft. shall review this Policy whenever necessary, but at least every two years. The consolidated Policy incorporating any amendments must be made public in an appropriate manner and communicated separately to all persons to whom it imposes obligations.

During the review of this Policy, the data-protection officer’s opinion must be sought and documented.

Any matters not regulated herein shall be governed by the provisions of Act V of 2013 on the Civil Code, the Info Act, the GDPR, and other applicable legislation in force.

Szeged, 13 February 2025

Notus Kontroll Kft.