(regarding data provided in the context of requesting a quote, concluding a contract, and performing the contract)
This notice contains information regarding data processing and handling performed by SUN Elements Kft. during the conclusion of contracts to be entered into within the above scope, as well as during the performance of concluded contracts.
By placing an Order / concluding an Individual Contract, the Data Subject expressly consents to the processing of their personal data in accordance with this notice.
Definitions
Data Controller:
The data controller is the legal entity that determines the purposes and means of processing personal data independently or together with others— in this case, SUN Elements Limited Liability Company (company details: registered by the Metropolitan Court of Budapest under company registration number Cg.01-09-407862; registered seat: 1042 Budapest, József Attila utca 52. Fsz. 2.; branch office: 2191 Bag, parcel no. 3003/84.; represented individually by managing directors Csaba Hajnal and Szimóna Hajnal; tax number: 23439988-2-41) (hereinafter: the Company or Data Controller).
The Company’s contact for data protection matters: szymona85@gmail.com
Data Processor:
Any natural or legal person, public authority, agency, or other body that processes personal data on behalf of the Company (hereinafter: Data Processor).
Data Subject:
Any individual whose personal data is processed by the Company.
Personal Data:
Any information relating to an identified or identifiable natural person (the Data Subject) in connection with the above data processing activities. An identifiable natural person is one who can be identified directly or indirectly. Any data processed by the Company that is provided by the Data Subject or by the Customer on behalf of the Data Subject, or data from which the individual can be identified, qualifies as personal data.
Principles
The Company processes personal data only for a specific purpose, for the exercise of a right or the fulfillment of an obligation, while respecting the principles of data minimization, accuracy, and limited storage.
At every stage of data processing, the processing is consistent with these purposes.
The Company only processes personal data that is indispensable and suitable for achieving the purpose of processing, and only to the extent and for the duration necessary for accomplishing that purpose.
If the Contracting Party provides personal data relating to another individual, it is the Contracting Party’s responsibility to obtain the necessary consent from the Data Subject for the provision of such data.
Scope of Processed Data
The personal data processed by the Company under this document particularly include:
name, birth name, mother’s name, place and date of birth, home address / place of residence / any other real estate address under the control of the Data Subject, telephone number, email address, tax identification number, bank account number.
Legal Basis, Purpose and Duration of Data Processing
Legal basis of processing:
The legal basis for data processing is Article 6(1) of Regulation (EU) 2016/679 of the European Parliament and of the Council (“GDPR”), specifically:
a) the Data Subject has given consent to the processing of their personal data for one or more specific purposes;
b) processing is necessary for the performance of a contract to which the Data Subject is a party, or in order to take steps at the request of the Data Subject prior to entering into a contract;
c) processing is necessary for compliance with a legal obligation to which the Data Controller is subject;
f) processing is necessary for the purposes of the legitimate interests pursued by the Data Controller or by a third party.
Purpose of data processing:
The purpose of data processing is the conclusion of contracts to be entered into by the Data Controller, business communication related thereto, ensuring the fulfillment of the contract, and the enforcement of claims arising from a breach of contract.
Duration of data processing and storage:
The processing and storage period begins on the date of placing the order / concluding the individual contract, and lasts for 5 years + 30 calendar days following the completion of the contract.
If the contract is not completed, the period lasts 5 years + 30 calendar days following the termination or cessation of the contract.
These periods are determined in accordance with the statutory limitation rules applicable to claims.
Data Protection Measures and Data Security
Access to personal data is granted only to individuals performing activities related to the Company’s operational purposes.
Information on Rights, Obligations and Related Rules Concerning Data Processing
a) The Data Subject has the right to withdraw their consent to data processing at any time, and the Data Controller must comply with such withdrawal.
b) If the Data Subject withdraws their consent before the expiry of the above periods, the personal data must be deleted in accordance with this notice, except for data processed on the basis of statutory obligations, for which deletion does not apply.
c) When the above conditions for deletion occur, the Data Controller must terminate the processing of personal data concerning the Data Subject (i.e., delete the data) without requiring a separate request from the Data Subject.
d) Data security: The Company fulfills its obligations relating to data security in accordance with the applicable laws, in particular Article 24 of the GDPR. To protect personal data, the Company maintains appropriate information security regulations describing the methods and conditions for applying data security principles. Access to data is restricted by the assignment of appropriate authorization levels by both the Data Controller and the Data Processor. Employees of the Company or the Data Processor may access data only in accordance with job functions or contractual tasks, and based on the authorization levels defined.
To ensure IT system security, the Company protects its systems with firewalls and uses antivirus and anti-malware software to prevent external and internal data loss. Regarding the handling of potential data processing incidents, the Company maintains the above-mentioned information security regulations.
Confidentiality, Data Security Measures
The Data Controller and the Data Processor classify and handle all personal data as confidential.
During our structured information security operations, we pay particular attention to:
a. operational and development security,
b. prevention of data leakage,
c. maintenance of business continuity,
d. protection against malicious code,
e. secure storage, transmission, and processing of data,
f. protection against and detection of intrusion,
g. prevention of unauthorized access,
h. incident management, and
i. security training for employees.
f) The Company protects personal data with measures proportionate to the risks involved.
Provisions Concerning Data Processors
a. The Data Processor may access the Data Subject’s personal data only to the extent necessary for the specific data processing purposes defined.
b. Personal data covered by this document may be transferred by the Company to third-party Data Processors on the basis of a contract or legal obligation.
The current list of Data Processors is available for review at the Company’s branch office.
Rights of the Data Subject Regarding Data Processing
The Company informs the Data Subject of the following rights and remedies related to data processing:
a) The Data Subject is entitled to the following rights and procedural options regarding data processing:
i. they may submit a request to the Company seeking information about the processing of their personal data;
ii. they may request the rectification of their personal data;
iii. they may request the deletion or blocking of their personal data (except in the case of mandatory data processing);
iv. in certain cases, they have the right to data portability;
v. they may object to the processing of their personal data.
b) Deletion cannot be requested when the purpose of processing relates to the Company’s legal obligations, the performance of a contract with the customer, or the submission, enforcement or defence of legal claims. In such cases, the Company will restrict the data, meaning it will store it without further processing, except for the activities listed above.
c) In accordance with applicable laws and within the legally prescribed time limits, the Data Controller shall inform the Data Subject of its position and any actions taken in response to the Data Subject’s request.
d) The Data Subject may also initiate an investigation before the Hungarian National Authority for Data Protection and Freedom of Information (NAIH) if they believe a violation has occurred or there is an imminent risk regarding the processing of their personal data.
e) If the Data Subject’s personality rights are violated, they may bring the matter before the competent Regional Court (Törvényszék) based on their place of residence or stay.
f) The Data Subject is advised—but not required—to first contact the Company directly before initiating any administrative or judicial procedures, in order to facilitate the prompt resolution of any potential issues.
g) The Company shall take the necessary measures regarding the Data Subject’s request for information or objection as soon as possible, and in all cases within the deadlines provided for by applicable laws.
If justified—particularly in complex cases or in periods of high request volumes—these deadlines may be extended as permitted by the relevant legislation.
In such cases, the Company shall notify the Data Subject of the reasons for the delay upon receipt of the request.
h) If the Data Subject submits a request to the Company regarding data processing, the Company shall restrict the processing until the request is assessed. Restriction means that during this period, the Company will store the data but will not perform any other processing operations.
The restriction applies until a response is provided, or—if any administrative or judicial procedure is initiated—until the final or legally binding conclusion of such proceedings.
NAIH / Court Contact Details
Hungarian National Authority for Data Protection and Freedom of Information (NAIH)
1055 Budapest, Falk Miksa utca 9–11.
Mailing address: 1363 Budapest, P.O. Box 9.
Phone: +36-1-391-1400
Fax: +36-1-391-1410
E-mail: ugyfelszolgalat@naih.hu
Further information: http://naih.hu
Courts:
http://birosag.hu/torvenyszekek
http://birosag.hu/ugyfelkapcsolati-portal/illetekessegkereso
Validity
This document shall be interpreted and applied in accordance with the applicable legal regulations and the guidelines and statements issued by NAIH.
Temporal validity: from 01 November 2025 until withdrawn.