DATA PROCESSING PROSPECTUS
Idea-Concept Kft., as the Controller of data (hereinafter: ‘Controller’ or ‘Company’) proceeds under present prospectus throughout all the data processing (processing) of natural person users (hereinafter: ‘User’) related to the services provided by the website https://obskurus.hu/en operated by it.
By entering the website and by using the website the User considers himself or herself bound by the content of present prospectus.
Contact details of the Controller:

Controller:
Idea-Concept Kft.
Seat:
1094 Budapest, Páva utca 4. 3. em. 1.
Postal address:
1094 Budapest, Páva utca 4. 3. em. 1.
Electronic (e-mail) address:
boldizsar.barczi@ideaconcept.hu
Registry Court:
Fővárosi Törvényszék Cégbírósága (Company Registry Court of Budapest - Capital Regional Court)
Registry no.:
01-09-340484
VAT identification number:
26709637-2-43
The aim of the Data Processing Prospectus is to define the scope of personal data processed by the Controller, the method of processing and to ensure compliance with constitutional principles of data protection, accomplishment of requirements of security of data and to prevent unauthorised access to the data, alteration and unauthorised disclosure or use of data in order to achieve natural person Users’ right to privacy to be respected.
The Controller shall for the above mentioned purposes process User’s personal data confidentially, in accordance with the existing provisions of law, provide security thereof, take technical and organisational measures and form the rules of procedures which are necessary for the enforcement of the provisions of applicable laws and other recommendations.
1. Legal basis for the processing
(1) Idea-Concept Kft. shall process the personal data of its Customers in accordance with the provisions of Act CXII of 2011 on the Right to Informational Self-determination and on the Freedom of Information (hereinafter referred to as ‘Privacy Act’) and Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (‘General Data Protection Regulation’), it is committed to protecting the Customer’s personal data, it gives high priority to respect the right to informational self-determination of the Users.
(2) Furthermore, the processing by the Controller shall be governed in particular by the provisions of the following laws:

2:42. §of Act V of 2013 on the Civil Code;
Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (‘General Data Protection Regulation’, ‘GDPR’);
Act CVIII of 2001 on Certain Issues of Electronic Commerce Services and Information Society Services (‘Eker.tv.’);
Act XLVIII of 2008 on the Basic Requirements and Certain Restrictions of Commercial Advertising Activities (‘Grt.tv.’);
Act VI of 1998 on the Promulgation of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data done at Strasbourg 28 January 1981;
Act CXIX of 1995 on Processing of Name and Address Data for Research and Direct Marketing Purposes (‘Katv.’).
2. Definitions
„Customer” means any specified natural person who is identified by personal data or can directly or indirectly be identified;
„personal data” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
„processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure, transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
„restriction of processing” means marking of the stored personal data with the aim of limiting their processing in the future;
„controller” means the natural or legal person, public authority, agency or another body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
„processor” means a natural or legal person, public authority, agency or another body which processes personal data on behalf of the controller;
„recipient” means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;
„third party” means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
„consent of the data subject” means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
„personal data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
„set of data” means entirety of data processed in one register.
3. Legal ground of processing
(1) Having known and accepted present Data Processing Prospectus, on the basis of prior and detailed information, the Customer gives his voluntary, unambiguous and definite consent to the processing of personal data relating to him or her by Idea-Concept Kft. or the following processors.
(2) Having known and accepted present Data Processing Prospectus, the Customer gives his voluntary and definite consent that part of his or her personal data (name, city) shall be recorded in the inner registry of Idea-Concept Kft.
(3) Idea-Concept Kft. may to process personal data without specific consent or even after the Customer has withdrawn his or her consent thereto for the purpose of fulfilling its legal obligations, for the purpose of enforcing the lawful interests of Idea-Concept Kft. or third person, provided that enforcement of these interests should be proportionate to the restriction of the right to the protection of personal data.
4. Scope of the personal data processed, controller, purpose and duration of the processing
(1) Regulation of data protection includes processing natural persons’ data exclusively since personal data can be interpreted only when they are related to natural persons.
(2) Anonymous information shall not be considered personal data which are collected by the Controller in such a way that identification of the person is excluded and which cannot be associated with any natural person; demographic data shall also not be considered personal data which are collected in such a way that they shall not be connected to identifiable persons’ personal data, thereby no connection shall be established with any natural person.
(3) Persons carrying out processing

The executive officer and employees of Idea-Concept Kft. shall only be entitled to perform the processing and technical processing as well as access data for the purpose and to the extent specified above. Persons participating in the processing of data by Idea-Concept Kft. shall be bound by the obligation of confidentiality concerning the personal data accessed by them.
(4) Identification of Users

For the purpose of identification, the Controller is entitled to process the following personal data given to him by the Users when making contact and/or ordering:

name of the client
e-mail address of the client
telephone number of the client
name of the contact person
e-mail address of the contact person
telephone number of the contact person
billing name of the client
billing address of the client
bank account number of the client
(Community) VAT identification number of the client

Purpose of processing: making contact for proposal and rendering service personalised for the Customers, gathering information for invoicing.
(5) Sending message online, request for quotation:

Request for quotation concerning the services of the Service Provider or request for any other information is available on the website, where the following personal data shall be given when making contact under Contact menu on the Company’s website:

name of the client
e-mail address of the client
telephone number of the client
name of the contact person
e-mail address of the contact person
telephone number of the contact person
intended time of the game
intended place of the game
expected number of participants
miscellaneous (information given by the inquirer, questions shall be raised)

Purpose of the processing: rendering service personalised for the Customers and sending price offer requested by the Customers.
(6) Validation of orders, invoicing

The Controller shall process the following data, in addition to the data provided during registration:

billing name of the client
billing address of the client
registration number of order
(Community) VAT identification number of the client
bank account number of the client
data set out in the handover minutes
data set out in the acknowledgment of participation (concerning every participant of the game)

If the order is placed over the telephone, the call may be recorded.

Purpose of the processing: rendering service personalised for the Customers, recording information for invoicing, completion of, settling the payment procedure.
5. Direct marketing, promotion
Act CVIII of 2001 on Certain Issues of Electronic Commerce Services and Information Society Services (’Eker.tv.’);
The Company may process the personal data of natural person and billing address necessary for the identification thereof, for the purpose of drawing up the contract for the information society service, determining and modifying the contents thereof, monitoring the performance thereof, billing the charges arising therefrom as well as enforcing the claims related thereto based on the legal title of 13/A § (1) of Act CVIII of 2001 and also his or her telephone number, e-mail address, bank account number, online registration number based on the legal title of consent.
For the purpose of billing the Company may process the personal data of natural person and billing address related to the use of the information society service, based on the legal title of 13/A § (2) of Act CVIII of 2001.
The recipients of personal data and categories of recipients mean employees of the Company dealing with customer service, financial, marketing issues as processor, employees of the enterprise working on the Company’s tax, accountancy matters for the purpose of fulfilling the taxing and accounting obligations, employees of the Company’s IT service provider for the purpose of performing the web hosting services.
Duration of processing of personal data means the period of registration/rendering service or until data subject has withdrawn his or her consent (until he or she requests for deleting the data), in case of purchase until the end of the 5th year counted from the year following the purchase.
By acknowledging present Data Processing Prospectus, the User expressly gives his or her consent that Controller shall process his or her personal data for its own direct marketing purposes.
Depending on the consent given by him or her, the Controller shall be entitled to send circulars as handouts about its new services, about our special offers for the User at certain intervals.
The Service Provider shall send promotional letters only for those Users, whose expressed consent has been given under the website’s menu to get promotional letters from the Service Provider.
The Customer, if he or she is not willing to get any promotional letters any more, shall be entitled to unsubscribe at any time without limitation and any explanation, free of charge.
The Customer may make the withdrawal of consent by:

clicking on the link referring to unsubscription in the promotional letter,
sending a letter to the postal address of the Controller.
6. Technical processing, Transfer, Data Security
(1) The rights and obligations of the processor in respect of technical processing of personal data shall be defined within the scope of the laws by Idea-Concept Kft. It is responsible for the lawfulness of the orders given by him.

Processor shall not make any decision on the merits regarding processing, it shall process personal data communicated thereto under the instructions of Idea-Concept Kft., it shall not carry out technical processing for its own purposes and it is obliged to store and preserve personal data under the instructions of the Controller.
(2) Transfer of data

If the Customer fails to fulfil his or her payment obligation to Idea-Concept Kft. and Idea-Concept Kft. engages a debt management company or legal representative for carrying out debt collection from the Customer, it shall be entitled to transfer data of the Customer thereto.

Debt management company or legal representative shall process data of the Customer according to the mandate given by Idea-Concept Kft. for the purpose of collecting Idea-Concept Kft’s debt and receivables (e.g. administration fee, legal costs, etc.) arising in connection with the collection of the debt by debt management company and shall be either Idea-Concept Kft’s or the debt management company’s due, during the period set out in the arrangement of Idea-Concept Kft. and the debt management company, that is, as a general rule 90 days or within this period until collection of debt is successful.

Debt management company and legal representative shall process transferred data also for the purposes of enforcement in litigation, out-of-court and nonlitigous proceedings.

Transferred data shall be known by the employees of the debt management company and the legal representative, within the scope of the laws, under obligation of confidentiality.

The Customer gives his or her consent to further collection of his or her data carried out by debt management company and legal representative apart from the data already provided (e.g. recording the new address or telephone number of the Customer available in the public directory) in addition to the data accessible on public interest grounds, for the purpose of and under enforcement of claims.

Idea-Concept Kft. shall be entitled to transfer data of the Customer to the companies who carry out accounting and audit, to debt management company and to legal representative and also when it is subject to disclosure of data mandatory by law to the organs specified in law.

Idea-Concept Kft. shall keep a record of the data transfer for the purpose of ensuring the verifiability of the lawfulness of data transfer and of informing the Customer which contains the time of transfer of the personal data processed by it, the legal basis and the recipient of the transfer, the definition of the scope of personal data transferred and other data defined in the law of processing.

Personal data shall be kept in the record of the data transfer for 5 years.
(3) Data Security

Idea-Concept Kft. shall take all the necessary measures to ensure the security of personal data given by its Customers when communicating both on the network and storing, preserving them. Controller shall store the given personal data on the secured server installed at the processors, who are operating the system.
(4) Anonymous user ID (cookie)

In the course of using the website the Controller may place anonymous user ID (cookie) on the computer of the Customer using the website provided that Customer’s consent has been given, which ID itself cannot identify the Customer in any way, it is suitable only for recognition of the Customer’s computer. Name, e-mail address and any other personal information is not required since during this procedure User does not transmit any personal data to Controller, exchange of data occurs only between computers.

The Controller processes the cookies only for the purpose of getting to know more about the Customer’s habits of using information so it can improve the standard of its services and publish customized pages, marketing materials when surfing on the website.

The Customer has the opportunity by setting his or her browser to prohibit placing unique identifier (cookie) on his or her computer. The Customer acknowledges that by disabling cookies some services may not function properly.
(5) Use of social media plug-ins (Facebook, Instagram, Twitter, Linked-in)

The website can use social media plug-ins. By using a plug-in, Customer establishes a connection to the website of the social media and gives his consent to the transfer of his or her personal data to Facebook/Instagram/Twitter/Linked-in.

If the Customer has already been signed-in on Facebook/Instagram/Twitter/Linked-in, it might occur that the given social media network will link his or her visit to the social media account of the Customer. If the Customer clicks the proper button, his or her browser will directly transfer information concerned to the given social media network and stores them there.

Information regarding the scope and the purpose of data collection, additional technical processing and utilization of data by Facebook/Instagram/Twitter/Linked-in, the rights and settings serving the protection of personal data can be found in the declaration of data protection of Facebook/Instagram/Twitter/Linked-in.
(6) Remarketing codes

For the purpose of using the services, the system shall automatically log the following data:

The remarketing code uses cookies for labeling the visitors of the website.

Installed cookie shall help the advertisements related to the Service Provider’s products and services to be published on other websites belong to Google Display’s network and on facebook visited later by the visitor of the website. User may disable cookies at any time and he or she may personalize the advertisements on the surface of advertising settings of Google.
(7) Log files

For the purpose of using the services, the system shall automatically log the following data:

dynamic IP address of the User’s computer
depending on the settings of the User’s computer, type of the browser and the operating system used by the User
activity of the User regarding the website

Use of these data shall serve on one hand technical purposes such as analysis and ex-post verification of the safety functioning of the servers; on the other hand the Controller shall use these data for preparing statistics of the use of the website, for analysing the user’s needs in order to raise the standard of the services.

The above mentioned data are not eligible for identification of the User and Controller shall not associate them with other personal data.

Controller shall process personal data related to the Customer other than the purposes mentioned above, in particular for the purpose of improving the efficiency of its service or for direct marketing purpose only if purpose of processing has been prior defined and pursuant to the consent of the Customer.

These data shall not be associated with the identification data of the Customer and they shall not be transmitted to third person without his or her consent.

These data must be deleted by the Controller if the purpose of processing has terminated or the Customer has so decided.

The Controller shall ensure user any time before and during use of the service to become familiar with the purpose and type of data processed by the Controller, including data which may not be associated directly with the user

The legal basis of the Controller’s process shall be the consent of the Customer in all cases.
7. Period of processing
(1) Idea-Concept Kft. shall process and perform technical processing of Customer’s personal data during the existence of the legal relationship and if Customer has been in delay of payment, until outstanding debt owed to Idea-Concept Kft. has been settled or up to the limitation period of the enforcement of the claim.

It shall be entitled and obliged to process and perform the technical processing of data, process of which shall be prescribed by the laws, up to the limitation period prescribed in laws.

At the end of the period of processing, the Controller must delete the Customer’s personal data.
(2) Data related to invoicing shall be processed by the Controller for 8 (eight) years in the interest of fulfilment of accounting duties pursuant to Section 169 of Act C of 2000 or until the term of limitation period set out in Act CL of 2017 on the Rules of Taxation.
(3) The Service provider shall use the software of Google Analytics to obtain independent data about the traffic of the website and other webanalitical data, therefore related to these data Google Inc. shall be the processor. Privacy Policy of Google Inc. is available at https://policies.google.com/privacy?hl=en. By using the website, the user of services of the website acknowledges that he or she has given his or her consent to technical processing of his or her data by Google.
(4) If, in the course of using service, personal data, i.e. when paying online, bank card number are to be sent online by the User, the Controller shall ensure a channel with adequate protection for such messages, a so-called SSL based connection.
(5) If the Service Provider has the website’s certain services and sites operated by a company having business relationship with it, the partner operator of the Service Provider shall collect personal data in the name of and on behalf of the Service Provider, in favour of the Service Provider, processing of which shall also be governed by the Data Processing Regulation of the controller.

If the website renders common service with its content partner, the right to utilize the personal data is common, nevertheless provisions of the Data Protection Policy of the controller shall apply under the regulations having the same content specified in the contractual relationship with the partner.
(6) In the course of the above mentioned processes, when providing data and during technical processing, the controller or the technical processor shall be clearly specified.
8. Rights of the Customer
(1) The Customer may request the Controller for

information on the processing of his or her personal data,
the rectification of his or her personal data and
with the exception of mandatory processing, the erasure or blocking of his or her personal data.
(2) Upon the Customer’s request, written information shall be provided by the Controller within thirty days of the submission of such request at the latest on the Customer’s data processed by it and on data related to technical processing performed by it or by a processor acting on behalf of it, on the source thereof, on the purpose, legal basis, period of processing, the name, the address of the processor and its activity related to processing, furthermore, if customer’s personal data has been transferred, the legal basis of transfer and the recipient thereof.
(3) Information shall be provided free of charge if no request has been submitted yet to the Controller in the current year concerning the same field. In other cases, the Controller shall assess reimbursement provided that paid reimbursement shall be refunded if data have been processed unlawfully or the request has led to adjustment of the data.
(4) The Controller shall keep a record of the data transfer for the purpose of ensuring the verifiability of the lawfulness of data transfer and of informing the customer which contains the time of transferring the personal data processed by it, the legal basis and the recipient of the transfer, the definition of the scope of personal data transferred and other data defined in the law of processing.
(5) If personal data is incorrect and the correct personal data is available to the Controller, the Controller shall adjust the personal data.
(6) Personal data shall be erased

if processing thereof is unlawful,
by Customer’s request (except for mandatory processing),
if data is incomplete or incorrect and this state cannot be lawfully rectified, provided that erasure is not exempted by law,
if the purpose of processing has terminated or the time limit of storing the data specified by law has expired,
it has been ordered by court or by the Authority.
(7) The Controller shall block personal data instead of erasing if the Customer requests for it, or if, with respect to the information available, it is assumed that the erasure would prejudice the legitimate interests of the Customer. Personal data so erased shall only be processed until the purpose of processing which excluded the erasure of the personal data exists.
(8) The Controller shall mark the personal data processed by it if accuracy or correctness is contested by the customer but the inaccuracy or incorrectness of the personal data in dispute cannot be verified clearly.
(9) Information of rectification, blocking, marking and erasure shall be provided to the Customer and all those to whom data for the purpose of processing were earlier transferred. Notice may be dispensed with if the legitimate interest of the customer with respect to the purpose of the processing shall not be prejudiced.
(10) If the Controller fails to perform the Customer’s request of rectification, erasure or blocking, it shall communicate in written, within 30 days of receipt of the request the facts and point of law on which the rejection of the request of rectification, erasure or blocking is based.
(11) In case of rejection of the request of rectification, erasure or blocking the Controller shall inform the Customer of the possibility of legal remedies and of application to Authority.
(12) Customer may object to processing of personal data concerning him or her,

if processing or transfer of personal data is necessary exclusively for the purpose of fulfilling controller’s legal obligation or enforcing lawful interests of the controller, data recipient or third person, except for mandatory processing;
where personal data shall be used or transferred for direct marketing, public inquiry or scientific research purposes and
in other cases specified by law.
(13) The Controller shall, after processing has been simultaneously suspended, examine the objection as soon as possible but not later than 30 days after request has been filed and inform the applicant of the result in written. If the Customer disagrees with the decision or if the Controller fails to meet the time limit of 30 days, the Customer shall seek judicial remedy in 30 days from communication of the decision or from the last day of the time limit.
(14) Providing information to the Customer shall be refused with appropriate justification referring to laws, only in cases set out in law. If it refuses to provide information, the customer must be informed of the possibility to legal remedies and to apply to Hungarian National Authority for Data Protection and Freedom of Information.
9. Legal remedies
In the event of infringement, the Customer may seek legal remedy before:

Hungarian National Authority for Data Protection and Freedom of Information

Seat:
1125 Budapest, Szilágyi Erzsébet fasor 22/c.
Postal address:
1530 Budapest, Pf. 5.
Telephone:
06 -1- 391-1400
E-mail:
ugyfelszolgalat@naih.hu

regional court having territorial jurisdiction over Customer’s domicile or place of residence.

The court shall hear the case as a matter of priority.

The Controller shall be obliged to prove the lawfulness of processing, the data recipient shall be obliged to prove that data has been lawfully received.

If the court upholds the claim, it shall oblige the Controller to provide the information, to rectify, block, erase the data, destruct the decision made by automatic technical processing, consider the right of objection of the Customer or deliver the data specified in section 21 of Privacy Act requested by data recipient.

If the court dismisses the data recipient’s request in case specified in section 21 of Privacy Act, the Controller is obliged to erase personal data of the Customer within three days following the communication of the judgment.

The Controller is obliged to delete data also if data recipient fails to turn to the court within the time referred to in Section 21 (5) and (6) of Privacy Act.

The court may order the publication of its judgment, including the identification data of the Controller if it is necessary in the interests of data protection and in connection with the rights of a larger number of Customers subject under this Act.

The Controller shall be liable for compensating damage which another person may suffer caused by unlawful processing of data of the Customer or by non-compliance with requirements of security of data.

The Controller shall also be liable towards the Customer for the damage caused by the processor.

The Controller shall be exempted from the liability if it proves that the damage occurred as a consequence of an unavertable reason falling outside the scope of processing.

Damages shall not be paid if the damage was due to the intentional or grossly negligent conduct of the person suffering the damage.
10. Scope of the Data Processing Prospectus
Present Prospectus shall come into force on the day of its publication and shall remain in force for undefined period.

The Controller is entitled to unilaterally modify present prospectus at any time.

Modified Data Processing Prospectus shall enter into force also on the day of its publication.

The Controller is obliged to apply present regulation from the day of its entry into force, as well as to processing data which has already been existing before the effective date.

Budapest, the 15th of September, 2019